Difference between revisions of "Projects/Local authorization pluggable interface"
(New page: {{project-early}} {{project-target|1.12}} ==Description== This project adds a pluggable interface to affect the behavior of the krb5_kuserok() and krb5_aname_to_localname() functions. =...) |
(→Proposal) |
||
| Line 25: | Line 25: | ||
This project proposes to use a single pluggable interface to control the behavior of both operations. A module may choose to only implement methods to control one or the other function, but the expectation is that a module may wish to use the same internal state to control both operations. |
This project proposes to use a single pluggable interface to control the behavior of both operations. A module may choose to only implement methods to control one or the other function, but the expectation is that a module may wish to use the same internal state to control both operations. |
||
| − | [XXX rough notes follow:] |
||
| + | The pluggable interface will have four methods (plus initialization and finalization methods): |
||
| − | * kuserok: princname, localname -> accept/reject or krb5 error; KRB5_PLUGIN_NO_HANDLE implies pass? |
||
| + | krb5_error_code (*kuserok)(krb5_context context, krb5_localauth_moddata data, |
||
| − | - accumulator behavior: succeed if no modules reject/error and at least one module accepts |
||
| + | krb5_const_principal princ, const char *lname); |
||
| + | |||
| + | const char **an2ln_types; |
||
| + | krb5_error_code (*an2ln)(krb5_context context, krb5_localauth_moddata data, |
||
| + | const char *type, const char *residual, |
||
| + | krb5_const_principal princ, char **lname_out); |
||
| + | |||
| + | krb5_error_code (*an2ln_all)(krb5_context context, krb5_localauth_moddata data, |
||
| + | krb5_const_principal princ, char **lname_out); |
||
| + | |||
| + | void (*free_string)(krb5_context context, krb5_localauth_moddata data, |
||
| + | char *str); |
||
| − | * an2ln: some different design choices |
||
| + | The kuserok method is optional. If it is implemented, it will be invoked for krb5_kuserok operations. It should return 0 if authorization is allowed, EPERM if authorization is authoritatively denied, KRB5_PLUGIN_NO_HANDLE if the module cannot determine whether authorization is allowed, and any other error code on a serious failure. krb5_kuserok will return true if at least one module returns success and all other modules return success or KRB5_PLUGIN_NO_HANDLE. If any modules return EPERM or another error, krb5_kuserok will return false. Remaining modules will be skipped if |
||
| − | 1. plug into realms -> DEFREALMNAME -> auth_to_local values |
||
| + | |||
| − | module registers prefix type (like current "RULE" or "DEFAULT") |
||
| + | an2ln_types is optional. If it is set, it contains a null-terminated array of uppercase string constants which act as type names. As krb5_aname_to_localname processes the auth_to_local values in the profile, any values with type strings matching a string in an2ln_types will result in calls to the an2ln method, with the residual string (or NULL if there is none) as an argument. The method should return 0 and set *lname_out if it can translate the principal, KRB5_PLUGIN_NO_HANDLE if it cannot, and any other error code on a serious failure. The an2ln method will be invoked multiple times if multiple auth_to_local values reference its types, if it returns KRB5_PLUGIN_NO_HANDLE on prior invocations. |
||
| − | method is invoked if module's prefix is selected, perhaps multiple times with different residuals |
||
| + | |||
| − | config required to take over all an2ln operations is somewhat cumbersome |
||
| + | an2ln_all is optional. If it is set, it will be consulted for all krb5_aname_to_localname operations, to the exclusion of all built-in mechanisms and all other modules. Only one registered module may implement an2ln_all. |
||
| − | 2. treat existing support as modules, and add new modules |
||
| + | |||
| − | accumulator behavior is hard to specify without ordering |
||
| + | Module registration will fail (with a trace log message, but without disabling all kuserok or an2ln library operations) if it tries to register an already registered an2ln_types value or if it implements an2ln_all and a previous module already implements that method. |
||
| − | 3. module can take over all an2ln operations, but only allow one module to do so |
||
==Testing== |
==Testing== |
||
Revision as of 19:33, 30 January 2013
Description
This project adds a pluggable interface to affect the behavior of the krb5_kuserok() and krb5_aname_to_localname() functions.
Background
The krb5_aname_to_localname() function attempts to convert a krb5 principal name into a local account name according to policy. The default behavior maps single-component principals within the default realm to their values without realm (e.g. ghudson@ATHENA.MIT.EDU to ghudson, if ATHENA.MIT.EDU is the default realm). Its behavior can be modified through profile configuration as outlined below:
[realms]
DEFREALMNAME = {
auth_to_local_names = {
princname = localname
}
auth_to_local = RULE:[selstring](regexp)s/pattern/replacement/
auth_to_local = DEFAULT
}
The krb5_kuserok() function decides whether a principal name is authorized to control a particular local account name. The current implementation looks for a .k5login file in the local account's home directory and searches it for the principal name; if no .k5login file exists, authorization succeeds if krb5_aname_to_localname maps the principal name to the local account name.
Proposal
This project proposes to use a single pluggable interface to control the behavior of both operations. A module may choose to only implement methods to control one or the other function, but the expectation is that a module may wish to use the same internal state to control both operations.
The pluggable interface will have four methods (plus initialization and finalization methods):
krb5_error_code (*kuserok)(krb5_context context, krb5_localauth_moddata data,
krb5_const_principal princ, const char *lname);
const char **an2ln_types;
krb5_error_code (*an2ln)(krb5_context context, krb5_localauth_moddata data,
const char *type, const char *residual,
krb5_const_principal princ, char **lname_out);
krb5_error_code (*an2ln_all)(krb5_context context, krb5_localauth_moddata data,
krb5_const_principal princ, char **lname_out);
void (*free_string)(krb5_context context, krb5_localauth_moddata data,
char *str);
The kuserok method is optional. If it is implemented, it will be invoked for krb5_kuserok operations. It should return 0 if authorization is allowed, EPERM if authorization is authoritatively denied, KRB5_PLUGIN_NO_HANDLE if the module cannot determine whether authorization is allowed, and any other error code on a serious failure. krb5_kuserok will return true if at least one module returns success and all other modules return success or KRB5_PLUGIN_NO_HANDLE. If any modules return EPERM or another error, krb5_kuserok will return false. Remaining modules will be skipped if
an2ln_types is optional. If it is set, it contains a null-terminated array of uppercase string constants which act as type names. As krb5_aname_to_localname processes the auth_to_local values in the profile, any values with type strings matching a string in an2ln_types will result in calls to the an2ln method, with the residual string (or NULL if there is none) as an argument. The method should return 0 and set *lname_out if it can translate the principal, KRB5_PLUGIN_NO_HANDLE if it cannot, and any other error code on a serious failure. The an2ln method will be invoked multiple times if multiple auth_to_local values reference its types, if it returns KRB5_PLUGIN_NO_HANDLE on prior invocations.
an2ln_all is optional. If it is set, it will be consulted for all krb5_aname_to_localname operations, to the exclusion of all built-in mechanisms and all other modules. Only one registered module may implement an2ln_all.
Module registration will fail (with a trace log message, but without disabling all kuserok or an2ln library operations) if it tries to register an already registered an2ln_types value or if it implements an2ln_all and a previous module already implements that method.
