https://k5wiki.kerberos.org/w/api.php?action=feedcontributions&feedformat=atom&user=HardjonoK5Wiki - User contributions [en]2026-05-13T03:40:01ZUser contributionsMediaWiki 1.27.4https://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&diff=4317Projects/Documentation Tasks2011-11-08T19:34:16Z<p>Hardjono: /* Most commonly used API functions (in alphabetical order) */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Purpose ==<br />
<br />
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.<br />
<br />
<br />
<br />
{| class="wikitable"<br />
|+ Matrix of Document-Type VS Intended Readership<br />
|-<br />
! Doc-type/Reader<br />
! Architectural Guide<br />
! Setup & Config of Kerberos<br />
! Admin & Operations of Kerberos<br />
! Custom Build<br />
! API Description<br />
! API Details<br />
|-<br />
|-<br />
| End-users || || || || || ||<br />
|-<br />
| Architects || || || || || ||<br />
|-<br />
|System Admins || || || || || ||<br />
|-<br />
|Application Developers || || || || || ||<br />
|-<br />
|GSSAPI Developers || || || || || ||<br />
|-<br />
|Kerberos Developers || || || || || ||<br />
|}<br />
<br />
<br />
== Application development ==<br />
<br />
{| class="wikitable"<br />
|+ <br />
|-<br />
! task<br />
! Proposed Author<br />
! Target Date<br />
! Reviewer<br />
! Reviewer Comments<br />
|-<br />
|-<br />
| Designing a new protocol, or extending existing one, to use GSS-API || || || ||<br />
|-<br />
| Choosing security API|| || || ||<br />
|-<br />
| <ul><li> GSS-API vs SASL vs KRB5 </ul>|| || || ||<br />
|-<br />
| <ul><li> A guide to the similarities and differences between Heimdal and MIT Kerberos API </ul>|| || || ||<br />
|-<br />
| GSS-API || || || ||<br />
|-<br />
| <ul><li> A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues</ul>|| || || ||<br />
|-<br />
| <ul><li> How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is </ul>|| || || ||<br />
|-<br />
| <ul><li> How to write mechanism-independent GSS-API code</ul>|| || || ||<br />
|-<br />
| <ul><li> Acceptor naming - How to get servers to use any key in a keytab</ul>|| GH|| || ||<br />
|-<br />
| <ul><li> A guide to GSS-API naming as compared to Kerberos principal naming</ul>|| || || ||<br />
|-<br />
| <ul><li> Using IAKERB</ul>|| || || ||<br />
|-<br />
| <ul><li> Anonymous credentials</ul>|| || || ||<br />
|-<br />
| <ul><li> Delegating credentials</ul>|| MIT || || ||<br />
|-<br />
| <ul><li> Available extensions</ul>|| || || ||<br />
|-<br />
| <ul><li> Thread safety</ul>|| KR || || ||<br />
|-<br />
| <ul><li> Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || ||<br />
|-<br />
| Developing plugins|| GH || || ||<br />
|-<br />
| <ul><li> A guide to developing plugins </ul>|| || || ||<br />
|-<br />
| <ul><li>Overview of existing pluggable interfaces </ul>|| || || ||<br />
|-<br />
| Krb5 library guide|| || || ||<br />
|-<br />
| <ul><li> A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential</ul>|| TY || || ||<br />
|-<br />
| <ul><li> Kerberos prompter behavior</ul>|| || || ||<br />
|-<br />
| <ul><li> An introduction to ticket caches and keytabs and their corresponding APIs </ul>|| KR || || ||<br />
|-<br />
| <ul><li> An advanced guide to the pre-auth mechanisms, FAST</ul>|| || || ||<br />
|-<br />
| <ul><li> An advanced guide to the principal manipulation and parsing</ul>|| TY || || ||<br />
|-<br />
| <ul><li> Thread safety</ul>|| KR || || ||<br />
|-<br />
| <ul><li> Password change including the automatic internal support for password change on expired passwords if a prompter is provided</ul>|| || || ||<br />
|-<br />
| <ul><li> krb5_appdefault_* functions and their alternatives </ul>|| || || ||<br />
|-<br />
| MIT Kerberos features : quick facts || ZT || || || ongoing<br />
|-<br />
| How to build Kerberos from source || ZT || || || ready for review<br />
|-<br />
|}<br />
<br />
== Administration ==<br />
<br />
{| class="wikitable"<br />
|+ <br />
|-<br />
! task<br />
! Proposed Author<br />
! Target Date<br />
! Reviewer<br />
! Reviewer Comments<br />
|-<br />
|-<br />
|Setting a new realm|| || || ||<br />
|-<br />
|<ul><li>Choosing backend: LDAP vs DB2</ul>|| || || ||<br />
|-<br />
|<ul><li>Replication</ul>|| ZT|| || ||ready for review<br />
|-<br />
|<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| ZT|| || ||<br />
|-<br />
| Integration Kerberos with Login System|| || || ||<br />
|-<br />
| <ul><li> Difference between real Kerberos authentication, Kerberos password verification on the server side, and "LDAP authentication" in a Kerberos environment</ul>|| || || ||<br />
|-<br />
| <ul><li> Validating Kerberos tickets</ul>|| || || ||<br />
|-<br />
| <ul><li> Clear text password over HTTPS </ul>|| || || ||<br />
|-<br />
| <ul><li> Configuring with pam_krb5 module</ul>|| || || ||<br />
|-<br />
| <ul><li> Storing/locating keytab</ul>|| || || ||<br />
|-<br />
| Cross-realm|| || || ||<br />
|-<br />
| <ul><li>cross-realm interaction with AD </ul>|| || || ||<br />
|-<br />
| <ul><li> Transitive trust</ul>|| || || ||<br />
|-<br />
| <ul><li> Referrals</ul>|| || || ||<br />
|-<br />
| Performance|| || || ||<br />
|-<br />
| <ul><li> Performance tuning tips</ul>|| || || ||<br />
|-<br />
| <ul><li> Performance tradeoffs</ul>|| || || ||<br />
|-<br />
| kadmin interface|| || || ||<br />
|-<br />
| <ul><li> Keying workstation/ host key setting</ul>|| || || ||<br />
|-<br />
| Using Smartcard with PKINIT|| || || ||<br />
|-<br />
| Kerberized ssh|| || || ||<br />
|-<br />
| <ul><li> Configuration</ul>|| || || ||<br />
|-<br />
| <ul><li>Cross-realm and ssh</ul>|| || || ||<br />
|-<br />
| Selecting and configuring plugins|| GH || || ||<br />
|-<br />
| Anonymity support|| || || ||<br />
|-<br />
| A guide to principal naming basics and structure|| || || ||<br />
|-<br />
| Troubleshooting|| || || ||<br />
|-<br />
| <ul><li>Troubleshooting errors</ul> || ZT || || || ongoing<br />
|-<br />
| <ul><li>Trace logging</ul>||GH || || ||<br />
|-<br />
| <ul><li>Realm renaming </ul>|| || || ||<br />
|-<br />
| Using LDAP server for Kerberos backend|| ZT || ||Ubuntu 10.4 (lucid)|| <br />
|-<br />
|}<br />
<br />
== API documentation ==<br />
<br />
===Most commonly used API functions (in alphabetical order)===<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - Highest priority<br />
|-<br />
! API<br />
! Proposed Author<br />
! Target Date<br />
! Reviewer<br />
! Reviewer Comments<br />
|-<br />
|-<br />
| krb5_build_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal.html]|| ZT || GH|| ||<br />
|-<br />
|krb5_build_principal_alloc_va [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal_alloc_va.html] || ZT || GH|| ||<br />
|-<br />
| krb5_build_principal_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal_ext.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_cc_close [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_close.html] ||ZT ||GH || ||<br />
|-<br />
| krb5_cc_default [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_default.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_default_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_default_name.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_destroy [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_destroy.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_dup [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_dup.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_get_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_name.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_cc_get_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_cc_get_type [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_type.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_cc_initialize [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_initialize.html]|| ZT||GH || ||<br />
|-<br />
| krb5_cc_new_unique [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_new_unique.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_resolve [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_resolve.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_change_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_change_password.html]|| ZT||GH || ||<br />
|-<br />
| krb5_free_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_context.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_free_error_message [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_error_message.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_free_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_fwd_tgt_cred [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_fwd_tgt_cred.html]|| ZT || GH|| || Needs example<br />
|-<br />
| krb5_get_default_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_default_realm.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_error_message [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_error_message.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_host_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_host_realm.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_credentials [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_credentials.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_fallback_host_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_fallback_host_realm.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_keytab [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_keytab.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_alloc [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_alloc.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_free [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_free.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_get_fast_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_get_fast_flags.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_init [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_init.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_address_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_address_list.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_anonymous [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_anonymous.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_canonicalize [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_canonicalize.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_change_password_prompt [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_etype_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_etype_list.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_expire_callback [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_expire_callback.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_flags.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_forwardable [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_forwardable.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_out_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_out_ccache.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_pa [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_pa.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_preauth_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_preauth_list.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_proxiable [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_proxiable.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_renew_life [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_renew_life.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_salt [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_salt.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_tkt_life [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_tkt_life.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_password.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_profile [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_profile.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_prompt_types [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_prompt_types.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_renewed_creds [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_renewed_creds.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_validated_creds [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_validated_creds.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_init_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_init_context.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_init_secure_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_init_secure_context.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_is_config_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_is_config_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_is_thread_safe [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_is_thread_safe.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_close [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_close.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_kt_default [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_default.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_default_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_default_name.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_get_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_get_name.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_get_type [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_get_type.html] || ZT ||GH || ||<br />
|-<br />
| krb5_kt_resolve [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_resolve.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_kuserok [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kuserok.html] || ZT ||GH || ||<br />
|-<br />
| krb5_parse_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_parse_name.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_parse_name_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_parse_name_flags.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_principal_compare [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_principal_compare_any_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare_any_realm.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_principal_compare_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare_flags.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_prompter_posix [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_prompter_posix.html]|| ZT||GH || ||<br />
|-<br />
| krb5_realm_compare [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_realm_compare.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_recvauth [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_recvauth.html]||ZT ||GH || ||<br />
|-<br />
| krb5_recvauth_version [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_recvauth_version.html] ||ZT ||GH || ||<br />
|-<br />
| krb5_set_default_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_default_realm.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_set_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_password.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_set_password_using_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_password_using_ccache.html] || ZT ||GH || ||<br />
|-<br />
| krb5_set_principal_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_principal_realm.html] || ZT || GH|| ||<br />
|-<br />
| krb5_set_trace_callback [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_trace_callback.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_set_trace_filename [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_trace_filename.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_sname_to_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_sname_to_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_unparse_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_unparse_name_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_ext.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_unparse_name_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_flags.html] || ZT || GH|| ||<br />
|-<br />
| krb5_unparse_name_flags_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_flags_ext.html] || ZT ||GH || ||<br />
|-<br />
| krb5_us_timeofday [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_us_timeofday.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_verify_authdata_kdc_issued [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_verify_authdata_kdc_issued.html]|| ZT || GH|| ||<br />
|-<br />
|}<br />
<br />
== Abbreviations ==<br />
<br />
{| class="wikitable"<br />
|+ <br />
|-<br />
! abbreviation<br />
! full names?<br />
|-<br />
|-<br />
| GH || Greg Hudson<br />
|-<br />
| KR || Ken Raeburn<br />
|-<br />
| MIT || MITKC group<br />
|-<br />
| TY|| Tom Yu<br />
|-<br />
| ZT || Zhanna Tsitkova<br />
|-<br />
|}</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&diff=4316Projects/Documentation Tasks2011-11-08T19:33:27Z<p>Hardjono: /* Administration */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Purpose ==<br />
<br />
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.<br />
<br />
<br />
<br />
{| class="wikitable"<br />
|+ Matrix of Document-Type VS Intended Readership<br />
|-<br />
! Doc-type/Reader<br />
! Architectural Guide<br />
! Setup & Config of Kerberos<br />
! Admin & Operations of Kerberos<br />
! Custom Build<br />
! API Description<br />
! API Details<br />
|-<br />
|-<br />
| End-users || || || || || ||<br />
|-<br />
| Architects || || || || || ||<br />
|-<br />
|System Admins || || || || || ||<br />
|-<br />
|Application Developers || || || || || ||<br />
|-<br />
|GSSAPI Developers || || || || || ||<br />
|-<br />
|Kerberos Developers || || || || || ||<br />
|}<br />
<br />
<br />
== Application development ==<br />
<br />
{| class="wikitable"<br />
|+ <br />
|-<br />
! task<br />
! Proposed Author<br />
! Target Date<br />
! Reviewer<br />
! Reviewer Comments<br />
|-<br />
|-<br />
| Designing a new protocol, or extending existing one, to use GSS-API || || || ||<br />
|-<br />
| Choosing security API|| || || ||<br />
|-<br />
| <ul><li> GSS-API vs SASL vs KRB5 </ul>|| || || ||<br />
|-<br />
| <ul><li> A guide to the similarities and differences between Heimdal and MIT Kerberos API </ul>|| || || ||<br />
|-<br />
| GSS-API || || || ||<br />
|-<br />
| <ul><li> A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues</ul>|| || || ||<br />
|-<br />
| <ul><li> How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is </ul>|| || || ||<br />
|-<br />
