logo_kerberos.gif

Projects/Local authorization pluggable interface

From K5Wiki
< Projects
Revision as of 14:40, 30 January 2013 by Ghudson (talk | contribs) (New page: {{project-early}} {{project-target|1.12}} ==Description== This project adds a pluggable interface to affect the behavior of the krb5_kuserok() and krb5_aname_to_localname() functions. =...)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project is targeted at release 1.12.


Description

This project adds a pluggable interface to affect the behavior of the krb5_kuserok() and krb5_aname_to_localname() functions.

Background

The krb5_aname_to_localname() function attempts to convert a krb5 principal name into a local account name according to policy. The default behavior maps single-component principals within the default realm to their values without realm (e.g. ghudson@ATHENA.MIT.EDU to ghudson, if ATHENA.MIT.EDU is the default realm). Its behavior can be modified through profile configuration as outlined below: 

   [realms]
       DEFREALMNAME = {
           auth_to_local_names = {
               princname = localname
           }
           auth_to_local = RULE:[selstring](regexp)s/pattern/replacement/
           auth_to_local = DEFAULT
       }

The krb5_kuserok() function decides whether a principal name is authorized to control a particular local account name. The current implementation looks for a .k5login file in the local account's home directory and searches it for the principal name; if no .k5login file exists, authorization succeeds if krb5_aname_to_localname maps the principal name to the local account name.

Proposal

This project proposes to use a single pluggable interface to control the behavior of both operations. A module may choose to only implement methods to control one or the other function, but the expectation is that a module may wish to use the same internal state to control both operations.

[XXX rough notes follow:] 

 * kuserok: princname, localname -> accept/reject or krb5 error; KRB5_PLUGIN_NO_HANDLE implies pass?
   - accumulator behavior: succeed if no modules reject/error and at least one module accepts

 * an2ln: some different design choices
   1. plug into realms -> DEFREALMNAME -> auth_to_local values
      module registers prefix type (like current "RULE" or "DEFAULT")
      method is invoked if module's prefix is selected, perhaps multiple times with different residuals
      config required to take over all an2ln operations is somewhat cumbersome
   2. treat existing support as modules, and add new modules
      accumulator behavior is hard to specify without ordering
   3. module can take over all an2ln operations, but only allow one module to do so

Testing

Documentation

Release notes

Retrieved from "https://k5wiki.kerberos.org/wiki?title=Projects/Local_authorization_pluggable_interface&oldid=5054"