I'm pleased to announce release 1.3 of wallet. The wallet is a system for managing secure data, authorization rules to retrieve or change that data, and audit rules for documenting actions taken on that data. Objects of various types may be stored in the wallet or generated on request and retrieved by authorized users. The wallet tracks ACLs, metadata, and trace information. It is built on top of the remctl protocol and uses Kerberos GSS-API authentication. One of the object types it supports is Kerberos keytabs, making it suitable as a user-accessible front-end to Kerberos kadmind with richer ACL and metadata operations.
Changes from previous release:

This release adds initial, experimental support for using Active Directory as the KDC for keytab creation. The interface to Active Directory uses a combination of direct LDAP queries and the msktutil utility. This version does not support the wallet unchanging flag. Unchanging requires that a keytab be retrieved without changing the password/kvno, which is not supported by msktutil. Active Directory can be selected by setting KEYTAB_KRBTYPE to AD in the wallet configuration. Multiple other configuration options must also be set; see Wallet::Config for more information and README for the additional Perl modules required. Thanks to Bill MacAllister for the implementation.

A new ACL type, nested (Wallet::ACL::Nested), is now supported. The identifier of this ACL names another ACL, and access is granted if that ACL would grant access. This lets one combine multiple other ACLs and apply the union to an object. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier.

A new ACL type, external (Wallet::ACL::External), is now supported. This ACL runs an external command to check if access is allowed, and passes the principal, type and name of the object, and the ACL identifier to that command. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier.

A new variation on the ldap-attr ACL type, ldap-attr-root (Wallet::ACL::LDAP::Attribute::Root), is now supported. This is similar to netdb-root (compared to netdb): the authenticated principal must end in /root, and the LDAP entry checked will be for the same principal without the /root component. This is useful for limiting access to certain privileged objects to Kerberos root instances. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier.

A new object type, password (Wallet::Object::Password), is now supported. This is a subclass of the file object that will randomly generate content for the object if you do a get before storing any content inside it. To enable this object type for an existing database, use wallet-admin to register the new object.

Add a new command to wallet-backend, update. This will update the contents of an object before running a get on it, and is only valid for objects that can automatically get new content, such as keytab and password objects. A keytab will get a new kvno regardless of the unchanging flag if called with update. In a future release, get will be changed to never update a keytab, and the unchanging flag will be ignored. Please start moving to use get or update as the situation warrants.

Add an acl replace command, to change all objects owned by one ACL to be owned by another. This currently only handles owner, not any of the more specific ACLs.

All ACL operations now refer to the ACL by name rather than ID.

Add a report for unstored objects to wallet-report, and clean up the help for the existing unused report that implied it showed unstored as well as unused.

Add reports that list all object types (types) and all ACL schemes (schemes) currently registered in the wallet database.

Add a report of all ACLs that nest a given ACL. This requires some additional local configuration (and probably some code). See Wallet::Config for more information.

Took contributions from Commerzbank AG to improve wallet history. Add a command to dump all object history for searching on to wallet-report, and add a new script for more detailed object history operations to the contrib directory.

Displays of ACLs and ACL entries are now sorted correctly.

The versions of all of the wallet Perl modules now match the overall package version except for Wallet::Schema, which is used to version the database schema.

Update to rra-c-util 5.10:

* Add missing va_end to xasprintf implementation.
* Fix Perl test suite framework for new Automake relative paths.
* Improve portability to Kerberos included in Solaris 10.
* Use appropriate warning flags with Clang (currently not warning clean).

Update to C TAP Harness 3.4:

* Fix segfault in runtests with an empty test list.
* Display verbose test results with -v or C_TAP_VERBOSE.
* Test infrastructure builds cleanly with Clang warnings.
* Support comments and blank lines in test lists.

You can download it from:

    <http://www.eyrie.org/~eagle/software/wallet/>

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Please let me know of any problems or feature requests not already listed in the TODO file.

-- 
Russ Allbery (ea...@eyrie.org)              <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
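The external ACL described in the announcement runs a command and hands it the principal, the object's type and name, and the ACL identifier, while ldap-attr-root applies the Kerberos root-instance convention (principal ends in /root, check the same principal without it). The script below is an added example, not code from the wallet distribution or from this announcement, showing what such an external command could look like: it reads a constructed allow-list, applies the root-instance rule to one kind of entry, and answers through its exit status. The four-argument order, the exit-status meaning (0 grants, anything else denies), the allow-list file format and path, and the WALLET_EXTERNAL_ALLOWLIST variable are assumptions made for this example, not the module's documented interface.

```shell
#!/bin/sh
# Added example (not part of the wallet distribution or this announcement): a
# script that could serve as the external command consulted by an external
# ACL (Wallet::ACL::External).
#
# Assumed calling convention, following the announcement: the wallet invokes
# the command with four arguments, in this order:
#   PRINCIPAL  TYPE  NAME  ACLID
# Assumed result convention: exit status 0 grants access, anything else denies.
# The allow-list file, its format and its contents are constructed for this
# example; the WALLET_EXTERNAL_ALLOWLIST variable and the default path are
# hypothetical.

ALLOWLIST="${WALLET_EXTERNAL_ALLOWLIST:-/etc/wallet/external-acl.txt}"

# strip_root_instance PRINCIPAL
# Mirror of the netdb-root / ldap-attr-root rule: succeed and print the
# principal without its /root instance only for root instances such as
# user/root@REALM; fail for anything else.
strip_root_instance() {
    case $1 in
        */root@*) printf '%s@%s\n' "${1%/root@*}" "${1##*@}" ;;
        *)        return 1 ;;
    esac
}

# check_access FILE PRINCIPAL TYPE NAME ACLID
# Each non-comment line of FILE is:  ACLID  PRINCIPAL  TYPE  NAME-GLOB
# A line whose ACLID, PRINCIPAL and TYPE match exactly and whose NAME-GLOB
# matches the object name grants access (return 0).  A PRINCIPAL field of
# "root-instances" instead accepts any root instance (user/root@REALM).
# Anything that matches no line is denied (return 1), so the check fails closed.
check_access() {
    file=$1 principal=$2 type=$3 name=$4 aclid=$5
    case $principal in
        *@*) ;;                      # require a fully qualified principal
        *)   return 1 ;;
    esac
    while read -r l_aclid l_principal l_type l_glob; do
        case $l_aclid in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$l_aclid" = "$aclid" ] || continue
        [ "$l_type"  = "$type"  ] || continue
        if [ "$l_principal" = root-instances ]; then
            strip_root_instance "$principal" >/dev/null || continue
        else
            [ "$l_principal" = "$principal" ] || continue
        fi
        case $name in
            $l_glob) return 0 ;;     # glob from the allow-list matched the name
        esac
    done < "$file"
    return 1
}

# make_sample_allowlist: write a constructed allow-list to a temporary file
# and print its path (demonstration data only).
make_sample_allowlist() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# ACLID     PRINCIPAL                 TYPE      NAME-GLOB
webteam     alice@EXAMPLE.COM         keytab    HTTP/*
webteam     bob@EXAMPLE.COM           file      web/*
dbadmins    root-instances            password  db/*
EOF
    printf '%s\n' "$f"
}

# When invoked by the wallet with the four expected arguments, decide and exit.
if [ $# -eq 4 ]; then
    check_access "$ALLOWLIST" "$@"
    exit $?
fi
```

The design point is that every path that is not an explicit match denies: an unqualified principal, an unknown ACL identifier, a type mismatch, or a name outside the glob all return 1, so a typo in the allow-list withdraws access rather than widening it. As the announcement notes, the verifier itself still has to be registered with wallet-admin before an ACL of type external can be used.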