[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15713571#comment-15713571 ] Vishal Ghugare commented on AMBARI-12263: - Hello Henning, Can you please provide me steps/details to reproduce the hive view issue? > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk, 2.5.0 > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667431#comment-15667431 ] Hudson commented on AMBARI-12263: - FAILURE: Integrated in Jenkins build Ambari-branch-2.5 #326 (See [https://builds.apache.org/job/Ambari-branch-2.5/326/]) AMBARI-12263. Support PAM as authentication mechanism for accessing (rlevas: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=c446bf29f21125b3cbeb89b6e46badbba3bd5d77]) * (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Group.java * (edit) ambari-server/sbin/ambari-server * (edit) ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java * (edit) ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/dao/ResourceDAO.java * (edit) ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/GroupResponse.java * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/PamAuthenticationException.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java * (edit) ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java * (edit) ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java * (edit) ambari-server/src/main/python/ambari_server/setupActions.py * (edit) ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/entities/GroupEntity.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/ClientSecurityType.java * (edit) ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql * (edit) ambari-server/pom.xml * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/dao/GroupDAO.java * (edit) ambari-server/src/main/python/ambari-server.py * (edit) ambari-server/src/main/resources/properties.json * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java * (edit) ambari-server/src/main/python/ambari_server/setupSecurity.py * (add) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProviderTest.java * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java * (edit) ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/GroupType.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk, 2.5.0 > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667385#comment-15667385 ] Hudson commented on AMBARI-12263: - FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #6016 (See [https://builds.apache.org/job/Ambari-trunk-Commit/6016/]) AMBARI-12263. Support PAM as authentication mechanism for accessing (rlevas: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=b5a2bb8ddbc7badcdd459b443077d429c5e8235d]) * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java * (edit) ambari-server/src/main/resources/Ambari-DDL-Oracle-CREATE.sql * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/PamAuthenticationException.java * (edit) ambari-server/src/main/resources/Ambari-DDL-SQLAnywhere-CREATE.sql * (edit) ambari-server/src/main/resources/properties.json * (edit) ambari-server/src/main/resources/Ambari-DDL-MySQL-CREATE.sql * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java * (add) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProviderTest.java * (edit) ambari-server/src/main/python/ambari-server.py * (edit) ambari-server/src/main/resources/webapp/WEB-INF/spring-security.xml * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/GroupResourceProvider.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/UserType.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java * (edit) ambari-server/src/main/python/ambari_server/setupActions.py * (edit) ambari-server/pom.xml * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/dao/GroupDAO.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Group.java * (edit) ambari-server/src/main/python/ambari_server/setupSecurity.py * (edit) ambari-server/src/main/resources/Ambari-DDL-Postgres-CREATE.sql * (edit) ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/GroupResponse.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/security/ClientSecurityType.java * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariPamAuthenticationProvider.java * (add) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/GroupType.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/entities/GroupEntity.java * (edit) ambari-server/src/main/resources/Ambari-DDL-SQLServer-CREATE.sql * (edit) ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java * (edit) ambari-server/src/main/java/org/apache/ambari/server/orm/dao/ResourceDAO.java * (edit) ambari-server/sbin/ambari-server > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk, 2.5.0 > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667381#comment-15667381 ] Vishal Ghugare commented on AMBARI-12263: - Thanks Robert for your help. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk, 2.5.0 > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667361#comment-15667361 ] Robert Levas commented on AMBARI-12263: --- [~ghugare], I committed this patch: Committed to trunk {noformat} commit b5a2bb8ddbc7badcdd459b443077d429c5e8235d Author: Vishal Ghugare Date: Tue Nov 15 09:19:06 2016 -0500 {noformat} Committed to branch-2.5 {noformat} commit c446bf29f21125b3cbeb89b6e46badbba3bd5d77 Author: Vishal Ghugare Date: Tue Nov 15 09:54:03 2016 -0500 {noformat} You should resolve this JIRA and close the review. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk, 2.5.0 > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665586#comment-15665586 ] Hadoop QA commented on AMBARI-12263: {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12838862/AMBARI-12263.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 3 new or modified test files. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:red}-1 core tests{color}. The test build failed in ambari-server Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/9267//testReport/ Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/9267//console This message is automatically generated. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665318#comment-15665318 ] Vishal Ghugare commented on AMBARI-12263: - done. