> On Nov. 17, 2016, 12:57 p.m., Mugdha Varadkar wrote:
> > ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py,
> > line 164
> > <https://reviews.apache.org/r/53722/diff/2/?file=1565876#file1565876line164>
> >
> > What if the directory is not present? Should it just ignore or create
> > the directory?
Add Logger.error("Unable to use PAM authentication, /etc/pam.d/ directory does
not exist.") to catch this condition. Creating a /etc/pam.d directory
for Ranger PAM authentication may cause issues for the OS, because if /etc/pam.d
exists it may ignore the /etc/pam.conf file.
- Shi
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53722/#review156198
-----------------------------------------------------------
On Nov. 17, 2016, 9:05 p.m., Shi Wang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53722/
> -----------------------------------------------------------
>
> (Updated Nov. 17, 2016, 9:05 p.m.)
>
>
> Review request for Ambari and Robert Levas.
>
>
> Bugs: trunk
> https://issues.apache.org/jira/browse/trunk
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Ranger-842 has added PAM support for Ranger; we need to add this part to
> Ambari to do automatic setup for Ranger to use PAM authentication.
>
>
> Diffs
> -----
>
>
> ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
> 6462495
>
> ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_admin_pam.j2
> PRE-CREATION
>
> ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_remote_pam.j2
> PRE-CREATION
>
> ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
> c0e537b
> ambari-web/app/data/HDP2.3/site_properties.js 9ae68df
>
> Diff: https://reviews.apache.org/r/53722/diff/
>
>
> Testing
> -------
>
> In this patch, the default value for ranger-admin module is
> auth sufficient pam_unix.so
> auth sufficient pam_sss.so
> account sufficient pam_unix.so
> account sufficient pam_sss.so
> 1. Create a Unix user shiwang, sync the Unix user to Ranger, restart
> ranger-admin as root and log in to Ranger using shiwang; it will succeed.
> 2. Change ranger-admin pam file to
> auth sufficient pam_deny.so
> account sufficient pam_deny.so
> and log in using shiwang; it will fail.
> 3. Change ranger-admin pam file to
> auth sufficient pam_ldap.so
> account sufficient pam_ldap.so
> and use an LDAP user that is already synced in Ranger (it will show a user not synced
> error if not synced in Ranger); login will succeed.
> 4. Configure sssd with LDAP; logging in with the synced user from LDAP will
> succeed.
>
>
> Thanks,
>
> Shi Wang
>
>
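The guard discussed in this thread, as an added example that is not code from the patch or from Ambari: it refuses to create `/etc/pam.d`, logs the error instead, and otherwise writes the service file atomically. The function names, the `pam_dir` parameter, the `ranger-admin` service file name and the use of the standard `logging` module (in place of Ambari's `Logger`) are assumptions.

```python
import logging
import os
import tempfile

log = logging.getLogger("pam_setup_example")  # stand-in for Ambari's Logger

# Default stack quoted in the review request's Testing section.
DEFAULT_STACK = """auth sufficient pam_unix.so
auth sufficient pam_sss.so
account sufficient pam_unix.so
account sufficient pam_sss.so
"""
PAM_TYPES = {"auth", "account", "password", "session"}


def validate_stack(text):
    """Return the rule lines; raise ValueError on a malformed one.

    Only plain "type control module" rules are accepted (@include is not).
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].lstrip("-") not in PAM_TYPES:
            raise ValueError("malformed PAM rule: %r" % line)
        rules.append(line)
    return rules


def install_pam_service(service, stack=DEFAULT_STACK, pam_dir="/etc/pam.d"):
    """Write pam_dir/service without ever creating pam_dir; True on success."""
    if not os.path.isdir(pam_dir):
        # Per the reply above: creating the directory may make the OS
        # ignore /etc/pam.conf, so report the problem and stop.
        log.error("Unable to use PAM authentication, %s directory does not exist.", pam_dir)
        return False
    if os.sep in service or service.startswith("."):
        raise ValueError("invalid PAM service name: %r" % service)
    rules = validate_stack(stack)
    # Temp file in the same directory, then an atomic rename over the target.
    fd, tmp = tempfile.mkstemp(dir=pam_dir, prefix="." + service + ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(rules) + "\n")
        os.chmod(tmp, 0o644)
        os.replace(tmp, os.path.join(pam_dir, service))
    except Exception:
        os.unlink(tmp)
        raise
    return True
```
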