Use kadm5_auth interface in kadmind

Convert the ACL code to a kadm5_auth module, and create a new module
for self-service authorization.  Use the kadm5_auth consumer code
instead of directly using the ACL code to authorize requests.

Do not assume self-service authorization in the RPC stubs or in
schpw_util_wrapper().  For key change requests, enforce the initial
ticket requirement whenever a client changes its own keys, regardless
of how it is authorized or which protocol it uses.  The initial ticket
check for protocol version 1 in process_chpw_request() is redundant
after this change, so remove it.

The old kadmin-based password change client authenticates to
kadmin/changepw and performs self-service get_principal, get_policy,
and chpass requests.  Continue to allow these operations, enforcing
the self-service requirement in addition to checking through the
kadm5_auth interface.  For get_policy requests, always look up the
client principal's policy name, for this check and for the
authorization layer's use.

The error messages for rename authorization failures are now more
vague (because there is a specific rename operation check in the
kadm5_auth interface, and we do not find out whether it failed due to
missing add or delete privileges).  Adjust t_kadmin_acl.py
accordingly.

ticket: 8595

doc/admin/conf_files/kadm5_acl.rst

@@ -144,6 +144,19 @@ principals.
 any principal that it creates or modifies will not be able to get
 postdateable tickets or tickets with a life of longer than 9 hours.
 
+MODULE BEHAVIOR
+---------------
+
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the :ref:`kadm5_auth` section of
+:ref:`krb5.conf(5)`.  The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+
+To operate without an ACL file, set the *acl_file* variable in
+:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.
+
 SEE ALSO
 --------
 

doc/admin/conf_files/kdc_conf.rst

@@ -86,9 +86,10 @@ The following tags may be specified in a [realms] subsection:
 **acl_file**
     (String.)  Location of the access control list file that
     :ref:`kadmind(8)` uses to determine which principals are allowed
-    which permissions on the Kerberos database.  The default value is
-    |kdcdir|\ ``/kadm5.acl``.  For more information on Kerberos ACL
-    file see :ref:`kadm5.acl(5)`.
+    which permissions on the Kerberos database.  To operate without an
+    ACL file, set this relation to the empty string with ``acl_file =
+    ""``.  The default value is |kdcdir|\ ``/kadm5.acl``.  For more
+    information on Kerberos ACL file see :ref:`kadm5.acl(5)`.
 
 **database_module**
     (String.)  This relation indicates the name of the configuration

doc/admin/conf_files/krb5_conf.rst

@@ -778,6 +778,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos
 with another database such as Active Directory.  No plugins are built
 in for this interface.
 
+.. _kadm5_auth:
+
+kadm5_auth interface
+====================
+
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation.  The
+following built-in modules exist for this interface:
+
+**acl**
+    This module reads the :ref:`kadm5.acl(5)` file, and authorizes
+    operations which are allowed according to the rules in the file.
+
+**self**
+    This module authorizes self-service operations including password
+    changes, creation of new random keys, fetching the client's
+    principal record or string attributes, and fetching the policy
+    record associated with the client principal.
+
 .. _clpreauth:
 
 .. _kdcpreauth:

src/kadmin/server/Makefile.in

@@ -7,10 +7,10 @@ LOCALINCLUDES = -I$(top_srcdir)/lib/gssapi/generic \
 	-I$(BUILDTOP)/lib/gssapi/krb5 -I$(top_srcdir)/lib/kadm5/srv
 
 PROG = kadmind
-OBJS = auth.o auth_acl.o kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o \
-	misc.o ipropd_svc.o
-SRCS = auth.o auth_acl.c kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c \
-	misc.c ipropd_svc.c
+OBJS = auth.o auth_acl.o auth_self.o kadm_rpc_svc.o server_stubs.o \
+	ovsec_kadmd.o schpw.o misc.o ipropd_svc.o
+SRCS = auth.o auth_acl.c auth_self.c kadm_rpc_svc.c server_stubs.c \
+	ovsec_kadmd.c schpw.c misc.c ipropd_svc.c
 
 all: $(PROG)
 

src/kadmin/server/auth.c

@@ -66,7 +66,14 @@ auth_init(krb5_context context, const char *acl_file)
     krb5_plugin_initvt_fn *modules = NULL, *mod;
     size_t count;
     auth_handle h = NULL;
+    const int intf = PLUGIN_INTERFACE_KADM5_AUTH;
 
+    ret = k5_plugin_register(context, intf, "acl", kadm5_auth_acl_initvt);
+    if (ret)
+        goto cleanup;
+    ret = k5_plugin_register(context, intf, "self", kadm5_auth_self_initvt);
+    if (ret)
+        goto cleanup;
     ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KADM5_AUTH, &modules);
     if (ret)
         goto cleanup;

src/kadmin/server/auth.h

@@ -75,4 +75,11 @@ krb5_boolean auth_restrict(krb5_context context, int opcode,
 /* Notify modules that the most recent authorized operation has ended. */
 void auth_end(krb5_context context);
 
+/* initvt declarations for built-in modules */
+
+krb5_error_code kadm5_auth_acl_initvt(krb5_context context, int maj_ver,
+                                      int min_ver, krb5_plugin_vtable vtable);
+krb5_error_code kadm5_auth_self_initvt(krb5_context context, int maj_ver,
+                                       int min_ver, krb5_plugin_vtable vtable);
+
 #endif /* AUTH_H */