Happy July 4th!
I am using HDP 2.6 with Knox + Ranger. I have tried multiple solutions for setting up Knox authentication but have had no luck. This email is to get some clue to get me unblocked.
Solution 1: LDAP. This does not work because our IT disables LDAP on production hosts by following the CIS controls (https://www.cisecurity.org/controls/). AD is not applicable since I am not using Microsoft technology.
Solution 2: OS auth. Ranger can sync the local users from a specified host. However, Knox causes trouble. For Knox, I did:
a) Use pam_unix.so to authenticate the input username/password. Unfortunately, pam_unix.so uses unix_chkpw to get the password from /etc/shadow. Our production hosts use mode 000 on /etc/shadow, which cannot be changed. This means unix_chkpw needs to run as root to be able to access /etc/shadow. However, gateway.sh cannot be run as root. Setting the setuid and setgid bits on gateway.sh did not help either.
b) Use SSSD. Among the supported id providers (ldap, ipa, ad, proxy, local), only local is close to the OS auth used by Ranger. Still, it is not appropriate because:
reason 1: it is not designed for production. See https://serverfault.com/questions/826848/sss-useradd-vs-useradd-with-sssd.
reason 2: the local provider does not use /etc/passwd and /etc/shadow. To sync local users on a host with SSSD, I need to use the sssd tools to explicitly copy the local users over to SSSD's database, which is not ideal, and those synced users in the SSSD database may not work for Ranger.
I did not go deep into the proxy provider since the documentation says it is for a legacy NSS provider, which is a red flag.
Any clue to a working Knox authentication setup on our production hosts? Appreciated very much!
I did authenticate Knox using PAM. I created an ACL to give read access only to the knox user on the /etc/shadow file. Alternatively, you can try creating a link to the /etc/shadow file and giving read access on that link.
Links that I referred to:
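For readers following the reply above, here is what the two pieces of that approach look like put together. This is an added example written for this page, not configuration posted by either participant. It assumes the Knox gateway process runs as the local user knox, that the host's PAM stack has a working login service in /etc/pam.d/login, and that the Knox version is the one shipped with HDP 2.6 (the realm class name below is the one from the Knox user guide for that line; the topology file name, e.g. conf/topologies/default.xml, is whatever your cluster uses). The ACL is applied once as root with setfacl -m u:knox:r /etc/shadow and can be verified with getfacl /etc/shadow; mode 000 on the file stays as it is, the ACL entry is what grants knox the read. Be aware of what that grants: the Knox JVM can then read every account's password hash on that host, so treat the Knox process and its config directory as sensitive as /etc/shadow itself. The topology snippet that makes Knox authenticate against PAM instead of LDAP is:

```xml
<!-- Added example (not from the thread): Knox topology provider for PAM auth.
     Replaces the usual ShiroProvider LDAP params. Assumes HDP 2.6 / Knox 0.12
     class names and a PAM service named "login" in /etc/pam.d/. -->
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sessionTimeout</name>
        <value>30</value>
      </param>
      <!-- Shiro realm that hands username/password to PAM -->
      <param>
        <name>main.pamRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
      </param>
      <!-- PAM service name: /etc/pam.d/login, which uses pam_unix.so.
           pam_unix reads /etc/shadow via unix_chkpwd, which is why the
           knox user needs the read ACL on /etc/shadow. -->
      <param>
        <name>main.pamRealm.service</name>
        <value>login</value>
      </param>
      <!-- Require HTTP Basic auth on every URL behind the gateway -->
      <param>
        <name>urls./**</name>
        <value>authcBasic</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <!-- service entries (WEBHDFS, HIVE, ...) go here as in your existing topology -->
</topology>
```

After redeploying the topology, a quick check is a Basic-auth request against a gateway URL with a local account: a valid password should return 200 and an invalid one 401. If it returns 401 for a known-good password, confirm with getfacl /etc/shadow that the knox user's read entry is present and that the PAM service you named actually exists under /etc/pam.d/, since Shiro reports both problems as a plain authentication failure.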