Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.5.1, 0.6.0
    • Fix Version/s: 0.6.0
    • Component/s: admin
    • Flags: Patch

      Description

      Ranger currently uses shadow-based authentication when configured for Unix authentication. This way of authenticating is somewhat outdated, as any recent Linux system (and many of the BSDs) has PAM available. PAM allows multiple authentication sources and also does authorization.

      Ranger should be able to use PAM for authentication


          Activity

          Bolke de Bruin (Reporter) added a comment - edited

          This patch adds support for authentication against PAM.

          • /etc/pam.d/ranger-remote is used for remote authentication
          • /etc/pam.d/ranger-admin is used for native authentication
          1. unixauthnative now uses PAM as a standard as it doesn't seem to make sense to keep /etc/shadow based authentication in modern times (using /etc/pam.d/passwd as an example for /etc/pam.d/ranger-remote you have backwards compatibility)
          2. a new option "PAM" is available next to LDAP,AD,UNIX
          3. the patch now also adds the benefit of compiling and working on OSX

          Please note that this patch adds a dependency on libpam4j which is MIT licensed. It is only required for JAAS PAM.

          Additional tests have not been supplied. Any test would require valid credentials on the test system. If these can be supplied I will add some tests.

          Bolke de Bruin (Reporter) added a comment

          Velmurugan Periasamy FYI
          rangerqa added a comment

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12787258/0001-Implements-ranger-admin-authentication-remote-and-na.patch
          against master revision 6ca739b.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          -1 javac. The patch appears to cause the build to fail.

          Console output: https://builds.apache.org/job/PreCommit-RANGER-Build/43//console

          This message is automatically generated.

          Bolke de Bruin (Reporter) added a comment - edited

          It is unclear to me why the build fails?

          rangerqa added a comment

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12787356/0001-Implements-ranger-admin-authentication-remote-and-na.patch
          against master revision 6ca739b.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          -1 javac. The patch appears to cause the build to fail.

          Console output: https://builds.apache.org/job/PreCommit-RANGER-Build/44//console

          This message is automatically generated.

          Ramesh Mani added a comment - edited

          Bolke de Bruin, if the "PAM" routine is to be the authentication method for Unix, why do we need additional properties for PAM?
          Also, how will it be if Kerberos / SSL is configured?

          Bolke de Bruin (Reporter) added a comment

          Ramesh Mani I'm not sure what you are aiming at. This is an additional authentication mechanism next to LDAP, AD, UNIX (by means of /etc/passwd). See also #ranger-827. The way authentication works I am not interfering with and was a design choice in Ranger. What do you mean by additional properties? If what you are referring to is not replacing "UNIX /etc/passwd authentication" with PAM then this is for backwards compatibility reasons. If something else please elaborate.

          This patch does not interfere with either Kerberos or SSL.

          On a side note: can someone explain to me why the build fails? The logs do not indicate much and locally it builds fine.

          Ramesh Mani added a comment - edited

          Bolke de Bruin, what I meant was that ranger admin uses properties in ranger-admin-default-site.xml and ranger-admin-site.xml -> ranger.authentication.method to define which kind of authentication is used. When PAM is in place we just change this property to "PAM" and this should take care of the authentication via "PAM". I wanted some writeup on how to test this mechanism if I need to do so.
          Also regarding Kerberos, I see that PAM can be configured with Kerberos, and if it's done like that we don't need any additional parameters in ranger-admin to handle this?

          Bolke de Bruin (Reporter) added a comment

          OK, I updated the patch to make it a bit more user friendly. Ramesh Mani, see below for the steps to activate it. Please note that due to missing header files (and maybe libraries) on rangerqa-jenkins the build will fail. I don't know how to solve this. "pam-devel" or "pam-dev" are the required packages.

          • set ranger.authentication.method to PAM
          • create /etc/pam.d/ranger-remote (not configurable)
          • create /etc/pam.d/ranger-admin (configurable)
          • set ranger.pam.service property to "ranger-admin" (standard) or the name you configured above
          rangerqa added a comment

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12787840/0002-RANGER-842-pam-authentication.patch
          against master revision c20a0d1.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          -1 javac. The patch appears to cause the build to fail.

          Console output: https://builds.apache.org/job/PreCommit-RANGER-Build/52//console

          This message is automatically generated.

          Selvamohan Neethiraj added a comment

          Bolke de Bruin - Does libpam4j contain BSD-licensed C code? My understanding is that the Apache project has some restrictions on licenses associated with the libraries used in Apache 2 projects. Is BSD-licensed code allowed for Apache projects?
          cc: Don Bosco Durai

          Bolke de Bruin (Reporter) added a comment

          Selvamohan Neethiraj, all libpam4j files are MIT licensed, which, as far as I know, is a compatible license. In my patch I added it to NOTICE.txt with a reference to the copyright holder.

          Don Bosco Durai added a comment

          Both MIT and BSD licenses should be fine with Apache projects. Thanks

          Bolke de Bruin (Reporter) added a comment - edited

          Ramesh Mani, any feedback? Additional clarifications needed?

          I have also submitted the patch to the review board.

          Ramesh Mani added a comment

          Review request from Bolke de Bruin https://reviews.apache.org/r/43584/
          Ramesh Mani added a comment - edited

          +1 for the PATCH.
          I could apply and build it locally. Error was due to failure of unit test report publishing.

          Ramesh Mani added a comment

          Bolke de Bruin, you had mentioned this:
          "Implementation was done for JAAS and Remote (C) For remote authentication it is now needed to have the pam headers and libraries installed (not available currently with rangerqa)
          For remote authentication a /etc/pamd.d/ranger-remote config file is required. This is hardcoded in the C file. This file needs to exist otherwise authentication will fail. For local authentication the property "ranger.pam.service" can be configured. It defaults to "ranger-admin" and thus refers to /etc/pam.d/ranger-admin by default. This file needs to exist otherwise authentication will fail

          • To enable PAM authentication set ranger.authentication.method to PAM"

          So when PAM has to be used, are you saying that the files /etc/pam.d/ranger-admin and /etc/pamd.d/ranger-remote are to be created manually?
          How will this patch affect the case where PAM is not used, i.e. how is the normal authentication going to work? This will clarify my testing part.

          Bolke de Bruin (Reporter) added a comment - edited

          Ramesh Mani, in general yes. So when you ship rpms or debs for the different distributions you would need to include these files and make sure they are installed at the right location. They are distribution specific (i.e. RedHat uses different contents than Debian does).

          In case these files are not present PAM will automatically fall back to /etc/pam.d/other. It again depends on the distribution what is in these files. Redhat/CentOS 7 default to deny everything; I don't know what Debian is doing.

          In the case of UNIX authentication the non-remote part will still allow authentication from /etc/passwd. I, personally, consider this outdated and it should be replaced by PAM. But if you choose UNIX as authentication mechanism it will still use the old code path.

          My patch does however impact the remote authentication (i.e. the C implementation). Remote authentication now only allows PAM and does not use /etc/passwd anymore. If you would like to mimic the old behavior you can symlink /etc/pam.d/ranger-remote to /etc/pam.d/passwd. I have chosen this to keep remote authentication simple and to make sure you are not triggering two login attempts (e.g. if I would try PAM first and then /etc/passwd) as that could be a security incident.

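The activation steps given earlier (set ranger.authentication.method to PAM, create /etc/pam.d/ranger-remote and /etc/pam.d/ranger-admin, set ranger.pam.service) and the fallback behaviour described in the comment above (a missing service file silently makes PAM apply /etc/pam.d/other, which on RHEL/CentOS 7 denies everything) are easy to get wrong on a fresh host. The following pre-flight script is an added example for this thread, not code from the Ranger project or any of the participants. It assumes ranger-admin-site.xml uses Hadoop-style `<property><name>..</name><value>..</value></property>` entries, that the native validator always uses the `ranger-remote` service, and that `security/pam_appl.h` is the header the build needs; the site file, PAM directory and include directory are parameters so it can run against a scratch directory.

```shell
#!/bin/sh
# Pre-flight check before enabling PAM authentication for Ranger admin.
# Added example, not Ranger project code. Assumptions: Hadoop-style XML
# properties, the native validator's hardcoded "ranger-remote" service, and
# the default admin service name "ranger-admin" from this thread.

# ranger_prop FILE NAME: print the <value> of property NAME (empty if absent).
ranger_prop() {
    tr -d '\n' < "$1" |
        sed -n "s#.*<name>$2</name>[[:space:]]*<value>\([^<]*\)</value>.*#\1#p"
}

# pam_service_status PAMDIR SERVICE: "ok" when PAMDIR/SERVICE exists,
# "fallback-other" when only PAMDIR/other exists (PAM then applies that
# catch-all policy instead), "missing" when neither exists.
pam_service_status() {
    if [ -f "$1/$2" ]; then
        echo ok
    elif [ -f "$1/other" ]; then
        echo fallback-other
    else
        echo missing
    fi
}

# pam_headers_present INCLUDEDIR: succeeds if security/pam_appl.h is present,
# i.e. the pam-devel / pam-dev package needed to compile the native validator.
pam_headers_present() {
    [ -f "$1/security/pam_appl.h" ]
}

# pam_preflight SITEFILE PAMDIR: returns 0 when PAM is not the configured
# method, or when every PAM service file the validators need exists; 1 otherwise.
pam_preflight() {
    site="$1"; pamdir="$2"
    method=$(ranger_prop "$site" ranger.authentication.method)
    if [ "$method" != "PAM" ]; then
        echo "ranger.authentication.method is '${method:-unset}', PAM not in use"
        return 0
    fi
    service=$(ranger_prop "$site" ranger.pam.service)
    [ -n "$service" ] || service=ranger-admin   # default named in the thread
    rc=0
    # ranger-remote is fixed in the native validator; the admin service is configurable.
    for svc in "$service" ranger-remote; do
        case $(pam_service_status "$pamdir" "$svc") in
            ok)             echo "ok:      $pamdir/$svc" ;;
            fallback-other) echo "WARNING: $pamdir/$svc missing, PAM will apply $pamdir/other"; rc=1 ;;
            missing)        echo "ERROR:   $pamdir/$svc missing and no $pamdir/other"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo against a scratch directory with constructed input:  sh preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir "$tmp/pam.d"
    cat > "$tmp/ranger-admin-site.xml" <<'EOF'
<configuration>
  <property><name>ranger.authentication.method</name><value>PAM</value></property>
  <property><name>ranger.pam.service</name><value>ranger-admin</value></property>
</configuration>
EOF
    : > "$tmp/pam.d/other"   # stand-in for the distribution's catch-all policy
    pam_preflight "$tmp/ranger-admin-site.xml" "$tmp/pam.d" || echo "-> fix before enabling PAM"
    # Minimal service files (assumed content): authenticate and check the account
    # against the local account database through pam_unix.
    for svc in ranger-admin ranger-remote; do
        printf 'auth     required  pam_unix.so\naccount  required  pam_unix.so\n' > "$tmp/pam.d/$svc"
    done
    pam_preflight "$tmp/ranger-admin-site.xml" "$tmp/pam.d" && echo "-> ready"
    rm -rf "$tmp"
fi
```

On a real host, source the script and call `pam_preflight <path to ranger-admin-site.xml> /etc/pam.d` before switching the method to PAM, and `pam_headers_present /usr/include` on a build host to explain the `security/pam_appl.h: No such file or directory` failure seen later in this thread. The check deliberately treats the fallback-to-`other` case as a failure: whether that silently denies every login or silently permits one depends on the distribution, and neither is what an administrator enabling PAM intended.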
          Yan added a comment

          This is a very interesting feature. Are there any updates/discussions/merge schedules on this jira? Thanks.

          Ramesh Mani added a comment

          I am looking into testing this before I can merge this.

          Madhavi Amirneni added a comment

          This is an interesting feature. Is there any update for the patch testing?

          Yan added a comment

          Ramesh Mani Any updates on the testing? Thanks!

          Ramesh Mani added a comment

          @Yan We are adding the fallback functionality to configure the normal way if the Ranger PAM configuration is not there. Will merge this patch soon.

          Selvamohan Neethiraj added a comment

          Bolke de Bruin - Ramesh and I tested this patch with a build setup on a separate Apache branch (ranger-842-tester). This patch requires the "security/pam_appl.h" header file for it to build successfully. Do you know if we can have this as a prerequisite for the build machines? Currently, the build machines do not have this - see the log from https://builds.apache.org/job/ranger-ranger842-mvn-build/1/console

          [INFO] --- native-maven-plugin:1.0-alpha-8:compile (default-compile) @ credValidator ---
          [INFO] /bin/sh -c cd /home/jenkins/jenkins-slave/workspace/ranger-ranger842-mvn-build/unixauthnative && gcc -I/home/jenkins/jenkins-slave/workspace/ranger-ranger842-mvn-build/unixauthnative/src/main/c -o /home/jenkins/jenkins-slave/workspace/ranger-ranger842-mvn-build/unixauthnative/target/objs/credValidator.o -c /home/jenkins/jenkins-slave/workspace/ranger-ranger842-mvn-build/unixauthnative/src/main/c/credValidator.c
          /home/jenkins/jenkins-slave/workspace/ranger-ranger842-mvn-build/unixauthnative/src/main/c/credValidator.c:25:31: fatal error: security/pam_appl.h: No such file or directory
           #include <security/pam_appl.h>
                                         ^
          compilation terminated.
          [INFO]
          [INFO] ------------------------------------------------------------------------
          [INFO] Skipping ranger
          [INFO] This project has been banned from the build due to previous failures.
          [INFO] ------------------------------------------------------------------------

          .....

          [INFO] Unix Native Authenticator ......................... FAILURE [0.728s]
          [INFO] ------------------------------------------------------------------------
          [INFO] BUILD FAILURE
          [INFO] ------------------------------------------------------------------------

          cc: Ramesh Mani

          Bolke de Bruin (Reporter) added a comment

          I'm a bit surprised that you are asking me. This header file is part of the PAM devel package, which is available in all Linux repos. So if you do not manage the build system you might need to ask Apache Infra, or maybe add it to Jenkins?

          Selvamohan Neethiraj added a comment

          I am looking at options and finding out - some of the existing users of Ranger may not have PAM libraries installed on their Linux servers. In such a case, can we have two different executable files - one for users who use /etc/password based authentication (uses the crypt library) - another one for users who want to use PAM based authentication.

          Any thoughts ?

          Bolke de Bruin (Reporter) added a comment

          You could do that. However I would challenge you to find a Linux install that does not have PAM available. The large distributions all include it as it is the standard for authentication on this platform.

          Obviously if you supply a precompiled rpm/deb one does not need the development headers installed.

          Scott C Gray added a comment

          I agree with Bolke de Bruin, I have never seen a system without PAM other than, maybe, embedded systems.

          How are things progressing with the updates to separate the PAM and Unix auth? If you would like help testing, please let me know, I have an environment that is in need of this work and can help out if needed.

          Larry McCay added a comment

          I am interested in this capability and have an outstanding patch for Knox to add the same. https://issues.apache.org/jira/browse/KNOX-537
          This would make PAM based authn available to Ranger through KnoxSSO as well.

          I am curious as to what things if any should be aligned between our two integrations.
          For instance, what things are available to configure in each, etc.

          I would also certainly welcome any help testing PAM for Knox as well!

          Selvamohan Neethiraj added a comment

          I am currently trying out the option to create two executables - one for those who use the traditional model and a new one for those who use PAM authentication. I will update the details within the next couple of days.

          Regarding systems without PAM, I am just really worried about breaking existing Ranger users who may have systems that do not have PAM libraries, which would cause the upgrade to break their existing model. So, I really like the two-executable model - where the PAM based executable is used only if the user selects PAM authentication.

          Yujie Li added a comment

          I have been testing this patch and it builds successfully.
          But I have one question regarding the testing. I am currently building the source with the patch into RPMs and installing Ranger using the Ambari web interface. During the installation, I still don't see a new option "PAM" next to the other authentication methods, so I chose UNIX instead. Isn't this patch supposed to add a new option for authentication methods? In this case, how can I test the PAM function? Can I manually change the method to PAM after the installation?

          Selvamohan Neethiraj added a comment

          Yujie Li - Only after we commit this feature into Ranger, Ambari will be able to support this feature.

          Bolke de Bruin/Scott C Gray - I have rebased the attached patch; I also modified the design to support the 'traditional' UNIX authentication using the credValidator (old exe file) and added your changes to a new module, unixauthpam.
          Based on this new approach, the ranger administrator should set
          'ranger.authentication.method' to 'PAM' in ranger-admin-site.xml and
          'ranger.usersync.passwordvalidator.path' to './native/pamCredValidator.uexe'

          Please apply '0001-RANGER-842-This-patch-adds-PAM-auth-support-to-range.patch' first
          and then, apply '0002-RANGER-842modified-to-create-a-separate-module-for.patch'
          to test these patches.

          Please review and provide your feedback.

          sneethiraj Selvamohan Neethiraj added a comment - - edited
          Please apply '0001-RANGER-842-This-patch-adds-PAM-auth-support-to-range.patch' first and then '0002-RANGER-842-modified-to-create-a-separate-module-for-.patch' to validate this change.
          
          rangerqa rangerqa added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12813000/0002-RANGER-842-modified-to-create-a-separate-module-for-.patch
          against master revision 65d7fbc.

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/PreCommit-RANGER-Build/276//console

          This message is automatically generated.

          rangerqa rangerqa added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12817204/0003-RANGER-842-Fixed-Apache-License-Header-and-Added-add.patch
          against master revision 937e0ba.

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/PreCommit-RANGER-Build/290//console

          This message is automatically generated.

          yujie.li Yujie Li added a comment -

          Hello,
          I am testing the new patches that Selvamohan Neethiraj provided. Couple of questions here.
          1.
          I set ranger.authentication.method to PAM and created ranger-admin and ranger-remote files under /etc/pam.d. When I am debugging, the PAM module is used but every time PAM authentication would fail and try JDBCAuthentication instead. This is weird. Am I doing anything wrong? How should I configure the pam files?

          2.
          I am also testing the fallback functionality. Right now Ranger is running on a machine without the pam-devel library but of course with PAM. The build won't fail any more. But I am just curious about the fallback functionality. Is this for machines that don't have PAM at all (both PAM and the pam-devel library)?

          Thanks!

          sneethiraj Selvamohan Neethiraj added a comment -

          Yujie Li

          1. If you set PAM authentication, it should authenticate via PAM first; however, to support LOCAL users, the authentication will continue to JDBCAuthentication if the PAM authentication fails.
          For non-LOCAL users, the encrypted-password stored in the JDBC table is random plain-text, which will never match.

          2. If the build machine does not have the pam-devel library, the ranger pom.xml will avoid building the PAM-based authentication executable. So, you will not have the PAM executable (pamCredValidator.uexe) under the ./unixauthpam/target/ folder.

          Hope this answers your questions,

          yujie.li Yujie Li added a comment -

          Thanks for the explanation. Based on that, I tried to do authentication for local/non-local users with different PAM configurations. All tests are going great and their authentication results make sense.

          Thank you.

          rmani Ramesh Mani added a comment - - edited

          Committed the patches into master.
          https://git1-us-west.apache.org/repos/asf?p=incubator-ranger.git;a=commit;h=42d8db56
          http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/5ba4831f
          http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b063a998

          bolke Bolke de Bruin added a comment - Reporter

          Nice! Thanks.

          yzhou2001 Yan added a comment -

          When PAM is used, it seems that Ranger has to be run as root. Otherwise the authentication would fail. More investigation suggests that the permission of /etc/shadow is the issue. If its permission were changed to "all readable", although obviously an unwise value, PAM would work well.

          Is this an expected behavior? Thanks!

          bolke Bolke de Bruin added a comment - Reporter

          This is expected and is also true for the previous setup (using shadow directly). Making /etc/shadow world-readable is a security issue.

          Btw, the only thing that is required to run as root is the ranger-pam service.


          yzhou2001 Yan added a comment -

          It seems to be OK to run Ranger as a non-root user "using shadow directly". On the other hand, having to run Ranger as root might raise some eyebrows. Maybe we can consider use of setuid in Ranger for finer control?
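Neither Yujie Li's question about how to write the pam.d files nor Yan's root observation is answered concretely in the thread, so here is a PAM service file added as an example (not a file from the Ranger project or from any commenter). The file name comes from the reporter's description; the choice of pam_unix, and the pam_sss alternative, are assumptions about a typical Linux host.

```text
# /etc/pam.d/ranger-admin  (constructed example; copy the same stack to
# /etc/pam.d/ranger-remote for the usersync side). Modelled on the stock
# /etc/pam.d/passwd stack that the reporter suggests as a template.

# auth phase: verify the supplied password against the local account database.
# pam_unix reads /etc/shadow, which is root-readable only, so the PAM caller
# (pamCredValidator.uexe) must run as root to check passwords of users other
# than itself. Making /etc/shadow world-readable is not an acceptable workaround.
auth     required   pam_unix.so

# account phase: reject expired or locked accounts even when the password is
# correct. This only takes effect if the caller also runs pam_acct_mgmt, which
# the thread does not state for pamCredValidator.
account  required   pam_unix.so

# Assumed alternative for an sssd-joined host: pam_sss talks to the sssd daemon
# over a socket and does not read /etc/shadow, so the root requirement goes away.
# auth     required   pam_sss.so
# account  required   pam_sss.so
```

When the caller is not root, pam_unix falls back to the setuid unix_chkpwd helper, which only verifies the calling user's own password; that is why a non-root validator fails for every other user while a world-readable /etc/shadow "works".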


            People

            • Assignee: sneethiraj Selvamohan Neethiraj
            • Reporter: bolke Bolke de Bruin
            • Votes: 0
            • Watchers: 12