[
https://issues.apache.org/jira/browse/AMBARI-12263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15611627#comment-15611627
]
Henning Kropp commented on AMBARI-12263:
----------------------------------------
Patch looks good. Thanks! We were able to successfully port it to current
Ambari 2.4.0.1.
Something we noticed is that in a secured cluster we have issues with the
views, getting the following exception for the Hive view as an example:
{code}
Struct:TOpenSessionResp(status:TStatus(statusCode:ERROR_STATUS,
infoMessages:[*org.apache.hive.service.cli.HiveSQLException:Failed to validate
proxy privilege of ambari for
org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32,
.....
sqlState:08S01, errorCode:0, errorMessage:Failed to validate proxy privilege of
ambari for
org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119),
serverProtocolVersion:null)
{code}
As you can see it tries to impersonate
{{"org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider$1@34511119:33:32"}}.
Changing the {{UsernamePasswordAuthenticationToken}} from {{Principal}} to
username fixes this.
So instead of:
{code}
UsernamePasswordAuthenticationToken token =
    new UsernamePasswordAuthenticationToken(principal, null, userAuthorities);
{code}
We use:
{code}
UsernamePasswordAuthenticationToken token =
    new UsernamePasswordAuthenticationToken(user.getUserName(), null, userAuthorities);
{code}
What could potentially also work is overriding {{toString}} of the principal
like:
{code}
Principal principal = new Principal() {
  @Override
  public String getName() {
    return user.getUserName();
  }

  @Override
  public String toString() {
    return user.getUserName().toString();
  }
};
{code}
We did not test this!
As a little side note, I noticed you are using String concatenation in your
error logging like this: {{LOG.error("Message"+ ex.getMessage())}}. I think the
{{public void error(String msg, Throwable t);}} interface would be preferable
in such scenarios, so: {{LOG.error("Message", ex)}}
> Support PAM as authentication mechanism for accessing Ambari UI/REST
> --------------------------------------------------------------------
>
> Key: AMBARI-12263
> URL: https://issues.apache.org/jira/browse/AMBARI-12263
> Project: Ambari
> Issue Type: Story
> Components: ambari-server, ambari-web
> Affects Versions: trunk
> Reporter: Eric Yang
> Assignee: Vishal Ghugare
> Labels: security
> Fix For: trunk
>
> Attachments: AMBARI-12263.patch, PAM Support.doc
>
>
> Ambari GUI is using the default "admin" user, which is not a real user in
> the operating system. Some companies have strict password policies which
> cannot be enforced in Ambari. It would be good to implement a Shiro PAM
> connector to authenticate users by Linux user credentials.
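
The failure described in the comment above, reproduced without Ambari or Spring as an added example (not code from the patch or from the comment). It assumes the consumer derives the proxy user by stringifying the token's principal; {{proxyUserFor}}, {{requireLoginName}} and the user "alice" are hypothetical names constructed for illustration.

```java
import java.security.Principal;
import java.util.regex.Pattern;

public class ProxyUserNameDemo {
    // Shape of the default Object.toString(): <class name>@<hex identity hash>
    private static final Pattern IDENTITY_STRING =
        Pattern.compile("^[\\w.$]+@[0-9a-f]+$");

    // Hypothetical consumer (assumption): the user to impersonate is obtained
    // by stringifying whatever object was stored as the token's principal.
    static String proxyUserFor(Object tokenPrincipal) {
        return String.valueOf(tokenPrincipal);
    }

    // Heuristic guard: refuse a value that looks like an object identity
    // string instead of a login name before it reaches a downstream service.
    static String requireLoginName(String candidate) {
        if (candidate == null || candidate.isEmpty()
                || IDENTITY_STRING.matcher(candidate).matches()) {
            throw new IllegalArgumentException("not a login name: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) {
        final String userName = "alice"; // constructed sample user

        // Anonymous Principal that only implements getName()
        Principal bare = new Principal() {
            @Override public String getName() { return userName; }
        };
        // Variant that also overrides toString(), as suggested in the comment
        Principal named = new Principal() {
            @Override public String getName() { return userName; }
            @Override public String toString() { return userName; }
        };

        System.out.println("bare principal   -> " + proxyUserFor(bare));
        System.out.println("named principal  -> " + proxyUserFor(named));
        System.out.println("plain user name  -> " + proxyUserFor(userName));

        try {
            requireLoginName(proxyUserFor(bare));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```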