How to include or exclude individual users or groups of users in RStudio Connect when using PAM Authentication



When using LDAP or SAML for Authentication, excluding users is easier - groups can be managed within your Authentication provider, and RStudio Connect can be configured to allow and disallow some groups.


When using PAM for Authentication, there is no obvious way to forcibly include or exclude some groups of users, and RStudio Connect doesn't discriminate.



PAM comes with a service that allows you to allow or deny users based on group membership called pam_listfile.

Setting up PAM to take advantage of this is quick and easy:


1. Create a text file listing the allowed groups:

# cat /etc/connect.login.groups.allowed


2. Then, depending on your OS, open /etc/pam.d/system-auth (RHEL style) or /etc/pam.d/common-auth (Debian style) and add something like this at the top of the file:

auth required onerr=fail item=group sense=allow file=/etc/connect.login.groups.allowed

We put it at or near the top because we want this to be the first rule that a user hits when authenticating - excluding users before accidentally including them with another rule.

Note that the hard work is done with the sense directive:

sense=[allow|deny] Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested.


Users can be included or excluded in the same method by changing item=user.