Configuring user authentication for PAM and default clients

Follow these steps to configure authentication for PAM and default clients by using an authentication plug-in.

Before you begin

  1. Stop the cluster:
    # egoshutdown.sh
  2. On all management hosts, create a plug-in configuration file (pamauth.conf) under the $EGO_CONFDIR directory. For an example of a pamauth.conf file, refer to the following steps. If you have used the PAM plug-in previously, this file might exist.
    Note: If $EGO_CONFDIR is on a shared directory, you need to perform this step only once.
  3. Optional: Complete one of the following steps:
    • Ensure a PAM service file (the default PAM service is sshd) exists under the /etc/pam.d/ directory. As root, assign 644 permissions to the PAM service file.
    • Configure the EGO plug-in to use another (existing) PAM policy file (for example, sshd). The PAM configuration file controls the authentication policy and can be modified by the system administrator.

Procedure

  1. Edit the PAM configuration file ($EGO_CONFDIR/pamauth.conf) to set the values of mandatory and optional parameters:
    Table 1. PAM configuration parameters
    Parameter | Mandatory or optional | Description
    PAM_SERVICE | Mandatory | Specifies the PAM policy file that is located under the /etc/pam.d/ directory.
    KEYFILE | Optional | Specifies the path to the key file.
      You can also specify a custom key in the key file, which is used to create credentials. Set the KEY parameter inside the file that KEYFILE points to. Specify up to 64 ASCII alphanumeric characters and special characters. For example, KEY="myKey12345@#$%^*ABC".
    PAM_CACHEEXPIRYTIME | Optional | Specifies the interval at which the user cache is updated, enabling new users and user groups to be imported from PAM and registered to the system. By default, the user cache is updated every day. In environments where users are added and removed frequently, set this parameter to an interval that suits your requirements.
      • To specify an interval in days, enter a positive integer or a positive integer followed by d or D for days. For example, 2 or 2d means the user cache refreshes every 2 days. The default is 1d.
      • To specify an interval in minutes or hours, enter a positive integer followed by m or M for minutes, or h or H for hours. For example, 2m means the user cache refreshes every 2 minutes; 2h means it refreshes every 2 hours.

      Configuring a short refresh interval might degrade cluster performance. Choose a value that balances cache refresh requirements against cluster performance. Setting the value to 0 disables the user cache, so user data is retrieved from PAM on every request.

    SEC_PAM_BYPASS | Optional | Specifies whether to bypass PAM authentication (Y or N). If you set this parameter to Y, every user authentication request from a PAM client succeeds.
    For example, the pamauth.conf file can include the following parameters:
    # Optional parameters
    # PAM_CACHEEXPIRYTIME=<a-positive-integer-followed-by-d-or-D-or-h-or-H-or-m-or-M>
    # The interval at which the user cache is updated.
    PAM_CACHEEXPIRYTIME=2h

    # KEYFILE=<keyfile-location>
    # Absolute path to the location of the key file.
    KEYFILE=/tmp/seckey.conf

    # SEC_PAM_BYPASS=<y-or-n>
    # Bypass PAM authentication: Y or N.
    SEC_PAM_BYPASS=N

    # Mandatory parameters
    # PAM_SERVICE=<pam-service-name>
    # PAM service file (at /etc/pam.d) which defines the
    # PAM policy to be used for EGO.
    # Default is "sshd"
    PAM_SERVICE=sshd
  2. Optional: If you configured the KEYFILE parameter in pamauth.conf, set a custom key by using the KEY parameter in the key file that KEYFILE points to.
    For example, if pamauth.conf sets KEYFILE to /tmp/seckey.conf:
    KEYFILE=/tmp/seckey.conf
    then the file /tmp/seckey.conf can define the KEY parameter with a value of myKey12345@#$%^*ABC:
    KEY="myKey12345@#$%^*ABC"
  3. On all management hosts, edit ego.conf to modify the value of the EGO_SEC_PLUGIN and EGO_SEC_CONF parameters as follows:
    Table 2. Management host configuration parameters
    Parameter | Value | Description
    EGO_SEC_PLUGIN | sec_ego_pam_default | Specifies PAM+default authentication on management hosts.
    EGO_SEC_CONF | $EGO_CONFDIR,0,INFO,$EGO_TOP/kernel/log | Specifies whether log messages are required from the server-side plug-in. All server-side messages are logged to ego_ext_plugin_server.log in the plug-in log directory.

    Use this format: <plugin-configuration-directory>,<created-ttl>,<plugin-log-level>,<plugin-log-directory>

  4. On all compute hosts, edit ego.conf to modify the value of the EGO_SEC_PLUGIN and (optionally) the EGO_SEC_CONF parameter:
    Table 3. Compute host configuration parameters
    Parameter | Value | Description
    EGO_SEC_PLUGIN | sec_ego_pam_default | Specifies PAM+default authentication.
    EGO_SEC_CONF (optional) | $EGO_TOP/kernel/conf,0,DEBUG,$EGO_TOP/kernel/log | Specifies whether log messages are required from the client-side plug-in. All client-side messages are logged to ego_ext_plugin_client.log in the plug-in log directory.

    Use this format: <plugin-configuration-directory>,<created-ttl>,<plugin-log-level>,<plugin-log-directory>

  5. Start the IBM® Spectrum Conductor cluster:
    1. Log on to the primary host as the cluster administrator.
    2. Run the following commands to start the cluster:
      • For bash:
        # . $EGO_TOP/profile.platform
        # egosh ego start all
      • For csh:
        # source $EGO_TOP/cshrc.platform
        # egosh ego start all
  6. Complete this step only if the authentication server is required to authenticate a PAM client by using the default authentication method or the PAM authentication method.

    Log on to EGO as the cluster administrator called Admin, then run the egosh user add command to map the PAM user to the EGO account.

  7. From the cluster management console, edit the Spark instance group configuration to enable the Spark drivers and executors to run as the OS user.
    1. From the cluster management console, click Workload > Spark > Spark Instance Groups.
    2. Select the Spark instance group to modify and click Configure.
      If the Spark instance group is running workload, stop the Spark instance group and all associated notebooks before you change its configuration.
    3. In the Basic Settings tab, select Enable authentication and authorization for the submission user.
    4. Click Modify Instance Group.
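The following POSIX shell script is an added example and is not part of the IBM Spectrum Conductor documentation or product. It checks the settings from steps 1 through 4 before the cluster is restarted: that pamauth.conf names a PAM_SERVICE whose policy file exists, that PAM_CACHEEXPIRYTIME has the <integer>[d|D|h|H|m|M] form (and warns when 0 disables the cache), that SEC_PAM_BYPASS is Y or N (and warns when it is Y, since every PAM client request then succeeds), that the KEYFILE exists and holds a KEY of at most 64 characters, and that ego.conf sets EGO_SEC_PLUGIN=sec_ego_pam_default with a four-field EGO_SEC_CONF where one is required. Assumptions not stated on the page: the files hold one NAME=VALUE per line with # comments; the key file is treated as a secret and flagged if group or others can read it; a PAM_DIR environment variable lets the check run against a directory other than /etc/pam.d; the sample files at the end are constructed inline from the page's example values.

```shell
#!/bin/sh
# Added example, not IBM Spectrum Conductor code: sanity-check the PAM plug-in
# settings from the procedure above before restarting the cluster. Assumptions:
# the files hold one NAME=VALUE per line with '#' comments, the key file is a
# secret that should be mode 0600, and PAM_DIR may point away from /etc/pam.d.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# get_param FILE NAME: value of the last uncommented NAME= line, quotes stripped.
get_param() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# expiry_to_minutes VALUE: PAM_CACHEEXPIRYTIME (N, Nd, Nh, Nm; unit letter in
# either case) converted to minutes; fails on any other form.
expiry_to_minutes() {
    num=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)[dDhHmM]\{0,1\}$/\1/p')
    [ -n "$num" ] || return 1
    case "$1" in
        *[hH]) echo $((num * 60)) ;;
        *[mM]) echo "$num" ;;
        *)     echo $((num * 1440)) ;;   # bare integer or d/D means days
    esac
}

# fail MESSAGE: report an error and count it in the caller's errs variable.
fail() { echo "ERROR: $1"; errs=$((errs + 1)); }

# check_pamauth FILE: validate pamauth.conf and its key file; returns error count.
check_pamauth() {
    f=$1; errs=0
    svc=$(get_param "$f" PAM_SERVICE)
    if [ -z "$svc" ]; then fail "PAM_SERVICE is mandatory"
    elif [ ! -f "$PAM_DIR/$svc" ]; then fail "PAM policy file $PAM_DIR/$svc not found"
    fi
    exp=$(get_param "$f" PAM_CACHEEXPIRYTIME)
    if [ -n "$exp" ]; then
        if mins=$(expiry_to_minutes "$exp"); then
            if [ "$mins" -eq 0 ]; then echo "WARN: PAM_CACHEEXPIRYTIME=0 disables the user cache"; fi
        else
            fail "PAM_CACHEEXPIRYTIME '$exp' is not <integer>[d|D|h|H|m|M]"
        fi
    fi
    case "$(get_param "$f" SEC_PAM_BYPASS)" in
        ""|N|n) ;;
        Y|y) echo "WARN: SEC_PAM_BYPASS=Y: every PAM client authentication request succeeds" ;;
        *)   fail "SEC_PAM_BYPASS must be Y or N" ;;
    esac
    kf=$(get_param "$f" KEYFILE)
    if [ -n "$kf" ] && [ ! -f "$kf" ]; then fail "KEYFILE $kf not found"
    elif [ -n "$kf" ]; then
        key=$(get_param "$kf" KEY)
        if [ -z "$key" ]; then fail "no KEY parameter in $kf"
        elif [ "${#key}" -gt 64 ]; then fail "KEY exceeds 64 characters"
        fi
        # Assumption: the key creates credentials, so group/other read access is flagged.
        if [ "$(ls -l "$kf" | cut -c5-10)" != "------" ]; then echo "WARN: $kf is readable by group or others"; fi
    fi
    return $errs
}

# check_egoconf FILE ROLE: validate EGO_SEC_PLUGIN and EGO_SEC_CONF in ego.conf;
# ROLE is management (EGO_SEC_CONF required) or compute (optional).
check_egoconf() {
    f=$1; role=$2; errs=0
    plugin=$(get_param "$f" EGO_SEC_PLUGIN)
    [ "$plugin" = sec_ego_pam_default ] || fail "EGO_SEC_PLUGIN is '$plugin', expected sec_ego_pam_default"
    conf=$(get_param "$f" EGO_SEC_CONF)
    if [ -z "$conf" ]; then
        if [ "$role" = management ]; then fail "EGO_SEC_CONF is required on management hosts"; fi
    else
        nfields=$(printf '%s' "$conf" | awk -F, '{ print NF }')
        [ "$nfields" -eq 4 ] || fail "EGO_SEC_CONF needs <plugin-configuration-directory>,<created-ttl>,<plugin-log-level>,<plugin-log-directory>, found $nfields field(s)"
    fi
    return $errs
}

# Constructed sample files that mirror the page's example values.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
PAM_DIR="$DEMO/pam.d"; mkdir "$PAM_DIR"; : > "$PAM_DIR/sshd"
printf 'PAM_CACHEEXPIRYTIME=2h\nKEYFILE=%s/seckey.conf\nSEC_PAM_BYPASS=N\nPAM_SERVICE=sshd\n' "$DEMO" > "$DEMO/pamauth.conf"
printf '%s\n' 'KEY="myKey12345@#$%^*ABC"' > "$DEMO/seckey.conf"; chmod 600 "$DEMO/seckey.conf"
printf 'EGO_SEC_PLUGIN=sec_ego_pam_default\nEGO_SEC_CONF=$EGO_CONFDIR,0,INFO,$EGO_TOP/kernel/log\n' > "$DEMO/ego.conf"
printf 'SEC_PAM_BYPASS=Y\nPAM_CACHEEXPIRYTIME=2x\n' > "$DEMO/pamauth-bad.conf"   # no PAM_SERVICE

check_pamauth "$DEMO/pamauth.conf" && echo "pamauth.conf: OK"
check_egoconf "$DEMO/ego.conf" management && echo "ego.conf: OK"
check_pamauth "$DEMO/pamauth-bad.conf" || echo "pamauth-bad.conf: $? error(s)"
```

To run the checks against a real host, replace the constructed sample paths with $EGO_CONFDIR/pamauth.conf and the host's ego.conf, and leave PAM_DIR unset so the PAM_SERVICE lookup uses /etc/pam.d. The return value of each check function is its error count, so the script can gate a cluster restart in a wrapper; the two WARN conditions (cache disabled, bypass enabled) do not count as errors because the page documents both as valid settings, but a practitioner should expect to justify either one.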