> On Nov. 21, 2016, 5:17 a.m., Mugdha Varadkar wrote: > > Ship It!
Hi Shi Wang, Please attach latest updated patch on Apache Jira AMBARI-18425 also. - Mugdha ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/53722/#review156438 ----------------------------------------------------------- On Nov. 17, 2016, 9:05 p.m., Shi Wang wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/53722/ > ----------------------------------------------------------- > > (Updated Nov. 17, 2016, 9:05 p.m.) > > > Review request for Ambari and Robert Levas. > > > Bugs: trunk > https://issues.apache.org/jira/browse/trunk > > > Repository: ambari > > > Description > ------- > > Ranger-842 has added PAM support for ranger, we need to add this part to > ambari, to do automatic setup for ranger to use PAM authentication. > > > Diffs > ----- > > > ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py > 6462495 > > ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_admin_pam.j2 > PRE-CREATION > > ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_remote_pam.j2 > PRE-CREATION > > ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml > c0e537b > ambari-web/app/data/HDP2.3/site_properties.js 9ae68df > > Diff: https://reviews.apache.org/r/53722/diff/ > > > Testing > ------- > > In this patch, the default value for ranger-admin module is > auth sufficient pam_unix.so > auth sufficient pam_sss.so > account sufficient pam_unix.so > account sufficient pam_sss.so > 1. Create a Unix User shiwang, and sync unix user to Ranger, restart > ranger-admin as root and login to ranger using shiwang, it will success. > 2. Change ranger-admin pam file to > auth sufficient pam_deny.so > account sufficient pam_deny.so > and login using shiwang it will fall. > 3. Change ranger-admin pam file to > auth sufficient pam_ldap.so > account sufficient pam_ldap.so > and use a ldap user that already sync in ranger(it will show user not synced > error if not synced in ranger) login will success. > 4. Configure sssd with ldap and using the synced user from ldap login will > success. > > > Thanks, > > Shi Wang > >