Changes to cred store design
ghudson@MIT.EDU
Fri Jul 20 10:35:00 EDT 2012
I think we have the following points of agreement for the GSS cred store design, based on a recent call:

* It's important to separate "where the creds are stored" from "answers to questions asked during initial authentication" in a proxy scenario. Cred storage locations are references to external resources which may require privilege to access, and should therefore be configured on the proxy server rather than blindly trusted from the client. Authentication responses make sense to proxy, though.

* However, there's no reason we can't use the same key-value data store for both purposes, as long as we give it an appropriate name.

* Keys for a map like this should not be constrained to URNs. Sam suggested that we allow either URIs or implementation-defined simple strings. We can then use "ccache" and "keytab" in the krb5 mech for brevity in config files, although it would be good if they had URI aliases.

So the specific changes needed are just naming changes:

* gss_cred_store_element{_struct,_t} -> gss_key_value_element{_struct,_t}
* gss_cred_store_element_struct.urn -> gss_key_value_element_struct.key
* gss_cred_store{_struct,_t} -> gss_key_value_set{_struct,_t}
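As an added illustration of the first point above (example code, not from this thread or from krb5), the following sketch shows how a proxy could merge its own configured storage locations with a client-supplied set under the proposed type names. The field types, the helper names (kv_get, build_proxy_store) and the rule that only "ccache" and "keytab" count as storage locations while every other key is treated as a proxiable authentication answer are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Types named as in the proposal; the field types are this example's assumptions. */
typedef struct gss_key_value_element_struct {
    const char *key;   /* URI or simple string such as "ccache" / "keytab" */
    const char *value;
} gss_key_value_element_t;
typedef struct gss_key_value_set_struct {
    size_t count;
    gss_key_value_element_t *elements;
} gss_key_value_set_t;

/* Storage-location keys the proposal names for the krb5 mech (assumed exhaustive here). */
static int is_storage_key(const char *key)
{
    return strcmp(key, "ccache") == 0 || strcmp(key, "keytab") == 0;
}

/* Value for key in set, or NULL if absent. */
const char *kv_get(const gss_key_value_set_t *set, const char *key)
{
    for (size_t i = 0; i < set->count; i++)
        if (strcmp(set->elements[i].key, key) == 0)
            return set->elements[i].value;
    return NULL;
}

/* Build the set a proxy uses to acquire creds: storage locations are copied only
 * from server_cfg; client_req may add only non-storage keys (answers to initial
 * authentication questions). A client element naming a storage location is
 * dropped and counted. Returns the number rejected, or -1 if out (capacity cap)
 * cannot hold the result. */
int build_proxy_store(const gss_key_value_set_t *server_cfg,
                      const gss_key_value_set_t *client_req,
                      gss_key_value_set_t *out, size_t cap)
{
    int rejected = 0;
    out->count = 0;
    for (size_t i = 0; i < server_cfg->count; i++) {
        if (out->count == cap) return -1;
        out->elements[out->count++] = server_cfg->elements[i];
    }
    for (size_t i = 0; i < client_req->count; i++) {
        if (is_storage_key(client_req->elements[i].key)) { rejected++; continue; }
        if (out->count == cap) return -1;
        out->elements[out->count++] = client_req->elements[i];
    }
    return rejected;
}
```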