<p>Feed: https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&feed=atom&action=history</p>
<p>Projects/kadmin access interface - Revision history (feed updated 2024-03-28T16:42:29Z). Revision history for this page on the wiki. Generator: MediaWiki 1.27.4.</p>
<p>Revision: https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5857&oldid=prev</p>
<p>Ghudson at 22:03, 29 July 2017 (2017-07-29T22:03:05Z)</p>
<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 22:03, 29 July 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 70:</td>
<td colspan="2" class="diff-lineno">Line 70:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To apply the fourth rule in the new framework without complicating the kadm5_auth interface, we must modify it to be more strict: a client must use an initial ticket to change its own keys, even if it is authorized via the ACL file. We should also enforce this rule in the kadmin protocol as well as the password change protocol.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To apply the fourth rule in the new framework without complicating the kadm5_auth interface, we must modify it to be more strict: a client must use an initial ticket to change its own keys, even if it is authorized via the ACL file. We should also enforce this rule in the kadmin protocol as well as the password change protocol.</div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>==Additional requirements==</div></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>These requirements were discussed on 2017-07-18 and are documented here; they should ideally be addressed in the design and folded into the above sections.</div></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The first note is that a combined kadm5_auth and KDB module cannot robustly associate DB operations with the authorized kadmin operation. The module could annotate its KDB module pointer based on an authorization method, but it would be relying on the (currently valid) assumption that all database calls following an authorization call are associated with that kadmin operation until the next authorization call. A possible use case for this association is fetching the DB record for the target principal during authorization, and reusing that record during the subsequent DB operation.</div></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The second note is that both IPA and Samba will likely implement some access restrictions by performing the actionable LDAP operation as an LDAP client DN corresponding to the client principal, rather than checking prior to the LDAP operation. To do this, the DB method needs to know the client principal name, either directly (as in the first high-level design option) or via an association described in the previous paragraph.</div></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
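<tr>
<td colspan="4">Review bot: deleting the "Additional requirements" section drops the second note (IPA and Samba performing the LDAP operation as a client DN derived from the client principal, so the DB method needs the client principal name) without the surviving text saying how that need is met. The "end" method added to the Module interface section in the previous revision gives a combined module a window in which to correlate database calls with the authorized operation, which answers the first note, but nothing visible says the client principal is available to the DB method through that association. Suggest carrying one sentence over into the Module interface section, for example "A combined module can record the client principal during the authorization call and use it for the database operations that follow, up to the end call."</td>
</tr>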
</table>
<p>Author: Ghudson</p>
<p>Revision: https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5856&oldid=prev</p>
<p>Ghudson: /* Module interface */ (2017-07-29T22:02:52Z)</p>
<p><span dir="auto"><span class="autocomment">Module interface</span></span></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 22:02, 29 July 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 51:</td>
<td colspan="2" class="diff-lineno">Line 51:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>After consulting with potential module authors, the second option was selected. To avoid having to repeat the accumulator code many times, the consumer interface inside kadmind will use option 1, and will fan out to one method per operation when calling out to the module. The two methods which support restrictions will use a separate accumulator function to keep the other accumulator simple.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>After consulting with potential module authors, the second option was selected. To avoid having to repeat the accumulator code many times, the consumer interface inside kadmind will use option 1, and will fan out to one method per operation when calling out to the module. The two methods which support restrictions will use a separate accumulator function to keep the other accumulator simple.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>kadm5_auth modules which are also KDB modules will want to correlate authorized kadmin operations with database calls. The kadm5_auth interface will include an "end" method to indicate when an authorized operation is finished; all database calls between an authorization method call and an end call will be associated with the authorized operation. This design has repercussions for thread safety--a multi-threaded consumer of both the kadm5_auth and KDB interfaces must use a separate krb5_context (and therefore a separate database context) for each thread.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Self-service and kadmin/changepw===</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Self-service and kadmin/changepw===</div></td>
</tr>
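<tr>
<td colspan="4">Review bot: the association rule "all database calls between an authorization method call and an end call will be associated with the authorized operation" needs to state that kadmind calls end on every exit path, including when the operation fails after authorization has succeeded; otherwise a missed end lets the stale association attach to the next operation's database calls on the same context, which is exactly the misattribution the method exists to prevent. The thread-safety sentence should likewise say what a module does if it sees a second authorization call before an end call (treat it as an implicit end, or fail the call), so the per-thread krb5_context requirement is checkable rather than assumed.</td>
</tr>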
</table>
<p>Author: Ghudson</p>
<p>Revision: https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5855&oldid=prev</p>
<p>Ghudson at 15:21, 19 July 2017 (2017-07-19T15:21:25Z)</p>
<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 15:21, 19 July 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 68:</td>
<td colspan="2" class="diff-lineno">Line 68:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To apply the fourth rule in the new framework without complicating the kadm5_auth interface, we must modify it to be more strict: a client must use an initial ticket to change its own keys, even if it is authorized via the ACL file. We should also enforce this rule in the kadmin protocol as well as the password change protocol.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To apply the fourth rule in the new framework without complicating the kadm5_auth interface, we must modify it to be more strict: a client must use an initial ticket to change its own keys, even if it is authorized via the ACL file. We should also enforce this rule in the kadmin protocol as well as the password change protocol.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==Additional requirements==</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>These requirements were discussed on 2017-07-18 and are documented here; they should ideally be addressed in the design and folded into the above sections.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The first note is that a combined kadm5_auth and KDB module cannot robustly associate DB operations with the authorized kadmin operation. The module could annotate its KDB module pointer based on an authorization method, but it would be relying on the (currently valid) assumption that all database calls following an authorization call are associated with that kadmin operation until the next authorization call. A possible use case for this association is fetching the DB record for the target principal during authorization, and reusing that record during the subsequent DB operation.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The second note is that both IPA and Samba will likely implement some access restrictions by performing the actionable LDAP operation as an LDAP client DN corresponding to the client principal, rather than checking prior to the LDAP operation. To do this, the DB method needs to know the client principal name, either directly (as in the first high-level design option) or via an association described in the previous paragraph.</div></td>
</tr>
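<tr>
<td colspan="4">Review bot: the first note says a combined module "cannot robustly associate DB operations with the authorized kadmin operation" and calls the ordering assumption "(currently valid)" without saying what would invalidate it; stating that the ordering breaks as soon as kadmind interleaves operations on one database context (for example from more than one thread) would make the requirement concrete enough to design against. The second note leaves the choice "either directly (as in the first high-level design option) or via an association" open, and the section's own framing is that these points "should ideally be addressed in the design", so mark both as open items rather than settled requirements until the Module interface section answers them.</td>
</tr>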
</table>
<p>Author: Ghudson</p>
<p>Revision: https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5854&oldid=prev</p>
<p>Ghudson: /* Self-service and kadmin/changepw */ (2017-07-04T14:53:06Z)</p>
<p><span dir="auto"><span class="autocomment">Self-service and kadmin/changepw</span></span></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:53, 4 July 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 57:</td>
<td colspan="2" class="diff-lineno">Line 57:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># A client principal can change its own password, randomize its own keys, purge its own keys, get its own principal entry, get its own string attributes, and get the policy entry associated with its own principal entry.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># A client principal can change its own password, randomize its own keys, purge its own keys, get its own principal entry, get its own string attributes, and get the policy entry associated with its own principal entry.</div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># If the client authenticated to kadmin/changepw but uses the kadmin protocol rather than the<del class="diffchange diffchange-inline"> UDP</del> password change protocol, it is only allowed to use the change-password, randomize-key, get-principal, or get-policy operations, and is only allowed to operate on its own principal or policy. The get-principal and get-policy operations are used by the old kadmin-based kpasswd program to display policy restrictions to the user before asking for the new password.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># If the client authenticated to kadmin/changepw but uses the kadmin protocol rather than the password change protocol, it is only allowed to use the change-password, randomize-key, get-principal, or get-policy operations, and is only allowed to operate on its own principal or policy. The get-principal and get-policy operations are used by the old kadmin-based kpasswd program to display policy restrictions to the user before asking for the new password.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If a client changes its own keys, the policy minimum lifetime (if present) must have elapsed since the last key change, even if the client is authorized to change its key via the ACL file.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If a client changes its own keys, the policy minimum lifetime (if present) must have elapsed since the last key change, even if the client is authorized to change its key via the ACL file.</div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># A client is only authorized to change its own keys via the<del class="diffchange diffchange-inline"> UDP</del> password change protocol if it uses an initial ticket to authenticate. This restriction is redundant if kadmin/changepw has the DISALLOW_TGT_BASED flag, as it does by default.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># A client is only authorized to change its own keys via the password change protocol if it uses an initial ticket to authenticate. This restriction is redundant if kadmin/changepw has the DISALLOW_TGT_BASED flag, as it does by default<ins class="diffchange diffchange-inline">. This rule is not enforced in the kadmin protocol</ins>.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>In some unusual deployments, it could be valuable to be able to turn off the self-service permissions when using an authorization module. This could be accomplished by moving the self-service decisions to a module which operates alongside the ACL module; that module could then be disabled through module configuration.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>In some unusual deployments, it could be valuable to be able to turn off the self-service permissions when using an authorization module. This could be accomplished by moving the self-service decisions to a module which operates alongside the ACL module; that module could then be disabled through module configuration.</div></td>
</tr>
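<tr>
<td colspan="4">Review bot: the added sentence "This rule is not enforced in the kadmin protocol" should say that the preceding redundancy remark still covers the kadmin protocol: DISALLOW_TGT_BASED on kadmin/changepw stops the KDC from issuing a TGT-based service ticket for that principal at all, so with the default flag a kadmin-protocol client of kadmin/changepw is also limited to initial tickets, and the gap only opens when an administrator clears the flag. Dropping "UDP" from both rules is right, since the password change protocol is the same protocol over TCP, but it would help to name it once consistently so the two rules are not read as describing different transports.</td>
</tr>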
<tr>
<td colspan="2" class="diff-lineno">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To apply the third rule in the new framework, we must again check for self-service outside of the authorization layer to see if we should enforce minimum life, but still call into the authorization layer for self-service requests.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To apply the third rule in the new framework, we must again check for self-service outside of the authorization layer to see if we should enforce minimum life, but still call into the authorization layer for self-service requests.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The fourth rule can likely be discarded, as it is not enforced if the client uses the kadmin protocol instead of the UDP password change protocol, and the security property is normally enforced by the TGS server. Alternatively, the rule could be enforced for all self-service password changes, even if the client is authorized to change passwords in the ACL file or by another module.</div></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>To apply the fourth rule in the new framework without complicating the kadm5_auth interface, we must modify it to be more strict: a client must use an initial ticket to change its own keys, even if it is authorized via the ACL file. We should also enforce this rule in the kadmin protocol as well as the password change protocol.</div></td>
</tr>
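<tr>
<td colspan="4">Review bot: the replacement paragraph makes the initial-ticket requirement apply "even if it is authorized via the ACL file", but the removed text also covered authorization "by another module"; the stricter rule should say it applies regardless of which kadm5_auth module granted the permission, otherwise a module can reopen the gap the rule closes. It should also list which operations count as changing its own keys (rule 1 above names change-password, randomize-key and purge-keys) and record the user-visible effect: an administrator running kadmin against a credentials cache whose kadmin ticket came from the TGS rather than from an initial authentication will now be refused a self password change, and should get an error that says an initial ticket is required rather than a generic permission failure.</td>
</tr>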
</table>
<p>Author: Ghudson</p>
<p>Revision: https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5851&oldid=prev</p>
<p>Ghudson: /* Self-service and kadmin/changepw */ (2017-06-26T05:25:46Z)</p>
<p><span dir="auto"><span class="autocomment">Self-service and kadmin/changepw</span></span></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 05:25, 26 June 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 59:</td>
<td colspan="2" class="diff-lineno">Line 59:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If the client authenticated to kadmin/changepw but uses the kadmin protocol rather than the UDP password change protocol, it is only allowed to use the change-password, randomize-key, get-principal, or get-policy operations, and is only allowed to operate on its own principal or policy. The get-principal and get-policy operations are used by the old kadmin-based kpasswd program to display policy restrictions to the user before asking for the new password.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If the client authenticated to kadmin/changepw but uses the kadmin protocol rather than the UDP password change protocol, it is only allowed to use the change-password, randomize-key, get-principal, or get-policy operations, and is only allowed to operate on its own principal or policy. The get-principal and get-policy operations are used by the old kadmin-based kpasswd program to display policy restrictions to the user before asking for the new password.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If a client changes its own keys, the policy minimum lifetime (if present) must have elapsed since the last key change, even if the client is authorized to change its key via the ACL file.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If a client changes its own keys, the policy minimum lifetime (if present) must have elapsed since the last key change, even if the client is authorized to change its key via the ACL file.</div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># A client is authorized to change its own keys via the UDP password change protocol<del class="diffchange diffchange-inline">, but only</del> if it uses an initial ticket to authenticate. This restriction is redundant if kadmin/changepw has the DISALLOW_TGT_BASED flag, as it does by default.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># A client is<ins class="diffchange diffchange-inline"> only</ins> authorized to change its own keys via the UDP password change protocol if it uses an initial ticket to authenticate. This restriction is redundant if kadmin/changepw has the DISALLOW_TGT_BASED flag, as it does by default.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>In some unusual deployments, it could be valuable to be able to turn off the self-service permissions when using an authorization module. This could be accomplished by moving the self-service decisions to a module which operates alongside the ACL module; that module could then be disabled through module configuration.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>In some unusual deployments, it could be valuable to be able to turn off the self-service permissions when using an authorization module. This could be accomplished by moving the self-service decisions to a module which operates alongside the ACL module; that module could then be disabled through module configuration.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-lineno">Line 66:</td>
<td colspan="2" class="diff-lineno">Line 66:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To apply the third rule in the new framework, we must again check for self-service outside of the authorization layer to see if we should enforce minimum life, but still call into the authorization layer for self-service requests.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>To apply the third rule in the new framework, we must again check for self-service outside of the authorization layer to see if we should enforce minimum life, but still call into the authorization layer for self-service requests.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The fourth rule can likely be discarded, as it is not enforced if the client uses the kadmin protocol instead of the UDP password change protocol, and the security property is normally enforced by the TGS server. Alternatively, the rule could be enforced for all self-service password changes, even if the client is authorized to change passwords in the ACL file or by another module.</div></td>
</tr>
</table>
Ghudson
https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5850&oldid=prev
Ghudson at 16:46, 25 June 2017 (2017-06-25T16:46:43Z)
<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:46, 25 June 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 59:</td>
<td colspan="2" class="diff-lineno">Line 59:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If the client authenticated to kadmin/changepw but uses the kadmin protocol rather than the UDP password change protocol, it is only allowed to use the change-password, randomize-key, get-principal, or get-policy operations, and is only allowed to operate on its own principal or policy. The get-principal and get-policy operations are used by the old kadmin-based kpasswd program to display policy restrictions to the user before asking for the new password.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If the client authenticated to kadmin/changepw but uses the kadmin protocol rather than the UDP password change protocol, it is only allowed to use the change-password, randomize-key, get-principal, or get-policy operations, and is only allowed to operate on its own principal or policy. The get-principal and get-policy operations are used by the old kadmin-based kpasswd program to display policy restrictions to the user before asking for the new password.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If a client changes its own keys, the policy minimum lifetime (if present) must have elapsed since the last key change, even if the client is authorized to change its key via the ACL file.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If a client changes its own keys, the policy minimum lifetime (if present) must have elapsed since the last key change, even if the client is authorized to change its key via the ACL file.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># A client is authorized to change its own keys via the UDP password change protocol, but only if it uses an initial ticket to authenticate. This restriction is redundant if kadmin/changepw has the DISALLOW_TGT_BASED flag, as it does by default.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>In some unusual deployments, it could be valuable to be able to turn off the self-service permissions when using an authorization module. This could be accomplished by moving the self-service decisions to a module which operates alongside the ACL module; that module could then be disabled through module configuration.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>In some unusual deployments, it could be valuable to be able to turn off the self-service permissions when using an authorization module. This could be accomplished by moving the self-service decisions to a module which operates alongside the ACL module; that module could then be disabled through module configuration.</div></td>
</tr>
</table>
Ghudson
https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5849&oldid=prev
Ghudson: /* Self-service and kadmin/changepw */ (2017-06-25T16:39:54Z)
<p><span dir="auto"><span class="autocomment">Self-service and kadmin/changepw</span></span></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 16:39, 25 June 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 56:</td>
<td colspan="2" class="diff-lineno">Line 56:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>kadmind currently makes several decisions before consulting the ACL file:</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>kadmind currently makes several decisions before consulting the ACL file:</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># A client principal can change its own password, randomize its own keys, purge its own keys, get its own principal <del class="diffchange diffchange-inline">record</del>, get its own string attributes, and get the policy <del class="diffchange diffchange-inline">record</del> associated with its own principal <del class="diffchange diffchange-inline">record</del>.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># A client principal can change its own password, randomize its own keys, purge its own keys, get its own principal <ins class="diffchange diffchange-inline">entry</ins>, get its own string attributes, and get the policy <ins class="diffchange diffchange-inline">entry</ins> associated with its own principal <ins class="diffchange diffchange-inline">entry</ins>.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If the client authenticated to kadmin/changepw but uses the kadmin protocol rather than the UDP password change protocol, it is only allowed to use the change-password, randomize-key, get-principal, or get-policy operations, and is only allowed to operate on its own principal or policy. The get-principal and get-policy operations are used by the old kadmin-based kpasswd program to display policy restrictions to the user before asking for the new password.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># If the client authenticated to kadmin/changepw but uses the kadmin protocol rather than the UDP password change protocol, it is only allowed to use the change-password, randomize-key, get-principal, or get-policy operations, and is only allowed to operate on its own principal or policy. The get-principal and get-policy operations are used by the old kadmin-based kpasswd program to display policy restrictions to the user before asking for the new password.</div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># If a client changes its own keys, the policy minimum lifetime (if present) must have elapsed since the last key change<del class="diffchange diffchange-inline">. In the kadmin protocol</del>,<del class="diffchange diffchange-inline"> this rule applies</del> even if the client<del class="diffchange diffchange-inline"> principal</del> is authorized to change its <del class="diffchange diffchange-inline">own password via the ACL file; in the UDP password change protocol, this rule does not apply if the client principal is authorized</del> via the ACL file.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># If a client changes its own keys, the policy minimum lifetime (if present) must have elapsed since the last key change, even if the client is authorized to change its <ins class="diffchange diffchange-inline">key</ins> via the ACL file.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In some unusual deployments, it could be valuable to be able to turn off the self-service permissions when using an authorization module. This could be accomplished by moving the self-service decisions to a module which operates alongside the ACL module; that module could then be disabled through module configuration<del class="diffchange diffchange-inline">. Applying the second and third rules with this proviso requires care, and becomes easier if it is acceptable for the UDP password change protocol to behave like the kadmin protocol for the third rule</del>.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In some unusual deployments, it could be valuable to be able to turn off the self-service permissions when using an authorization module. This could be accomplished by moving the self-service decisions to a module which operates alongside the ACL module; that module could then be disabled through module configuration.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>To apply the second rule in the new framework, when the service principal is kadmin/changepw, we must apply the self-service restriction outside of the authorization layer, but then still call into the authorization layer (which may again grant access based on self-service) if the restriction is met. For the get-policy operation, applying the self-service restriction requires fetching the client principal entry from the database. It is probably easiest to fetch the entry unconditionally in the server stub, and pass the client principal's policy name to the authorization framework's get-policy method as a second string argument.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>To apply the third rule in the new framework, we must again check for self-service outside of the authorization layer to see if we should enforce minimum life, but still call into the authorization layer for self-service requests.</div></td>
</tr>
</table>
Ghudson
https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5848&oldid=prev
Ghudson at 04:27, 25 June 2017 (2017-06-25T04:27:48Z)
<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 04:27, 25 June 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 50:</td>
<td colspan="2" class="diff-lineno">Line 50:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># A few methods grouped by operation class, such as "principal operation", "policy operation", and "general operation".</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># A few methods grouped by operation class, such as "principal operation", "policy operation", and "general operation".</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The consumer interface in kadmind need not precisely reflect the module interface. For example, if the module interface uses option 2, it would be possible to reduce the amount of redundant accumulator code by making the consumer interface look more like option 1 or 3.</div></td>
<td colspan="2" class="diff-empty"> </td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>After consulting with potential module authors, the second option was selected. To avoid having to repeat the accumulator code many times, the consumer interface inside kadmind will use option 1, and will fan out to one method per operation when calling out to the module. The two methods which support restrictions will use a separate accumulator function to keep the other accumulator simple.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>===Self-service and kadmin/changepw===</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>kadmind currently makes several decisions before consulting the ACL file:</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># A client principal can change its own password, randomize its own keys, purge its own keys, get its own principal record, get its own string attributes, and get the policy record associated with its own principal record.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># If the client authenticated to kadmin/changepw but uses the kadmin protocol rather than the UDP password change protocol, it is only allowed to use the change-password, randomize-key, get-principal, or get-policy operations, and is only allowed to operate on its own principal or policy. The get-principal and get-policy operations are used by the old kadmin-based kpasswd program to display policy restrictions to the user before asking for the new password.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># If a client changes its own keys, the policy minimum lifetime (if present) must have elapsed since the last key change. In the kadmin protocol, this rule applies even if the client principal is authorized to change its own password via the ACL file; in the UDP password change protocol, this rule does not apply if the client principal is authorized via the ACL file.</div></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td colspan="2" class="diff-empty"> </td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In some unusual deployments, it could be valuable to be able to turn off the self-service permissions when using an authorization module. This could be accomplished by moving the self-service decisions to a module which operates alongside the ACL module; that module could then be disabled through module configuration. Applying the second and third rules with this proviso requires care, and becomes easier if it is acceptable for the UDP password change protocol to behave like the kadmin protocol for the third rule.</div></td>
</tr>
</table>
Ghudson
https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5847&oldid=prev
Ghudson: /* Module interface */ (2017-06-11T19:46:11Z)
<p><span dir="auto"><span class="autocomment">Module interface</span></span></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 19:46, 11 June 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 46:</td>
<td colspan="2" class="diff-lineno">Line 46:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># A design similar to the above, with some possible variations:</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># A design similar to the above, with some possible variations:</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>## The restrictions object could be transparent, and applied by the krb5 code, so that the interface does not depend on a kadmin type.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>## The restrictions object could be transparent, and applied by the krb5 code, so that the interface does not depend on a kadmin type.</div></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>## The restrictions object could be eliminated; instead, optional entry and mask parameters could be provided to the check function to be modified.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>## The restrictions object could be eliminated; instead, optional entry and mask parameters could be provided to the check function to be modified.<ins class="diffchange diffchange-inline"> (However, note that renames are denied if the ACL entry for the client principal imposes any restrictions on the modify operation, which might be harder to detect with this design.)</ins></div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># One method per operation, with parameters specific to the operation, and policy operations separated from principal operations.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># One method per operation, with parameters specific to the operation, and policy operations separated from principal operations.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># A few methods grouped by operation class, such as "principal operation", "policy operation", and "general operation".</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># A few methods grouped by operation class, such as "principal operation", "policy operation", and "general operation".</div></td>
</tr>
</table>
Ghudson
https://k5wiki.kerberos.org/wiki?title=Projects/kadmin_access_interface&diff=5846&oldid=prev
Ghudson: /* Architecture */ (2017-06-11T18:48:36Z)
<p><span dir="auto"><span class="autocomment">Architecture</span></span></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 18:48, 11 June 2017</td>
</tr><tr>
<td colspan="2" class="diff-lineno">Line 24:</td>
<td colspan="2" class="diff-lineno">Line 24:</td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Architecture===</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Architecture===</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker">−</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>One simple high-level <del class="diffchange diffchange-inline">deisgn</del> option is to make kadmind tell the KDB module the authenticated client principal. The KDB module could then check access for subsequent operations such as put_principal and change_pwd. kadmin.local would not supply a client principal (or would perhaps only supply one if specifically requested), so the KDB module would not check access control. This option does not satisfy the first use case and would require the administrator to install a permissive kadm5.acl file, but it would be easy to implement.</div></td>
<td class="diff-marker">+</td>
<td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>One simple high-level <ins class="diffchange diffchange-inline">design</ins> option is to make kadmind tell the KDB module the authenticated client principal. The KDB module could then check access for subsequent operations such as put_principal and change_pwd. kadmin.local would not supply a client principal (or would perhaps only supply one if specifically requested), so the KDB module would not check access control. This option does not satisfy the first use case and would require the administrator to install a permissive kadm5.acl file, but it would be easy to implement.</div></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td>
</tr>
<tr>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Another option, similar to the above, is to amend the kadm5_hook pluggable interface to receive the client principal, either by revising the five existing methods (chpass, create, modify, remove, rename) or by adding a new method to specify the client principal for subsequent operations. This option is not a great fit for the first use case because the kadm5_hook interface only addresses the subset of kadm5_operations which alter principal entries, not those which affect policy objects or those which only request data. It might be helpful, if not completely sufficient, for the second use case insofar as it allows control of set-password operations. As with the first option, this option would require the administrator to install a permissive kadm5.acl file, as kadm5_hook operates at a lower layer than kadm5.acl.</div></td>
<td class="diff-marker"> </td>
<td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Another option, similar to the above, is to amend the kadm5_hook pluggable interface to receive the client principal, either by revising the five existing methods (chpass, create, modify, remove, rename) or by adding a new method to specify the client principal for subsequent operations. This option is not a great fit for the first use case because the kadm5_hook interface only addresses the subset of kadm5_operations which alter principal entries, not those which affect policy objects or those which only request data. It might be helpful, if not completely sufficient, for the second use case insofar as it allows control of set-password operations. As with the first option, this option would require the administrator to install a permissive kadm5.acl file, as kadm5_hook operates at a lower layer than kadm5.acl.</div></td>
</tr>
</table>Ghudson