(Final?) krb5.Conf Lexer/Parser Proposal

Theodore Ts'o tytso at MIT.EDU
Fri Jan 6 14:26:32 EST 2006

On Thu, Jan 05, 2006 at 07:17:44PM -0500, Alexandra Ellwood wrote:
> And if you want to change large portions of the system config file,  
> you can just copy, edit and use the KRB5_CONFIG environment variable  
> to override it completely.  This is even possible on Mac OS X via  
> ~/.MacOSX/environment.plist, which affects all applications,  
> including GUI ones.

But this argument could just as easily be used to say that config file
chaining shouldn't be supported at all, since you can always do the
copy, modify, and repoint KRB5_CONFIG environment variable approach...

And from a support point of view, only supporting a single config file
would certainly be easier on the help desks than allowing multiple
config files.

> So what exactly does the final signifier gain us?
> Now maybe I'm missing something obvious, but the only case I can  
> think of where you would want to use the final signifier is if you  
> want to *replace* an entire sub-section or a multi-value tag such as  
> the KDC tags for a single realm.  

The other reason why you might want to do something like this is if
the *presence* of a particular config setting has a specific meaning,
and you want to (for example) mask the presence of a particular
setting in the global config file.  This could be considered a special
case of the *replacing* an entire section, but it's important to call
this out in the general case, I think.

(You could argue that designing profile configuration variables that
worked this way is a really bad idea, and I'd probably even agree with

> Even with the final signifier it's not like we'd be supporting  
> everything the user would like to do.  The user might like to add a  
> tag to the end of a list of multi-valued tags.  Since the user's tags  
> always come first in the merged configuration, this is impossible  
> without replacing the entire section in the user's config file or  
> using KRB5_CONFIG.

Yes, but with the final signifier there is at last a way you can do it
by replacing the entire section in the user's config file:

		kdc = kerberos-2.mit.edu:88
		kdc = kerberos.mit.edu:88
		admin_server = kerberos2.mit.edu

Without the final signifier, the only thing you can do is to copy the
global config file and repoint KRB5_CONFIG.

> I'm also concerned about the support issues of having a final  
> signifier.  The syntax seems sufficiently subtle that site help desks  
> would have trouble debugging busted configurations.  Users are  
> already in the habit of cut and pasting config file lines from random  
> locations and not even bothering to check if the lines do anything  
> (eg: "ticket_lifetime = 600").  Imagine the nightmare support calls  
> which could result from accidentally copying lines containing a '*'.

As I mentioned earlier, I would think this would be an argument for
not supporting chained configuration files at all.

Although thinking about this some more, if someone cuts and pastes a
complete section replacement, complete with the trailing '*', it's
hard to see how this would likely cause a "nightmare support call". 

						- Ted
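
As an added illustration (not part of Ted's message or of the krb5 profile code), a small Python model of the chaining semantics discussed in this thread: files are merged with the user's file first, and a trailing '*' on a tag line or on a subsection's closing brace seals that path so later files in the chain cannot add to or reintroduce it. The realm name, the hostname kerberos-1.mit.edu and the exact '*' placement are assumptions made for the constructed sample.

```python
import re
from collections import OrderedDict

# Constructed sample files. The user's file replaces the realm section wholesale
# (the '*' after '}' is the final signifier); the system-wide file would
# otherwise contribute its own kdc lines after the user's.
USER_CONF = """
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos-2.mit.edu:88
        kdc = kerberos.mit.edu:88
        admin_server = kerberos2.mit.edu
    }*
[libdefaults]
    ticket_lifetime = 600
"""
SYSTEM_CONF = """
[libdefaults]
    default_realm = ATHENA.MIT.EDU
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        admin_server = kerberos.mit.edu
    }
"""

def parse_profile(text):
    """Return (path, value, final) records; value is None for a closing '}' line."""
    records, stack = [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if (m := re.match(r'^\[(\S+)\]$', line)):                    # [section]
            stack = [m.group(1)]
        elif (m := re.match(r'^(\S+)\s*=\s*\{$', line)):             # tag = {  (subsection)
            stack.append(m.group(1))
        elif (m := re.match(r'^\}(\*?)$', line)):                    # } or }*  (final)
            records.append((tuple(stack), None, m.group(1) == '*'))
            stack.pop()
        elif (m := re.match(r'^(\S+)\s*=\s*(.*?)\s*(\*?)$', line)):  # tag = value[*]
            records.append((tuple(stack) + (m.group(1),), m.group(2), m.group(3) == '*'))
    return records

def merge_profiles(files):
    """Merge chained files in order (user file first). A path sealed by a final
    signifier in an earlier file masks that path and everything beneath it in
    later files; otherwise later files' values are appended after earlier ones."""
    merged, sealed = OrderedDict(), []
    for text in files:
        new_seals = []
        for path, value, final in parse_profile(text):
            if any(path[:len(s)] == s for s in sealed):
                continue                      # masked by an earlier file's '*'
            if value is not None:
                merged.setdefault(path, []).append(value)
            if final:
                new_seals.append(path)
        sealed.extend(new_seals)              # seals take effect for later files only
    return merged
```

Dropping the '*' from the sample user file shows the behaviour Alexandra describes: the user's two kdc lines still come first, but the system file's lines are appended after them instead of being replaced.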
