[ https://issues.apache.org/jira/browse/DRILL-5820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181668#comment-16181668 ]
ASF GitHub Bot commented on DRILL-5820: --------------------------------------- Github user paul-rogers commented on a diff in the pull request: https://github.com/apache/drill/pull/962#discussion_r141198807 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/Pam4jUserAuthenticator.java --- 
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+import org.jvnet.libpam.PAM;
+import org.jvnet.libpam.PAMException;
+import org.jvnet.libpam.UnixUser;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * Implement {@link org.apache.drill.exec.rpc.user.security.UserAuthenticator} based on Pluggable Authentication
+ * Module (PAM) configuration. Configure the PAM profiles using "drill.exec.security.user.auth.pam_profiles" BOOT
+ * option. Ex. value <i>[ "login", "sudo" ]</i> (value is an array of strings).
+ */
+@UserAuthenticatorTemplate(type = "pam4j")
+public class Pam4jUserAuthenticator implements UserAuthenticator {
+ private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+
+ private List<String> profiles;
+
+ @Override
+ public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+ profiles = drillConfig.getStringList(ExecConstants.PAM_AUTHENTICATOR_PROFILES);
+ }
+
+ @Override
+ public void authenticate(String user, String password) throws UserAuthenticationException {
+ for (String profile : profiles) {
+ PAM pam = null;
+ UnixUser unixUser;
+ try {
+ pam = new PAM(profile);
+ unixUser = pam.authenticate(user, password);
+ } catch (PAMException ex) {
+ logger.error("PAM auth failed for user: {} against {} profile. Exception: {}", user, profile, ex.getMessage());
+ throw new UserAuthenticationException(String.format("PAM auth failed for user: %s using profile: %s",
+ user, profile));
+ } finally {
+ if (pam != null) {
+ pam.dispose();
+ }
+ }
+
+ if (!user.equals(unixUser.getUserName())) {
+ throw new UserAuthenticationException(String.format("Unexpected error from pam module. Input user %s is " +
+ "different from authenticated output user %s of pam module libpam4j", user, unixUser.getUserName()));
+ }
+
+ if (logger.isTraceEnabled()) {
--- End diff -- Can omit this if statement, `logger.trace()` will do teh right thing. > Add support for libpam4j Pam Authenticator > ------------------------------------------ > > Key: DRILL-5820 > URL: https://issues.apache.org/jira/browse/DRILL-5820 > Project: Apache Drill > Issue Type: Task > Reporter: Sorabh Hamirwasia > Assignee: Sorabh Hamirwasia > Labels: doc-impacting > Fix For: 1.12.0 > > > Drill uses JPAM as the PAM authenticator module for username/password > verification for PLAIN mechanism. There are some known issues with JPAM which > leads to JVM crash and memory leaks. JPAM also requires a manual step in > copying the native library.
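Review bot: An empty `profiles` list makes the `for` loop in `authenticate` run zero times, so no PAM check is performed and, unless code after the visible end of this hunk rejects that case, the method returns normally and the login is accepted. `setup` does not validate the list it reads from `ExecConstants.PAM_AUTHENTICATOR_PROFILES`; it should fail closed at startup, for example `if (profiles == null || profiles.isEmpty()) { throw new DrillbitStartupException("No PAM profiles configured"); }`. Separately, the `UserAuthenticationException` message built in the `catch` block includes the profile name; if that message is returned to the unauthenticated client it discloses server PAM configuration, so a generic message there with the detail kept in the server log would be safer. The body of `authenticate` continues past the last quoted line.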
> Also, according to > [HIVE-16529|https://issues.apache.org/jira/browse/HIVE-16529], these issues with JPAM > have been mentioned before and are resolved in libpam4j. Also, > libpam4j avoids the need to install a native library explicitly. It would be > good to provide support for libpam4j in Drill to avoid these issues. > Some other reported problems with JPAM: > * https://wiki.dlib.indiana.edu/display/V3/Pam+Authentication+through+JPam > * https://bugzilla.redhat.com/show_bug.cgi?id=860119#c12 -- This message was sent by Atlassian JIRA (v6.4.14#64029)