PlonePAS is a standard component of Plone; it is always there and there is no need to install it separately.
PlonePAS is used to implement the
acl_users object in a Plone portal. You can explore this object using an url of the form
<url_to_your_plone>/acl_users/manage_workspace. What you see there are objects used to implement plugins. Via the "add" action, you can add more plugins. To be effective, a plugin must be in
acl_users and it must be activated. You use the
Plugins tab to manage activations.
PluggableAuthService (and by extension
PlonePAS) splits authentication and authorization into a multitude of tiny subtasks. Each such subtask is specified by an interface (which often has a single method). A plugin implements one or more such interfaces and thereby can perform the corresponding subtasks. The
Plugins tab, mentioned above, gives you an overview of the potential subtasks (respectively interfaces).
To learn about the details of the interfaces, you look into the source tree
Products.PluggableAuthService; watch out for