Make error messages more useful: add a URI

Nico Williams nico at cryptonector.com
Wed Oct 1 17:18:24 EDT 2014


Consider the error that you get from gss_init_sec_context() when there's
no ccache or the ccache is corrupted:

    No Kerberos credentials available

That's just not sufficiently informative.  Adding more information would
be nice (I'll be submitting a patch for that), but it's not always
possible or appropriate to -say- give the user advice as to how to
recover.

While we can improve some errors on a case by case basis, there will be
enough site-specific context in many cases that a way to direct users to
an appropriate web page would be handy.

The idea is to derive a reasonably stable URI local part from context
and format a URI.  If a site-local base URI is configured, then that
should be used, otherwise something like file:///${docdir}/pages/ should
be used as the base URI.

Option #1: Hash the krb5_set_error_message() format string to get a
           resource local part.

Option #2: Use the error code's symbolic name (e.g., KRB5_CC_NOTFOUND)
           to build a resource local part (e.g., cc_notfound).

Option #3: Keep a stable format string / error code to resource local
           part mapping and look that up at run time.

Option #1 would require doing something (possibly nothing) about
collisions if the hash function is not cryptographic or if a
cryptographic hash function's output is truncated.  Collisions may be
tolerable.  Running an expensive hash function at run-time is probably
not really acceptable.

Option #2 would require enhancing the error table compiler to produce
code->symbol mappings.

Option #3 would affect krb5 developers too much for my tastes.

Ideally some additional information could be passed as query parameters.
That would require much more work on the codebase, but it could be done
for just those error conditions where it'd be most useful.

Nico
-- 
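An added sketch of the URI derivation proposed in the message above, combining Option #2 (symbol name) with Option #1 (format-string hash) as a fallback; it is not code from the post or from the krb5 source tree. The function names, the DEFAULT_BASE path, the example.org site base and the choice of 32-bit FNV-1a as the cheap hash are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_BASE "file:///usr/share/doc/krb5/pages/" /* assumed docdir */

/* Option #2: KRB5_CC_NOTFOUND -> cc_notfound.  Only [A-Za-z0-9_] is allowed
 * through, so the local part never needs URI escaping.  0 on success. */
static int local_from_symbol(const char *sym, char *out, size_t outlen)
{
    size_t i;

    if (strncmp(sym, "KRB5_", 5) == 0)
        sym += 5;
    if (*sym == '\0' || strlen(sym) >= outlen)
        return -1;
    for (i = 0; sym[i] != '\0'; i++) {
        if (!isalnum((unsigned char)sym[i]) && sym[i] != '_')
            return -1;
        out[i] = (char)tolower((unsigned char)sym[i]);
    }
    out[i] = '\0';
    return 0;
}

/* Option #1 with a cheap non-cryptographic hash (32-bit FNV-1a, chosen for
 * this example) over the format string, never the formatted message, so
 * per-call values such as paths or principal names stay out of the URI. */
static uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s != '\0'; s++)
        h = (h ^ (unsigned char)*s) * 16777619u;
    return h;
}

/* site_base NULL/empty: nothing configured.  sym NULL or unusable: no
 * code->symbol mapping, fall back to the format-string hash.  0 on success. */
int error_help_uri(const char *site_base, const char *sym, const char *fmt,
                   char *out, size_t outlen)
{
    char local[64];
    int n;

    if (site_base == NULL || *site_base == '\0')
        site_base = DEFAULT_BASE;
    if (sym == NULL || local_from_symbol(sym, local, sizeof(local)) != 0)
        snprintf(local, sizeof(local), "%08x", (unsigned)fnv1a32(fmt));
    n = snprintf(out, outlen, "%s%s", site_base, local);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

With only 32 bits of hash output, two different format strings can map to the same page, which is the collision case the message says may be tolerable.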

