[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15713571#comment-15713571 ] Vishal Ghugare commented on AMBARI-12263: - Hello Henning, Can you please provide me steps/details to reproduce the hive view issue? > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk, 2.5.0 > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667431#comment-15667431 ] Hudson commented on AMBARI-12263: - FAILURE: Integrated in Jenkins build Ambari-branch-2.5 #326 (See [https://builds.apache.org/job/Ambari-branch-2.5/326/]) AMBARI-12263. Support PAM as authentication mechanism for accessing (rlevas: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=c446bf29f21125b3cbeb89b6e46badbba3bd5d77]) * (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Group.java * (edit) ambari-server/sbin/ambari-server * (edit) ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java * (edit) ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/dao/ResourceDAO.java * (edit) ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/GroupResponse.java * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/PamAuthenticationException.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java * (edit) ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java * (edit) ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java * (edit) ambari-server/src/main/python/ambari_server/setupActions.py * (edit) ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/entities/GroupEntity.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/ClientSecurityType.java * (edit) ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql * (edit) ambari-server/pom.xml * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/dao/GroupDAO.java * (edit) ambari-server/src/main/python/ambari-server.py * (edit) ambari-server/src/main/resources/properties.json * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java * (edit) ambari-server/src/main/python/ambari_server/setupSecurity.py * (add) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProviderTest.java * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java * (edit) ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/GroupType.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk, 2.5.0 > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667385#comment-15667385 ] Hudson commented on AMBARI-12263: - FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #6016 (See [https://builds.apache.org/job/Ambari-trunk-Commit/6016/]) AMBARI-12263. Support PAM as authentication mechanism for accessing (rlevas: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=b5a2bb8ddbc7badcdd459b443077d429c5e8235d]) * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java * (edit) ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/PamAuthenticationException.java * (edit) ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql * (edit) ambari-server/src/main/resources/properties.json * (edit) ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java * (add) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProviderTest.java * (edit) ambari-server/src/main/python/ambari-server.py * (edit) ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java * (edit) ambari-server/src/main/python/ambari_server/setupActions.py * (edit) ambari-server/pom.xml * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/dao/GroupDAO.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Group.java * (edit) ambari-server/src/main/python/ambari_server/setupSecurity.py * (edit) ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql * (edit) ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/GroupResponse.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/ClientSecurityType.java * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/GroupType.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/entities/GroupEntity.java * (edit) ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql * (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/dao/ResourceDAO.java * (edit) ambari-server/sbin/ambari-server > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk, 2.5.0 > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667381#comment-15667381 ] Vishal Ghugare commented on AMBARI-12263: - Thanks Robert for your help. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk, 2.5.0 > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667361#comment-15667361
]
Robert Levas commented on AMBARI-12263:
---
[~ghugare],
I committed this patch:
Committed to trunk
{noformat}
commit b5a2bb8ddbc7badcdd459b443077d429c5e8235d
Author: Vishal Ghugare
Date: Tue Nov 15 09:19:06 2016 -0500
{noformat}
Committed to branch-2.5
{noformat}
commit c446bf29f21125b3cbeb89b6e46badbba3bd5d77
Author: Vishal Ghugare
Date: Tue Nov 15 09:54:03 2016 -0500
{noformat}
You should resolve this JIRA and close the review.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk, 2.5.0
>
> Attachments: AMBARI-12263.patch, PAM Support.doc,
> TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665586#comment-15665586
]
Hadoop QA commented on AMBARI-12263:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12838862/AMBARI-12263.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 3 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The test build failed in ambari-server
Test results:
https://builds.apache.org/job/Ambari-trunk-test-patch/9267//testReport/
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/9267//console
This message is automatically generated.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263.patch, PAM Support.doc,
> TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665318#comment-15665318 ] Vishal Ghugare commented on AMBARI-12263: - done. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665186#comment-15665186
]
Robert Levas commented on AMBARI-12263:
---
[~ghugare],
The latest patch looks good, but fails to apply to the trunk
{noformat}
error: patch failed:
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java:2459
error:
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java:
patch does not apply
{noformat}
Can you rebase and resubmit the patch to this JIRA and the review?
