What do you want from your credentials cache? (was Credential cache searching, ccapi and file caches)
Matt Crawford
crawdad at fnal.gov
Thu Jul 15 15:54:09 EDT 2004
> The Questions:
My site seems to be near the lunatic fringe (some days), so I'll answer
from our viewpoint.
> 1) Do users need the ability to be able to switch between two TGTs
> with the same client principal?
In theory, some user will want to do this some day. In practice, such
a user and such a day will be so rare that I'd "just say no."
> 2) When searching through TGTs, what kind of control would the user
> want? Obviously we want to be able to turn searching off, but do we
> want something finer-grained?
I can only imagine a non-trivial number of users wanting the following
choices:
0. Use the credentials (or client principal) I specify.
1. Use a credential with the first component I specify.
2. Use a credential with the second component (instance) I specify.
3. Choose the credential with the "best" realm match for the service.
> 3) How many different non-cross-realm client principals do users
> usually get? How many service tickets do users usually get per client
> principal? If you envision larger numbers in the near future, use
> those instead.
Today: 1 to 3 client principals, 1 to 20 service tickets.
Five years out: 1 to 6 client principals, up to a few hundred service
tickets.
> 4) Would it be acceptable to only implement the searching for
> CCAPI-based caches and just leave the file-based cache behavior as is?
When CCAPI is available on other platforms, yes.