logo_kerberos.gif

Projects/kadmin access interface

From K5Wiki
< Projects
Revision as of 10:26, 9 June 2017 by Ghudson (talk | contribs) (Created page with "{{project-early}} This project implements a pluggable interface to allow more flexible access control for kadmin operations. ==Background== The kadmin facility allows admin...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project implements a pluggable interface to allow more flexible access control for kadmin operations.

Background

The kadmin facility allows administration of a Kerberos database in two ways. In the normal scenario, the kadmin client calls into libkadm5clnt, which authenticates to kadmind and transmits requests via an XDR-based protocol. kadmind executes the requests by calling into libkadm5srv, which in turns calls into libkdb5:

   kadmin --> libkadm5clnt ==> kadmind --> libkadm5srv --> libkdb5

Alternatively, an administrator can run kadmin.local on a KDC host (or with permissions to directly access the database, if LDAP or a similar KDB module is in use). kadmin.local can "authenticate" as any user, and directly calls into libkadm5srv to fulfill requests:

   kadmin.local --> libkadm5srv --> libkdb5

The current built-in access control mechanism is implemented at the kadmind layer, so it does not affect kadmin.local. It reads an ACL file which contains access rules, and checks the authenticated user and requested operation against the rules. The ACL file can also apply restrictions to add-principal and modify-principal operations, which may result in changes to the added or modified principal.

A pluggable interface for access control can solve two use cases:

1. Administrators can implement programmatic access control if the kadm5.acl format is not flexible enough. For instances, a module could allow users to create host principals for hosts in particular subdomains, which is currently not possible with kadm5.acl as we only allow wildcarding of whole principal components.

2. Projects which implement their own KDB module (particularly Samba and IPA) can use the database to control access.

Design