Difference between revisions of "Projects/Interposer Mechanism"
Line 16: | Line 16: | ||
The Interposer mechanism must also be able to call back into the mechglue in order to execute code using the original mechanism. |
The Interposer mechanism must also be able to call back into the mechglue in order to execute code using the original mechanism. |
||
The interposer mechanism should be completely transparent to applications, in that pure gssapi application should not need any modification in order to work with the interposer mechanism nor need to issue any special call to use the interposer functionality. |
The interposer mechanism should be completely transparent to applications, in that pure gssapi application should not need any modification in order to work with the interposer mechanism nor need to issue any special call to use the interposer functionality. |
||
+ | |||
+ | = Architecture = |
||
+ | |||
+ | In order to allow interposer plugins to re-enter the mechglue we had to change their function signature so that the SPI does not match the GSs API function signatures, as interposer plugins are allowed to call back into GSSAPI. |
||
+ | The interposer plugins SPI uses the gssi_ prefix (GSS Interposer) for all the mechglue functions it implements. |
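Review bot: The added Architecture paragraph says the SPI signatures were changed so that they no longer match the GSSAPI ones, but it never states what the difference is or how a plugin re-enters the mechglue to reach the original mechanism. It also gives the re-entry requirement twice as its own justification ("In order to allow interposer plugins to re-enter the mechglue ... as interposer plugins are allowed to call back into GSSAPI"). Suggest naming the concrete signature difference and the re-entry path, since a plugin author needs both to avoid being dispatched back into their own interposer. Also, "GSs API" should read "GSSAPI" and "interposer plugins SPI" should read "interposer plugin SPI".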
Revision as of 15:17, 2 October 2012
This project is about creating a mechanism that makes it possible to intercept the accepting and initializing of a security context at the mechglue layer, so that, ideally, any mechanism can be proxied to a separate application potentially running in a different security context.
Background
During the development of the GSS-Proxy project, in connection with Projects/ProxyGSSAPI, a new GSSAPI mechanism interface has emerged. We call this kind of mechanism an Interposer Mechanism, as it intercepts all function calls for a specific mechanism.
The Interposer Mechanism tells the mechglue layer which mechanisms it wants to interpose. Once a mechanism is interposed, the mechglue will always call the interposer for any function related to the interposed mechanism.
The interposer plugin is responsible for handling the requested functionality. It can proxy the call to another process (for example, the GSS-Proxy daemon), or it can short-circuit the call back to the mechglue in order to invoke the original mechanism handler.
Requirements
The Interposer mechanism must be able to intercept any mechanism function. The Interposer mechanism must also be able to call back into the mechglue in order to execute code using the original mechanism. The interposer mechanism should be completely transparent to applications: a pure GSSAPI application should not need any modification in order to work with the interposer mechanism, nor need to issue any special call to use the interposer functionality.
Architecture
In order to allow interposer plugins to re-enter the mechglue, we had to change their function signatures so that the SPI does not match the GSSAPI function signatures, as interposer plugins are allowed to call back into GSSAPI. The interposer plugin SPI uses the gssi_ prefix (GSS Interposer) for all the mechglue functions it implements.
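The dispatch and re-entry behaviour described above can be modelled in a few lines of C. This is an added illustration, not code from the project: every name in it (`toy_gss_accept`, `toy_gssi_accept`, `toy_glue_call_original`, `struct mech`) is hypothetical, and passing the interposed mechanism to the plugin as an extra argument is this model's assumption about how the SPI signature differs.

```c
#include <stdio.h>
#include <string.h>
/* Toy model of mechglue dispatch; every name here is hypothetical. */
struct call { const char *tok; char out[64]; };
struct mech;
typedef int (*native_fn)(struct call *c);
/* Interposer SPI: not the application-facing signature. Passing the
 * interposed mechanism as an extra argument is this model's assumption. */
typedef int (*gssi_fn)(const struct mech *orig, struct call *c);
struct mech {
    const char *name;    /* stand-in for a mechanism OID */
    native_fn native;    /* original mechanism handler */
    gssi_fn interposer;  /* non-NULL once the mechanism is interposed */
};

/* Re-entry point: runs the original handler and skips interposition,
 * so an interposer calling back cannot loop into itself. */
static int toy_glue_call_original(const struct mech *m, struct call *c)
{
    return m->native(c);
}

/* Application-facing entry: the caller is unaware of the interposer. */
static int toy_gss_accept(const struct mech *m, struct call *c)
{
    return m->interposer ? m->interposer(m, c) : m->native(c);
}

static int toy_native(struct call *c)
{
    return snprintf(c->out, sizeof c->out, "native:%s", c->tok) < 0;
}

/* Proxies tokens tagged "remote" (constructed rule), else short-circuits. */
static int toy_gssi_accept(const struct mech *orig, struct call *c)
{
    if (strncmp(c->tok, "remote", 6) == 0)  /* stands in for IPC to a daemon */
        return snprintf(c->out, sizeof c->out, "proxied:%s", c->tok) < 0;
    return toy_glue_call_original(orig, c);
}

/* Runs one accept call; returns the handler's output, or "error". */
const char *toy_demo(int interposed, const char *tok)
{
    static struct call c;
    struct mech m = { "toy-mech", toy_native, interposed ? toy_gssi_accept : NULL };
    c.tok = tok;
    return toy_gss_accept(&m, &c) == 0 ? c.out : "error";
}
```

If the plugin called `toy_gss_accept` instead of the re-entry point, the mechglue would dispatch it straight back to the interposer and the call would never reach the original mechanism.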