|
 |
bb7cd1 |
From 6236b14d20151053f5ccad1fc8ee9b669d4b0ffb Mon Sep 17 00:00:00 2001
|
|
|
bb7cd1 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
bb7cd1 |
Date: Tue, 14 Mar 2017 11:17:05 +0100
|
|
|
bb7cd1 |
Subject: [PATCH 34/36] KCM: Make the secrets ccache back end configurable,
|
|
|
bb7cd1 |
make secrets the default
|
|
|
bb7cd1 |
MIME-Version: 1.0
|
|
|
bb7cd1 |
Content-Type: text/plain; charset=UTF-8
|
|
|
bb7cd1 |
Content-Transfer-Encoding: 8bit
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
Adds a new option 'ccache_storage' that allows to select either the
|
|
|
bb7cd1 |
memory back end or the secrets back end. The secrets back end is the
|
|
|
bb7cd1 |
default one and this option is even undocumented.
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
bb7cd1 |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
bb7cd1 |
---
|
|
|
bb7cd1 |
src/confdb/confdb.h | 1 +
|
|
|
bb7cd1 |
src/config/cfg_rules.ini | 1 +
|
|
|
bb7cd1 |
src/responder/kcm/kcm.c | 49 ++++++++++++++++++++++++++++++++----
|
|
|
bb7cd1 |
src/responder/kcm/kcmsrv_ccache.c | 2 +-
|
|
|
bb7cd1 |
src/responder/kcm/kcmsrv_ccache.h | 6 +----
|
|
|
bb7cd1 |
src/responder/kcm/kcmsrv_ccache_be.h | 1 +
|
|
|
bb7cd1 |
src/responder/kcm/kcmsrv_pvt.h | 7 ++++++
|
|
|
bb7cd1 |
7 files changed, 56 insertions(+), 11 deletions(-)
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
|
bb7cd1 |
index c443e869a7a6782265b42c4ad122867c4e3dd8e0..fb60675ca8beb2c2a157bf021ed9cad362742988 100644
|
|
|
bb7cd1 |
--- a/src/confdb/confdb.h
|
|
|
bb7cd1 |
+++ b/src/confdb/confdb.h
|
|
|
bb7cd1 |
@@ -234,6 +234,7 @@
|
|
|
bb7cd1 |
/* KCM Service */
|
|
|
bb7cd1 |
#define CONFDB_KCM_CONF_ENTRY "config/kcm"
|
|
|
bb7cd1 |
#define CONFDB_KCM_SOCKET "socket_path"
|
|
|
bb7cd1 |
+#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
struct confdb_ctx;
|
|
|
bb7cd1 |
struct config_file_ctx;
|
|
|
bb7cd1 |
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
|
bb7cd1 |
index 5e789c51658c51c0af1338d23d6c0f30f40bf119..67a5d1f5ad447a942b437ffd04a7f5d7cfe77d7f 100644
|
|
|
bb7cd1 |
--- a/src/config/cfg_rules.ini
|
|
|
bb7cd1 |
+++ b/src/config/cfg_rules.ini
|
|
|
bb7cd1 |
@@ -280,6 +280,7 @@ option = fd_limit
|
|
|
bb7cd1 |
option = client_idle_timeout
|
|
|
bb7cd1 |
option = description
|
|
|
bb7cd1 |
option = socket_path
|
|
|
bb7cd1 |
+option = ccache_storage
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
[rule/allowed_domain_options]
|
|
|
bb7cd1 |
validator = ini_allowed_options
|
|
|
bb7cd1 |
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
|
|
|
bb7cd1 |
index 2c12ef215ce3967df183e51c20590c5f439d278f..063c27b915b4b92f6259496feee891aa94a498b6 100644
|
|
|
bb7cd1 |
--- a/src/responder/kcm/kcm.c
|
|
|
bb7cd1 |
+++ b/src/responder/kcm/kcm.c
|
|
|
bb7cd1 |
@@ -47,6 +47,37 @@ static int kcm_responder_ctx_destructor(void *ptr)
|
|
|
bb7cd1 |
return 0;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+static errno_t kcm_get_ccdb_be(struct kcm_ctx *kctx)
|
|
|
bb7cd1 |
+{
|
|
|
bb7cd1 |
+ errno_t ret;
|
|
|
bb7cd1 |
+ char *str_db;
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ ret = confdb_get_string(kctx->rctx->cdb,
|
|
|
bb7cd1 |
+ kctx->rctx,
|
