# PAM Authentication

RStudio Connect provides a PAM Authentication provider for those who want to integrate their user authentication with Linux PAM.

With this integration, user authentication is handled by whatever authentication mechanism is configured behind PAM. Group functionality, however, is provided by RStudio Connect itself, and those groups have no relation to any Linux groups that PAM may expose.
## Configuration Example

**Note:** The PAM configuration appendix contains information about each PAM configuration option. The `Authentication.Notice` text can be customized to display reminders to users. Notice text will appear on the login, sign up, and user completion pages.
```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = "pam"
;Notice = "Please Note: Usernames are case-sensitive."

[PAM]
; These default values should be adjusted
; according to the level of PAM support desired:
;Service = "rstudio-connect"
;UseSession = false
;ForwardPassword = false
; When attempting to troubleshoot a problem relating to PAM Authentication,
; you can enable more verbose logging by enabling the following line
;Logging = true
```
**Tip:** See the PAM sessions section for information about using PAM sessions when launching processes associated with content.
## PAM Service

You can change the PAM service used for authentication by customizing the `PAM.Service` setting. The default PAM service name used for authentication is `rstudio-connect`.
```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Service = "rstudio-connect"
```
Note that there are three types of PAM services that can be configured in the `PAM` configuration section. The PAM sessions section contains additional information.

- `PAM.Service`: The PAM service used for authenticating users when logging in.

  **Tip:** If the user accounts on Linux are provisioned externally, you may need to use the `pam_mkhomedir` module in your PAM configuration to automatically create the users' home directories on first login.

- `PAM.SessionService`: When `PAM.UseSession` is enabled, this PAM service is used for running processes either as the default user or as an arbitrary user. This service should not require a password.

  **Tip:** You may need to use the `pam_rootok` module in your PAM configuration to accomplish this.

- `PAM.AuthenticatedSessionService`: The PAM service used for running processes as the currently logged-in user with the user's password. Requires `PAM.UseSession`, `PAM.ForwardPassword`, and `Applications.RunAsCurrentUser` to be enabled. This is useful in Kerberos configurations to allow the running content to access authenticated resources as the visiting user.
The examples below assume RStudio Connect is configured to use the `rstudio-connect` PAM service name for authentication.
## Ubuntu

RStudio Connect does not create a PAM service on Ubuntu systems. When RStudio Connect attempts to use the `rstudio-connect` service name for authentication, PAM will recognize that there is no service with that name and fall back to the default `other` service located at `/etc/pam.d/other`.

The default Ubuntu `other` service is configured to inherit from a set of common PAM services:
```
# Ubuntu default "other" PAM service.
@include common-auth
@include common-account
@include common-password
@include common-session
```
If the `other` service is appropriate for your organization, no further configuration is needed.

Otherwise, create and configure `/etc/pam.d/rstudio-connect` to prevent PAM from falling back to the `other` service. PAM will use this service for subsequent authentication attempts using the `rstudio-connect` service name.
## Red Hat/CentOS/SUSE

Red Hat/CentOS/SUSE systems may deny access to unknown PAM service names by default. This is because the `other` configuration in `/etc/pam.d/other` contains only "deny" rules.
```
#%PAM-1.0
# The Red Hat/CentOS default "other" PAM service.
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
```
The RStudio Connect RPM installs an `rstudio-connect` PAM service located at `/etc/pam.d/rstudio-connect`. This service is configured to require a user ID greater than 500 and authenticates against local system accounts.
```
#%PAM-1.0
# The RStudio Connect default PAM service.
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_unix.so nodelay
account required pam_unix.so
```
This default PAM service may not reflect the authentication behavior that you want for RStudio Connect. Feel free to customize this service for your organization.
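The two platform sections above describe the same lookup rule from different angles: PAM reads `/etc/pam.d/<service>` if it exists and otherwise falls back to `/etc/pam.d/other`, which on Ubuntu inherits the common services and on Red Hat family systems denies everything. The POSIX shell functions below are an added example (not code from the RStudio Connect documentation or the product) that reproduce that rule so an administrator can check, before users start logging in, which file the `rstudio-connect` service name will actually hit and whether that file is deny-only. A last helper lists the accounts in a passwd-format file that satisfy the RPM default's `pam_succeed_if.so uid >= 500` requisite. Function names, the status words they print, and the directories and passwd file used when exercising them are all my own constructions.

```shell
#!/bin/sh
# Added example: resolve the PAM service file that will handle a service name
# and flag a deny-only fallback. PAMD is the directory to inspect (normally
# /etc/pam.d); test inputs are constructed, not taken from a real host.

# Print the file PAM will read for SERVICE under PAMD: the named file when it
# exists, otherwise the "other" fallback. Return 1 when neither exists.
pam_effective_file() {
    pamd=$1; service=$2
    if [ -f "$pamd/$service" ]; then
        printf '%s\n' "$pamd/$service"
    elif [ -f "$pamd/other" ]; then
        printf '%s\n' "$pamd/other"
    else
        return 1
    fi
}

# Return 0 when every non-comment line in FILE is a "<facility> required
# pam_deny.so" rule, i.e. the service rejects everyone (Red Hat "other").
# @include lines and any other module count as non-deny.
pam_is_deny_only() {
    file=$1
    total=$(grep -Ec '^[[:space:]]*[^#[:space:]]' "$file" || true)
    deny=$(grep -Ec '^[[:space:]]*(auth|account|password|session)[[:space:]]+required[[:space:]]+pam_deny\.so' "$file" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$deny" ]
}

# Summarise the outcome for SERVICE under PAMD as one word:
#   named         - a dedicated service file exists and will be used
#   fallback      - no dedicated file; "other" applies and is not deny-only
#   fallback-deny - no dedicated file; "other" applies and denies every request
#   missing       - neither file exists
pam_service_status() {
    pamd=$1; service=$2
    file=$(pam_effective_file "$pamd" "$service") || { echo missing; return 0; }
    if [ "$file" = "$pamd/$service" ]; then
        echo named
    elif pam_is_deny_only "$file"; then
        echo fallback-deny
    else
        echo fallback
    fi
}

# Print the login names in a passwd-format file whose UID satisfies the
# "pam_succeed_if.so uid >= 500" requisite of the RPM's default service.
pam_users_uid_ge_500() {
    awk -F: '$3 >= 500 { print $1 }' "$1"
}

# Typical use on a host (constructed invocation, output depends on the host):
#   pam_service_status /etc/pam.d rstudio-connect
#   pam_users_uid_ge_500 /etc/passwd
```

A result of `fallback-deny` means every RStudio Connect login will be refused until `/etc/pam.d/rstudio-connect` (or whatever `PAM.Service` names) exists; `fallback` means logins are being decided by the generic `other` policy rather than anything written for RStudio Connect.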
## Configuring a PAM service

This section may be helpful if your organization has different requirements from the default behavior of the `rstudio-connect` PAM service name. Please consult with your PAM/systems administrator to ensure that the RStudio Connect PAM service configuration fits your needs.

If your system already has a PAM service (e.g. `/etc/pam.d/login`) with the desired behavior, it may be enough to simply include that service from within the RStudio Connect service. For example:
```
# RStudio Connect PAM service that defers to the existing login service.
@include login
```
Alternatively, you may copy the existing service into the RStudio Connect service.

```bash
sudo cp /etc/pam.d/login /etc/pam.d/rstudio-connect
```
Lastly, you could configure the `PAM.Service` setting to reference that PAM service. This would be appropriate if you have a common `rstudio` service that you use across all RStudio products, for example.

```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Service = rstudio
```
If you change the `PAM.Service` setting from its default `rstudio-connect` value, the PAM service defined in `/etc/pam.d/rstudio-connect` will not be used.
## User Provisioning
PAM Authentication requires that users in RStudio Connect have corresponding local system accounts. These accounts should be provisioned ahead of the first login in RStudio Connect. Linux Name Service Switch (NSS) or System Security Services Daemon (SSSD) can be configured on the machine hosting RStudio Connect to automate the provisioning of these local accounts.
Users may also be created in RStudio Connect ahead of their first login by adding them as users via the RStudio Connect Server API.
## Register on First Login

By default, PAM users can be created in RStudio Connect upon their first successful login attempt. Accounts will be created with the role specified in the `Authorization.DefaultUserRole` setting (see User Roles).
## Disabling Register on First Login

If you wish to disable this feature, set the configuration setting `PAM.RegisterOnFirstLogin` to `false`.

```ini
; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
RegisterOnFirstLogin = false
```

**Important:** Using this option requires users to be exclusively created via the RStudio Connect Server API.
## Usernames

Usernames must be unique and are case-sensitive, following the Linux requirement for usernames. Additionally, they must adhere to the following:

- Be 3-64 characters in length
- Start with a letter
- Contain only alphanumeric characters, underscores, and periods
- Not be one of the following prohibited values: `connect`, `apps`, `users`, `groups`, `setpassword`, `user-completion`, `confirm`, `recent`, `reports`, `plots`, `unpublished`, `settings`, `metrics`, `tokens`, `help`, `login`, `welcome`, `register`, `resetpassword`, `content`
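When `PAM.RegisterOnFirstLogin` is off and accounts are created through the Server API, it is worth validating a candidate username against these rules before the API call rather than discovering the rejection afterwards. The shell function below is an added example, not part of the RStudio Connect documentation or product; it encodes the four rules as listed, and it assumes (my assumption, not stated on the page) that the prohibited values are compared exactly as written. The function name `rsc_check_username` and the variable holding the prohibited list are my own.

```shell
#!/bin/sh
# Added example: validate an RStudio Connect username before provisioning it.
# Prints "ok: <name>" and returns 0 on success; prints a reason and returns 1
# on rejection. The prohibited list is copied from the rules above.

RSC_RESERVED_NAMES="connect apps users groups setpassword user-completion confirm recent reports plots unpublished settings metrics tokens help login welcome register resetpassword content"

rsc_check_username() {
    name=$1
    # Rules 1-3 in one expression: a leading letter followed by 2 to 63 more
    # characters drawn from letters, digits, underscore and period (3-64 total).
    if ! printf '%s' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9_.]{2,63}$'; then
        echo "rejected: must be 3-64 characters, start with a letter, and contain only letters, digits, '_' and '.'"
        return 1
    fi
    # Rule 4: the name must not be one of the prohibited values. Comparison is
    # exact (assumption); usernames themselves are case-sensitive per the page.
    for reserved in $RSC_RESERVED_NAMES; do
        if [ "$name" = "$reserved" ]; then
            echo "rejected: '$name' is a prohibited value"
            return 1
        fi
    done
    echo "ok: $name"
    return 0
}

# Typical use in a provisioning script (constructed example):
#   rsc_check_username "$candidate" || exit 1
```

Because the character rule already excludes hyphens, `user-completion` can never reach the prohibited-value check; it is kept in the list so the list matches the documentation verbatim.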
## Editing User Attributes

RStudio Connect is always supplied with a username corresponding to the Linux account username, and that username is therefore not editable.

**Warning:** Changing the username of the Linux account will result in a new user being created in RStudio Connect the next time the user logs in.
A user's first name, last name, and email address are not provided by the hosting system and are considered editable. The setting `Authorization.UserInfoEditableBy` has a default value of `AdminAndSelf`, permitting users and administrators to manage these user profile attributes. Configure `Authorization.UserInfoEditableBy` with `Admin` if profile editing should be restricted to administrators.

**Tip:** It is recommended that if you disable `PAM.RegisterOnFirstLogin`, you also configure `Authorization.UserInfoEditableBy` to `Admin`.
## Automatic User Role Mapping
RStudio Connect does not provide the ability to map user roles when using the PAM Authentication provider. Roles must be managed within the RStudio Connect dashboard or via the RStudio Connect Server API.
## Group Membership Management

RStudio Connect allows the organization of users into groups. Administrators can manage local groups within the "People" tab in the RStudio Connect dashboard or via the RStudio Connect Server API.

**Note:** These groups are local to RStudio Connect and have no relation to Linux groups present on the host machine where PAM is configured.

**Tip:** If you do not want groups at all in RStudio Connect, set the `Authorization.UserGroups` configuration option to `false`.