Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Convert the ACL code to a kadm5_auth module, and create a new module for self-service authorization. Use the kadm5_auth consumer code instead of directly using the ACL code to authorize requests. Do not assume self-service authorization in the RPC stubs or in schpw_util_wrapper().

For key change requests, enforce the initial ticket requirement whenever a client changes its own keys, regardless of how it is authorized or which protocol it uses. The initial ticket check for protocol version 1 in process_chpw_request() is redundant after this change, so remove it.

The old kadmin-based password change client authenticates to kadmin/changepw and performs self-service get_principal, get_policy, and chpass requests. Continue to allow these operations, enforcing the self-service requirement in addition to checking through the kadm5_auth interface. For get_policy requests, always look up the client principal's policy name, for this check and for the authorization layer's use.

The error messages for rename authorization failures are now more vague (because there is a specific rename operation check in the kadm5_auth interface, and we do not find out whether it failed due to missing add or delete privileges). Adjust t_kadmin_acl.py accordingly.

ticket: 8595
1 parent d921147, commit 92a1a7e
Showing 19 changed files with 591 additions and 458 deletions.
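The decision order the commit message describes, as an added example that is not code from this commit or from krb5: pluggable modules grant the request, kadmin/changepw clients stay restricted to self-service, and a client changing its own keys needs an initial ticket no matter which module approved it. The struct, function names, principals, the single ACL entry and the reduced operation set are all hypothetical; `kadmin/admin` is assumed as the ordinary admin service name.

```c
/* Hypothetical model of the rules in the commit message; not krb5 code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define ADMIN "alice/admin@EXAMPLE.COM"   /* constructed principal */
enum op { OP_GET_PRINCIPAL, OP_CHPASS, OP_DELETE };
struct request {
    const char *client;   /* authenticated client principal */
    const char *target;   /* principal the request acts on */
    const char *service;  /* service the client authenticated to */
    bool initial;         /* ticket came directly from the AS exchange */
    enum op op;
};

static bool is_self(const struct request *r)
{
    return strcmp(r->client, r->target) == 0;
}

/* Self-service module: a client may read or re-key only its own entry. */
static bool self_module(const struct request *r)
{
    return is_self(r) && (r->op == OP_GET_PRINCIPAL || r->op == OP_CHPASS);
}

/* ACL module with a single constructed entry: ADMIN may do anything. */
static bool acl_module(const struct request *r)
{
    return strcmp(r->client, ADMIN) == 0;
}

bool authorize(const struct request *r)
{
    if (!acl_module(r) && !self_module(r))   /* any module may grant */
        return false;
    /* changepw-authenticated clients stay limited to self-service. */
    if (strcmp(r->service, "kadmin/changepw") == 0 && !self_module(r))
        return false;
    /* Changing your own keys needs an initial ticket, whoever granted it. */
    if (r->op == OP_CHPASS && is_self(r) && !r->initial)
        return false;
    return true;
}

int main(void)
{
    struct request r = { ADMIN, ADMIN, "kadmin/admin", false, OP_CHPASS };
    puts(authorize(&r) ? "allow" : "deny");  /* admin, own keys, non-initial */
    return 0;
}
```

The case in `main` is the one the message singles out: an ACL-authorized administrator is still denied when re-keying its own principal with a non-initial ticket.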