|
|
bb7cd1 |
+ kctx->rctx->confdb_service_path,
|
|
|
bb7cd1 |
+ CONFDB_KCM_DB,
|
|
|
bb7cd1 |
+ "secrets",
|
|
|
bb7cd1 |
+ &str_db);
|
|
|
bb7cd1 |
+ if (ret != EOK) {
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
bb7cd1 |
+ "Cannot get the KCM database type [%d]: %s\n",
|
|
|
bb7cd1 |
+ ret, strerror(ret));
|
|
|
bb7cd1 |
+ return ret;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_CONF_SETTINGS, "KCM database type: %s\n", str_db);
|
|
|
bb7cd1 |
+ if (strcasecmp(str_db, "memory") == 0) {
|
|
|
bb7cd1 |
+ kctx->cc_be = CCDB_BE_MEMORY;
|
|
|
bb7cd1 |
+ return EOK;
|
|
|
bb7cd1 |
+ } else if (strcasecmp(str_db, "secrets") == 0) {
|
|
|
bb7cd1 |
+ kctx->cc_be = CCDB_BE_SECRETS;
|
|
|
bb7cd1 |
+ return EOK;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unexpected KCM database type %s\n", str_db);
|
|
|
bb7cd1 |
+ return EOK;
|
|
|
bb7cd1 |
+}
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
static int kcm_get_config(struct kcm_ctx *kctx)
|
|
|
bb7cd1 |
{
|
|
|
bb7cd1 |
int ret;
|
|
|
bb7cd1 |
@@ -88,14 +119,21 @@ static int kcm_get_config(struct kcm_ctx *kctx)
|
|
|
bb7cd1 |
&sock_name);
|
|
|
bb7cd1 |
if (ret != EOK) {
|
|
|
bb7cd1 |
DEBUG(SSSDBG_OP_FAILURE,
|
|
|
bb7cd1 |
- "Cannot get the client idle timeout [%d]: %s\n",
|
|
|
bb7cd1 |
+ "Cannot get KCM socket path [%d]: %s\n",
|
|
|
bb7cd1 |
ret, strerror(ret));
|
|
|
bb7cd1 |
goto done;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
kctx->rctx->sock_name = sock_name;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+ ret = kcm_get_ccdb_be(kctx);
|
|
|
bb7cd1 |
+ if (ret != EOK) {
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
bb7cd1 |
+ "Cannot get KCM ccache DB [%d]: %s\n",
|
|
|
bb7cd1 |
+ ret, strerror(ret));
|
|
|
bb7cd1 |
+ goto done;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
ret = EOK;
|
|
|
bb7cd1 |
-
|
|
|
bb7cd1 |
done:
|
|
|
bb7cd1 |
return ret;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
@@ -111,7 +149,8 @@ static int kcm_data_destructor(void *ptr)
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
|
|
|
bb7cd1 |
- struct tevent_context *ev)
|
|
|
bb7cd1 |
+ struct tevent_context *ev,
|
|
|
bb7cd1 |
+ enum kcm_ccdb_be cc_be)
|
|
|
bb7cd1 |
{
|
|
|
bb7cd1 |
struct kcm_resp_ctx *kcm_data;
|
|
|
bb7cd1 |
krb5_error_code kret;
|
|
|
bb7cd1 |
@@ -122,7 +161,7 @@ static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
|
|
|
bb7cd1 |
return NULL;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
- kcm_data->db = kcm_ccdb_init(kcm_data, ev, CCDB_BE_MEMORY);
|
|
|
bb7cd1 |
+ kcm_data->db = kcm_ccdb_init(kcm_data, ev, cc_be);
|
|
|
bb7cd1 |
if (kcm_data->db == NULL) {
|
|
|
bb7cd1 |
talloc_free(kcm_data);
|
|
|
bb7cd1 |
return NULL;
|
|
|
bb7cd1 |
@@ -176,7 +215,7 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx,
|
|
|
bb7cd1 |
goto fail;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
- kctx->kcm_data = kcm_data_setup(kctx, ev);
|
|
|
bb7cd1 |
+ kctx->kcm_data = kcm_data_setup(kctx, ev, kctx->cc_be);
|
|
|
bb7cd1 |
if (kctx->kcm_data == NULL) {
|
|
|
bb7cd1 |
DEBUG(SSSDBG_FATAL_FAILURE,
|
|
|
bb7cd1 |
"fatal error initializing responder data\n");
|
|
|
bb7cd1 |
