[ARVADOS] updated: 1.3.0-2508-gadabb565d

Git user git at public.arvados.org
Fri May 1 18:27:41 UTC 2020

Summary of changes:
 doc/install/setup-login.html.textile.liquid | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

       via  adabb565d5cc6d5a5da9f019ba0cf8620425ca2b (commit)
      from  5792ec3a8ddfdba959da5c09dfa1be4ac7472c20 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

commit adabb565d5cc6d5a5da9f019ba0cf8620425ca2b
Author: Tom Clegg <tom at tomclegg.ca>
Date:   Fri May 1 14:26:32 2020 -0400

    16212: Add PAM configuration hints.
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>

diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index 2f757b48d..c9e65ca7e 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -31,7 +31,7 @@ Next, copy the values of *Client ID* and *Client secret* from the Google Develop
 h2(#pam). PAM (experimental)
-With this configuration, authentication is done according to the Linux PAM configuration on your controller host.
+With this configuration, authentication is done according to the Linux PAM ("Pluggable Authentication Modules") configuration on your controller host.
 Enable PAM authentication in @config.yml@:
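Review bot: In the added line, the expansion is wrapped in double quotes inside the parentheses, and in Textile a double-quoted string is the opening of link syntax, as in "default config file":{{site.baseurl}}/admin/config.html further down this file. Writing it as (Pluggable Authentication Modules), without the quotes, removes any rendering ambiguity and reads more cleanly.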
@@ -42,6 +42,12 @@ Enable PAM authentication in @config.yml@:
 Check the "default config file":{{site.baseurl}}/admin/config.html for more PAM configuration options.
+The default PAM configuration on most Linux systems uses the local password database in @/etc/shadow@ for all logins. In this case, in order to log in to Arvados, users must have a shell account and password on the controller host itself. This can be convenient for a single-user or test cluster.
+PAM can also be configured to use different backends like LDAP. In a production environment, PAM configuration should use the service name ("arvados" by default) to set a separate policy for Arvados logins: generally, Arvados users should not have shell accounts on the controller node.
+For information about configuring PAM, refer to the "PAM System Administrator's Guide":http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html.
 h2(#sso). Separate single-sign-on (SSO) server
 With this configuration, Arvados passes off authentication to a separate SSO server that supports Google, LDAP, and a local password database.
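Review bot: The first added paragraph presents the @/etc/shadow@ default only as a convenience and leaves the converse unstated: as described, any account with a password in the controller host's local database can authenticate to Arvados. Saying that explicitly would make the production recommendation in the next paragraph follow from it. That recommendation would also be easier to act on if it named where a per-service policy lives; with Linux-PAM this is a file named after the service under /etc/pam.d/, so /etc/pam.d/arvados for the default service name. Separately, the System Administrator's Guide link uses http://; prefer https:// if the site serves it.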


