keberos/KL apis

Sam Hartman hartmans at MIT.EDU
Tue Jan 13 19:40:20 EST 2004

>>>>> "Prabhakaran" == Prabhakaran vaidya <prab at> writes:

    Prabhakaran> On Jan 13, 2004, at 4:22 PM, Sam Hartman wrote:

    >>>>>>> "Prabhakaran" == Prabhakaran vaidya <prab at>
    >>>>>>> writes:
    Prabhakaran> Unfortunately our realms are for Test, dev and prod
    Prabhakaran> etc where realms should not trust each other.
    >>  It seems entirely reasonable for the dev and test realms to
    >> trust user accounts from the prod realm.

    Prabhakaran> true, but not the other way around.  There might be
    Prabhakaran> user ids in test/dev but not in prod.  We would like
So only create the key in one direction.

    Prabhakaran> to coexist with power users who might have their own
    Prabhakaran> KDCs/projects they work on which we do not know
    Prabhakaran> about, so the safest approach was to support realm
    Prabhakaran> separation.  

Power users can be expected to set up their credentials caches
correctly and modify the file appropriately.

    Prabhakaran> It is not a problem for majority of
    Prabhakaran> users since they should only be seeing prod realm and
    Prabhakaran> not even know about the other realms. But there is a
    Prabhakaran> considerable number of developers/testers the same
    Prabhakaran> app has to be deployed. Many of them also have to
    Prabhakaran> simultaneously use production and test versions of
    Prabhakaran> the apps going to respective realms.  thanks -prab

I'd recommend providing a facility to launch test versions of the app
that sets the KRB5_CONFIG environment variable to a special file.

More information about the krbdev mailing list