[krbdev.mit.edu #8595] git commit

Greg Hudson via RT rt-comment at krbdev.mit.edu
Thu Aug 17 12:46:24 EDT 2017


Use kadm5_auth interface in kadmind

Convert the ACL code to a kadm5_auth module, and create a new module
for self-service authorization.  Use the kadm5_auth consumer code
instead of directly using the ACL code to authorize requests.

Do not assume self-service authorization in the RPC stubs or in
schpw_util_wrapper().  For key change requests, enforce the initial
ticket requirement whenever a client changes its own keys, regardless
of how it is authorized or which protocol it uses.  The initial ticket
check for protocol version 1 in process_chpw_request() is redundant
after this change, so remove it.

The old kadmin-based password change client authenticates to
kadmin/changepw and performs self-service get_principal, get_policy,
and chpass requests.  Continue to allow these operations, enforcing
the self-service requirement in addition to checking through the
kadm5_auth interface.  For get_policy requests, always look up the
client principal's policy name, for this check and for the
authorization layer's use.

The error messages for rename authorization failures are now more
vague (because there is a specific rename operation check in the
kadm5_auth interface, and we do not find out whether it failed due to
missing add or delete privileges).  Adjust t_kadmin_acl.py
accordingly.

https://github.com/krb5/krb5/commit/92a1a7efe2fc43337416098f2227038a72f1e35a
Author: Greg Hudson <ghudson at mit.edu>
Commit: 92a1a7efe2fc43337416098f2227038a72f1e35a
Branch: master
 doc/admin/conf_files/kadm5_acl.rst |   13 ++
 doc/admin/conf_files/kdc_conf.rst  |    7 +-
 doc/admin/conf_files/krb5_conf.rst |   20 ++
 src/kadmin/server/Makefile.in      |    8 +-
 src/kadmin/server/auth.c           |    7 +
 src/kadmin/server/auth.h           |    7 +
 src/kadmin/server/auth_acl.c       |  344 ++++++++++++++++++++++++++----------
 src/kadmin/server/auth_acl.h       |   74 --------
 src/kadmin/server/auth_self.c      |   77 ++++++++
 src/kadmin/server/deps             |   33 +++-
 src/kadmin/server/ipropd_svc.c     |    5 +-
 src/kadmin/server/misc.c           |  122 ++------------
 src/kadmin/server/misc.h           |   17 --
 src/kadmin/server/ovsec_kadmd.c    |    8 +-
 src/kadmin/server/schpw.c          |   12 +-
 src/kadmin/server/server_stubs.c   |  281 ++++++++++++++++--------------
 src/lib/kadm5/kadm_err.et          |    1 +
 src/lib/krb5/krb/plugin.c          |    3 +-
 src/tests/t_kadmin_acl.py          |   10 +-
 19 files changed, 591 insertions(+), 458 deletions(-)
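The commit message above describes three layers of checks that now apply to a kadmind request: the pluggable kadm5_auth modules (the ACL module and the new self-service module), the initial-ticket requirement on self key changes, and the self-service-only restriction on requests arriving through kadmin/changepw. The following is an added example, not code from the krb5 project: a Python model of that decision flow, written to make the ordering and the interaction of the checks concrete. Everything in it is an assumption for illustration, in particular the module verdict semantics (one deny vetoes, any allow authorizes, all-defer is a denial, modelled on the contract the real C interface documents), the names of the functions, the operation names, the ACL table, and the set of operations the self-service module accepts.

```python
"""Python model of kadmind's authorization flow after the kadm5_auth change.

Added example: this is NOT the krb5 C code (the real consumer lives in
src/kadmin/server/auth.c, the modules in auth_acl.c and auth_self.c).
Assumed here: each module returns ALLOW, DEFER or DENY; the consumer
denies on the first DENY, authorizes if any module returned ALLOW, and
denies if every module deferred.  Operation names, the ACL table and the
self-service operation set are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set

class Verdict(Enum):
    ALLOW = "allow"
    DEFER = "defer"   # modelled on a module returning KRB5_PLUGIN_NO_HANDLE
    DENY = "deny"

@dataclass(frozen=True)
class Request:
    op: str                         # e.g. "getprinc", "getpol", "cpw", "addprinc"
    client: str                     # authenticated client principal
    target: Optional[str]           # principal the operation acts on, if any
    policy: Optional[str] = None    # requested policy name (getpol only)
    initial_ticket: bool = False    # client authenticated with an initial ticket

OK = "ok"
DENIED_NOT_SELF = "denied:not-self-service"
DENIED_UNAUTHORIZED = "denied:unauthorized"
DENIED_NEEDS_INITIAL = "denied:initial-ticket-required"

# Hypothetical: which operations a principal may perform on itself.
SELF_SERVICE_OPS: Set[str] = {"getprinc", "cpw", "chrand"}

Module = Callable[[Request, Optional[str]], Verdict]

def self_module(req: Request, client_policy: Optional[str]) -> Verdict:
    """Model of the self-service module: a principal may inspect or rekey
    itself and read its own policy; anything else is left to other modules."""
    if req.op in SELF_SERVICE_OPS and req.target == req.client:
        return Verdict.ALLOW
    if req.op == "getpol" and client_policy is not None and req.policy == client_policy:
        return Verdict.ALLOW
    return Verdict.DEFER

def make_acl_module(acl: Dict[str, Set[str]]) -> Module:
    """Model of the ACL module; acl maps a client principal to the operations
    it may perform on any target (a constructed, simplified rule set)."""
    def acl_module(req: Request, client_policy: Optional[str]) -> Verdict:
        return Verdict.ALLOW if req.op in acl.get(req.client, set()) else Verdict.DEFER
    return acl_module

def deny_all_module(req: Request, client_policy: Optional[str]) -> Verdict:
    """A module that vetoes everything, to show that one DENY overrides ALLOW."""
    return Verdict.DENY

def authorized(modules: List[Module], req: Request, client_policy: Optional[str]) -> bool:
    """Consumer logic (assumed): first DENY wins, otherwise any ALLOW suffices."""
    allowed = False
    for module in modules:
        verdict = module(req, client_policy)
        if verdict is Verdict.DENY:
            return False
        if verdict is Verdict.ALLOW:
            allowed = True
    return allowed

def handle_request(modules: List[Module], req: Request,
                   client_policy: Optional[str] = None,
                   via_changepw: bool = False) -> str:
    """Stub-level checks in the order this model applies them (ordering assumed):
    1. requests that arrived via kadmin/changepw must be self-service;
    2. the kadm5_auth modules must authorize the request;
    3. a client changing its own keys must hold an initial ticket."""
    is_self = req.target == req.client
    if via_changepw:
        if req.op == "getpol":
            # The server looks up the client's own policy name and compares.
            if client_policy is None or req.policy != client_policy:
                return DENIED_NOT_SELF
        elif not is_self:
            return DENIED_NOT_SELF
    if not authorized(modules, req, client_policy):
        return DENIED_UNAUTHORIZED
    if req.op in ("cpw", "chrand") and is_self and not req.initial_ticket:
        return DENIED_NEEDS_INITIAL
    return OK

# Constructed ACL: an admin principal with a few privileges.
EXAMPLE_ACL = {"admin/admin": {"addprinc", "delprinc", "getprinc", "cpw"}}
EXAMPLE_MODULES: List[Module] = [self_module, make_acl_module(EXAMPLE_ACL)]

if __name__ == "__main__":
    print(handle_request(EXAMPLE_MODULES, Request("cpw", "alice", "alice", initial_ticket=True)))
    print(handle_request(EXAMPLE_MODULES, Request("cpw", "alice", "alice")))
    print(handle_request(EXAMPLE_MODULES, Request("cpw", "admin/admin", "alice")))
```

The point the model makes visible is that the initial-ticket check is independent of how the request was authorized: a self key change is refused without an initial ticket even when an ACL entry would have allowed the client to rekey arbitrary principals, while an administrator rekeying someone else is not subject to it.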
