Proposition for new remctl ACL scheme / group support
Rémi Ferrand
remi.ferrand at cc.in2p3.fr
Thu Jul 17 08:22:58 EDT 2014
On 03/07/2014 06:20, Russ Allbery wrote:
> Thank you very much for this work!
>
> I have now finally merged it and pushed out a new release, as you probably
> just saw. Unfortunately, we use Gerrit internally in a way that doesn't
> work well with merges, so the line of development doesn't look like a
> merge of your branch in Github. (There are ways to fix this, but they
> were all too complex than I had time for.) But your patches, rebased, are
> in there, along with some subsequent refactoring.
Perfect, this will be a major improvement for us at CC-IN2P3, thank you
for this release !
>
> I haven't had a chance to take a look at the PTS ACL code yet,
> unfortunately. I have a few other things queued up to look at before I'll
> get a chance to poke at it.
Since my last e-mail to this list, I didn't very much time to work on
this ACL scheme, but I'm still waiting for any kind of comments as
dealing with AFS libraries could be tricky.
This morning, I was looking at your remctl TODO-List
(http://www.eyrie.org/~eagle/software/remctl/todo.html) and I'm quite
excited about what I've seen !
Two particular items retain my attention:
* REMCTL-7: Support LDAP-based ACLs in addition to file system ACLs.
Probably need to support both entitlement and group-based ACLs.
Before starting to write the "getgrnam*" code, I was originally decided
to write some OpenLDAP code/binding (as discussed with K. Dreyer at the
Kerberos conference at CERN) but then I changed my mind.
Do you already have a proof of concept of this functionnality ? I'll be
glad to help on this.
The main issue I see here is: "how to specify the ACL".
Some ideas I had in my mind were:
- Maybe something like "ldapgroup:THEGROUP:ldaps://host:port/...etc...
(I choosed to put the LDAP connection string after the group name, this
could make it easier to parse). This solution is quite hugly (IMHO) but
allows one to use one LDAP connection string specific to one ACL. I
don't really like this solution anyway.
- Maybe something like "ldapgroup:THEGROUP", then the connection
credentials to the LDAP server should be specified somewhere else. For
instance something like "ldapconnection_string
ldaps://host:port/...etc..." in the global remctld.conf.
I like this "plugin configuration/initialization approach" but I think
that it could require some modifications in the "configuration file"
parsing code, isnt' it ?
- Maybe the best solution for the final user could be to create a
dedicated "option", something like:
>> command subcommand executable
ldap_connection_string=ldaps://host:port/...etc... acl1
ldapgroup:THEGROUP ... aclN
If I'm right, the easiest way to do so would be to pass the whold
"struct rule" to functions "acl_check_XXX".
* REMCTL-8: Add support for external ACL checking programs. If the
program exits with a zero status, access is granted. If it exits 1,
access is not granted but checking continues. If it exits with any other
exit status, access is not granted and checking aborts. Ideally, for
writing generic ACL checking programs, the program should get the type
and service of the remctl command as well as any arguments. However, it
would also be good to support passing other arguments into the program
as specified in the ACL file.
I'll also be glad to help.
My question is quite the same as for the LDAP scheme configuration: how
would you like the final user to pass arguments to the external checking
program ?
Can you also clarify the "for writing generic ACL checking programs, the
program should get the type and service of the remctl command as well as
any arguments" for me please ? For instance, with a remctl command such
as "command subcommand executable", what's the "type" and what's the
"service" ?
Cheers
Rémi
More information about the Kerberos
mailing list