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263.patch, PAM Support.doc,
> TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15654646#comment-15654646
]
Hadoop QA commented on AMBARI-12263:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12838379/AMBARI-12263.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 3 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in
ambari-server:
org.apache.ambari.server.state.ServicePropertiesTest
org.apache.ambari.server.controller.metrics.JMXPropertyProviderTest
org.apache.ambari.server.state.cluster.ClusterDeadlockTest
org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProviderForDNWithSpaceTest
Test results:
https://builds.apache.org/job/Ambari-trunk-test-patch/9221//testReport/
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/9221//console
This message is automatically generated.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263.patch, PAM Support.doc,
> TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652396#comment-15652396
]
Hadoop QA commented on AMBARI-12263:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12838241/TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml
against trunk revision .
{color:red}-1 patch{color}. The patch command could not apply the patch.
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/9203//console
This message is automatically generated.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263.patch, PAM Support.doc,
> TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt,
>
> org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652226#comment-15652226
]
Robert Levas commented on AMBARI-12263:
---
[~ghugare],
Please run the unit tests... there is a failure in
{{org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest}}
See attached.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263.patch, PAM Support.doc
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652035#comment-15652035 ] Vishal Ghugare commented on AMBARI-12263: - done, i have updated both review board and JIRA with new patch. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15651262#comment-15651262
]
Robert Levas commented on AMBARI-12263:
---
[~ghugare]
I had issues merging the patch into trunk. Can you fix?
{noformat}
git apply ~/Downloads/AMBARI-12263.patch
...
error: patch failed: ambari-server/pom.xml:1436
error: ambari-server/pom.xml: patch does not apply
error: patch failed:
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java:2355
error:
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java:
patch does not apply
error: patch failed:
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java:196
error:
ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java:
patch does not apply
error: patch failed:
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java:27
error:
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java:
patch does not apply
error: patch failed:
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java:216
error:
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java:
patch does not apply
error: patch failed:
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java:30
error:
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java:
patch does not apply
{noformat}
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263.patch, PAM Support.doc
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15618312#comment-15618312 ] Vishal Ghugare commented on AMBARI-12263: - Hello Henning, Thank you for trying out the patch. I will address these issues. -Vishal > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15611627#comment-15611627
]
Henning Kropp commented on AMBARI-12263:
Patch looks good. Thanks! We were able to successfully port it to current
Ambari 2.4.0.1
Something we noticed is that in a secured cluster we have issues with the
views, getting the following exception for the Hive view as an example:
{code}
Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS,
infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed to validate
proxy privilege of ambari for
org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@3459:33:32,
.
sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege of
ambari for
org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@3459),
serverProtocolVersion:null)
{code}
As you can see it tries to impersonte
{{"org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@3459:33:32"}}.
Changing the {{UsernamePasswordAuthenticationToken}} from {{Principal}} to
username fixes this.
So instead of :
{code}
UsernamePasswordAuthenticationToken token = new
UsernamePasswordAuthenticationToken(principal, null, userAuthorities);
{code}
We use:
{code}
UsernamePasswordAuthenticationToken token = new
UsernamePasswordAuthenticationToken(user.getUserName(), null, userAuthorities);
{code}
What could potential also work is, overriding {{toString}} of the principal
like:
{code}
Principal principal = new Principal() {
@Override
public String getName() {
return user.getUserName();
}
@Override
public String toString(){
return user.getUserName().toString();
}
};
{code}
We did not test this!
As a little side note, I notices you are using String concatenation in your
error logging like this: {{LOG.error("Message"+ ex.getMessage())}} I think the
{{public void error(String msg, Throwable t);}} interface would be preferable
in such scenarios, so: {{LOG.error("Message", ex)}}
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263.patch, PAM Support.doc
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15609603#comment-15609603
]
Hadoop QA commented on AMBARI-12263:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12835253/AMBARI-12263.patch
against trunk revision .