| <ul><li> How to write mechanism-independent GSS-API code</ul>|| || || ||<br />
|-<br />
| <ul><li> Acceptor naming - How to get servers to use any key in a keytab</ul>|| GH|| || ||<br />
|-<br />
| <ul><li> A guide to GSS-API naming as compared to Kerberos principal naming</ul>|| || || ||<br />
|-<br />
| <ul><li> Using IAKERB</ul>|| || || ||<br />
|-<br />
| <ul><li> Anonymous credentials</ul>|| || || ||<br />
|-<br />
| <ul><li> Delegating credentials</ul>|| MIT || || ||<br />
|-<br />
| <ul><li> Available extensions</ul>|| || || ||<br />
|-<br />
| <ul><li> Thread safety</ul>|| KR || || ||<br />
|-<br />
| <ul><li> Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || ||<br />
|-<br />
| Developing plugins|| GH || || ||<br />
|-<br />
| <ul><li> A guide to developing plugins </ul>|| || || ||<br />
|-<br />
| <ul><li>Overview of existing pluggable interfaces </ul>|| || || ||<br />
|-<br />
| Krb5 library guide|| || || ||<br />
|-<br />
| <ul><li> A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential</ul>|| TY || || ||<br />
|-<br />
| <ul><li> Kerberos prompter behavior</ul>|| || || ||<br />
|-<br />
| <ul><li> An introduction to ticket caches and keytabs and their corresponding APIs </ul>|| KR || || ||<br />
|-<br />
| <ul><li> An advanced guide to the pre-auth mechanisms, FAST</ul>|| || || ||<br />
|-<br />
| <ul><li> An advanced guide to the principal manipulation and parsing</ul>|| TY || || ||<br />
|-<br />
| <ul><li> Thread safety</ul>|| KR || || ||<br />
|-<br />
| <ul><li> Password change including the automatic internal support for password change on expired passwords if a prompter is provided</ul>|| || || ||<br />
|-<br />
| <ul><li> krb5_appdefault_* functions and their alternatives </ul>|| || || ||<br />
|-<br />
| MIT Kerberos features : quick facts || ZT || || || ongoing<br />
|-<br />
| How to build Kerberos from source || ZT || || || ready for review<br />
|-<br />
|}<br />
<br />
== Administration ==<br />
<br />
{| class="wikitable"<br />
|+ <br />
|-<br />
! task<br />
! Proposed Author<br />
! Target Date<br />
! Reviewer<br />
! Reviewer Comments<br />
|-<br />
|-<br />
|Setting a new realm|| || || ||<br />
|-<br />
|<ul><li>Choosing backend: LDAP vs DB2</ul>|| || || ||<br />
|-<br />
|<ul><li>Replication</ul>|| ZT|| || ||ready for review<br />
|-<br />
|<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| ZT|| || ||<br />
|-<br />
| Integration Kerberos with Login System|| || || ||<br />
|-<br />
| <ul><li> Difference between real Kerberos authentication, Kerberos password verification on the server side, and "LDAP authentication" in a Kerberos environment</ul>|| || || ||<br />
|-<br />
| <ul><li> Validating Kerberos tickets</ul>|| || || ||<br />
|-<br />
| <ul><li> Clear text password over HTTPS </ul>|| || || ||<br />
|-<br />
| <ul><li> Configuring with pam_krb5 module</ul>|| || || ||<br />
|-<br />
| <ul><li> Storing/locating keytab</ul>|| || || ||<br />
|-<br />
| Cross-realm|| || || ||<br />
|-<br />
| <ul><li>cross-realm interaction with AD </ul>|| || || ||<br />
|-<br />
| <ul><li> Transitive trust</ul>|| || || ||<br />
|-<br />
| <ul><li> Referrals</ul>|| || || ||<br />
|-<br />
| Performance|| || || ||<br />
|-<br />
| <ul><li> Performance tuning tips</ul>|| || || ||<br />
|-<br />
| <ul><li> Performance tradeoffs</ul>|| || || ||<br />
|-<br />
| kadmin interface|| || || ||<br />
|-<br />
| <ul><li> Keying workstation/ host key setting</ul>|| || || ||<br />
|-<br />
| Using Smartcard with PKINIT|| || || ||<br />
|-<br />
| Kerberized ssh|| || || ||<br />
|-<br />
| <ul><li> Configuration</ul>|| || || ||<br />
|-<br />
| <ul><li>Cross-realm and ssh</ul>|| || || ||<br />
|-<br />
| Selecting and configuring plugins|| GH || || ||<br />
|-<br />
| Anonymity support|| || || ||<br />
|-<br />
| A guide to principal naming basics and structure|| || || ||<br />
|-<br />
| Troubleshooting|| || || ||<br />
|-<br />
| <ul><li>Troubleshooting errors</ul> || ZT || || || ongoing<br />
|-<br />
| <ul><li>Trace logging</ul>||GH || || ||<br />
|-<br />
| <ul><li>Realm renaming </ul>|| || || ||<br />
|-<br />
| Using LDAP server for Kerberos backend|| ZT || ||Ubuntu 10.4 (lucid)|| <br />
|-<br />
|}<br />
<br />
== API documentation ==<br />
<br />
===Most commonly used API functions (in alphabetical order)===<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - Highest priority<br />
|-<br />
! API<br />
! who writes?<br />
! who reviews?<br />
! reviewed?<br />
! comments<br />
|-<br />
|-<br />
| krb5_build_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal.html]|| ZT || GH|| ||<br />
|-<br />
|krb5_build_principal_alloc_va [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal_alloc_va.html] || ZT || GH|| ||<br />
|-<br />
| krb5_build_principal_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal_ext.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_cc_close [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_close.html] ||ZT ||GH || ||<br />
|-<br />
| krb5_cc_default [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_default.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_default_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_default_name.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_destroy [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_destroy.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_dup [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_dup.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_get_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_name.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_cc_get_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_cc_get_type [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_type.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_cc_initialize [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_initialize.html]|| ZT||GH || ||<br />
|-<br />
| krb5_cc_new_unique [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_new_unique.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_resolve [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_resolve.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_change_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_change_password.html]|| ZT||GH || ||<br />
|-<br />
| krb5_free_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_context.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_free_error_message [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_error_message.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_free_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_fwd_tgt_cred [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_fwd_tgt_cred.html]|| ZT || GH|| || Needs example<br />
|-<br />
| krb5_get_default_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_default_realm.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_error_message [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_error_message.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_host_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_host_realm.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_credentials [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_credentials.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_fallback_host_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_fallback_host_realm.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_keytab [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_keytab.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_alloc [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_alloc.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_free [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_free.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_get_fast_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_get_fast_flags.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_init [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_init.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_address_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_address_list.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_anonymous [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_anonymous.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_canonicalize [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_canonicalize.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_change_password_prompt [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_etype_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_etype_list.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_expire_callback [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_expire_callback.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_flags.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_forwardable [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_forwardable.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_out_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_out_ccache.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_pa [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_pa.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_preauth_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_preauth_list.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_proxiable [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_proxiable.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_renew_life [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_renew_life.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_salt [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_salt.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_tkt_life [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_tkt_life.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_password.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_profile [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_profile.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_prompt_types [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_prompt_types.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_renewed_creds [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_renewed_creds.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_validated_creds [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_validated_creds.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_init_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_init_context.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_init_secure_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_init_secure_context.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_is_config_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_is_config_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_is_thread_safe [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_is_thread_safe.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_close [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_close.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_kt_default [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_default.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_default_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_default_name.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_get_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_get_name.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_get_type [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_get_type.html] || ZT ||GH || ||<br />
|-<br />
| krb5_kt_resolve [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_resolve.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_kuserok [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kuserok.html] || ZT ||GH || ||<br />
|-<br />
| krb5_parse_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_parse_name.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_parse_name_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_parse_name_flags.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_principal_compare [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_principal_compare_any_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare_any_realm.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_principal_compare_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare_flags.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_prompter_posix [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_prompter_posix.html]|| ZT||GH || ||<br />
|-<br />
| krb5_realm_compare [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_realm_compare.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_recvauth [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_recvauth.html]||ZT ||GH || ||<br />
|-<br />
| krb5_recvauth_version [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_recvauth_version.html] ||ZT ||GH || ||<br />
|-<br />
| krb5_set_default_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_default_realm.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_set_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_password.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_set_password_using_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_password_using_ccache.html] || ZT ||GH || ||<br />
|-<br />
| krb5_set_principal_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_principal_realm.html] || ZT || GH|| ||<br />
|-<br />
| krb5_set_trace_callback [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_trace_callback.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_set_trace_filename [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_trace_filename.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_sname_to_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_sname_to_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_unparse_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_unparse_name_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_ext.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_unparse_name_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_flags.html] || ZT || GH|| ||<br />
|-<br />
| krb5_unparse_name_flags_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_flags_ext.html] || ZT ||GH || ||<br />
|-<br />
| krb5_us_timeofday [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_us_timeofday.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_verify_authdata_kdc_issued [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_verify_authdata_kdc_issued.html]|| ZT || GH|| ||<br />
|-<br />
|}<br />
<br />
== Abbreviations ==<br />
<br />
{| class="wikitable"<br />
|+ <br />
|-<br />
! abbreviation<br />
! full names?<br />
|-<br />
|-<br />
| GH || Greg Hudson<br />
|-<br />
| KR || Ken Raeburn<br />
|-<br />
| MIT || MITKC group<br />
|-<br />
| TY|| Tom Yu<br />
|-<br />
| ZT || Zhanna Tsitkova<br />
|-<br />
|}</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&diff=4315Projects/Documentation Tasks2011-11-08T16:29:24Z<p>Hardjono: /* Application development */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Purpose ==<br />
<br />
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.<br />
<br />
<br />
<br />
{| class="wikitable"<br />
|+ Matrix of Document-Type VS Intended Readership<br />
|-<br />
! Doc-type/Reader<br />
! Architectural Guide<br />
! Setup & Config of Kerberos<br />
! Admin & Operations of Kerberos<br />
! Custom Build<br />
! API Description<br />
! API Details<br />
|-<br />
|-<br />
| End-users || || || || || ||<br />
|-<br />
| Architects || || || || || ||<br />
|-<br />
|System Admins || || || || || ||<br />
|-<br />
|Application Developers || || || || || ||<br />
|-<br />
|GSSAPI Developers || || || || || ||<br />
|-<br />
|Kerberos Developers || || || || || ||<br />
|}<br />
<br />
<br />
== Application development ==<br />
<br />
{| class="wikitable"<br />
|+ <br />
|-<br />
! task<br />
! Proposed Author<br />
! Target Date<br />
! Reviewer<br />
! Reviewer Comments<br />
|-<br />
|-<br />
| Designing a new protocol, or extending existing one, to use GSS-API || || || ||<br />
|-<br />
| Choosing security API|| || || ||<br />
|-<br />
| <ul><li> GSS-API vs SASL vs KRB5 </ul>|| || || ||<br />
|-<br />
| <ul><li> A guide to the similarities and differences between Heimdal and MIT Kerberos API </ul>|| || || ||<br />
|-<br />
| GSS-API || || || ||<br />
|-<br />
| <ul><li> A basic introduction to GSS-API, making use of the sample client and server, with special attention paid to Kerberos-related GSS-API issues</ul>|| || || ||<br />
|-<br />
| <ul><li> How to tell the GSS-API library on the client side where the existing Kerberos ticket cache is </ul>|| || || ||<br />
|-<br />
| <ul><li> How to write mechanism-independent GSS-API code</ul>|| || || ||<br />
|-<br />
| <ul><li> Acceptor naming - How to get servers to use any key in a keytab</ul>|| GH|| || ||<br />
|-<br />
| <ul><li> A guide to GSS-API naming as compared to Kerberos principal naming</ul>|| || || ||<br />
|-<br />
| <ul><li> Using IAKERB</ul>|| || || ||<br />
|-<br />
| <ul><li> Anonymous credentials</ul>|| || || ||<br />
|-<br />
| <ul><li> Delegating credentials</ul>|| MIT || || ||<br />
|-<br />
| <ul><li> Available extensions</ul>|| || || ||<br />
|-<br />
| <ul><li> Thread safety</ul>|| KR || || ||<br />
|-<br />
| <ul><li> Validating the flags set on the connection to ensure things like mutual authentication, confidentiality, integrity, replay protection, and sequence protection</ul>|| || || ||<br />
|-<br />
| Developing plugins|| GH || || ||<br />
|-<br />
| <ul><li> A guide to developing plugins </ul>|| || || ||<br />
|-<br />
| <ul><li>Overview of existing pluggable interfaces </ul>|| || || ||<br />
|-<br />
| Krb5 library guide|| || || ||<br />
|-<br />
| <ul><li> A more advanced introduction to using the Kerberos libraries for initial authentication, focusing on the authentication steps, validating initial credential</ul>|| TY || || ||<br />
|-<br />
| <ul><li> Kerberos prompter behavior</ul>|| || || ||<br />
|-<br />
| <ul><li> An introduction to ticket caches and keytabs and their corresponding APIs </ul>|| KR || || ||<br />
|-<br />
| <ul><li> An advanced guide to the pre-auth mechanisms, FAST</ul>|| || || ||<br />
|-<br />
| <ul><li> An advanced guide to the principal manipulation and parsing</ul>|| TY || || ||<br />
|-<br />
| <ul><li> Thread safety</ul>|| KR || || ||<br />
|-<br />
| <ul><li> Password change including the automatic internal support for password change on expired passwords if a prompter is provided</ul>|| || || ||<br />
|-<br />
