Configuring PAM authentication with Linux users
You can configure PAM authentication to allow built-in Linux users to log in to Cloudera Manager.
- Configure the Cloudera Manager Server host:
- The Linux user who is running Cloudera Manager (for example, cloudera-scm)
must have read access to the system shadow file. Run the following command on the
Cloudera Manager Server host to check the shadow file group
permission::
ls -l /etc/shadow ----r-----+ 1 root root 1738 Jul 16 17:09 /etc/shadowThe above example shows that the root group of the shadow file is the owner group and not the shadow group. The '-r' indicates that the user in the root group can have read access to the shadow file.
If you see something like
---------- 1 root root 1611 Jul 16 17:09 /etc/shadow, no group read permission is assigned. Add that permission to the file by running the following command:chmod g+r /etc/shadow
- The Linux user who is running Cloudera Manager (for example, cloudera-scm)
must have read access to the system shadow file. Run the following command on the
Cloudera Manager Server host to check the shadow file group
permission::
- Add the user to the owner group:
usermod -a -G root cloudera-scmIf the owner group is the shadow group:
usermod -a -G shadow cloudera-scm - In Cloudera Manager, click Administration > Settings > External Authentication.
- Verify that the Authentication Backend Order property is not set to "Database Only."
- Verify that the Authorization Backend Order property is not set to "Database Only." If set to Database Only, the external group mapping will not work.
- Select PAM as the external authentication type.
- If you have a specific PAM configuration you wish to use for Cloudera Manager, modify the PAM Service Name property with that configuration's name (it should correspond to a file residing in /etc/pam.d/). Otherwise, use the default value, login.
- Save the changes.
- When finished, restart the Cloudera Manager Server:
sudo systemctl restart cloudera-scm-server - To test the configuration, log into Cloudera Manager with a Linux user and run the
following commands in the host server console to create a user and assign groups to the
user:
- Create the user:
useradd testUser passwd testUser - Assign groups to the user:
groupadd testGroup usermod -a -G testGroup testUser
- Create the user:
- In Cloudera Manager, map roles to the groups that your user belongs to. Click Administration > Users & Roles > LDAP/PAM Groups, then Add LDAP/PAM Group Mapping.
