[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15382054#comment-15382054 ]
Henning Kropp commented on AMBARI-12263:
----------------------------------------

Patch looks good. Some remarks from my side:

1. Please make the PAM service name configurable
The idea is to reuse the system configuration, for example of tools like Quest, Centrify, Winbind, SSSD or ... Introducing a new {{ambari-pam}} file seems like a duplication with the potential of being the root of much trouble. While there is no good default for the service name, 'sshd' and/or 'passwd' could be used as suggestions to the user during setup.

2. Authorization
As the user needs to be created, there obviously needs to be authorization. The authorization of Ambari in a typical enterprise environment with a centralized authorization entity (AD, LDAP) is broken. We might consider taking this as an opportunity to fix authorization and preferably integrate it into the already existing {{AuthorizationFilter}}. In addition to operator or admin groups there should be users/groups allow/deny properties to inactivate users or prohibit them from logging in from the start. There is already AMBARI-15040.

3. Revoke privileges
Going quickly through your patch, I am not sure if you ever revoke privileges. A user might no longer be in the "admin group" when logging in the next time, so his privileges need to be revoked. Again, I would suggest taking the opportunity to consolidate this into some work on fixing the {{AuthorizationFilter}} in Ambari.

4. Reduce DB connections
I noticed that in your function {{void AmbariPamAuthorization}}, in the for loop, you repeatedly call {{userDAO.findUserByName(userName)}} without userName ever changing, so it will always return the same result!? Further, the DAO of groups and users could be extended to support adding and removing multiple groups with one call instead of looping.
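Remarks 3 and 4 describe one reconciliation step: look the user up once, compare the groups PAM reports at login with the stored memberships, and revoke what the user has lost (including admin) in a bulk update. The following is an added illustration of that logic, not Ambari code; the in-memory `MemberStore`, `find_user_by_name` and `set_groups` are hypothetical stand-ins for the user/group DAOs.

```python
# Added illustration (not Ambari code): reconcile a user's stored group
# memberships with the groups reported by PAM at login, in a single pass.
# MemberStore and its methods are hypothetical stand-ins for Ambari's DAOs.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    admin: bool = False


class MemberStore:
    """In-memory stand-in for userDAO/groupDAO (constructed for this example)."""

    def __init__(self):
        self.users = {}
        self.lookups = 0  # counts find_user_by_name calls, to show it runs once per login

    def find_user_by_name(self, name):
        self.lookups += 1
        return self.users.setdefault(name, User(name))

    def set_groups(self, user, add, remove):
        # one bulk update instead of one DAO call per group
        user.groups |= add
        user.groups -= remove


def sync_pam_groups(store, user_name, pam_groups, admin_group):
    """Reconcile memberships; return (added, revoked, is_admin)."""
    user = store.find_user_by_name(user_name)  # single lookup, outside any loop
    current = set(pam_groups)
    added = current - user.groups
    revoked = user.groups - current  # groups the user left since the last login
    store.set_groups(user, added, revoked)
    # admin follows group membership, so it is revoked as soon as PAM stops reporting it
    user.admin = admin_group in current
    return sorted(added), sorted(revoked), user.admin


if __name__ == "__main__":
    store = MemberStore()
    print(sync_pam_groups(store, "alice", ["hadoop", "admins"], "admins"))  # first login
    print(sync_pam_groups(store, "alice", ["hadoop"], "admins"))  # removed from admins
```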
> Support PAM as authentication mechanism for accessing Ambari UI/REST
> --------------------------------------------------------------------
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
> Affects Versions: trunk
> Reporter: Eric Yang
> Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263_trunk.patch
>
>
> The Ambari GUI is using the default "admin" user, which is not a real user in the
> operating system. Some companies have strict password policies which cannot be
> enforced in Ambari. It would be good to implement a Shiro PAM connector to
> authenticate users by Linux user credentials.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)