| <ul><li> krb5_appdefault_* functions and their alternatives </ul>|| || || ||<br />
|-<br />
| MIT Kerberos features : quick facts || ZT || || || ongoing<br />
|-<br />
| How to build Kerberos from source || ZT || || || ready for review<br />
|-<br />
|}<br />
<br />
== Administration ==<br />
<br />
{| class="wikitable"<br />
|+ <br />
|-<br />
! task<br />
! who writes/due date<br />
! who reviews/due date<br />
! comments<br />
! status<br />
|-<br />
|-<br />
|Setting a new realm|| || || ||<br />
|-<br />
|<ul><li>Choosing backend: LDAP vs DB2</ul>|| || || ||<br />
|-<br />
|<ul><li>Replication</ul>|| ZT|| || ||ready for review<br />
|-<br />
|<ul><li> DNS configuration and SRV records - how they are used, in what order</ul>|| ZT|| || ||<br />
|-<br />
| Integration Kerberos with Login System|| || || ||<br />
|-<br />
| <ul><li> Difference between real Kerberos authentication, Kerberos password verification on the server side, and "LDAP authentication" in a Kerberos environment</ul>|| || || ||<br />
|-<br />
| <ul><li> Validating Kerberos tickets</ul>|| || || ||<br />
|-<br />
| <ul><li> Clear text password over HTTPS </ul>|| || || ||<br />
|-<br />
| <ul><li> Configuring with pam_krb5 module</ul>|| || || ||<br />
|-<br />
| <ul><li> Storing/locating keytab</ul>|| || || ||<br />
|-<br />
| Cross-realm|| || || ||<br />
|-<br />
| <ul><li>cross-realm interaction with AD </ul>|| || || ||<br />
|-<br />
| <ul><li> Transitive trust</ul>|| || || ||<br />
|-<br />
| <ul><li> Referrals</ul>|| || || ||<br />
|-<br />
| Performance|| || || ||<br />
|-<br />
| <ul><li> Performance tuning tips</ul>|| || || ||<br />
|-<br />
| <ul><li> Performance tradeoffs</ul>|| || || ||<br />
|-<br />
| kadmin interface|| || || ||<br />
|-<br />
| <ul><li> Keying workstation/ host key setting</ul>|| || || ||<br />
|-<br />
| Using Smartcard with PKINIT|| || || ||<br />
|-<br />
| Kerberized ssh|| || || ||<br />
|-<br />
| <ul><li> Configuration</ul>|| || || ||<br />
|-<br />
| <ul><li>Cross-realm and ssh</ul>|| || || ||<br />
|-<br />
| Selecting and configuring plugins|| GH || || ||<br />
|-<br />
| Anonymity support|| || || ||<br />
|-<br />
| A guide to principal naming basics and structure|| || || ||<br />
|-<br />
| Troubleshooting|| || || ||<br />
|-<br />
| <ul><li>Troubleshooting errors</ul> || ZT || || || ongoing<br />
|-<br />
| <ul><li>Trace logging</ul>||GH || || ||<br />
|-<br />
| <ul><li>Realm renaming </ul>|| || || ||<br />
|-<br />
| Using LDAP server for Kerberos backend|| ZT || ||Ubuntu 10.4 (lucid)|| <br />
|-<br />
|}<br />
<br />
<br />
== API documentation ==<br />
<br />
===Most commonly used API functions (in alphabetical order)===<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - Highest priority<br />
|-<br />
! API<br />
! who writes?<br />
! who reviews?<br />
! reviewed?<br />
! comments<br />
|-<br />
|-<br />
| krb5_build_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal.html]|| ZT || GH|| ||<br />
|-<br />
|krb5_build_principal_alloc_va [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal_alloc_va.html] || ZT || GH|| ||<br />
|-<br />
| krb5_build_principal_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_build_principal_ext.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_cc_close [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_close.html] ||ZT ||GH || ||<br />
|-<br />
| krb5_cc_default [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_default.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_default_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_default_name.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_destroy [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_destroy.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_dup [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_dup.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_get_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_name.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_cc_get_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_cc_get_type [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_get_type.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_cc_initialize [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_initialize.html]|| ZT||GH || ||<br />
|-<br />
| krb5_cc_new_unique [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_new_unique.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_cc_resolve [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_cc_resolve.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_change_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_change_password.html]|| ZT||GH || ||<br />
|-<br />
| krb5_free_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_context.html]|| ZT|| GH|| ||<br />
|-<br />
| krb5_free_error_message [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_error_message.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_free_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_free_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_fwd_tgt_cred [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_fwd_tgt_cred.html]|| ZT || GH|| || Needs example<br />
|-<br />
| krb5_get_default_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_default_realm.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_error_message [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_error_message.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_host_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_host_realm.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_credentials [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_credentials.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_fallback_host_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_fallback_host_realm.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_keytab [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_keytab.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_alloc [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_alloc.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_free [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_free.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_get_fast_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_get_fast_flags.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_init [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_init.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_address_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_address_list.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_anonymous [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_anonymous.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_canonicalize [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_canonicalize.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_change_password_prompt [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_etype_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_etype_list.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_expire_callback [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_expire_callback.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_fast_flags.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_forwardable [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_forwardable.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_out_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_out_ccache.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_pa [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_pa.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_preauth_list [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_preauth_list.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_proxiable [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_proxiable.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_renew_life [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_renew_life.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_init_creds_opt_set_salt [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_salt.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_tkt_life [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_opt_set_tkt_life.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_init_creds_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_init_creds_password.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_profile [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_profile.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_prompt_types [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_prompt_types.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_get_renewed_creds [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_renewed_creds.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_get_validated_creds [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_get_validated_creds.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_init_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_init_context.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_init_secure_context [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_init_secure_context.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_is_config_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_is_config_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_is_thread_safe [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_is_thread_safe.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_close [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_close.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_kt_default [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_default.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_default_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_default_name.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_get_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_get_name.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_kt_get_type [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_get_type.html] || ZT ||GH || ||<br />
|-<br />
| krb5_kt_resolve [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kt_resolve.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_kuserok [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_kuserok.html] || ZT ||GH || ||<br />
|-<br />
| krb5_parse_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_parse_name.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_parse_name_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_parse_name_flags.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_principal_compare [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_principal_compare_any_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare_any_realm.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_principal_compare_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_principal_compare_flags.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_prompter_posix [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_prompter_posix.html]|| ZT||GH || ||<br />
|-<br />
| krb5_realm_compare [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_realm_compare.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_recvauth [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_recvauth.html]||ZT ||GH || ||<br />
|-<br />
| krb5_recvauth_version [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_recvauth_version.html] ||ZT ||GH || ||<br />
|-<br />
| krb5_set_default_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_default_realm.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_set_password [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_password.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_set_password_using_ccache [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_password_using_ccache.html] || ZT ||GH || ||<br />
|-<br />
| krb5_set_principal_realm [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_principal_realm.html] || ZT || GH|| ||<br />
|-<br />
| krb5_set_trace_callback [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_trace_callback.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_set_trace_filename [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_set_trace_filename.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_sname_to_principal [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_sname_to_principal.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_unparse_name [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_unparse_name_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_ext.html]|| ZT ||GH || ||<br />
|-<br />
| krb5_unparse_name_flags [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_flags.html] || ZT || GH|| ||<br />
|-<br />
| krb5_unparse_name_flags_ext [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_unparse_name_flags_ext.html] || ZT ||GH || ||<br />
|-<br />
| krb5_us_timeofday [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_us_timeofday.html]|| ZT || GH|| ||<br />
|-<br />
| krb5_verify_authdata_kdc_issued [http://web.mit.edu/tsitkova/www/build/refs/api/krb5_verify_authdata_kdc_issued.html]|| ZT || GH|| ||<br />
|-<br />
|}<br />
<br />
== Abbreviations ==<br />
<br />
{| class="wikitable"<br />
|+ <br />
|-<br />
! abbreviation<br />
! full names?<br />
|-<br />
|-<br />
| GH || Greg Hudson<br />
|-<br />
| KR || Ken Raeburn<br />
|-<br />
| MIT || MITKC group<br />
|-<br />
| TY|| Tom Yu<br />
|-<br />
| ZT || Zhanna Tsitkova<br />
|-<br />
|}</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Release_1.10&diff=3864Release 1.102011-05-19T15:17:02Z<p>Hardjono: </p>
<hr />
<div>== Timeline ==<br />
<br />
This is only an approximate timeline.<br />
<br />
* Jul. 2010 -- make release branch<br />
* Oct. 2010 -- final release<br />
<br />
== Goals ==<br />
<br />
* Kernel / user split (for NFS, etc.): Add build infrastructure demonstrating and testing a message-processing subset of the gss-krb5 mechanism suitable for kernel filesystems.<br />
* Localization: Create infrastructure for localization of client user interface messages using gettext.<br />
* Improve API documentation: Create documentation for the libkrb5 API.<br />
* Selective refactoring of KDC (to support libKDC etc.): Reorganize parts of the KDC code for improved modularity and maintainability.<br />
* Pluggable configuration back-end: Allow applications and integrators to override krb5.conf as the source of krb5 configuration data.<br />
* Credential selection: Add a facility to select between credentials for different Kerberos identities based on the service being contacted. (This will be confirmed).<br />
* Referrals: Finish implementation following IETF updates.<br />
* PKINIT hash agility: Allow PKINIT to use newer hash algorithms than SHA-1.</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&diff=3775Projects/Documentation Tasks2011-01-13T17:14:21Z<p>Hardjono: /* API documentation */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Purpose ==<br />
<br />
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.<br />
<br />
=== API documentation ===<br />
<br />
{| class="wikitable"<br />
|+ Matrix of Document-Type VS Intended Readership<br />
|-<br />
! Doc-type/Reader<br />
! Architectural Guide<br />
! Setup & Config of Kerberos<br />
! Admin & Operations of Kerberos<br />
! Custom Build<br />
! API Description<br />
! API Details<br />
|-<br />
|-<br />
| End-users || || || || || || ||<br />
|-<br />
| Architects || || || || || || ||<br />
|-<br />
|System Admins || || || || || || ||<br />
|-<br />
|Application Developers || || || || || || ||<br />
|-<br />
|GSSAPI Developers || || || || || || ||<br />
|-<br />
|Kerberos Developers || || || || || || ||<br />
|}<br />
<br />
<br />
<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - most commonly used API functions (in alphabetical order)<br />
|-<br />
! API<br />
! who writes?<br />
! who reviews?<br />
! reviewed?<br />
! comments<br />
|-<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
|krb5_build_principal_alloc_val || || || || ||<br />
|-<br />
| krb5_build_principal_ext || || || || ||<br />
|-<br />
| krb5_cc_close || || || || ||<br />
|-<br />
| krb5_cc_default || || || || ||<br />
|-<br />
| krb5_cc_default_name || || || || ||<br />
|-<br />
| krb5_cc_destroy || || || || ||<br />
|-<br />
| krb5_cc_dup || || || || ||<br />
|-<br />
| krb5_cc_get_name || || || || ||<br />
|-<br />
| krb5_cc_get_principal || || || || ||<br />
|-<br />
| krb5_cc_get_type || || || || ||<br />
|-<br />
| krb5_cc_initialize || || || || ||<br />
|-<br />
| krb5_cc_new_unique || || || || ||<br />
|-<br />
| krb5_cc_resolve || || || || ||<br />
|-<br />
| krb5_change_password || || || || ||<br />
|-<br />
| krb5_free_context || || || || ||<br />
|-<br />
| krb5_free_error_message || || || || ||<br />
|-<br />
| krb5_free_principal || || || || ||<br />
|-<br />
| krb5_fwd_tgt_cred || || || || ||<br />
|-<br />
| krb5_get_default_realm || || || || ||<br />
|-<br />
| krb5_get_error_message || || || || ||<br />
|-<br />
| krb5_get_host_realm || || || || ||<br />
|-<br />
| krb5_get_credentials || || || || ||<br />
|-<br />
| krb5_get_fallback_host_realm || || || || ||<br />
|-<br />
| krb5_get_init_creds_keytab || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_alloc || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_free || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_get_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_init || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_address_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_anonymous || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_canonicalize || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_change_password_prompt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_etype_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_expire_callback || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache_name || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_forwardable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_out_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_pa || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_preauth_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_proxiable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_renew_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_salt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_tkt_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_password || || || || ||<br />