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15665186#comment-15665186 ] Robert Levas commented on AMBARI-12263: --- [~ghugare], The latest patch looks good, but fails to apply to the trunk {noformat} error: patch failed: ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java:2459 error: ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java: patch does not apply {noformat} Can you rebase and resubmit the patch to this JIRA and the review? > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15654646#comment-15654646 ] Hadoop QA commented on AMBARI-12263: {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12838379/AMBARI-12263.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 3 new or modified test files. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:red}-1 core tests{color}. The patch failed these unit tests in ambari-server: org.apache.ambari.server.state.ServicePropertiesTest org.apache.ambari.server.controller.metrics.JMXPropertyProviderTest org.apache.ambari.server.state.cluster.ClusterDeadlockTest org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProviderForDNWithSpaceTest Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/9221//testReport/ Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/9221//console This message is automatically generated. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652396#comment-15652396 ] Hadoop QA commented on AMBARI-12263: {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12838241/TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml against trunk revision . {color:red}-1 patch{color}. The patch command could not apply the patch. Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/9203//console This message is automatically generated. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc, > TEST-org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.xml, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest-output.txt, > > org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest.txt > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652226#comment-15652226 ] Robert Levas commented on AMBARI-12263: --- [~ghugare], Please run the unit tests... there is a failure in {{org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProviderTest}} See attached. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652035#comment-15652035 ] Vishal Ghugare commented on AMBARI-12263: - done, i have updated both review board and JIRA with new patch. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15651262#comment-15651262 ] Robert Levas commented on AMBARI-12263: --- [~ghugare] I had issues merging the patch into trunk. Can you fix? {noformat} git apply ~/Downloads/AMBARI-12263.patch ... error: patch failed: ambari-server/pom.xml:1436 error: ambari-server/pom.xml: patch does not apply error: patch failed: ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java:2355 error: ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java: patch does not apply error: patch failed: ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java:196 error: ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java: patch does not apply error: patch failed: ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java:27 error: ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java: patch does not apply error: patch failed: ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java:216 error: ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java: patch does not apply error: patch failed: ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java:30 error: ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java: patch does not apply {noformat} > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15618312#comment-15618312 ] Vishal Ghugare commented on AMBARI-12263: - Hello Henning, Thank you for trying out the patch. I will address these issues. -Vishal > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15611627#comment-15611627 ] Henning Kropp commented on AMBARI-12263: Patch looks good. Thanks! We were able to successfully port it to current Ambari 2.4.0.1 Something we noticed is that in a secured cluster we have issues with the views, getting the following exception for the Hive view as an example: {code} Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS, infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed to validate proxy privilege of ambari for org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@3459:33:32, . sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege of ambari for org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@3459), serverProtocolVersion:null) {code} As you can see it tries to impersonte {{"org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@3459:33:32"}}. Changing the {{UsernamePasswordAuthenticationToken}} from {{Principal}} to username fixes this. So instead of : {code} UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(principal, null, userAuthorities); {code} We use: {code} UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUserName(), null, userAuthorities); {code} What could potential also work is, overriding {{toString}} of the principal like: {code} Principal principal = new Principal() { @Override public String getName() { return user.getUserName(); } @Override public String toString(){ return user.getUserName().toString(); } }; {code} We did not test this! As a little side note, I notices you are using String concatenation in your error logging like this: {{LOG.error("Message"+ ex.getMessage())}} I think the {{public void error(String msg, Throwable t);}} interface would be preferable in such scenarios, so: {{LOG.error("Message", ex)}} > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15609603#comment-15609603 ] Hadoop QA commented on AMBARI-12263: {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12835253/AMBARI-12263.patch against trunk revision . {color:red}-1 patch{color}. The patch command could not apply the patch. Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/9015//console This message is automatically generated. