ATLAS-1866 :- Documentation for PAM type authentication and better logging for PAM auth

2e69f922 · nixonrodrigues · 72910c4f · 2e69f922 · 2e69f922 · 2e69f922
Commit 2e69f922 authored Mar 13, 2020 by nixonrodrigues
4 changed files
--- a/docs/src/documents/Security/Authentication.md
+++ b/docs/src/documents/Security/Authentication.md
@@ -20,6 +20,7 @@ Atlas supports following authentication methods
   * **Kerberos**
   * **LDAP**
   * **Keycloak (OpenID Connect / OAUTH2)**
+   * **PAM**


 Following properties should be set true to enable the authentication of that type in `atlas-application.properties` file.
@@ -153,3 +154,26 @@ Setup you keycloak.json per instructions from Keycloak. Make sure to include `"p
  "autodetect-bearer-only": true
 }`}
 </SyntaxHighlighter>
+
+ ### PAM.
+
+The prerequisite for enabling PAM authentication, is to have login service file in */etc/pam.d/*
+
+To enable the PAM authentication mode in Atlas.
+
+* Set the atlas property `atlas.authentication.method.pam` to true in `atlas-application.properties`.
+
+<SyntaxHighlighter wrapLines={true} language="shell" style={theme.dark}>
+{
+`atlas.authentication.method.pam=true`
+}
+</SyntaxHighlighter>
+
+* Set the property `atlas.authentication.method.pam.service=<login service>` to use desired PAM login service.
+  For example, set below property to use `/etc/pam.d/login`.
+
+<SyntaxHighlighter wrapLines={true} language="shell" style={theme.dark}>
+{
+ `atlas.authentication.method.pam.service=login`
+}
+</SyntaxHighlighter>
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
@@ -37,6 +37,7 @@ import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.Arrays;

 import org.apache.atlas.utils.AuthenticationUtil;

@@ -106,7 +107,7 @@ public abstract class AtlasAbstractAuthenticationProvider implements Authenticat
            String[] groups = ugi.getGroupNames();

            if(LOG.isDebugEnabled()) {
-                LOG.debug("UserGroupInformation userGroups=" + groups);
+                LOG.debug("UserGroupInformation userGroups=" + Arrays.toString(groups));
            }

            if (groups != null) {

--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasPamAuthenticationProvider.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasPamAuthenticationProvider.java
@@ -110,7 +110,7 @@ public class AtlasPamAuthenticationProvider extends AtlasAbstractAuthenticationP
            LOG.debug("Pam Authentication Failed:", e);
        }
        if (isDebugEnabled) {
-            LOG.debug("<== AtlasPamAuthenticationProvider getPamAuthentication");
+            LOG.debug("<== AtlasPamAuthenticationProvider getPamAuthentication : " + jaasAuthenticationProvider);
        }
        return authentication;
    }
@@ -127,6 +127,13 @@ public class AtlasPamAuthenticationProvider extends AtlasAbstractAuthenticationP
            if (!options.containsKey("service")) {
                options.put("service", "atlas-login");
            }
+
+            if(LOG.isDebugEnabled()) {
+                LOG.debug("AtlasPAMAuthenticationProvider{groupsFromUGI= "+ groupsFromUGI +'\'' +
+                        ", options=" + options +
+                         '}');
+            }
+
        } catch (Exception e) {
            LOG.error("Exception while setLdapProperties", e);
        }
@@ -148,6 +155,16 @@ public class AtlasPamAuthenticationProvider extends AtlasAbstractAuthenticationP
            UserAuthorityGranter[] authorityGranters = new UserAuthorityGranter[]{authorityGranter};
            jaasAuthenticationProvider.setAuthorityGranters(authorityGranters);
            jaasAuthenticationProvider.afterPropertiesSet();
+
+            if(LOG.isDebugEnabled()) {
+                LOG.debug("AtlasPAMAuthenticationProvider{" +
+                        "jaasAuthenticationProvider='" + jaasAuthenticationProvider + '\'' +
+                        ", loginModuleName='" + loginModuleName + '\'' +
+                        ", controlFlag='" + controlFlag + '\'' +
+                        ", options='" + options + '}');
+            }
+
+
        } catch (Exception e) {
            LOG.error("Failed to init PAM Authentication", e);
        }

--- a/webapp/src/main/java/org/apache/atlas/web/security/PamLoginModule.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/PamLoginModule.java
@@ -22,7 +22,8 @@ package org.apache.atlas.web.security;
 import org.jvnet.libpam.PAM;
 import org.jvnet.libpam.PAMException;
 import org.jvnet.libpam.UnixUser;
-
+import org.slf4j.LoggerFactory;
+import org.slf4j.Logger;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.*;
 import javax.security.auth.login.FailedLoginException;
@@ -35,6 +36,8 @@ import java.util.Map;
 import java.util.Set;

 public class PamLoginModule extends Object implements LoginModule {
+    private static final Logger LOG = LoggerFactory.getLogger(PamLoginModule.class);
+
    public static final String SERVICE_KEY = "service";

    private PAM pam;
@@ -110,6 +113,9 @@ public class PamLoginModule extends Object implements LoginModule {

            initUserName(nameCallback);
            initPassword(passwordCallback);
+
+            if (LOG.isDebugEnabled())
+                LOG.debug("Searching for user " + nameCallback.getName());
        }
        catch (IOException | UnsupportedCallbackException ex)
        {
@@ -150,6 +156,8 @@ public class PamLoginModule extends Object implements LoginModule {
            principal = new PamPrincipal(user);
            authSucceeded = true;

+            if (LOG.isDebugEnabled())
+                LOG.debug("user " + username );
            return true;
        }
        catch (PAMException ex)