|-<br />
| krb5_get_profile || || || || ||<br />
|-<br />
| krb5_get_prompt_types || || || || ||<br />
|-<br />
| krb5_get_renewed_creds || || || || ||<br />
|-<br />
| krb5_get_validated_creds || || || || ||<br />
|-<br />
| krb5_init_context || || || || ||<br />
|-<br />
| krb5_init_secure_context || || || || ||<br />
|-<br />
| krb5_is_config_principal || || || || ||<br />
|-<br />
| krb5_is_thread_safe || || || || ||<br />
|-<br />
| krb5_kt_close || || || || ||<br />
|-<br />
| krb5_kt_default || || || || ||<br />
|-<br />
| krb5_kt_default_name || || || || ||<br />
|-<br />
| krb5_kt_get_name || || || || ||<br />
|-<br />
| krb5_kt_get_type || || || || ||<br />
|-<br />
| krb5_kt_resolve || || || || ||<br />
|-<br />
| krb5_kuserok || || || || ||<br />
|-<br />
| krb5_parse_name || || || || ||<br />
|-<br />
| krb5_parse_name_flags || || || || ||<br />
|-<br />
| krb5_principal_compare || || || || ||<br />
|-<br />
| krb5_principal_compare_any_realm || || || || ||<br />
|-<br />
| krb5_principal_compare_flags || || || || ||<br />
|-<br />
| krb5_prompter_posix || || || || ||<br />
|-<br />
| krb5_realm_compare || || || || ||<br />
|-<br />
| krb5_recvauth || || || || ||<br />
|-<br />
| krb5_recvauth_version || || || || ||<br />
|-<br />
| krb5_set_default_realm || || || || ||<br />
|-<br />
| krb5_set_password || || || || ||<br />
|-<br />
| krb5_set_password_using_ccache || || || || ||<br />
|-<br />
| krb5_set_principal_realm || || || || ||<br />
|-<br />
| krb5_set_trace_callback || || || || ||<br />
|-<br />
| krb5_set_trace_filename || || || || ||<br />
|-<br />
| krb5_sname_to_principal || || || || ||<br />
|-<br />
| krb5_unparse_name || || || || ||<br />
|-<br />
| krb5_unparse_name_ext || || || || ||<br />
|-<br />
| krb5_unparse_name_flags || || || || ||<br />
|-<br />
| krb5_unparse_name_flags_ext || || || || ||<br />
|-<br />
| krb5_us_timeofday || || || || ||<br />
|-<br />
| krb5_verify_authdata_kdc_issued || || || || ||<br />
|-<br />
|}</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&diff=3774Projects/Documentation Tasks2011-01-13T17:13:45Z<p>Hardjono: /* API documentation */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Purpose ==<br />
<br />
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.<br />
<br />
=== API documentation ===<br />
<br />
{| class="wikitable"<br />
|+ Matrix of Document-Type VS Intended Readership<br />
|-<br />
! Doc-type/Reader<br />
! Architectural Guide<br />
! Setup and Config of Kerberos<br />
! Admin & Operations of Kerberos<br />
! Custom Build<br />
! API Description<br />
! API Details<br />
|-<br />
|-<br />
| End-users || || || || || || ||<br />
|-<br />
| Architects || || || || || || ||<br />
|-<br />
|Sys Admins || || || || || || ||<br />
|-<br />
|Application Developers || || || || || || ||<br />
|-<br />
|GSSAPI Developers || || || || || || ||<br />
|-<br />
|Kerberos Developers || || || || || || ||<br />
|}<br />
<br />
<br />
<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - most commonly used API functions (in alphabetical order)<br />
|-<br />
! API<br />
! who writes?<br />
! who reviews?<br />
! reviewed?<br />
! comments<br />
|-<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
|krb5_build_principal_alloc_val || || || || ||<br />
|-<br />
| krb5_build_principal_ext || || || || ||<br />
|-<br />
| krb5_cc_close || || || || ||<br />
|-<br />
| krb5_cc_default || || || || ||<br />
|-<br />
| krb5_cc_default_name || || || || ||<br />
|-<br />
| krb5_cc_destroy || || || || ||<br />
|-<br />
| krb5_cc_dup || || || || ||<br />
|-<br />
| krb5_cc_get_name || || || || ||<br />
|-<br />
| krb5_cc_get_principal || || || || ||<br />
|-<br />
| krb5_cc_get_type || || || || ||<br />
|-<br />
| krb5_cc_initialize || || || || ||<br />
|-<br />
| krb5_cc_new_unique || || || || ||<br />
|-<br />
| krb5_cc_resolve || || || || ||<br />
|-<br />
| krb5_change_password || || || || ||<br />
|-<br />
| krb5_free_context || || || || ||<br />
|-<br />
| krb5_free_error_message || || || || ||<br />
|-<br />
| krb5_free_principal || || || || ||<br />
|-<br />
| krb5_fwd_tgt_cred || || || || ||<br />
|-<br />
| krb5_get_default_realm || || || || ||<br />
|-<br />
| krb5_get_error_message || || || || ||<br />
|-<br />
| krb5_get_host_realm || || || || ||<br />
|-<br />
| krb5_get_credentials || || || || ||<br />
|-<br />
| krb5_get_fallback_host_realm || || || || ||<br />
|-<br />
| krb5_get_init_creds_keytab || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_alloc || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_free || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_get_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_init || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_address_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_anonymous || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_canonicalize || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_change_password_prompt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_etype_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_expire_callback || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache_name || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_forwardable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_out_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_pa || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_preauth_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_proxiable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_renew_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_salt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_tkt_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_password || || || || ||<br />
|-<br />
| krb5_get_profile || || || || ||<br />
|-<br />
| krb5_get_prompt_types || || || || ||<br />
|-<br />
| krb5_get_renewed_creds || || || || ||<br />
|-<br />
| krb5_get_validated_creds || || || || ||<br />
|-<br />
| krb5_init_context || || || || ||<br />
|-<br />
| krb5_init_secure_context || || || || ||<br />
|-<br />
| krb5_is_config_principal || || || || ||<br />
|-<br />
| krb5_is_thread_safe || || || || ||<br />
|-<br />
| krb5_kt_close || || || || ||<br />
|-<br />
| krb5_kt_default || || || || ||<br />
|-<br />
| krb5_kt_default_name || || || || ||<br />
|-<br />
| krb5_kt_get_name || || || || ||<br />
|-<br />
| krb5_kt_get_type || || || || ||<br />
|-<br />
| krb5_kt_resolve || || || || ||<br />
|-<br />
| krb5_kuserok || || || || ||<br />
|-<br />
| krb5_parse_name || || || || ||<br />
|-<br />
| krb5_parse_name_flags || || || || ||<br />
|-<br />
| krb5_principal_compare || || || || ||<br />
|-<br />
| krb5_principal_compare_any_realm || || || || ||<br />
|-<br />
| krb5_principal_compare_flags || || || || ||<br />
|-<br />
| krb5_prompter_posix || || || || ||<br />
|-<br />
| krb5_realm_compare || || || || ||<br />
|-<br />
| krb5_recvauth || || || || ||<br />
|-<br />
| krb5_recvauth_version || || || || ||<br />
|-<br />
| krb5_set_default_realm || || || || ||<br />
|-<br />
| krb5_set_password || || || || ||<br />
|-<br />
| krb5_set_password_using_ccache || || || || ||<br />
|-<br />
| krb5_set_principal_realm || || || || ||<br />
|-<br />
| krb5_set_trace_callback || || || || ||<br />
|-<br />
| krb5_set_trace_filename || || || || ||<br />
|-<br />
| krb5_sname_to_principal || || || || ||<br />
|-<br />
| krb5_unparse_name || || || || ||<br />
|-<br />
| krb5_unparse_name_ext || || || || ||<br />
|-<br />
| krb5_unparse_name_flags || || || || ||<br />
|-<br />
| krb5_unparse_name_flags_ext || || || || ||<br />
|-<br />
| krb5_us_timeofday || || || || ||<br />
|-<br />
| krb5_verify_authdata_kdc_issued || || || || ||<br />
|-<br />
|}</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&diff=3773Projects/Documentation Tasks2011-01-13T17:13:21Z<p>Hardjono: /* API documentation */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Purpose ==<br />
<br />
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.<br />
<br />
=== API documentation ===<br />
<br />
{| class="wikitable"<br />
|+ Matrix of Document-Type VS Intended Readership<br />
|-<br />
! Doc-type/Reader<br />
! Architectural Guide<br />
! Setup and Config of Kerberos<br />
! Admin & Operations of Kerberos<br />
! Custom Build<br />
! API Description<br />
|-<br />
|-<br />
| End-users || || || || || || ||<br />
|-<br />
| Architects || || || || || || ||<br />
|-<br />
|Sys Admins || || || || || || ||<br />
|-<br />
|Application Developers || || || || || || ||<br />
|-<br />
|GSSAPI Developers || || || || || || ||<br />
|-<br />
|Kerberos Developers || || || || || || ||<br />
|}<br />
<br />
<br />
<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - most commonly used API functions (in alphabetical order)<br />
|-<br />
! API<br />
! who writes?<br />
! who reviews?<br />
! reviewed?<br />
! comments<br />
|-<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
|krb5_build_principal_alloc_val || || || || ||<br />
|-<br />
| krb5_build_principal_ext || || || || ||<br />
|-<br />
| krb5_cc_close || || || || ||<br />
|-<br />
| krb5_cc_default || || || || ||<br />
|-<br />
| krb5_cc_default_name || || || || ||<br />
|-<br />
| krb5_cc_destroy || || || || ||<br />
|-<br />
| krb5_cc_dup || || || || ||<br />
|-<br />
| krb5_cc_get_name || || || || ||<br />
|-<br />
| krb5_cc_get_principal || || || || ||<br />
|-<br />
| krb5_cc_get_type || || || || ||<br />
|-<br />
| krb5_cc_initialize || || || || ||<br />
|-<br />
| krb5_cc_new_unique || || || || ||<br />
|-<br />
| krb5_cc_resolve || || || || ||<br />
|-<br />
| krb5_change_password || || || || ||<br />
|-<br />
| krb5_free_context || || || || ||<br />
|-<br />
| krb5_free_error_message || || || || ||<br />
|-<br />
| krb5_free_principal || || || || ||<br />
|-<br />
| krb5_fwd_tgt_cred || || || || ||<br />
|-<br />
| krb5_get_default_realm || || || || ||<br />
|-<br />
| krb5_get_error_message || || || || ||<br />
|-<br />
| krb5_get_host_realm || || || || ||<br />
|-<br />
| krb5_get_credentials || || || || ||<br />
|-<br />
| krb5_get_fallback_host_realm || || || || ||<br />
|-<br />
| krb5_get_init_creds_keytab || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_alloc || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_free || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_get_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_init || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_address_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_anonymous || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_canonicalize || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_change_password_prompt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_etype_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_expire_callback || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache_name || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_forwardable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_out_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_pa || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_preauth_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_proxiable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_renew_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_salt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_tkt_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_password || || || || ||<br />
|-<br />
| krb5_get_profile || || || || ||<br />
|-<br />
| krb5_get_prompt_types || || || || ||<br />
|-<br />
| krb5_get_renewed_creds || || || || ||<br />
|-<br />
| krb5_get_validated_creds || || || || ||<br />
|-<br />
| krb5_init_context || || || || ||<br />
|-<br />
| krb5_init_secure_context || || || || ||<br />
|-<br />
| krb5_is_config_principal || || || || ||<br />
|-<br />
| krb5_is_thread_safe || || || || ||<br />
|-<br />
| krb5_kt_close || || || || ||<br />
|-<br />
| krb5_kt_default || || || || ||<br />
|-<br />
| krb5_kt_default_name || || || || ||<br />
|-<br />
| krb5_kt_get_name || || || || ||<br />
|-<br />
| krb5_kt_get_type || || || || ||<br />
|-<br />
| krb5_kt_resolve || || || || ||<br />
|-<br />
| krb5_kuserok || || || || ||<br />
|-<br />
| krb5_parse_name || || || || ||<br />
|-<br />
| krb5_parse_name_flags || || || || ||<br />
|-<br />
| krb5_principal_compare || || || || ||<br />
|-<br />
| krb5_principal_compare_any_realm || || || || ||<br />
|-<br />
| krb5_principal_compare_flags || || || || ||<br />
|-<br />
| krb5_prompter_posix || || || || ||<br />
|-<br />
| krb5_realm_compare || || || || ||<br />
|-<br />
| krb5_recvauth || || || || ||<br />
|-<br />
| krb5_recvauth_version || || || || ||<br />
|-<br />
| krb5_set_default_realm || || || || ||<br />
|-<br />
| krb5_set_password || || || || ||<br />
|-<br />
| krb5_set_password_using_ccache || || || || ||<br />
|-<br />
| krb5_set_principal_realm || || || || ||<br />
|-<br />
| krb5_set_trace_callback || || || || ||<br />
|-<br />
| krb5_set_trace_filename || || || || ||<br />
|-<br />
| krb5_sname_to_principal || || || || ||<br />
|-<br />
| krb5_unparse_name || || || || ||<br />
|-<br />
| krb5_unparse_name_ext || || || || ||<br />
|-<br />
| krb5_unparse_name_flags || || || || ||<br />
|-<br />
| krb5_unparse_name_flags_ext || || || || ||<br />
|-<br />
| krb5_us_timeofday || || || || ||<br />
|-<br />
| krb5_verify_authdata_kdc_issued || || || || ||<br />
|-<br />
|}</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&diff=3772Projects/Documentation Tasks2011-01-13T17:12:46Z<p>Hardjono: /* API documentation */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Purpose ==<br />
<br />
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.<br />
<br />
=== API documentation ===<br />
<br />
{| class="wikitable"<br />
|+ Matrix of Document-Type VS Intended Readership<br />
|-<br />
! Architectural Guide<br />
! Setup and Config of Kerberos<br />
! Admin & Operations of Kerberos<br />
! Custom Build<br />
! API Description<br />
|-<br />
|-<br />
| End-users || || || || || || ||<br />
|-<br />
| Architects || || || || || || ||<br />
|-<br />
|Sys Admins || || || || || || ||<br />
|-<br />
|Application Developers || || || || || || ||<br />
|-<br />
|GSSAPI Developers || || || || || || ||<br />
|-<br />
|Kerberos Developers || || || || || || ||<br />
|}<br />
<br />
<br />
<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - most commonly used API functions (in alphabetical order)<br />
|-<br />
! API<br />
! who writes?<br />
! who reviews?<br />
! reviewed?<br />
! comments<br />
|-<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
|krb5_build_principal_alloc_val || || || || ||<br />
|-<br />
| krb5_build_principal_ext || || || || ||<br />
|-<br />
| krb5_cc_close || || || || ||<br />
|-<br />
| krb5_cc_default || || || || ||<br />
|-<br />
| krb5_cc_default_name || || || || ||<br />
|-<br />
| krb5_cc_destroy || || || || ||<br />
|-<br />
| krb5_cc_dup || || || || ||<br />
|-<br />
| krb5_cc_get_name || || || || ||<br />
|-<br />
| krb5_cc_get_principal || || || || ||<br />
|-<br />
| krb5_cc_get_type || || || || ||<br />
|-<br />
| krb5_cc_initialize || || || || ||<br />
|-<br />
| krb5_cc_new_unique || || || || ||<br />
|-<br />
| krb5_cc_resolve || || || || ||<br />
|-<br />
| krb5_change_password || || || || ||<br />
|-<br />
| krb5_free_context || || || || ||<br />
|-<br />
| krb5_free_error_message || || || || ||<br />
|-<br />
| krb5_free_principal || || || || ||<br />
|-<br />
| krb5_fwd_tgt_cred || || || || ||<br />
|-<br />
| krb5_get_default_realm || || || || ||<br />
|-<br />
| krb5_get_error_message || || || || ||<br />
|-<br />
| krb5_get_host_realm || || || || ||<br />
|-<br />
| krb5_get_credentials || || || || ||<br />
|-<br />
| krb5_get_fallback_host_realm || || || || ||<br />
|-<br />
| krb5_get_init_creds_keytab || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_alloc || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_free || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_get_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_init || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_address_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_anonymous || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_canonicalize || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_change_password_prompt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_etype_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_expire_callback || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache_name || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_forwardable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_out_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_pa || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_preauth_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_proxiable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_renew_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_salt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_tkt_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_password || || || || ||<br />
|-<br />
| krb5_get_profile || || || || ||<br />
|-<br />
| krb5_get_prompt_types || || || || ||<br />
|-<br />
| krb5_get_renewed_creds || || || || ||<br />
|-<br />
| krb5_get_validated_creds || || || || ||<br />
|-<br />
| krb5_init_context || || || || ||<br />
|-<br />
| krb5_init_secure_context || || || || ||<br />
|-<br />
| krb5_is_config_principal || || || || ||<br />
|-<br />
| krb5_is_thread_safe || || || || ||<br />
|-<br />
| krb5_kt_close || || || || ||<br />
|-<br />
| krb5_kt_default || || || || ||<br />
|-<br />
| krb5_kt_default_name || || || || ||<br />
|-<br />
| krb5_kt_get_name || || || || ||<br />
|-<br />
| krb5_kt_get_type || || || || ||<br />
|-<br />
| krb5_kt_resolve || || || || ||<br />
|-<br />
| krb5_kuserok || || || || ||<br />
|-<br />
| krb5_parse_name || || || || ||<br />
|-<br />
| krb5_parse_name_flags || || || || ||<br />
|-<br />
| krb5_principal_compare || || || || ||<br />
|-<br />
| krb5_principal_compare_any_realm || || || || ||<br />
|-<br />
| krb5_principal_compare_flags || || || || ||<br />
|-<br />
| krb5_prompter_posix || || || || ||<br />
|-<br />
| krb5_realm_compare || || || || ||<br />
|-<br />
| krb5_recvauth || || || || ||<br />
|-<br />
| krb5_recvauth_version || || || || ||<br />
|-<br />
| krb5_set_default_realm || || || || ||<br />
|-<br />
| krb5_set_password || || || || ||<br />
|-<br />
| krb5_set_password_using_ccache || || || || ||<br />
|-<br />
| krb5_set_principal_realm || || || || ||<br />
|-<br />
