logo_kerberos.gif

Projects/Config File Validator

From K5Wiki
Jump to: navigation, search
This project was completed in release 1.9.


Purpose

Check the internal correctness of the configuration files before the run-time to avoid the undesirable or unpredictable behavior and to save time chasing the bugs later.

The configuration file is verified against

  • Formatting errors
  • Invalid attributes
  • Invalid values

Design

validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath] 

path          – path to the configuration file to validate
-d defPath    – path to the k5-int.h file.  Starting from the 1.7 release this header holds the profile attribute names in the form #define KRB5_CONF_xxx ”ZZZ”.
-r rulesPath  – path the rules file in yaml format. It may be used to manage the list of the valid attributes and to define the additional validation rules.
-c validatorConfPath – the same as -r and -d options, but in validator configuration file format.

The list of the valid attributes is created based on the “configuration variables” section in k5-int.h and user defined attributes from the rules.yml file: 

k5-int.h
…
/* cofiguration variables */
#define  KRB5_CONF_ACL_FILE       "acl_file"
#define  KRB5_CONF_ADMIN_KEYTAB   "admin_keytab"
#define  KRB5_CONF_ADMIN_SERVER   "admin_server"
#define  KRB5_CONF_ALLOW_WEAK_CRYPTO      "allow_weak_crypto"
#define  KRB5_CONF_AP_REQ_CHECKSUM_TYPE   "ap_req_checksum_type”
…

and 

rules.yml (Example)

# Extend the list of the allowed enctypes and salts as needed
Types:
   supported_enctypes:
       '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)(:(normal|v4))?$'
   default_tgs_enctypes:
       '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1)'
   default_tkt_enctypes:
       '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)'

# Add all valid profile attributes that are not listed in k5-int.h
Attributes:
   - logging
   - dbmodules

Example of the file validatorConfPath: 

validator.conf (Example)

RulesPath=./rules.yml
HfilePath=../../include/k5-int.h

Pre-requisites

Python 2.4+

libyaml - available from http://yaml.org/

Current status

Configuration validator is implemented and available from the following location: 

src/util/confvalidator/validator.py
Retrieved from "https://k5wiki.kerberos.org./wiki?title=Projects/Config_File_Validator&oldid=3817"