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15535079#comment-15535079 ] Hadoop QA commented on AMBARI-12263: {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12831011/AMBARI-12263_trunk.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:red}-1 tests included{color}. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 core tests{color}. The patch passed unit tests in ambari-server. Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/8766//testReport/ Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/8766//console This message is automatically generated. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263_trunk.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15532129#comment-15532129 ] Hadoop QA commented on AMBARI-12263: {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12830804/PAM%20Support.doc against trunk revision . {color:red}-1 patch{color}. The patch command could not apply the patch. Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/8755//console This message is automatically generated. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263_trunk.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15531340#comment-15531340 ] Hadoop QA commented on AMBARI-12263: {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12830804/PAM%20Support.doc against trunk revision . {color:red}-1 patch{color}. The patch command could not apply the patch. Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/8751//console This message is automatically generated. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263_trunk.patch, PAM Support.doc > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15530452#comment-15530452 ] Hadoop QA commented on AMBARI-12263: {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12830742/AMBARI-12263_trunk.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:red}-1 tests included{color}. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. {color:red}-1 javac{color:red}. The patch appears to cause the build to fail. Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/8744//console This message is automatically generated. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263_trunk.patch > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15388728#comment-15388728 ] Vishal Ghugare commented on AMBARI-12263: - Thank you for your input Henning. I am creating a new patch to address remarks 1 & 4. Revoke Privileges: The patch already revokes the privileges if a user no longer belongs to, for example, "admin group". Once a user is authenticated via PAM, we retrieve all the groups a user belongs to and update user-group membership. Please feel free to let me know if you have any questions. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263_trunk.patch > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15382054#comment-15382054 ] Henning Kropp commented on AMBARI-12263: Patch looks good. Some remarks from my side: 1. Please make PAM service name configurable The idea is to reuse system configuration for example of tools like Quest, Centrify, Winbind, SSSD or ... Introducing a new {{ambari-pam}} file seems like a duplication with the potential of being the root of much trouble. While there is no good default for the service name 'sshd' and/or 'passwd' could be used as suggestions to the user during setup. 2. Authorization As the user needs to be created there needs to be authorization obviously. The authorization of Ambari in a typical enterprise environment with a centralized authorization entity (AD, LDAP) is broken. We might consider taking this as an opportunity to fix authorization and preferably integrate it into the {{AuthorizationFilter}} already existing. In addition to operator or admin groups there should be users/groups allow/deny properties to inactivate users or prohibit them from login from the start. There is already AMBARI-15040 3. Revoke Privileges Going quickly through your patch I am not sure, if you ever revoke privileges? So a user might no longer be in the "admin group" when logging in the next time, so he needs to be revoked the privileges. Again I would suggest to take the opportunity to consolidate this into some work and fixing the AuthorisationFilter in Ambari. 4. Reduce DB connections I noticed in your function {{void AmbariPamAuthorization}} in the for loop you repeatedly call {{userDAO.findUserByName(userName)}} without userName ever changing, so it will always return the same result!? Further the DAO of groups and users could be extended to support adding and removing multiple groups with one call instead of looping. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263_trunk.patch > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (AMBARI-12263) Support PAM as authentication mechanism for accessing Ambari UI/REST
[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15380490#comment-15380490 ] Hadoop QA commented on AMBARI-12263: {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12818262/AMBARI-12263_trunk.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:red}-1 tests included{color}. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 core tests{color}. The patch passed unit tests in ambari-server. Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/7881//testReport/ Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/7881//console This message is automatically generated. > Support PAM as authentication mechanism for accessing Ambari UI/REST > > > Key: AMBARI-12263 > URL: https://issues.apache.org/jira/browse/AMBARI-12263 > Project: Ambari > Issue Type: Story > Components: ambari-server, ambari-web >Affects Versions: trunk >Reporter: Eric Yang >Assignee: Vishal Ghugare > Labels: security > Fix For: trunk > > Attachments: AMBARI-12263_trunk.patch > > > Ambari GUI is using default "admin" user which is not a real user in > operating system. Some company has strict password policy which can not be > enforced to Ambari. It would be good to implement a Shiro PAM connector to > authenticate user by Linux user credential. -- This message was sent by Atlassian JIRA (v6.3.4#6332)