| krb5_set_trace_callback || || || || ||<br />
|-<br />
| krb5_set_trace_filename || || || || ||<br />
|-<br />
| krb5_sname_to_principal || || || || ||<br />
|-<br />
| krb5_unparse_name || || || || ||<br />
|-<br />
| krb5_unparse_name_ext || || || || ||<br />
|-<br />
| krb5_unparse_name_flags || || || || ||<br />
|-<br />
| krb5_unparse_name_flags_ext || || || || ||<br />
|-<br />
| krb5_us_timeofday || || || || ||<br />
|-<br />
| krb5_verify_authdata_kdc_issued || || || || ||<br />
|-<br />
|}</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&diff=3771Projects/Documentation Tasks2011-01-13T17:11:59Z<p>Hardjono: /* API documentation */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Purpose ==<br />
<br />
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.<br />
<br />
=== API documentation ===<br />
<br />
{| class="wikitable"<br />
|+ Matrix of Document-Type VS Intended Readership<br />
|-<br />
! Architectural Guide<br />
! Setup and Config of Kerberos<br />
! Admin & Operations of Kerberos<br />
! Custom Build<br />
! API Description<br />
|-<br />
|-<br />
| End-users || || || || ||<br />
|-<br />
| Architects || || || || ||<br />
|-<br />
|Sys Admins || || || || ||<br />
|-<br />
|Application Developers || || || || ||<br />
|-<br />
|GSSAPI Developers || || || || ||<br />
|-<br />
|Kerberos Developers || || || || ||<br />
|}<br />
<br />
<br />
<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - most commonly used API functions (in alphabetical order)<br />
|-<br />
! API<br />
! who writes?<br />
! who reviews?<br />
! reviewed?<br />
! comments<br />
|-<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
|krb5_build_principal_alloc_val || || || || ||<br />
|-<br />
| krb5_build_principal_ext || || || || ||<br />
|-<br />
| krb5_cc_close || || || || ||<br />
|-<br />
| krb5_cc_default || || || || ||<br />
|-<br />
| krb5_cc_default_name || || || || ||<br />
|-<br />
| krb5_cc_destroy || || || || ||<br />
|-<br />
| krb5_cc_dup || || || || ||<br />
|-<br />
| krb5_cc_get_name || || || || ||<br />
|-<br />
| krb5_cc_get_principal || || || || ||<br />
|-<br />
| krb5_cc_get_type || || || || ||<br />
|-<br />
| krb5_cc_initialize || || || || ||<br />
|-<br />
| krb5_cc_new_unique || || || || ||<br />
|-<br />
| krb5_cc_resolve || || || || ||<br />
|-<br />
| krb5_change_password || || || || ||<br />
|-<br />
| krb5_free_context || || || || ||<br />
|-<br />
| krb5_free_error_message || || || || ||<br />
|-<br />
| krb5_free_principal || || || || ||<br />
|-<br />
| krb5_fwd_tgt_cred || || || || ||<br />
|-<br />
| krb5_get_default_realm || || || || ||<br />
|-<br />
| krb5_get_error_message || || || || ||<br />
|-<br />
| krb5_get_host_realm || || || || ||<br />
|-<br />
| krb5_get_credentials || || || || ||<br />
|-<br />
| krb5_get_fallback_host_realm || || || || ||<br />
|-<br />
| krb5_get_init_creds_keytab || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_alloc || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_free || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_get_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_init || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_address_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_anonymous || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_canonicalize || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_change_password_prompt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_etype_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_expire_callback || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache_name || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_forwardable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_out_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_pa || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_preauth_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_proxiable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_renew_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_salt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_tkt_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_password || || || || ||<br />
|-<br />
| krb5_get_profile || || || || ||<br />
|-<br />
| krb5_get_prompt_types || || || || ||<br />
|-<br />
| krb5_get_renewed_creds || || || || ||<br />
|-<br />
| krb5_get_validated_creds || || || || ||<br />
|-<br />
| krb5_init_context || || || || ||<br />
|-<br />
| krb5_init_secure_context || || || || ||<br />
|-<br />
| krb5_is_config_principal || || || || ||<br />
|-<br />
| krb5_is_thread_safe || || || || ||<br />
|-<br />
| krb5_kt_close || || || || ||<br />
|-<br />
| krb5_kt_default || || || || ||<br />
|-<br />
| krb5_kt_default_name || || || || ||<br />
|-<br />
| krb5_kt_get_name || || || || ||<br />
|-<br />
| krb5_kt_get_type || || || || ||<br />
|-<br />
| krb5_kt_resolve || || || || ||<br />
|-<br />
| krb5_kuserok || || || || ||<br />
|-<br />
| krb5_parse_name || || || || ||<br />
|-<br />
| krb5_parse_name_flags || || || || ||<br />
|-<br />
| krb5_principal_compare || || || || ||<br />
|-<br />
| krb5_principal_compare_any_realm || || || || ||<br />
|-<br />
| krb5_principal_compare_flags || || || || ||<br />
|-<br />
| krb5_prompter_posix || || || || ||<br />
|-<br />
| krb5_realm_compare || || || || ||<br />
|-<br />
| krb5_recvauth || || || || ||<br />
|-<br />
| krb5_recvauth_version || || || || ||<br />
|-<br />
| krb5_set_default_realm || || || || ||<br />
|-<br />
| krb5_set_password || || || || ||<br />
|-<br />
| krb5_set_password_using_ccache || || || || ||<br />
|-<br />
| krb5_set_principal_realm || || || || ||<br />
|-<br />
| krb5_set_trace_callback || || || || ||<br />
|-<br />
| krb5_set_trace_filename || || || || ||<br />
|-<br />
| krb5_sname_to_principal || || || || ||<br />
|-<br />
| krb5_unparse_name || || || || ||<br />
|-<br />
| krb5_unparse_name_ext || || || || ||<br />
|-<br />
| krb5_unparse_name_flags || || || || ||<br />
|-<br />
| krb5_unparse_name_flags_ext || || || || ||<br />
|-<br />
| krb5_us_timeofday || || || || ||<br />
|-<br />
| krb5_verify_authdata_kdc_issued || || || || ||<br />
|-<br />
|}</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Documentation_Tasks&diff=3770Projects/Documentation Tasks2011-01-13T17:10:14Z<p>Hardjono: /* Purpose */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Purpose ==<br />
<br />
To keep track of the various tasks that need to be documented such as function documentation, administration, troubleshooting etc.<br />
<br />
=== API documentation ===<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - most commonly used API functions (in alphabetical order)<br />
|-<br />
! Architectural Guide<br />
! Setup and Config of Kerberos<br />
! Admin & Operations of Kerberos<br />
! Custom Build<br />
! API Description<br />
|-<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
|krb5_build_principal_alloc_val || || || || ||<br />
|}<br />
<br />
<br />
<br />
<br />
{| class="wikitable"<br />
|+ Tier 1 - most commonly used API functions (in alphabetical order)<br />
|-<br />
! API<br />
! who writes?<br />
! who reviews?<br />
! reviewed?<br />
! comments<br />
|-<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
| krb5_build_principal || || || || ||<br />
|-<br />
|krb5_build_principal_alloc_val || || || || ||<br />
|-<br />
| krb5_build_principal_ext || || || || ||<br />
|-<br />
| krb5_cc_close || || || || ||<br />
|-<br />
| krb5_cc_default || || || || ||<br />
|-<br />
| krb5_cc_default_name || || || || ||<br />
|-<br />
| krb5_cc_destroy || || || || ||<br />
|-<br />
| krb5_cc_dup || || || || ||<br />
|-<br />
| krb5_cc_get_name || || || || ||<br />
|-<br />
| krb5_cc_get_principal || || || || ||<br />
|-<br />
| krb5_cc_get_type || || || || ||<br />
|-<br />
| krb5_cc_initialize || || || || ||<br />
|-<br />
| krb5_cc_new_unique || || || || ||<br />
|-<br />
| krb5_cc_resolve || || || || ||<br />
|-<br />
| krb5_change_password || || || || ||<br />
|-<br />
| krb5_free_context || || || || ||<br />
|-<br />
| krb5_free_error_message || || || || ||<br />
|-<br />
| krb5_free_principal || || || || ||<br />
|-<br />
| krb5_fwd_tgt_cred || || || || ||<br />
|-<br />
| krb5_get_default_realm || || || || ||<br />
|-<br />
| krb5_get_error_message || || || || ||<br />
|-<br />
| krb5_get_host_realm || || || || ||<br />
|-<br />
| krb5_get_credentials || || || || ||<br />
|-<br />
| krb5_get_fallback_host_realm || || || || ||<br />
|-<br />
| krb5_get_init_creds_keytab || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_alloc || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_free || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_get_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_init || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_address_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_anonymous || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_canonicalize || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_change_password_prompt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_etype_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_expire_callback || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_ccache_name || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_fast_flags || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_forwardable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_out_ccache || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_pa || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_preauth_list || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_proxiable || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_renew_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_salt || || || || ||<br />
|-<br />
| krb5_get_init_creds_opt_set_tkt_life || || || || ||<br />
|-<br />
| krb5_get_init_creds_password || || || || ||<br />
|-<br />
| krb5_get_profile || || || || ||<br />
|-<br />
| krb5_get_prompt_types || || || || ||<br />
|-<br />
| krb5_get_renewed_creds || || || || ||<br />
|-<br />
| krb5_get_validated_creds || || || || ||<br />
|-<br />
| krb5_init_context || || || || ||<br />
|-<br />
| krb5_init_secure_context || || || || ||<br />
|-<br />
| krb5_is_config_principal || || || || ||<br />
|-<br />
| krb5_is_thread_safe || || || || ||<br />
|-<br />
| krb5_kt_close || || || || ||<br />
|-<br />
| krb5_kt_default || || || || ||<br />
|-<br />
| krb5_kt_default_name || || || || ||<br />
|-<br />
| krb5_kt_get_name || || || || ||<br />
|-<br />
| krb5_kt_get_type || || || || ||<br />
|-<br />
| krb5_kt_resolve || || || || ||<br />
|-<br />
| krb5_kuserok || || || || ||<br />
|-<br />
| krb5_parse_name || || || || ||<br />
|-<br />
| krb5_parse_name_flags || || || || ||<br />
|-<br />
| krb5_principal_compare || || || || ||<br />
|-<br />
| krb5_principal_compare_any_realm || || || || ||<br />
|-<br />
| krb5_principal_compare_flags || || || || ||<br />
|-<br />
| krb5_prompter_posix || || || || ||<br />
|-<br />
| krb5_realm_compare || || || || ||<br />
|-<br />
| krb5_recvauth || || || || ||<br />
|-<br />
| krb5_recvauth_version || || || || ||<br />
|-<br />
| krb5_set_default_realm || || || || ||<br />
|-<br />
| krb5_set_password || || || || ||<br />
|-<br />
| krb5_set_password_using_ccache || || || || ||<br />
|-<br />
| krb5_set_principal_realm || || || || ||<br />
|-<br />
| krb5_set_trace_callback || || || || ||<br />
|-<br />
| krb5_set_trace_filename || || || || ||<br />
|-<br />
| krb5_sname_to_principal || || || || ||<br />
|-<br />
| krb5_unparse_name || || || || ||<br />
|-<br />
| krb5_unparse_name_ext || || || || ||<br />
|-<br />
| krb5_unparse_name_flags || || || || ||<br />
|-<br />
| krb5_unparse_name_flags_ext || || || || ||<br />
|-<br />
| krb5_us_timeofday || || || || ||<br />
|-<br />
| krb5_verify_authdata_kdc_issued || || || || ||<br />
|-<br />
|}</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3574Projects/Plugin support improvements2010-08-03T19:13:20Z<p>Hardjono: /* Background */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Background ==<br />
<br />
* Project inception and first proposal: Zhanna Tsitkova (see [[Projects/Plugin_support_improvements_%28first_version%29]]).<br />
* Further revisions (this page): Greg Hudson, Tom Yu and Thomas Hardjono.<br />
<br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin support:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin support:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin support which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support architecture uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3573Projects/Plugin support improvements2010-08-03T19:12:47Z<p>Hardjono: /* Background */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Background ==<br />
<br />
* Project inception and first proposal: Zhanna Tsitkova (see [[Projects/Plugin_support_improvements_%28first_version%29]]).<br />
* Further revisions: Greg Hudson, Tom Yu and Thomas Hardjono.<br />
<br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin support:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin support:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin support which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support architecture uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3572Projects/Plugin support improvements2010-08-03T19:12:39Z<p>Hardjono: /* Background */</p>
<hr />
<div>{{project-early}}<br />
<br />
== Background ==<br />
<br />
* Project inception and first proposal: Zhanna Tsitkova (see [[Projects/Plugin_support_improvements_%28first_version%29]]).<br />
* Further revision: Greg Hudson, Tom Yu and Thomas Hardjono.<br />
<br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin support:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin support:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin support which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support architecture uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3571Projects/Plugin support improvements2010-08-03T19:12:12Z<p>Hardjono: </p>
<hr />
<div>{{project-early}}<br />
<br />
== Background ==<br />
<br />
* Project inception: Zhanna Tsitkova (see [[Projects/Plugin_support_improvements_%28first_version%29]]).<br />
* Further revision: Greg Hudson, Tom Yu and Thomas Hardjono.<br />
<br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin support:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin support:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin support which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support architecture uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3570Projects/Plugin support improvements2010-08-03T19:05:45Z<p>Hardjono: </p>
<hr />
<div>{{project-early}}<br />
<br />
== Background ==<br />
<br />
* Project inception: Zhanna Tsitkova [[Projects/Plugin_support_improvements_%28first_version%29]]<br />
* Further revision: Greg Hudson and Tom Yu.<br />
<br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin support:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin support:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin support which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support architecture uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements_(first_version)&diff=3563Projects/Plugin support improvements (first version)2010-08-03T18:54:45Z<p>Hardjono: Projects/Plugin support improvements moved to Projects/Plugin support improvements (first version)</p>
<hr />
<div>{{project-early}}<br />
<br />
==Motivation ==<br />
<br />
We set up our goal on creating a framework that <br />
<br />
* Separates plugin interface from its implementation;<br />
* Provides simple and clear mechanism that facilitates additions of new plugin interfaces and their implementations(modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same plugin interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation to use services provided by the other plugin implementations.<br />
<br />
<br />
==Structure==<br />
[[Image:Slide1.jpg]]<br />
<br />
==Participants==<br />
<br />
* Plugin Manager ('''PM''') - Module that implements operations that manage plugin configuration and registry services. PM is responsible to maintain a container populated with plugin handles (references to plugin objects) and provide the search capabilities for callers requesting the plugin services. <br />
* Plugin Loader ('''PL''') - Abstract module that declares an interface for operations that facilitate manipulation with the set of plugin implementations;<br />
* Plugin Loader Implementation ('''PLI''') - Concrete implementation of PL. It knows about the set of the available implementations and how to create them;<br />
* Plugin Interface ('''PI''') - Abstract module that declares plugin interface. <br />
* Plugin Interface Implementation ('''PII''') - Concrete implementation of the plugin interface;<br />
* Caller - Plugin caller.<br />
<br />
<br />
==Collaboration==<br />
<br />
* An instance ''pl_manager'' of PM is created as part of ''krb5_init_context'' operation at run-time (1). This instance will use PM methods to configure and register the desired plugin implementations;<br />
* The list of the desired plugin implementations is known to the specific PLI which is aggregated within PM (2);<br />
* PM delegates acquiring of plugin interfaces to PLI (3);<br />
* The caller uses ''pl_manager'' to invoke the desired plugin interface (4).<br />
<br />
<br />
==User Interface==<br />
<br />
; plugin_manager_get_service: - perform a search in the plugin manager registry to locate the particular interface based on plugin interface name and plugin id. If the search is successful, the plhandle structure gets populated with reference to the plugin interface and the function return code is set to success. Otherwise, this function returns an error;<br />
; plugin_manager_configure: - parse a configuration file. Based on the obtained information construct plugin objects and load them into the plugin registry;<br />
; plugin_manager_start: - complete necessary initializations of plugin objects and make them available for use;<br />
; plugin_manager_stop: - free resources;<br />
; plugin_manager_get_instance: - instantiate an instance of plugin manager if it does not exist.<br />
; plugin_loader_create_api: - return the vtable with the implementation pertained to the specific interface;<br />
<br />
<br />
==Implementation==<br />
<br />
; MT safety : Implementation must be MT safe.<br />
<br />
