Difference between revisions of "Projects/Config File Validator"

From K5Wiki
(New page: {{project-early}} == Purpose == Check the internal correctness of the configuration files before the run-time to avoid the undesirable or unpredictable behavior and to save time chasing...)
 
m (Design)
Line 13: Line 13:
 
== Design ==
 
== Design ==
   
validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath]
+
validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath]
 
 
path – path to the configuration file to validate
+
''path'' – path to the configuration file to validate
-d defPath – path to the k5-int.h file. Starting from the 1.7 release this header holds the profile attribute names in the form #define KRB5_CONF_xxx ”ZZZ”.
+
-d ''defPath'' – path to the k5-int.h file. Starting from the 1.7 release this header holds the profile attribute names in the form #define KRB5_CONF_xxx ”ZZZ”.
-r rulesPath – path the rules file in yaml format. It may be used to manage the list of the valid attributes and to define the additional validation rules.
+
-r ''rulesPath'' – path the rules file in yaml format. It may be used to manage the list of the valid attributes and to define the additional validation rules.
-c validatorConfPath – the same as -r and -d options, but in validator configuration file format.
+
-c ''validatorConfPath'' – the same as -r and -d options, but in validator configuration file format.
   
The list of the valid attributes is created based on the “configuration variables” section in k5-int.h and user defined attributes from the rules.yml file:
+
The list of the valid attributes is created based on the “configuration variables” section in ''k5-int.h'' and user defined attributes from the ''rules.yml'' file:
   
k5-int.h
+
''k5-int.h''
 
 
 
/* cofiguration variables */
 
/* cofiguration variables */
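Review bot: the -r line still reads "path the rules file in yaml format" after this change; since the line is being rewritten to italicize rulesPath anyway, add the missing "to" in the same edit. The -d line also keeps the typographic quotes in #define KRB5_CONF_xxx ”ZZZ”, which is not how the define appears in a C header, and the context line /* cofiguration variables */ misspells "configuration"; both are worth fixing while the Design section is open.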
Line 34: Line 34:
 
and
 
and
   
rules.yml (Example)
+
''rules.yml'' (Example)
 
 
 
# Extend the list of the allowed enctypes and salts as needed
 
# Extend the list of the allowed enctypes and salts as needed
Line 50: Line 50:
 
- dbmodules
 
- dbmodules
   
Example of the file validatorConfPath:
+
Example of the file ''validatorConfPath'':
   
validator.conf (Example)
+
''validator.conf ''(Example)
 
 
 
RulesPath=./rules.yml
 
RulesPath=./rules.yml
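Review bot: the new line ''validator.conf ''(Example) closes the italic markup after a trailing space, so the space is italicized and "(Example)" runs into the file name. Writing it as ''validator.conf'' (Example) would match the ''rules.yml'' (Example) line changed in the previous hunk.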

Revision as of 17:21, 18 May 2010

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.



Purpose

Check the internal correctness of the configuration files before run time, to avoid undesirable or unpredictable behavior and to save time chasing bugs later.

The configuration file is checked for:

  • Formatting errors
  • Invalid attributes
  • Invalid values

Design

validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath]

path          – path to the configuration file to validate
-d defPath    – path to the k5-int.h file.  Starting from the 1.7 release this header holds the profile attribute names in the form #define KRB5_CONF_xxx "ZZZ".
-r rulesPath  – path to the rules file in YAML format. It may be used to manage the list of valid attributes and to define additional validation rules.
-c validatorConfPath – supplies the same settings as the -r and -d options, but in the validator configuration file format.

The list of valid attributes is built from the “configuration variables” section in k5-int.h and the user-defined attributes from the rules.yml file:

k5-int.h
…
/* configuration variables */
#define  KRB5_CONF_ACL_FILE       "acl_file"
#define  KRB5_CONF_ADMIN_KEYTAB   "admin_keytab"
#define  KRB5_CONF_ADMIN_SERVER   "admin_server"
#define  KRB5_CONF_ALLOW_WEAK_CRYPTO      "allow_weak_crypto"
#define  KRB5_CONF_AP_REQ_CHECKSUM_TYPE   "ap_req_checksum_type"
…

and

rules.yml (Example)

# Extend the list of the allowed enctypes and salts as needed
Types:
   supported_enctypes:
       '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)(:(normal|v4))?$'
   default_tgs_enctypes:
       '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1)'
   default_tkt_enctypes:
       '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)'

# Add all valid profile attributes that are not listed in k5-int.h
Attributes:
   - logging
   - dbmodules

Example of the file validatorConfPath:

validator.conf (Example)

RulesPath=./rules.yml
HfilePath=../../include/k5-int.h
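
The three checks described above (formatting errors, invalid attributes, invalid values) can be illustrated with the following added example; it is not the project's validator.py and is written for Python 3. The names valid_attributes and validate, the RULES dict standing in for a parsed rules.yml, and the token-by-token full match against the Types patterns are assumptions, and all inputs are constructed.

```python
import re

DEFINE = re.compile(r'^\s*#define\s+KRB5_CONF_\w+\s+"([^"]+)"', re.M)
SECTION = re.compile(r'^\[(\w+)\]$')
RELATION = re.compile(r'^([\w.\-]+)\s*=\s*(.*)$')

# Constructed inputs: header excerpt, stand-in for parsed rules.yml, profile.
HEADER = '''/* configuration variables */
#define  KRB5_CONF_ALLOW_WEAK_CRYPTO     "allow_weak_crypto"
#define  KRB5_CONF_DEFAULT_TKT_ENCTYPES  "default_tkt_enctypes"
#define  KRB5_CONF_LIBDEFAULTS           "libdefaults"
'''
RULES = {
    "Types": {"default_tkt_enctypes":
              "(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)"},
    "Attributes": ["logging", "dbmodules"],
}
PROFILE = """\
[libdefaults]
    default_tkt_enctypes = aes256-cts des-cbc-crc
    allow_weak_crypto = true
    default_tgs_enctype = aes256-cts
    dns_lookup_kdc
[logging]
"""

def valid_attributes(header_text, rules):
    """Names from #define KRB5_CONF_xxx "ZZZ" plus the rules' Attributes list."""
    return set(DEFINE.findall(header_text)) | set(rules.get("Attributes", []))

def validate(profile_text, header_text, rules):
    """Return (line_number, kind, detail) findings for a flat profile."""
    allowed = valid_attributes(header_text, rules)
    types = {k: re.compile(v) for k, v in rules.get("Types", {}).items()}
    findings = []
    for n, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;}":
            continue
        m = SECTION.match(line) or RELATION.match(line)
        if not m:
            findings.append((n, "format", line))
        elif m.group(1) not in allowed:
            findings.append((n, "attribute", m.group(1)))
        elif m.group(1) in types and m.re is RELATION:
            # Assumption: each whitespace/comma separated token must match in full.
            findings.extend((n, "value", t)
                            for t in re.split(r"[\s,]+", m.group(2).strip())
                            if not types[m.group(1)].fullmatch(t))
    return findings
```

On the constructed profile this reports the enctype outside the allowed list, the misspelled attribute name, and the line that is neither a section header nor a relation.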

Pre-requisites

Python 2.5+

YAML - available from http://yaml.org/

Current status

The configuration validator is implemented and available at the following location:

src/util/confvalidator/validator.py