
Projects/Config File Validator

From K5Wiki
Revision as of 18:21, 18 May 2010 by Tsitkova (talk | contribs) (Design)

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.



Purpose

Check the internal correctness of the configuration files before run time, to avoid undesirable or unpredictable behavior and to save time chasing bugs later.

The configuration file is checked for:

  • Formatting errors
  • Invalid attributes
  • Invalid values

Design

validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath]

path          – path to the configuration file to validate
-d defPath    – path to the k5-int.h file.  Starting from the 1.7 release this header holds the profile attribute names in the form #define KRB5_CONF_xxx "ZZZ".
-r rulesPath  – path to the rules file in YAML format. It may be used to manage the list of valid attributes and to define additional validation rules.
-c validatorConfPath – supplies the same settings as the -r and -d options, but in the validator configuration file format.

The list of valid attributes is built from the “configuration variables” section in k5-int.h and the user-defined attributes in the rules.yml file:

k5-int.h
…
/* configuration variables */
#define  KRB5_CONF_ACL_FILE       "acl_file"
#define  KRB5_CONF_ADMIN_KEYTAB   "admin_keytab"
#define  KRB5_CONF_ADMIN_SERVER   "admin_server"
#define  KRB5_CONF_ALLOW_WEAK_CRYPTO      "allow_weak_crypto"
#define  KRB5_CONF_AP_REQ_CHECKSUM_TYPE   "ap_req_checksum_type"
…

and

rules.yml (Example)

# Extend the list of the allowed enctypes and salts as needed
Types:
   supported_enctypes:
       '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)(:(normal|v4))?$'
   default_tgs_enctypes:
       '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1)'
   default_tkt_enctypes:
       '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)'

# Add all valid profile attributes that are not listed in k5-int.h
Attributes:
   - logging
   - dbmodules

Example of the file passed as validatorConfPath:

validator.conf (Example)

RulesPath=./rules.yml
HfilePath=../../include/k5-int.h
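
The design above, worked through as an added example (a sketch written for this page, not the project's validator.py): the valid attribute list is built from the KRB5_CONF_xxx defines plus the rules' Attributes, and a profile is then checked for formatting errors, invalid attributes and invalid values. Assumptions: the header, rules and profile are constructed samples (the KRB5_CONF_SUPPORTED_ENCTYPES line follows the page's pattern), the rules dict stands in for the parsed rules.yml, only leaf "name = value" relations are checked, and each list item of a typed value must match its rule.

```python
import re

# Constructed stand-ins for k5-int.h, the parsed rules.yml and a profile.
HEADER = '''/* configuration variables */
#define  KRB5_CONF_ACL_FILE       "acl_file"
#define  KRB5_CONF_ALLOW_WEAK_CRYPTO      "allow_weak_crypto"
#define  KRB5_CONF_SUPPORTED_ENCTYPES     "supported_enctypes"
'''
RULES = {  # what a YAML loader would return for rules.yml
    "Types": {"supported_enctypes":
              r"(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)(:(normal|v4))?$"},
    "Attributes": ["logging", "dbmodules"],
}
PROFILE = '''[libdefaults]
    alow_weak_crypto = false
[realms]
    EXAMPLE.COM = {
        acl_file = /etc/kadm5.acl
        supported_enctypes = aes256-cts:normal des-cbc-crc:normal
        admin_keytab /etc/kadm5.keytab
    }
'''
DEFINE_RE = re.compile(r'#define\s+KRB5_CONF_\w+\s+"([^"]+)"')
RELATION_RE = re.compile(r'^([\w.\-]+)\s*=\s*(.*)$')
SECTION_RE = re.compile(r'^\[[\w.\-]+\]$')

def valid_attributes(header_text, rules):
    """Names from the KRB5_CONF_xxx defines plus the rules' Attributes list."""
    return set(DEFINE_RE.findall(header_text)) | set(rules.get("Attributes", []))

def validate(profile_text, header_text, rules):
    """Return (line number, problem) tuples for the profile's leaf relations."""
    allowed, types, problems = valid_attributes(header_text, rules), rules.get("Types", {}), []
    for num, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}" or SECTION_RE.match(line):
            continue                      # blank, comment, block end, [section]
        m = RELATION_RE.match(line)
        name, value = m.groups() if m else (None, None)
        if m is None:
            problems.append((num, "formatting error"))
        elif value == "{":
            continue                      # subsection (e.g. a realm block): name not checked
        elif name not in allowed:
            problems.append((num, "invalid attribute: " + name))
        elif name in types:               # assumption: every list item must match the rule
            bad = [v for v in re.split(r"[\s,]+", value) if v and not re.match(types[name], v)]
            problems.extend((num, "invalid value: " + v) for v in bad)
    return problems
```

Calling validate(PROFILE, HEADER, RULES) reports the misspelled alow_weak_crypto, the des-cbc-crc entry that the supported_enctypes rule does not allow, and the relation missing its "=".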

Pre-requisites

Python 2.5+

YAML - available from http://yaml.org/

Current status

The configuration validator is implemented and available at the following location:

src/util/confvalidator/validator.py