; Proof of concept code is available from ''plugins'' branch: ''svn+ssh://svn.mit.edu/krb5/branches/plugins''<br />
<br />
; k5-int.h: ''plugin_manager *pl_manager'' is added to _krb5_context;<br />
<br />
; PM: The purpose of PM is to provide the configuration and registry services. In future the ability to have multiple implementations of the PM may be desired to allow one to have flexible configuration environment (For example, the configuration service can be implemented using various file formats or be completely hardcoded.) <br />
; PM vs PLI: In general PM is tied to one or more PLIs. In its turn, each PLI is responsible for loading one or more plugins. The notion of the multiple plugins per PLI is justified by the convenience of the grouping based on the plugin functionality, level of optimization or other features;<br />
<br />
<br />
<br />
<br />
==Consequences==<br />
<br />
The framework is designed to hide the management details, such as configuration and loading, from the plugin writers and callers.<br />
<br />
* The responsibility of the writer of the '''new plugin interface (PI)''' is limited to the writing source and header as described at Template_1:<br />
<br />
''Template 1''<br />
<br />
''HEADER''<br />
#include <plugin_manager.h><br />
#include <k5-int.h><br />
typedef struct {<br />
int version;<br />
char plugin_name[MAX_PL_NAME_LEN];<br />
krb5_error_code (*fn1)(...);<br />
} plugin_PLName;<br />
krb5_error_code plugin_PLName_fn1(plhandle handle, ...); <br />
<br />
''SOURCE''<br />
krb5_error_code plugin_PLName_fn1(plhandle handle, ...)<br />
{<br />
plugin_PLName* api = (plugin_PLName*) handle.api;<br />
api->plugin_PLName_fn1(...);<br />
return 0;<br />
}<br />
<br />
<br />
* The responsibility of the writer of the '''new plugin interface implementation (PII)''' is limited to the writing source and header as described at Template_2 and the notifying the plugin loader about its availability Template_3:<br />
<br />
''Template 2''<br />
<br />
''HEADER''<br />
plhandle plugin_pwd_qlty_krb_create(void);<br />
<br />
''SOURCE''<br />
static krb5_error_code<br />
plugin_PLName_fn1(...)<br />
{ /*intended functionality */}<br />
<br />
static void<br />
plugin_PLName_cleanup(...) <br />
{ /* cleanup */ }<br />
<br />
static krb5_error_code<br />
plugin_PLName_init(...)<br />
{ /* init */ } <br />
<br />
plhandle plugin_PLName_PLImpl_create()<br />
{<br />
plhandle handle;;<br />
plugin_PLName* api = malloc(sizeof(plugin_PLName));<br />
api->fn1 = plugin_PLName_fn1;<br />
api->PLName_init = plugin_PLName_init;<br />
api->PLName_cleanup = plugin_PLName_cleanup;<br />
handle.api = api;<br />
return handle;<br />
}<br />
<br />
''Template 3''<br />
<br />
static plugin_descr _table[] = {<br />
{"plugin_PLImpl_PLName", plugin_PLName_PLImpl_create},<br />
};<br />
<br />
''For better readability some of the verification, clean-up, error handling code is omitted from the templates''<br />
<br />
<br />
<br />
==Built-in Plugins==<br />
<br />
*; Examples: PreAuth, AuthData, Password Quality (see ''Current plugins'' section for details)<br />
<br />
*; Invoking multiple implementations of the same plugin: This is achieved by using the aimed ''plugin_id'''s in ''plugin_manager_get_service'' calls. For example, two specific implementations of the password quality plugins may be invoked in password check. <br />
<br />
*; Invoking ''all available'' plugin implementations: See also "Defaults" section<br />
<br />
<br />
==Dynamic Plugins==<br />
<br />
*; Examples: Audit, Password sync<br />
<br />
*; Requirements: <br />
<br />
# The difference between dynamic and built-in plugins (both interface and implementation) should be on the level of linkage. <br />
# Plugin consumer should not have the knowledge about the type of plugins it is using (in terms of dynamic/built-in). On the caller side the code invoking plugin should stay the same for both dynamic and built-in plugins.<br />
# Similar to built-in plugins, the plugin consumer may call the multiple implementations of the same plugin interface. For example, two implementations of the audit plugin interface may be used to handle password change and intruder lockout events.<br />
# Similar to built-in plugins, one can choose to use ''all available'' plugin implementations. Their location may be some default one, or passed via env variable, or defined in the configuration.<br />
# In the case one wants to have better control over the configuration and management of the plugins selection, it responsibility of the administrator to point to the location of the dynamic plugin as part of the configuration.<br />
<br />
*; Creating dynamic plugin: The appropriate loader is linked with the set of the desired plugins resulting into the shared library. Details:<br />
# One of the deliverables of the plugin framework is the loader file. Its responsibility is to load modules that are listed in its local table (see below). ;<br />
# The dynamic plugin creator must fill this table with the list of the desired pluginmodules. <br />
# The dynamic plugin creator then links the loader with the set of the desired plugin modules resulting into the shared library;<br />
# Administrator points to the location of the dynamic plugin by setting ''plugin_loader_path'' configuration attribute to this library.<br />
<br />
<br />
NOTE: This approach allows to bundle dynamic plugins. <br />
It also hides loading details from the plugin writer making code for dynamic and built-in plugin indistinguishable. <br />
<br />
<br />
''The following is the example of how the table in the loader may look:''<br />
static plugin_descr plugin_dyn_factory_table[] = {<br />
{"plugin_pwd_qlty_DYN", plugin_pwd_qlty_DYN_create},<br />
{"plugin_pwd_qlty_XYZ", plugin_pwd_qlty_XYZ_create},<br />
{NULL,NULL}<br />
};<br />
<br />
<br />
*; Invoking dynamic plugin: Similar to builtin plugins with the following additions. The option ''plugin_loader_path'' in the configuration file refers to the location of the dynamic plugin shared library and the option ''plugin_loader_type'' must be set to ''dynamic''. <br />
<br />
<br />
==Configuration==<br />
If no plugin configuration is provided the new plugin framework should act upon some default behavior. <br />
<br />
<br />
*; '''Configuration file attributes'''<br />
:: ''plugin list'' - list of the desired plugins;<br />
:: ''plugin_api'' - name of the plugin interface;<br />
:: ''plugin_name'' - concrete plugin implementation;<br />
:: ''plugin_version'' - desired version of plugin implementation; This may be used by the administrator to point to the most recent plugin implementation (perhaps, bug fix). <br />
:: ''plugin_loader_name'' - name of the loader the particular implementation is associated with;<br />
:: ''plugin_loader_type'' - defines the plugin type: built-in or dynamic; <br />
:: ''plugin_loader_path'' - path to the plugin dynamic library<br />
:: ''plugin_disable'' - don't use this plugin implementation <br />
:: ''plugin_properties'' - plugin implementation initialization parameters (when needed) <br />
<br />
<br />
*; '''Example of the plugin section in krb5.conf'''<br />
[plugins]<br />
/* By default, all built-in plugin impls are enabled. To disable a particular built-in plugin one need to specify it */<br />
plugin_list = PQ1<br />
PQ1 = {<br />
plugin_api = plugin_pwd_qlty <br />
plugin_name = plugin_pwd_qlty_krb <br />
plugin_disable = yes<br />
}<br />
<br />
/* dynamic plugin */<br />
plugin_list = PQ_DYN<br />
PQ_DYN = {<br />
plugin_api = plugin_pwd_qlty<br />
plugin_name = plugin_pwd_qlty_DYN<br />
plugin_loader_type = dynamic<br />
plugin_loader_path = /path-to-the-lib/libplugin_dynamic.so # if default, may be omitted<br />
}<br />
<br />
<br />
*; '''Alternatives'''<br />
The choice of plugin configuration format is a matter of preference. It may be presented in XML, YAML, JSON etc. One needs only an appropriate parser. <br />
<br />
<br />
*; '''Configuration change at run-time'''<br />
TBD<br />
<br />
<br />
==Directory Structure==<br />
<br />
*; src/plugin_core: plugin_manager.[ch], plugin_loader.[ch], impl/plugin_XXX_manager.[ch], impl/plugin_XXX_loader.[ch]<br />
<br />
*; src/plugins: pluginA/plugin_A.[ch], pluginA/plugin_A_implN/plugin_A_implN.[ch]<br />
<br />
*; src/plugin_dynamic: plugin_dyn_factory.[ch]<br />
<br />
<br />
==Defaults==<br />
If no plugin configuration is provided new plugin framework should act upon some default behavior. <br />
<br />
There are two default loaders. <br />
The first loader aggregates built-in plugin implementations, while the second one - dynamically loadable ones located in some default directory. If the administrator wishes to have all of these plugin implementations available and they need no additional configuration (for example, for their initialization), the configuration file may not have any plugin related information. <br />
<br />
<br />
==Build process==<br />
<br />
*; Options: DEBUG_PLUGINS - output more info for debugging<br />
<br />
<br />
==Sample Code==<br />
<br />
*; Plugin initialization<br />
The following is an example of the plugin manager initialization:<br />
<br />
plugin_manager_get_instance(&ctx->pl_manager);<br />
plugin_manager_configure(ctx->pl_manager, conf_path);<br />
plugin_manager_start(ctx->pl_manager);<br />
<br />
<br />
*; How to call plugins<br />
The following is an example of invoking Password Quality plugin: <br />
<br />
plugin_manager_get_service(ctx->pl_manager, PWD_QLTY, PWD_QLTY_KRB, &plugin_handle);<br />
plugin_pwd_qlty_check(plugin_handle, srv_handle, password, use_policy, pol, principal);<br />
<br />
<br />
*;How to construct plugin interface (PI)<br />
The following is an example of how plugin interface called "password quality" may look:<br />
<br />
#ifndef PLUGIN_PWD_QLTY_H_<br />
#define PLUGIN_PWD_QLTY_H_<br />
<br />
typedef struct {<br />
int version;<br />
char plugin_id[MAX_PL_NAME_LEN];<br />
kadm5_ret_t (*pwd_qlty_init)(kadm5_server_handle_t);<br />
void (*pwd_qlty_cleanup)();<br />
kadm5_ret_t (*pwd_qlty_check)(kadm5_server_handle_t, char*, int, kadm5_policy_ent_t, krb5_principal);<br />
} plugin_pwd_qlty;<br />
<br />
kadm5_ret_t plugin_pwd_qlty_init(plhandle, kadm5_server_handle_t);<br />
kadm5_ret_t plugin_pwd_qlty_cleanup(plhandle);<br />
kadm5_ret_t plugin_pwd_qlty_check(plhandle, kadm5_server_handle_t, char*, int, kadm5_policy_ent_t, krb5_principal);<br />
<br />
#endif /* PLUGIN_PWD_QLTY_H_ */<br />
<br />
<br />
''SOURCE'' <br />
kadm5_ret_t <br />
plugin_pwd_qlty_check( plhandle handle, kadm5_server_handle_t srv_handle, char *password, int use_policy, kadm5_policy_ent_t pol, krb5_principal principal) <br />
{<br />
plugin_pwd_qlty* api = (plugin_pwd_qlty*) handle.api;<br />
api->pwd_qlty_check(srv_handle, password, use_policy, pol, principal);<br />
}<br />
<br />
kadm5_ret_t<br />
plugin_pwd_qlty_init(plhandle, kadm5_server_handle_t)<br />
{ /* init */ } <br />
<br />
void<br />
plugin_pwd_qlty_cleanup(plhandle) <br />
{ /* clean-up */ } <br />
<br />
<br />
*; How to construct plugin interface implementation (PII)<br />
Every PII should have only one public ''create'' function. For PII called "password quality krb" it would be ''plhandle plugin_pwd_qlty_krb_create()''.The following is an example of the this PII:<br />
<br />
#ifndef PLUGIN_PWD_QLTY_KRB_IMPL_H_<br />
#define PLUGIN_PWD_QLTY_KRB_IMPL_H_<br />
<br />
plhandle plugin_pwd_qlty_krb_create(void);<br />
<br />
#endif /* PLUGIN_PWD_QLTY_KRB_IMPL_H_ */<br />
<br />
<br />
''SOURCE''<br />
plhandle plugin_pwd_qlty_krb_create()<br />
{<br />
plhandle handle;<br />
...<br />
api->pwd_qlty_init = plugin_pwd_qlty_init;<br />
api->pwd_qlty_check = plugin_pwd_qlty_check;<br />
api->pwd_qlty_cleanup = plugin_pwd_qlty_clean;<br />
handle.api = api;<br />
return handle;<br />
}<br />
<br />
static kadm5_ret_t <br />
plugin_pwd_qlty_check(kadm5_server_handle_t srv_handle, char *password, int use_policy, kadm5_policy_ent_t pol, krb5_principal principal)<br />
{ /* do some quality verification */ }<br />
<br />
static kadm5_ret_t <br />
plugin_pwd_qlty_init(kadm5_server_handle_t handle)<br />
{ /* initialization */ } <br />
<br />
static kadm5_ret_t <br />
plugin_pwd_qlty_cleanup()<br />
{ /* cleanup */ } <br />
<br />
''For better readability some of the verification, clean-up, error handling code is omitted from the samples''<br />
<br />
<br />
<br />
<br />
==Current plugins==<br />
<br />
We currently have the following plugin:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
<br />
==Future plugins==<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
==Current support infrastructure==<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
==Problem areas==<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (Dependent library shared objects of the calling library can contain "built-in" modules for the calling library.) The distinguishing feature of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_Support&diff=3562Projects/Plugin Support2010-08-03T18:49:39Z<p>Hardjono: </p>
<hr />
<div>* Original Proposal: [[projects/Plugin_support_improvements]].<br />
* Revised Proposal [[http://k5wiki.kerberos.org/wiki/User:Hardjono/Plugin_Support]]</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_Support&diff=3561Projects/Plugin Support2010-08-03T18:49:12Z<p>Hardjono: </p>
<hr />
<div>* Original Proposal: [[Plugin_support_improvements]].<br />
* Revised Proposal [[http://k5wiki.kerberos.org/wiki/User:Hardjono/Plugin_Support]]</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_Support&diff=3560Projects/Plugin Support2010-08-03T18:40:13Z<p>Hardjono: </p>
<hr />
<div>* Original Proposal: [[http://k5wiki.kerberos.org/wiki/Projects/Plugin_support_improvements]].<br />
* Revised Proposal [[http://k5wiki.kerberos.org/wiki/User:Hardjono/Plugin_Support]]</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_Support&diff=3559Projects/Plugin Support2010-08-03T18:38:13Z<p>Hardjono: </p>
<hr />
<div>* Original Proposal: [[http://k5wiki.kerberos.org/wiki/Projects/Plugin_support_improvements]].<br />
* Revised Proposal.</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_Support&diff=3558Projects/Plugin Support2010-08-03T18:35:48Z<p>Hardjono: </p>
<hr />
<div>* [[Original Proposal]].<br />
* Revised Proposal.</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_Support&diff=3557Projects/Plugin Support2010-08-03T18:34:28Z<p>Hardjono: </p>
<hr />
<div>* Original Proposal<br />
* Revised Proposal.</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_Support&diff=3556Projects/Plugin Support2010-08-03T18:34:05Z<p>Hardjono: </p>
<hr />
<div>* [Original Proposal] http://k5wiki.kerberos.org/wiki/Projects/Plugin_support_improvements.<br />
* Revised Proposal.</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_Support&diff=3555Projects/Plugin Support2010-08-03T18:33:53Z<p>Hardjono: </p>
<hr />
<div>* [Original Proposal]http://k5wiki.kerberos.org/wiki/Projects/Plugin_support_improvements.<br />
* Revised Proposal.</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_Support&diff=3554Projects/Plugin Support2010-08-03T18:32:23Z<p>Hardjono: New page: * Original Proposal. * Revised Proposal.</p>
<hr />
<div><br />
* Original Proposal.<br />
* Revised Proposal.</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3553Projects/Plugin support improvements2010-08-03T18:28:00Z<p>Hardjono: /* Background */</p>
<hr />
<div><br />
== Background ==<br />
<br />
* Project inception: Zhanna Tsitkova.<br />
* Further revision: Greg Hudson and Tom Yu.<br />
<br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin support:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin support:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin support which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support architecture uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3552Projects/Plugin support improvements2010-08-03T18:26:50Z<p>Hardjono: /* Motivations, Priorities & Requirements */</p>
<hr />
<div><br />
== Background ==<br />
<br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin support:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin support:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin support which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support architecture uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3550Projects/Plugin support improvements2010-07-28T18:55:04Z<p>Hardjono: /* Definitions */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin support:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin support:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin support which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support architecture uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3549Projects/Plugin support improvements2010-07-28T18:54:38Z<p>Hardjono: /* Current plugins */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin support:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin support:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin support which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3548Projects/Plugin support improvements2010-07-28T18:53:28Z<p>Hardjono: /* Deliverables */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The architecture is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3547Projects/Plugin support improvements2010-07-28T18:52:55Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin manager to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3546Projects/Plugin support improvements2010-07-28T18:52:19Z<p>Hardjono: /* Provider interface */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin manager uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3545Projects/Plugin support improvements2010-07-28T18:51:57Z<p>Hardjono: /* Consumer interface */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin manager. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3544Projects/Plugin support improvements2010-07-28T18:51:01Z<p>Hardjono: /* Motivations, Priorities & Requirements */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture:<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the architecture to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new architecture.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3543Projects/Plugin support improvements2010-07-28T18:49:58Z<p>Hardjono: /* Function signatures */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
:k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
: k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
