Projects/Config File Validator
Revision as of 15:36, 18 May 2010 by Tsitkova
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.
Purpose
Check the internal correctness of the configuration files before run time, to avoid undesirable or unpredictable behavior and to save time chasing bugs later.
The configuration file is checked for:
- Formatting errors
- Invalid attributes
- Invalid values
Design
    validator.py path [-d defPath] [-r rulesPath] [-c validatorConfPath]
path – path to the configuration file to validate.
-d defPath – path to the k5-int.h file. Starting from the 1.7 release, this header holds the profile attribute names in the form #define KRB5_CONF_xxx "ZZZ".
-r rulesPath – path to the rules file in YAML format. It may be used to manage the list of valid attributes and to define additional validation rules.
-c validatorConfPath – the same as the -r and -d options, but in validator configuration file format.
The list of valid attributes is built from the "configuration variables" section in k5-int.h and the user-defined attributes from the rules.yml file:
k5-int.h
    …
    /* configuration variables */
    #define KRB5_CONF_ACL_FILE "acl_file"
    #define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
    #define KRB5_CONF_ADMIN_SERVER "admin_server"
    #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
    #define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
    …
and
rules.yml (Example)
    # Extend the list of the allowed enctypes and salts as needed
    Types:
        supported_enctypes: '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)(:(normal|v4))?$'
        default_tgs_enctypes: '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts|des3-hmac-sha1)'
        default_tkt_enctypes: '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)'
    # Add all valid profile attributes that are not listed in k5-int.h
    Attributes:
        - logging
        - dbmodules
Example of the file validatorConfPath:
validator.conf (Example)
    RulesPath=./rules.yml
    HfilePath=../../include/k5-int.h
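The checks described in this section, as an added Python 3 sketch that is not the project's validator.py. The header excerpt and the profile are constructed samples, and the rules are the page's example written as a dict so no YAML library is needed. Matching each whitespace- or comma-separated value token against the whole pattern, and skipping "X = {" lines, are assumptions about how the rules are applied.

```python
import re

# Constructed excerpt in the k5-int.h '#define KRB5_CONF_xxx "name"' form.
HEADER = '''/* configuration variables */
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
#define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes"
#define KRB5_CONF_LIBDEFAULTS "libdefaults"
#define KRB5_CONF_REALMS "realms"
#define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
'''
# Part of the page's rules.yml example, as the dict a YAML loader would return.
ENC = '(aes256-cts-hmac-sha1-96|aes256-cts|aes128-cts-hmac-sha1-96|aes128-cts)'
RULES = {'Types': {'supported_enctypes': ENC + '(:(normal|v4))?$',
                   'default_tkt_enctypes': ENC},
         'Attributes': ['logging', 'dbmodules']}
# Constructed profile with one error of each kind the page lists.
CONF = '''[libdefaults]
    default_tkt_enctypes = aes256-cts aes128-cts-bogus
    allow_weak_crypto = false
    defualt_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal des-cbc-crc:v4
    }
this line has no equals sign
[logging]
'''

def valid_attributes(header, rules):
    """Names from the #define lines plus the rules' Attributes list."""
    names = re.findall(r'^#define\s+KRB5_CONF_\w+\s+"([^"]+)"', header, re.M)
    return set(names) | set(rules.get('Attributes', []))

def validate(conf, attrs, types):
    """Return (line number, kind, offending text) for each problem found."""
    errors = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in '#;' or line == '}':
            continue
        m = re.match(r'\[(\w+)\]$|([^\s=]+)\s*=\s*(.*)$', line)
        if not m:
            errors.append((n, 'format', line))
            continue
        name, value = m.group(1) or m.group(2), m.group(3) or ''
        if value == '{':      # assumption: "X = {" names a realm or subsection
            continue
        if name not in attrs:
            errors.append((n, 'attribute', name))
        elif name in types:   # whole-token match: a valid prefix is not enough
            errors += [(n, 'value', t) for t in value.replace(',', ' ').split()
                       if not re.fullmatch(types[name], t)]
    return errors
```

The default_tkt_enctypes pattern has no trailing `$`, so a start-anchored `re.match` would accept `aes128-cts-bogus` on its `aes128-cts` prefix; `re.fullmatch` rejects it.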
Pre-requisites
Python 2.5+
YAML - available from http://yaml.org/
Current status
The configuration validator is implemented and available from the following location:
src/util/confvalidator/validator.py