wallet 0.11 released
Russ Allbery
rra at stanford.edu
Mon Mar 8 22:31:51 EST 2010
I'm pleased to announce release 0.11 of wallet.
The wallet is a system for managing secure data, authorization rules to
retrieve or change that data, and audit rules for documenting actions
taken on that data. Objects of various types may be stored in the wallet
or generated on request and retrieved by authorized users. The wallet
tracks ACLs, metadata, and trace information. It is built on top of the
remctl protocol and uses Kerberos GSS-API authentication. One of the
object types it supports is Kerberos keytabs, making it suitable as a
user-accessible front-end to Kerberos kadmind with richer ACL and metadata
operations.
Changes from previous release:
When deleting an ACL on the server, verify that the ACL is not
referenced by any object first. Database referential integrity should
also catch this, but not all database backends may enforce referential
integrity. This also allows us to return a better error message
naming an object that's still using that ACL.

Wallet::Config now supports an additional local function,
verify_acl_name, which can be used to enforce ACL naming policies. If
set, it is called for any ACL creation or rename and can reject the
new ACL name.

Add an audit command to wallet-report and two audits: acls name, which
returns all ACLs that do not pass the local naming policy, and objects
name, which does the same for objects. The corresponding
Wallet::Report method is audit().

Add the acls unused report to wallet-report and Wallet::Report,
returning all ACLs not referenced by any database objects.

Wallet::Config::verify_name may now be called with an undefined third
argument (normally the user attempting to create an object). This
calling convention is used when auditing, and the local policy
function should select the correct policy to apply for useful audit
results.

Fix portability to older Kerberos libraries without
krb5_free_error_message.
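As an added illustration (not part of this announcement or of the wallet distribution), here is a local policy defining both hooks mentioned above: verify_acl_name for ACL naming and verify_name for object naming, the latter handling the undefined-user case used by the audit command. The verify_acl_name(NAME, USER) and verify_name(TYPE, NAME, USER) signatures and the convention of returning undef for an acceptable name or an error string for a rejected one are assumed from the Wallet::Config interface; the naming rules themselves are constructed for this example.

```perl
package Wallet::Config;
use strict;
use warnings;

# Assumed interface (not stated in the announcement): the server calls
# verify_acl_name($name, $user) on ACL create or rename and
# verify_name($type, $name, $user) on object create or audit.  Both
# return undef when the name is acceptable or an error string when not.
# During an audit $user is undef, so only the naming rule should apply.

# Constructed ACL naming policy: ACLs must be named group/<dept>-<role>,
# user/<principal>, or host/<fqdn in example.org>.  Everything else is
# rejected, which is what the "acls name" audit will then report.
sub verify_acl_name {
    my ($name, $user) = @_;
    return undef if $name =~ m{^group/[a-z][a-z0-9]*-[a-z][a-z0-9]*$};
    return undef if $name =~ m{^user/[a-z0-9.-]+(?:\@[A-Z0-9.-]+)?$};
    return undef if $name =~ m{^host/[a-z0-9.-]+\.example\.org$};
    return "ACL name $name must match group/, user/, or host/ policy";
}

# Constructed object naming policy for keytab objects.  The name check
# applies always; the additional check on who is creating the object
# applies only when $user is defined (a real create request), so that an
# audit with an undefined user reports only genuine naming violations
# rather than every object created by an out-of-realm principal.
sub verify_name {
    my ($type, $name, $user) = @_;
    return undef unless $type eq 'keytab';
    unless ($name =~ m{^(?:host|service)/[a-z0-9.-]+$}) {
        return "keytab $name must be named host/<fqdn> or service/<name>";
    }
    if (defined $user && $user !~ /\@EXAMPLE\.ORG$/) {
        return "$user is outside the local realm and may not create keytabs";
    }
    return undef;
}

1;
```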
You can download it from:
<http://www.eyrie.org/~eagle/software/wallet/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>