: k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3542Projects/Plugin support improvements2010-07-28T18:49:23Z<p>Hardjono: /* Configuration */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
<tt><br />
: [plugins]<br />
: interfacename = {<br />
:: # May take multiple values; only named plugins will be enabled.<br />
:: enable_only = name<br />
: <br />
:: # May take multiple values; named plugins will be disabled.<br />
:: disable = name<br />
: <br />
:: # Establishes a mapping from a module name to a dynamic object.<br />
:: module = modname:pathname<br />
: }<br />
</tt><br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3541Projects/Plugin support improvements2010-07-28T18:48:19Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3540Projects/Plugin support improvements2010-07-28T18:47:13Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
:: goto cleanup;<br />
<br />
: /* Allocate a large enough list of handles. */<br />
: for (count = 0; modules[count] != NULL; count++);<br />
: list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
: if (list == NULL)<br />
:: goto cleanup;<br />
<br />
: /* For each module, allocate a handle and initialize its vtable. Skip <br />
: * modules which don't successfully initialize. */<br />
: count = 0;<br />
: for (mod = modules; *mod != NULL; mod++) {<br />
:: handle = k5alloc(sizeof(*handle), &ret);<br />
:: if (handle == NULL)<br />
::: goto cleanup;<br />
:: ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
:: if (ret == 0)<br />
::: list[count++] = handle;<br />
:: else<br />
::: free(handle);<br />
: }<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3539Projects/Plugin support improvements2010-07-28T18:45:07Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<tt><br />
: ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
: if (ret != 0)<br />
goto cleanup;<br />
<br />
/* Allocate a large enough list of handles. */<br />
for (count = 0; modules[count] != NULL; count++);<br />
list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
if (list == NULL)<br />
goto cleanup;<br />
<br />
/* For each module, allocate a handle and initialize its vtable. Skip <br />
* modules which don't successfully initialize. */<br />
count = 0;<br />
for (mod = modules; *mod != NULL; mod++) {<br />
handle = k5alloc(sizeof(*handle), &ret);<br />
if (handle == NULL)<br />
goto cleanup;<br />
ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
if (ret == 0)<br />
list[count++] = handle;<br />
else<br />
free(handle);<br />
}<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3538Projects/Plugin support improvements2010-07-28T18:44:25Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
:: }<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<br />
ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
if (ret != 0)<br />
goto cleanup;<br />
<br />
/* Allocate a large enough list of handles. */<br />
for (count = 0; modules[count] != NULL; count++);<br />
list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
if (list == NULL)<br />
goto cleanup;<br />
<br />
/* For each module, allocate a handle and initialize its vtable. Skip <br />
* modules which don't successfully initialize. */<br />
count = 0;<br />
for (mod = modules; *mod != NULL; mod++) {<br />
handle = k5alloc(sizeof(*handle), &ret);<br />
if (handle == NULL)<br />
goto cleanup;<br />
ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
if (ret == 0)<br />
list[count++] = handle;<br />
else<br />
free(handle);<br />
}<br />
<br />
<br />
<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3537Projects/Plugin support improvements2010-07-28T18:44:07Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
: for (h = handle->qual_handles; *h != NULL; h++) {<br />
:: ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
:: if (ret != 0)<br />
::: return ret;<br />
}<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<br />
ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
if (ret != 0)<br />
goto cleanup;<br />
<br />
/* Allocate a large enough list of handles. */<br />
for (count = 0; modules[count] != NULL; count++);<br />
list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
if (list == NULL)<br />
goto cleanup;<br />
<br />
/* For each module, allocate a handle and initialize its vtable. Skip <br />
* modules which don't successfully initialize. */<br />
count = 0;<br />
for (mod = modules; *mod != NULL; mod++) {<br />
handle = k5alloc(sizeof(*handle), &ret);<br />
if (handle == NULL)<br />
goto cleanup;<br />
ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
if (ret == 0)<br />
list[count++] = handle;<br />
else<br />
free(handle);<br />
}<br />
<br />
<br />
<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3536Projects/Plugin support improvements2010-07-28T18:43:20Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
<tt><br />
: ret = k5_pwqual_load(handle->context, &list);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<tt><br />
for (h = handle->qual_handles; *h != NULL; h++) {<br />
ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
if (ret != 0)<br />
return ret;<br />
}<br />
</tt><br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<br />
ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
if (ret != 0)<br />
goto cleanup;<br />
<br />
/* Allocate a large enough list of handles. */<br />
for (count = 0; modules[count] != NULL; count++);<br />
list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
if (list == NULL)<br />
goto cleanup;<br />
<br />
/* For each module, allocate a handle and initialize its vtable. Skip <br />
* modules which don't successfully initialize. */<br />
count = 0;<br />
for (mod = modules; *mod != NULL; mod++) {<br />
handle = k5alloc(sizeof(*handle), &ret);<br />
if (handle == NULL)<br />
goto cleanup;<br />
ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
if (ret == 0)<br />
list[count++] = handle;<br />
else<br />
free(handle);<br />
}<br />
<br />
<br />
<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3535Projects/Plugin support improvements2010-07-28T18:42:10Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
<tt><br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "dict", pwqual_dict_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
<br />
: ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL, "policy", pwqual_policy_init);<br />
:: if (ret != 0)<br />
::: return ret;<br />
</tt><br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
ret = k5_pwqual_load(handle->context, &list);<br />
if (ret != 0)<br />
return ret;<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<br />
for (h = handle->qual_handles; *h != NULL; h++) {<br />
ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
if (ret != 0)<br />
return ret;<br />
}<br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<br />
ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
if (ret != 0)<br />
goto cleanup;<br />
<br />
/* Allocate a large enough list of handles. */<br />
for (count = 0; modules[count] != NULL; count++);<br />
list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
if (list == NULL)<br />
goto cleanup;<br />
<br />
/* For each module, allocate a handle and initialize its vtable. Skip <br />
* modules which don't successfully initialize. */<br />
count = 0;<br />
for (mod = modules; *mod != NULL; mod++) {<br />
handle = k5alloc(sizeof(*handle), &ret);<br />
if (handle == NULL)<br />
goto cleanup;<br />
ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
if (ret == 0)<br />
list[count++] = handle;<br />
else<br />
free(handle);<br />
}<br />
<br />
<br />
<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3534Projects/Plugin support improvements2010-07-28T18:39:59Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
The Subversion URL for the proof of concept is:<br />
<br />
<tt>svn://anonsvn.mit.edu/krb5/branches/plugins2</tt><br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL,<br />
"dict", pwqual_dict_init);<br />
if (ret != 0)<br />
return ret;<br />
<br />
ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL,<br />
"policy", pwqual_policy_init);<br />
if (ret != 0)<br />
return ret;<br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
ret = k5_pwqual_load(handle->context, &list);<br />
if (ret != 0)<br />
return ret;<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<br />
for (h = handle->qual_handles; *h != NULL; h++) {<br />
ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
if (ret != 0)<br />
return ret;<br />
}<br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<br />
ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
if (ret != 0)<br />
goto cleanup;<br />
<br />
/* Allocate a large enough list of handles. */<br />
for (count = 0; modules[count] != NULL; count++);<br />
list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
if (list == NULL)<br />
goto cleanup;<br />
<br />
/* For each module, allocate a handle and initialize its vtable. Skip <br />
* modules which don't successfully initialize. */<br />
count = 0;<br />
for (mod = modules; *mod != NULL; mod++) {<br />
handle = k5alloc(sizeof(*handle), &ret);<br />
if (handle == NULL)<br />
goto cleanup;<br />
ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
if (ret == 0)<br />
list[count++] = handle;<br />
else<br />
free(handle);<br />
}<br />
<br />
<br />
<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3533Projects/Plugin support improvements2010-07-28T18:39:05Z<p>Hardjono: /* Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
<br />
<tt><br />
The Subversion URL for the proof of concept is:<br />
<br />
svn://anonsvn.mit.edu/krb5/branches/plugins2<br />
<br />
There is a README.BRANCH file as the top level containing a walkthrough of the changes on the branch.<br />
<br />
This is a consumer registering built-in plugin modules for the password quality interface:<br />
<br />
ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL,<br />
"dict", pwqual_dict_init);<br />
if (ret != 0)<br />
return ret;<br />
<br />
ret = k5_plugin_register(context, PLUGIN_INTERFACE_PWQUAL,<br />
"policy", pwqual_policy_init);<br />
if (ret != 0)<br />
return ret;<br />
<br />
This is a consumer using the pwqual consumer API to create a list of handles for all available password quality modules:<br />
<br />
ret = k5_pwqual_load(handle->context, &list);<br />
if (ret != 0)<br />
return ret;<br />
<br />
This is a consumer using the pwqual consumer API to check a password against all available password quality modules:<br />
<br />
for (h = handle->qual_handles; *h != NULL; h++) {<br />
ret = k5_pwqual_check(handle->context, *h, password, policy, princ);<br />
if (ret != 0)<br />
return ret;<br />
}<br />
<br />
This is the password quality loader function invoking the plugin framework to get a list of all available password quality vtable constructors, and then invoking the vtable constructors to create plugin<br />
handles:<br />
<br />
ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_PWQUAL, &modules);<br />
if (ret != 0)<br />
goto cleanup;<br />
<br />
/* Allocate a large enough list of handles. */<br />
for (count = 0; modules[count] != NULL; count++);<br />
list = k5alloc((count + 1) * sizeof(*list), &ret);<br />
if (list == NULL)<br />
goto cleanup;<br />
<br />
/* For each module, allocate a handle and initialize its vtable. Skip <br />
* modules which don't successfully initialize. */<br />
count = 0;<br />
for (mod = modules; *mod != NULL; mod++) {<br />
handle = k5alloc(sizeof(*handle), &ret);<br />
if (handle == NULL)<br />
goto cleanup;<br />
ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&handle->vt);<br />
if (ret == 0)<br />
list[count++] = handle;<br />
else<br />
free(handle);<br />
}<br />
<br />
<br />
<br />
<br />
</tt><br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3532Projects/Plugin support improvements2010-07-28T18:37:28Z<p>Hardjono: /* Configuration */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
Here is a description of the configuration used by the proof of concept:<br />
<br />
[plugins]<br />
interfacename = {<br />
# May take multiple values; only named plugins will be enabled.<br />
enable_only = name<br />
<br />
# May take multiple values; named plugins will be disabled.<br />
disable = name<br />
<br />
# Establishes a mapping from a module name to a dynamic object.<br />
module = modname:pathname<br />
}<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3531Projects/Plugin support improvements2010-07-28T18:36:07Z<p>Hardjono: /* Sample Code and Proof of Concept */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
=== Configuration ===<br />
<br />
=== Code and Proof of Concept ===<br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3530Projects/Plugin support improvements2010-07-28T18:35:32Z<p>Hardjono: /* Configuration */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3529Projects/Plugin support improvements2010-07-28T18:33:29Z<p>Hardjono: /* Function signatures */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id, krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname, krb5_plugin_init_fn module); </code><br />
<br />
== Configuration ==<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjonohttps://k5wiki.kerberos.org/wiki?title=Projects/Plugin_support_improvements&diff=3528Projects/Plugin support improvements2010-07-28T18:32:52Z<p>Hardjono: /* Function signatures */</p>
<hr />
<div><br />
==Motivations, Priorities & Requirements ==<br />
<br />
'''Motivations''': there are a number of motivations behind the creation of the plugin architecture framework.<br />
<br />
* Desire to separate pluggable interface from its implementation;<br />
* Desire to provide simple and clear mechanism that facilitates additions of new pluggable interfaces and their implementations (modules);<br />
* Handles both built-in and dynamic plugin modules;<br />
* Allows multiple implementation of the same pluggable interface;<br />
* Provides uniform way to supply parameters for plugin configuration;<br />
* Allows one plugin implementation (module) to use services provided by the other plugin implementations.<br />
<br />
'''Requirements''': from these items we have developed a more formal set of requirements<br />
covering the design and the implementation of the framework to<br />
support the plugins. These are as follows:<br />
<br />
# Allow third parties to implement multiple plugin modules for each pluggable interface.<br />
# Allow a plugin module to build as dynamic or built-in from the same source code.<br />
# Allow third parties to more easily create new plugin modules.<br />
# Provide a uniform method for configuring discovery of plugin modules.<br />
# Improve readability of code that calls pluggable interfaces.<br />
# Allow easier creation of new pluggable interfaces.<br />
# Allow incremental transition of existing pluggable interfaces to the new framework.<br />
<br />
== Architecture Overview and Concepts ==<br />
<br />
=== Introduction ===<br />
<br />
The architecture for the plugin support is shown in the following figure.<br />
The participants and components are described in the section below.<br />
<br />
<br />
[[Image:plugin_architecture_v3_png.png]]<br />
<br />
=== Participants ===<br />
<br />
The following is a summary of participants and components<br />
within the architecture. Further details are provided in the sections below.<br />
<br />
'''Plugin Manager''': The plugin manager provides a set of generic capabilities that are independent of individual plugin interfaces. The plugin manager implements operations that manage plugin configuration and plugin registry services.<br />
<br />
'''Pluggable Interface''': A pluggable interface is an interface that can be implemented by a third party in a modular manner. An implementation of a pluggable interface is referred to as a ''plugin module''. Furthermore, a pluggable interface itself consist of a ''consumer interface'' and ''provider interface'' (see below).<br />
<br />
'''Plugin Module''': A plugin module is an implementation of a pluggable interface. For example, in the Figure Plugin_A is shown to have two implementations (modules).<br />
<br />
'''Consumer''': The consumer or caller is the entity that uses the plugin module.<br />
<br />
=== Collaboration: Flows ===<br />
<br />
As shown in the above Figure,<br />
the plugin architecture is designed based on the notion<br />
of pluggable interfaces, each of which are defined based on an abstract design.<br />
<br />
When a third party wishes to develop a loadable plugin module<br />
(e.g. Plugin_Module_A1)<br />
that implements a specific task (e.g. implement password<br />
quality check), the developer of the module must<br />
conform to the pluggable interface (Pluggable Interface A) defined for that<br />
"family" of plugin modules.<br />
<br />
The consumer (or caller) that later makes use of the plugin module,<br />
must invoke functions implemented in that module<br />
through a specific consumer interface (Consumer_Interface_A).<br />
Discovery (and filtering) is triggered by the first load operation (within a krb5_context).<br />
<br />
== Architecture Components ==<br />
<br />
In this section we provide further details on the components<br />
of the architecture, describing its features and behaviors.<br />
<br />
=== Plugin Manager ===<br />
<br />
<br />
The plugin manager provides a set of generic support capabilities that are independent of individual pluggable interfaces. It centralizes the discovery process for plugin modules. Typically, consumers of pluggable interfaces do not call it directly. Instead a consumer calls a loader function (of the specific pluggable interface) which in-turn calls the plugin manager.<br />
<br />
In this architecture, the <code>krb5_init_context()</code> functions will create and configure a plugin manager context that will exist in the krb5_context. <br />
<br />
The plugin manager locates plugin modules using both a ''numeric identifier'' (that designates a plugin interface) and a ''string'' (that names a module which implements that pluggable interface). The primary way to use the plugin manager is to query it for the vtable constructor for a specified module (or a set of vtable constructors for all modules of that interface).<br />
<br />
The plugin manager keeps track of modules through its registries. These are discussed as follows.<br />
<br />
==== Registry of built-in modules ====<br />
<br />
This registry keeps track of built-in modules. Typically, libkrb5 will initialize this with locators for all of the built-in modules that are linked into it. Other code units can also register private built-in plugin modules using this registry.<br />
