Skip Menu |
 

Subject: Pluggable interface for kadmin authorization
We should have a pluggable interface for authorizing kadmin requests.
See:

https://k5wiki.kerberos.org/wiki/Projects/kadmin_access_interface
From: ghudson@mit.edu
Subject: git commit

Add kadm5_auth pluggable interface

Add a pluggable interface for authorizing kadmin operations, and the
consumer interface code in kadmind.

https://github.com/krb5/krb5/commit/d92114795fee2bdfa855263797aea7eaa47e0fc0
Author: Greg Hudson <ghudson@mit.edu>
Commit: d92114795fee2bdfa855263797aea7eaa47e0fc0
Branch: master
doc/plugindev/index.rst | 1 +
doc/plugindev/kadm5_auth.rst | 35 ++++
src/include/Makefile.in | 1 +
src/include/k5-int.h | 3 +-
src/include/k5-trace.h | 7 +
src/include/krb5/kadm5_auth_plugin.h | 306 +++++++++++++++++++++++++++++++++
src/kadmin/server/Makefile.in | 8 +-
src/kadmin/server/auth.c | 307 ++++++++++++++++++++++++++++++++++
src/kadmin/server/auth.h | 78 +++++++++
9 files changed, 741 insertions(+), 5 deletions(-)
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 2.4KiB

Use kadm5_auth interface in kadmind

Convert the ACL code to a kadm5_auth module, and create a new module
for self-service authorization. Use the kadm5_auth consumer code
instead of directly using the ACL code to authorize requests.

Do not assume self-service authorization in the RPC stubs or in
schpw_util_wrapper(). For key change requests, enforce the initial
ticket requirement whenever a client changes its own keys, regardless
of how it is authorized or which protocol it uses. The initial ticket
check for protocol version 1 in process_chpw_request() is redundant
after this change, so remove it.

The old kadmin-based password change client authenticates to
kadmin/changepw and performs self-service get_principal, get_policy,
and chpass requests. Continue to allow these operations, enforcing
the self-service requirement in addition to checking through the
kadm5_auth interface. For get_policy requests, always look up the
client principal's policy name, for this check and for the
authorization layer's use.

The error messages for rename authorization failures are now more
vague (because there is a specific rename operation check in the
kadm5_auth interface, and we do not find out whether it failed due to
missing add or delete privileges). Adjust t_kadmin_acl.py
accordingly.

https://github.com/krb5/krb5/commit/92a1a7efe2fc43337416098f2227038a72f1e35a
Author: Greg Hudson <ghudson@mit.edu>
Commit: 92a1a7efe2fc43337416098f2227038a72f1e35a
Branch: master
doc/admin/conf_files/kadm5_acl.rst | 13 ++
doc/admin/conf_files/kdc_conf.rst | 7 +-
doc/admin/conf_files/krb5_conf.rst | 20 ++
src/kadmin/server/Makefile.in | 8 +-
src/kadmin/server/auth.c | 7 +
src/kadmin/server/auth.h | 7 +
src/kadmin/server/auth_acl.c | 344 ++++++++++++++++++++++++++----------
src/kadmin/server/auth_acl.h | 74 --------
src/kadmin/server/auth_self.c | 77 ++++++++
src/kadmin/server/deps | 33 +++-
src/kadmin/server/ipropd_svc.c | 5 +-
src/kadmin/server/misc.c | 122 ++------------
src/kadmin/server/misc.h | 17 --
src/kadmin/server/ovsec_kadmd.c | 8 +-
src/kadmin/server/schpw.c | 12 +-
src/kadmin/server/server_stubs.c | 281 ++++++++++++++++--------------
src/lib/kadm5/kadm_err.et | 1 +
src/lib/krb5/krb/plugin.c | 3 +-
src/tests/t_kadmin_acl.py | 10 +-
19 files changed, 591 insertions(+), 458 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add tests for kadm5_auth interface

Add a test plugin module to exercise features of the kadm5_auth
interface, and a Python test script using the module. Also test the
initial ticket requirement for self-service key changes in
t_kadmin_acl.py.

https://github.com/krb5/krb5/commit/17d34e956ec454c36573e0cb07a7dc3f3328c99c
Author: Greg Hudson <ghudson@mit.edu>
Commit: 17d34e956ec454c36573e0cb07a7dc3f3328c99c
Branch: master
src/Makefile.in | 1 +
src/configure.in | 1 +
src/plugins/kadm5_auth/test/Makefile.in | 20 ++
src/plugins/kadm5_auth/test/deps | 22 ++
.../kadm5_auth/test/kadm5_auth_test.exports | 2 +
src/plugins/kadm5_auth/test/main.c | 305 ++++++++++++++++++++
src/tests/Makefile.in | 1 +
src/tests/t_kadm5_auth.py | 81 ++++++
src/tests/t_kadmin_acl.py | 15 +
9 files changed, 448 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix bugs in kadm5_auth commit

Commit 92a1a7efe2fc43337416098f2227038a72f1e35a uses line after it is
freed in load_acl_file(). Move the k5_setmsg() call earlier to fix
it. The same commit also used the wrong header underline in
krb5_conf.rst for the kadm5_auth interface subsection. Fix it.

https://github.com/krb5/krb5/commit/d9e8bdc9858a1dbe135db2d12c70854ef1851ce8
Author: Greg Hudson <ghudson@mit.edu>
Commit: d9e8bdc9858a1dbe135db2d12c70854ef1851ce8
Branch: master
doc/admin/conf_files/krb5_conf.rst | 2 +-
src/kadmin/server/auth_acl.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)