[krbdev.mit.edu #6206] storing configuration data in credentials caches

Sam Hartman hartmans at MIT.EDU
Tue Sep 1 14:40:45 EDT 2009


I'd like to start a discussion of a patch Love filed a while back.
He proposed to add the following APIs:

+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_get_config(krb5_context, krb5_ccache,
+                  krb5_const_principal,
+                  const char *, krb5_data *);
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_set_config(krb5_context, krb5_ccache,
+                  krb5_const_principal,
+                  const char *, krb5_data *);
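Review bot: krb5_cc_set_config's value parameter should be const-qualified, since the caller's krb5_data is only read; as written (`const char *, krb5_data *`) it is identical to krb5_cc_get_config's output parameter, so the two prototypes do not distinguish input from output. The missing parameter names also leave undocumented whether the krb5_const_principal may be NULL for cache-wide entries, whether passing a NULL value to set_config removes an entry, and that the krb5_data filled in by get_config is caller-owned and must be freed.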

+krb5_boolean KRB5_CALLCONV
+krb5_is_config_principal(krb5_context,
+                        krb5_const_principal);
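Review bot: krb5_is_config_principal needs to document what marks a principal as configuration, because once config is stored as tickets under fake principal names every consumer that iterates a ccache (listing, copying, or destroying code) has to call this predicate to avoid treating those entries as real credentials. The test should key on a reserved realm marker rather than a component name alone, so that a genuine service principal cannot be misclassified, and it should be the same test the get/set routines use to build the fake name.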



The implementation of these APIs stores extra data as tickets with
fake principal names in the cache.  Jeff Altman complained that this
approach seems problematic and that, especially for CCAPI caches, we
can do better.  Jeff would rather we had a mechanism where we have
types of data including v4 tickets, v5 tickets, and config data in a
cache, and where there is some registration procedure for these types.

I'd really like to see these or similar APIs exist and be exposed in
the MIT interface.

I agree with Jeff that the implementation is kind of ugly.  However I
don't want to see us get into a situation where perfect is the enemy
of progress.  In particular, Jeff's proposal seems difficult to
implement for file based ccaches.


I'd like to collect input on this.

--Sam
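The fake-principal scheme under discussion, as an added toy model that is not code from the proposal, MIT Kerberos, or anyone in the thread: a credential cache is modelled as a list of (client, server, ticket) entries, and configuration is stored as ordinary entries whose server principal is synthetic. The marker strings ("X-CACHECONF:" as the realm and "krb5_ccache_conf_data" as the first component), the rule that a NULL/None value deletes an entry, and the cache-wide versus per-target scoping are assumptions made for this illustration. The model shows the consequence Jeff objects to: the config entries share the iteration space with real tickets, so a listing tool must filter with the predicate, and the predicate must check the marker realm, not just the component name, or a real service principal can be misclassified.

```python
"""Toy model of storing ccache configuration as tickets under fake principals.

Illustration only: the marker realm/component and the delete-on-None rule
are assumptions, not taken from the proposal or from any real implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

CONF_REALM = "X-CACHECONF:"          # assumed reserved realm marking config entries
CONF_NAME = "krb5_ccache_conf_data"  # assumed first component of config principals


@dataclass(frozen=True)
class Principal:
    components: tuple[str, ...]
    realm: str

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


@dataclass
class Cred:
    client: Principal
    server: Principal
    ticket: bytes          # for config entries this carries the config value


@dataclass
class CCache:
    default_client: Principal
    creds: list[Cred] = field(default_factory=list)


def is_config_principal(p: Principal) -> bool:
    """True only when both the marker realm and the marker component match.

    Checking the component alone would misclassify a genuine service that
    happens to be named krb5_ccache_conf_data in a real realm.
    """
    return (p.realm == CONF_REALM
            and len(p.components) >= 2
            and p.components[0] == CONF_NAME)


def config_principal(key: str, target: Optional[Principal]) -> Principal:
    """Build the fake server principal for (key, target); target=None is cache-wide."""
    comps = (CONF_NAME, key) + ((str(target),) if target is not None else ())
    return Principal(comps, CONF_REALM)


def cc_set_config(cc: CCache, target: Optional[Principal], key: str,
                  value: Optional[bytes]) -> None:
    """Store value under the fake principal; replace any existing entry; None deletes."""
    server = config_principal(key, target)
    cc.creds = [c for c in cc.creds if c.server != server]
    if value is not None:
        cc.creds.append(Cred(cc.default_client, server, value))


def cc_get_config(cc: CCache, target: Optional[Principal], key: str) -> Optional[bytes]:
    server = config_principal(key, target)
    for c in cc.creds:
        if c.server == server:
            return c.ticket
    return None


def real_creds(cc: CCache) -> list[Cred]:
    """What a listing tool should display: every entry except the synthetic ones."""
    return [c for c in cc.creds if not is_config_principal(c.server)]


def demo() -> CCache:
    """Constructed sample cache: one TGT, one look-alike service ticket, some config."""
    alice = Principal(("alice",), "EXAMPLE.COM")
    tgt = Principal(("krbtgt", "EXAMPLE.COM"), "EXAMPLE.COM")
    # A real service principal sharing the marker component but in a real realm.
    lookalike = Principal((CONF_NAME, "fast_avail"), "EXAMPLE.COM")
    cc = CCache(alice, [Cred(alice, tgt, b"tgt-bytes"),
                        Cred(alice, lookalike, b"svc-bytes")])
    cc_set_config(cc, None, "fast_avail", b"yes")   # cache-wide entry
    cc_set_config(cc, tgt, "pa_type", b"2")         # per-target entry
    cc_set_config(cc, tgt, "pa_type", b"18")        # overwrite, must not duplicate
    return cc


if __name__ == "__main__":
    cache = demo()
    for c in cache.creds:
        tag = "CONFIG" if is_config_principal(c.server) else "ticket"
        print(f"{tag:6} {c.server}")
    print("visible to klist-style listing:", [str(c.server) for c in real_creds(cache)])
```

The point to take from the model is that every consumer of the cache, not just the config API, inherits the filtering obligation; that is the coupling a typed-entry design with a registration procedure would remove.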