<br />
==== Registry of loadable modules ====<br />
<br />
This registry keeps track of a few additional items needed for loadable modules:<br />
<br />
* Each interface's registry starts out empty.<br />
<br />
* The consumer (typically) populates the registry by registering vtable constructors for built-in modules.<br />
<br />
* When k5_plugin_load() is invoked on an interface for the first time, discovery is performed. This has two steps:<br />
<br />
** Dynamic module mappings are read from the profile. Each named dynamic module is dlopened and dlsym'd to obtain the vtable constructor, and that constructor is added to the interface registry.<br />
<br />
** Enable/disable information is read from the profile. The interface registry is pruned to contain only enabled modules.<br />
<br />
* Thereafter, the interface's registry is unchanging.<br />
<br />
=== Pluggable Interfaces ===<br />
<br />
A pluggable interface is an interface (possibly internal to a library) that can be implemented by a third party in a modular, well-compartmentalized manner. These implementations of pluggable interfaces are called plugin modules. Pluggable interfaces allow a consumer to use the capabilities of the interface without needing to be aware of the implementation details. In particular, a pluggable interface prevents the consumer from needing to know whether the module is a built-in or a dynamically loadable module. <br />
<br />
Pluggable interfaces can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
A pluggable interface has two parts: a ''consumer interface'' and a ''provider interface''. Typically, library code implements the consumer interface, and application code or other library code calls the functions of the consumer interface.<br />
<br />
==== Consumer interface ====<br />
<br />
The consumer interface isolates the consumer from implementation details of the pluggable interface. The consumer does not generally need to know about whether a given module is built-in or dynamically loaded. The implementation of a consumer interface is essentially a glue layer, and can make use of domain-independent (not specific to any pluggable interface) capabilities of the plugin framework. The consumer might explicitly register a new plugin module that it implements: this capability is part of the plugin manager.<br />
<br />
A consumer of a pluggable interface uses an opaque handle (obtained from a loader function that is part of the pluggable interface) to call the methods of a plugin module. Each handle represents one plugin module, and perhaps associated resource information. For one-to-many pluggable interfaces, the loader function will return a list of handles.<br />
<br />
<br />
Each method of the consumer interface is an ordinary C function that takes the opaque handle either explicitly as its first argument or implicitly by some means such as a module name. In essence, these pluggable interface functions in the architecture are wrapper functions that call through function pointers contained in the opaque plugin module handle object.<br />
<br />
One rationale for using wrapper functions instead of having the consumer directly invoke methods through a function pointer is to make it easier for debuggers and analysis tools to recognize when a particular interface method is being called. (Function pointers might have identifier names that look nothing like the actual name of the function they point to, in addition to enabling confusing aliasing.)<br />
<br />
The loader function is specific to the pluggable interface. One reason is for type safety: there will be a distinct opaque handle type for each pluggable interface, allowing compile-time checking to catch some sorts of programming errors. Another reason is backward compatibility: it allows a pluggable interface to support plugin modules that implement an older provider interface.<br />
<br />
==== Provider interface ====<br />
<br />
A plugin module is a unit of code that implements (among others) the provider interface portion of a pluggable interface. Plugin modules can be built in or dynamically loaded. Several alternatives exist for the form of the provider interface, but some have significant advantages in allowing the plugin module to use identical source code for both built-in and loadable modules.<br />
<br />
A built-in module is a module whose implementation is already available within the consumer's symbol namespace at the time of module discovery. This typically means a module whose implementation is part of the same code unit as the consumer, though it could also mean a module which was registered by some other code unit.<br />
<br />
A dynamically loaded module is a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. (In POSIX systems, this is typically done using <code>dlopen()</code>).<br />
<br />
===== Loadable module provider interface =====<br />
<br />
The contents of the vtable are specific to the interface, as well as the major version of the interface. The constructor signature uses an abstract type to represent the vtable pointer.<br />
<br />
The constructor takes as arguments a major version number, a minor version number, and a pointer to a caller-allocated vtable structure.<br />
<br />
The name of the function symbol is constructed from the name of the plugin interface and the name of the plugin module. This allows the caller to see just from the symbol name which interface and plugin it is calling.<br />
<br />
===== Built-in-module provider interface =====<br />
<br />
A built-in module provides the same interface as a loadable module. In this architecture we use an exported function symbol for each loadable module implementing a pluggable interface.<br />
<br />
<br />
<br />
<br />
<br />
== Operational Flow ==<br />
<br />
=== Startup ===<br />
<br />
* The krb5_init_context() function initializes an empty registry for each pluggable interface. <br />
<br />
* It then registers libkrb5 built-in modules.<br />
<br />
=== Consumer ===<br />
<br />
* The consumer registers built-in modules for the desired pluggable interface, if they were not registered by krb5_init_context (because they are not libkrb5 built-in modules).<br />
<br />
* The consumer calls the plugin loader function for the desired pluggable interface.<br />
<br />
* The loader function calls the plugin manager to retrieve the vtable constructor function for the appropriate module.<br />
<br />
* If this is the first load operation for the pluggable interface, the plugin manager performs module discovery and filtering using the appropriate profile variables for the interface.<br />
<br />
* The loader function uses the resulting vtable to build an opaque handle to give to the consumer.<br />
<br />
* The consumer calls the wrapper functions of the pluggable interface, passing the opaque module handle in order to access the capabilities of the plugin module.<br />
<br />
== Interfaces and Functions ==<br />
<br />
=== Consumer accessible functions ===<br />
<br />
The following functions are meant to be used by a consumer of pluggable interfaces:<br />
<br />
; <code> k5_plugin_register</code>: Register a vtable constructor for a built-in module of a specified interface.<br />
<br />
=== Loader accessible function ===<br />
<br />
The following functions are meant to be used by a loader function of a pluggable interface:<br />
<br />
; <code>k5_plugin_load</code>: Obtain a vtable constructor for a named module of a specified interface.<br />
<br />
; <code>k5_plugin_load_all</code>: Obtain a list of all available vtable constructors for a specified interface.<br />
<br />
; <code>k5_plugin_free_modules</code>: Free a list of vtable constructors allocated by k5_plugin_load_all.<br />
<br />
=== Function signatures ===<br />
<br />
The function signatures as as follows:<br />
<br />
; <code> krb5_error_code <br />
k5_plugin_load(krb5_context context, int interface_id, const char *modname,<br />
krb5_plugin_init_fn *module); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_load_all(krb5_context context, int interface_id,<br />
krb5_plugin_init_fn **modules); </code><br />
<br />
; <code>void<br />
k5_plugin_free_modules(krb5_context context, krb5_plugin_init_fn *modules); </code><br />
<br />
; <code>krb5_error_code<br />
k5_plugin_register(krb5_context context, int interface_id, const char *modname,<br />
krb5_plugin_init_fn module); </code><br />
<br />
== Configuration ==<br />
<br />
== Sample Code and Proof of Concept ==<br />
<br />
== Deliverables ==<br />
<br />
<br />
For Release 1.9, the deliverables are (a) plugin framework/manager and pluggable interfaces that can support (b) password strength and (c) password synchronization plugin modules. <br />
<br />
These should support the capabilities of two existing extensions written by Russ Allbery -- krb5-strength and krb5-sync. The framework is subject to change in the future, so it doesn't have to accommmodate all eventualities, but we will have a goal of not painting ourselves into a corner with respect to reasonably plausible future requirements.<br />
<br />
== Existing Support ==<br />
<br />
This section provides some background material<br />
on existing support for pluggable interfaces.<br />
<br />
=== Current plugins ===<br />
<br />
We currently have the following plugin frameworks:<br />
<br />
* Preauth: All shared objects from profile-specified or installation directory are loaded. Two vtables are read from the shared objects, one for libkrb5 and one for the KDC. The preauth framework iterates over the module list invoking functions to generate or handle preauth data. Preauth vtable functions receive a callback function and data object which allow it to request information such as the expected enctype or FAST armor key for the request.<br />
<br />
* Authdata: Very similar to the preauth framework.<br />
<br />
* KDB: The profile specifies a database library name for each realm. Shared objects matching the library name are loaded from a profile-specified and installation directory; the first matching object with an appropriately-named vtable data object is used, and the rest are ignored. libkdb5 contains wrappers which invoke functions in the library's vtable, or (for some optional functions) default implementations if the vtable left the function pointer as NULL.<br />
<br />
* KDC location: All shared objects from an installation directory are located. A vtable is read from the shared objects. The KDC location framework iterates over each vtable and invokes a lookup function; modules can return success with a location, an error (which halts the location process), or a distinguished error code which passes control along to the next module or the built-in location mechanisms.<br />
<br />
* GSSAPI: The file /etc/gss/mechs can specify a list of mechanism OIDs and shared object filenames; filenames are taken as relative to an installation directory. Shared objects implementing mechanisms can export either a function returning a vtable, or can export each GSSAPI interface individually.<br />
<br />
The following areas of functionality are virtualized but have no exposed plugin framework:<br />
<br />
* Serialization: Serialization table entries can be registered with krb5_register_serializer. Data objects are matched to table entries by magic number. The registration function is exported by libkrb5 and is named with the krb5_ prefix, but it and its associated structure are declared in k5-int.h rather than krb5.h. It is not used outside of libkrb5.<br />
<br />
* ccache: Very similar to serialization, except that ccache implementations are selected using a URL-style prefix in the ccache name.<br />
<br />
* keytab: Very similar to ccache, except that the keytab registration function is used outside of libkrb5 to register a "KDB keytab", which is used by kadmind to serve GSSRPC without requiring a keytab file containing the kadmin keys.<br />
<br />
* Replay cache: Very similar to ccache, except that the replay cache registration function is not used anywhere (even inside libkrb5).<br />
<br />
Plugin frameworks which are "not exposed" may still be productively used by vendor forks of the krb5 tree.<br />
<br />
=== Future planned plugins ===<br />
<br />
The following areas are candidates for future plugin support:<br />
<br />
* PRNG<br />
* profile / configuration<br />
* DNS / host-realm mapping<br />
* password quality policy<br />
* lockout<br />
* audit<br />
* password synchronization<br />
<br />
=== Current support infrastructure ===<br />
<br />
In libkrb5support, we have functions to facilitate loading plugins from shared objects. There is a set of functions to load individual plugins from named files and mechglue; these are currently used by the HDB bridge and GSS mechglue:<br />
<br />
* krb5int_open_plugin - Create a plugin handle from a filename<br />
* krb5int_close_plugin - Close a plugin handle<br />
* krb5int_get_plugin_data - Retrieve a data object from a plugin handle by symbol name<br />
* krb5int_get_plugin_func - Retrieve a function object from a plugin handle by symbol name<br />
<br />
There is another set of functions to scan a list of directories for plugins:<br />
<br />
* krb5int_open_plugin_dirs - Create a plugin dir handle from a list of directories and (optionally) filebases<br />
* krb5int_close_plugin_dirs - Close a plugin dir handle<br />
* krb5int_get_plugin_dir_data - Retrieve a list of data objects from a plugin dir handle by symbol name<br />
* krb5int_get_plugin_dir_func - Retrieve a list of function objects from a plugin dir handle by symbol name<br />
* krb5int_free_plugin_dir_data - Free a list of data objects returned by krb5int_get_plugin_dir_data<br />
* krb5int_free_plugin_dir_func - Free a list of function objects returned by krb5int_get_plugin_dir_func<br />
<br />
=== Problem areas ===<br />
<br />
* Every caller of krb5int_open_plugin_dirs specifies either no filebases (e.g. preauth plugins) or a single filebase (KDB plugins). Accepting and processing a list of filebases is probably needless complexity.<br />
<br />
* Callers of krb5int_open_plugin_dirs have to know what directories to supply, which means they need to know the krb5 install root as well as the magic plugin area for OS X, and they need logic for reading a profile variable to determine the alternate plugin directory for the test suite (currently only implemented for KDB and preauth plugins).<br />
<br />
* In most uses of plugins, we read a data object containing a list of function pointers. This makes it mostly impossible to supply a plugin which works with multiple versions of krb5. If we instead read a function object which we invoked with a version number to retrieve the vtable, it would be possible (though perhaps awkward) to create a shared object which works with multiple versions.<br />
<br />
* We are somewhat schizophrenic about how plugins can access krb5 library functionality, and in particular internal symbols. Sometimes we call functions directly, sometimes we make use of a vtable passed into the plugin (e.g. the preauth_get_client_data_proc function), sometimes we use the accessor to invoke internal functions, and sometimes we call APIs or internal functions directly. Ideally we should have a consistent policy with a sound justification.<br />
<br />
* When measuring code coverage with gcov, we cannot use shared libraries; this means we need to link in-tree plugins statically into the libraries or programs which load them. We have an ad-hoc method to do this with KDB plugins, but not with other plugin types.<br />
<br />
* Administrators have an easier time writing scripts than creating linkable shared objects. In some cases it might yield a better administrator experience to create plugin interfaces via subprocesses than loading shared objects, although in many cases this might not be feasible.<br />
<br />
* In some scenarios such as embedded environments, it may be more useful to allow applications to supply plugin vtables via an API (as we do for keytabs and ccaches, though those APIs are not public) than to load them from shared objects in the filesystem.<br />
<br />
== Definitions ==<br />
<br />
; pluggable interface: an (internal) interface that can be implemented by a third party. These can be one-to-one, or one-to-many. An example of one-to-one is the DAL, and an example of one-to-many is preauth.<br />
<br />
; module: a unit of code that implements a pluggable interface. It can be built in, or it can be dynamically loadable.<br />
:; built-in: a module whose executable code is located within the library shared object or executable program file, or behaves as if it were. (While separate library shared objects that the calling library depends on can contain "built-in" modules for the calling library, this can cause problems with cyclic references.) The distinguishing characteristic of a built-in module is that, as part of program startup, the operating system automatically maps the executable code of the module into the address space of the process that calls it, without any explicit action by the library or program.<br />
:; dynamically loaded: a module whose executable code is located within a file that is distinct from the library or program that calls it. The plugin support framework uses the runtime linker (or equivalent) to explicitly map the executable code of the module into the process address space. In POSIX systems, this is typically done using <code>dlopen()</code>.<br />
<br />
; discovery: process of enumerating what modules are available for a pluggable interface. Includes possible filtering of the raw discovered set.<br />
:* compiled-in<br />
:* directory scan<br />
:* explicit inclusion by configuration<br />
:* explicit exclusion by configuration<br />
<br />
; loading: the process of making modules available for calling. This can involve dynamically loading a module using the runtime linker, or it can involve registering a vtable provided by an application.<br />
:* built-in<br />
:* dynamic loading<br />
:* application-registered<br />
<br />
; selection: the process of a caller invoking one specific module from the set of loaded modules that implement an interface.<br />
<br />
; consumer interface: the interface that a caller uses to access the services of a pluggable interface. Typically, but not always, the krb5 library implements the consumer interface.<br />
<br />
; provider interface: the interface that a module author implements</div>Hardjono