{color:red}-1 patch{color}. The patch command could not apply the patch.
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/9015//console
This message is automatically generated.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263.patch, PAM Support.doc
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15535079#comment-15535079
]
Hadoop QA commented on AMBARI-12263:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12831011/AMBARI-12263_trunk.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in
ambari-server.
Test results:
https://builds.apache.org/job/Ambari-trunk-test-patch/8766//testReport/
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/8766//console
This message is automatically generated.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263_trunk.patch, PAM Support.doc
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15532129#comment-15532129
]
Hadoop QA commented on AMBARI-12263:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12830804/PAM%20Support.doc
against trunk revision .
{color:red}-1 patch{color}. The patch command could not apply the patch.
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/8755//console
This message is automatically generated.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263_trunk.patch, PAM Support.doc
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15531340#comment-15531340
]
Hadoop QA commented on AMBARI-12263:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12830804/PAM%20Support.doc
against trunk revision .
{color:red}-1 patch{color}. The patch command could not apply the patch.
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/8751//console
This message is automatically generated.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263_trunk.patch, PAM Support.doc
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15530452#comment-15530452
]
Hadoop QA commented on AMBARI-12263:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12830742/AMBARI-12263_trunk.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:red}-1 javac{color:red}. The patch appears to cause the build to
fail.
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/8744//console
This message is automatically generated.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263_trunk.patch
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15388728#comment-15388728 ] Vishal Ghugare commented on AMBARI-12263: - Thank you for your input Henning. I am creating a new patch to address remarks 1 & 4. Revoke Privileges: The patch already revokes the privileges if a user no longer belongs to, for example, "admin group". Once a user is authenticated via PAM, we retrieve all the groups a user belongs to and update user-group membership. Please feel free to let me know if you have any questions. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263_trunk.patch > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15382054#comment-15382054
]
Henning Kropp commented on AMBARI-12263:
Patch looks good. Some remarks from my side:
1. Please make PAM service name configurable
The idea is to reuse system configuration for example of tools like Quest,
Centrify, Winbind, SSSD or ... Introducing a new {{ambari-pam}} file seems
like a duplication with the potential of being the root of much trouble. While
there is no good default for the service name 'sshd' and/or 'passwd' could
be used as suggestions to the user during setup.
2. Authorization
As the user needs to be created there needs to be authorization obviously. The
authorization of Ambari in a typical enterprise environment with a centralized
authorization entity (AD, LDAP) is broken. We might consider taking this as an
opportunity to fix authorization and preferably integrate it into the
{{AuthorizationFilter}}
already existing. In addition to operator or admin groups there should be
users/groups allow/deny properties to inactivate users or prohibit them from
login from the start.
There is already AMBARI-15040
3. Revoke Privileges
Going quickly through your patch I am not sure, if you ever revoke privileges?
So a user might no longer be in the "admin group" when logging in the next
time, so he needs to be revoked the privileges.
Again I would suggest to take the opportunity to consolidate this into some
work and fixing the AuthorisationFilter in Ambari.
4. Reduce DB connections
I noticed in your function {{void AmbariPamAuthorization}} in the for loop you
repeatedly call {{userDAO.findUserByName(userName)}} without userName ever
changing, so it will always return the same result!? Further the DAO of groups
and users could be extended to support adding and removing multiple groups with
one call instead of looping.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263_trunk.patch
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15380490#comment-15380490
]
Hadoop QA commented on AMBARI-12263:
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12818262/AMBARI-12263_trunk.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in
ambari-server.
Test results:
https://builds.apache.org/job/Ambari-trunk-test-patch/7881//testReport/
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/7881//console
This message is automatically generated.
> Support PAM as authentication mechanism for accessing Ambari UI/REST
>
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Eric Yang
>Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263_trunk.patch
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
