[ https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15611627#comment-15611627 ]
Henning Kropp commented on AMBARI-12263:
----------------------------------------

Patch looks good. Thanks! We were able to successfully port it to current Ambari 2.4.0.1.

Something we noticed is that in a secured cluster we have issues with the views, getting the following exception for the Hive view as an example:

{code}
Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS, infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed to validate proxy privilege of ambari for org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32, ..... sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege of ambari for org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119), serverProtocolVersion:null)
{code}

As you can see, it tries to impersonate {{"org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32"}}. Changing the {{UsernamePasswordAuthenticationToken}} from {{Principal}} to username fixes this. So instead of:

{code}
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(principal, null, userAuthorities);
{code}

We use:

{code}
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUserName(), null, userAuthorities);
{code}

What could potentially also work is overriding {{toString}} of the principal like:

{code}
Principal principal = new Principal() {
  @Override
  public String getName() {
    return user.getUserName();
  }

  @Override
  public String toString() {
    return user.getUserName().toString();
  }
};
{code}

We did not test this!

As a little side note, I noticed you are using String concatenation in your error logging like this:
{{LOG.error("Message"+ ex.getMessage())}}
I think the {{public void error(String msg, Throwable t);}} interface would be preferable in such scenarios, so:
{{LOG.error("Message", ex)}}

> Support PAM as authentication mechanism for accessing Ambari UI/REST
> --------------------------------------------------------------------
>
>                 Key: AMBARI-12263
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12263
>             Project: Ambari
>          Issue Type: Story
>          Components: ambari-server, ambari-web
>    Affects Versions: trunk
>            Reporter: Eric Yang
>            Assignee: Vishal Ghugare
>              Labels: security
>             Fix For: trunk
>
>         Attachments: AMBARI-12263.patch, PAM Support.doc
>
>
> Ambari GUI is using default "admin" user which is not a real user in
> operating system. Some company has strict password policy which can not be
> enforced to Ambari. It would be good to implement a Shiro PAM connector to
> authenticate user by Linux user credential.
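
The failure described in the comment above, as an added example that is not part of the original message or of AMBARI-12263.patch: an anonymous {{Principal}} without a {{toString}} override stringifies to a {{Class$1@hash}} identity, which is what ends up as the impersonated user when the object is turned into a string. The class {{ProxyUserNameDemo}}, the helper {{resolveUserName}}, the sample user {{alice}} and the user-name pattern are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.regex.Pattern;

public class ProxyUserNameDemo {
    // Assumed allow-list for Linux account names; adjust to the local naming policy.
    private static final Pattern USER_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_.-]{0,31}");

    /** Hypothetical helper: derive the name to forward as the impersonated (proxy) user. */
    static String resolveUserName(Object principal) {
        String name;
        if (principal instanceof Principal) {
            name = ((Principal) principal).getName(); // explicit name, never toString()
        } else if (principal instanceof String) {
            name = (String) principal;
        } else {
            throw new IllegalArgumentException("Unsupported principal type");
        }
        if (name == null || !USER_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("Refusing to impersonate: " + name);
        }
        return name;
    }

    public static void main(String[] args) {
        final String userName = "alice"; // constructed sample user
        // An anonymous Principal that overrides getName() only, without toString().
        Principal principal = new Principal() {
            @Override
            public String getName() {
                return userName;
            }
        };
        // Object identity such as ProxyUserNameDemo$1@1b6d3586 (hash varies per run).
        String leaked = String.valueOf(principal);
        System.out.println("stringified principal: " + leaked);
        System.out.println("resolved user name:    " + resolveUserName(principal));
        try {
            resolveUserName(leaked); // the leaked identity fails the allow-list
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:              " + e.getMessage());
        }
    }
}
```

Validating the name before it is used for impersonation turns a confusing downstream proxy-privilege error into an immediate failure at the point where the wrong value was produced.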