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
|
|
|
bb7cd1 |
index 2ae120269b0c62275ba2acdff6d6daa8b7077708..a22184e0f2b1300f3678bb343b6a110bf144a36b 100644
|
|
|
bb7cd1 |
--- a/src/responder/kcm/kcmsrv_ccache.c
|
|
|
bb7cd1 |
+++ b/src/responder/kcm/kcmsrv_ccache.c
|
|
|
bb7cd1 |
@@ -244,7 +244,7 @@ struct kcm_ccdb *kcm_ccdb_init(TALLOC_CTX *mem_ctx,
|
|
|
bb7cd1 |
break;
|
|
|
bb7cd1 |
case CCDB_BE_SECRETS:
|
|
|
bb7cd1 |
DEBUG(SSSDBG_FUNC_DATA, "KCM back end: sssd-secrets\n");
|
|
|
bb7cd1 |
- /* Not implemented yet */
|
|
|
bb7cd1 |
+ ccdb->ops = &ccdb_sec_ops;
|
|
|
bb7cd1 |
break;
|
|
|
bb7cd1 |
default:
|
|
|
bb7cd1 |
DEBUG(SSSDBG_CRIT_FAILURE, "Unknown ccache database\n");
|
|
|
bb7cd1 |
diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h
|
|
|
bb7cd1 |
index 18c8c47ad4ecb24521a85a1833b239c7a2a8bb45..36c481c5335d557318f0ed0204d93e533b4b6c41 100644
|
|
|
bb7cd1 |
--- a/src/responder/kcm/kcmsrv_ccache.h
|
|
|
bb7cd1 |
+++ b/src/responder/kcm/kcmsrv_ccache.h
|
|
|
bb7cd1 |
@@ -29,6 +29,7 @@
|
|
|
bb7cd1 |
#include "util/util.h"
|
|
|
bb7cd1 |
#include "util/sss_iobuf.h"
|
|
|
bb7cd1 |
#include "util/util_creds.h"
|
|
|
bb7cd1 |
+#include "responder/kcm/kcmsrv_pvt.h"
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
#define UUID_BYTES 16
|
|
|
bb7cd1 |
#define UUID_STR_SIZE 37
|
|
|
bb7cd1 |
@@ -113,11 +114,6 @@ errno_t kcm_cc_store_cred_blob(struct kcm_ccache *cc,
|
|
|
bb7cd1 |
struct kcm_cred *kcm_cc_get_cred(struct kcm_ccache *cc);
|
|
|
bb7cd1 |
struct kcm_cred *kcm_cc_next_cred(struct kcm_cred *crd);
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
-enum kcm_ccdb_be {
|
|
|
bb7cd1 |
- CCDB_BE_MEMORY,
|
|
|
bb7cd1 |
- CCDB_BE_SECRETS,
|
|
|
bb7cd1 |
-};
|
|
|
bb7cd1 |
-
|
|
|
bb7cd1 |
/* An opaque database that contains all the ccaches */
|
|
|
bb7cd1 |
struct kcm_ccdb;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
diff --git a/src/responder/kcm/kcmsrv_ccache_be.h b/src/responder/kcm/kcmsrv_ccache_be.h
|
|
|
bb7cd1 |
index 1bd2b6981e227675866e82e0a5389445cac4df66..a0796c298bae15a01adf612a6195a494ba6b4d23 100644
|
|
|
bb7cd1 |
--- a/src/responder/kcm/kcmsrv_ccache_be.h
|
|
|
bb7cd1 |
+++ b/src/responder/kcm/kcmsrv_ccache_be.h
|
|
|
bb7cd1 |
@@ -200,5 +200,6 @@ struct kcm_ccdb_ops {
|
|
|
bb7cd1 |
};
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
extern const struct kcm_ccdb_ops ccdb_mem_ops;
|
|
|
bb7cd1 |
+extern const struct kcm_ccdb_ops ccdb_sec_ops;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
#endif /* _KCMSRV_CCACHE_BE_ */
|
|
|
bb7cd1 |
diff --git a/src/responder/kcm/kcmsrv_pvt.h b/src/responder/kcm/kcmsrv_pvt.h
|
|
|
bb7cd1 |
index a29680246c1e616da75e1bbff951ce2fad66fb65..74f30c00014105ed533744779b02c5d42523722d 100644
|
|
|
bb7cd1 |
--- a/src/responder/kcm/kcmsrv_pvt.h
|
|
|
bb7cd1 |
+++ b/src/responder/kcm/kcmsrv_pvt.h
|
|
|
bb7cd1 |
@@ -49,6 +49,12 @@ struct kcm_resp_ctx {
|
|
|
bb7cd1 |
struct kcm_ccdb *db;
|
|
|
bb7cd1 |
};
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+/* Supported ccache back ends */
|
|
|
bb7cd1 |
+enum kcm_ccdb_be {
|
|
|
bb7cd1 |
+ CCDB_BE_MEMORY,
|
|
|
bb7cd1 |
+ CCDB_BE_SECRETS,
|
|
|
bb7cd1 |
+};
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
/*
|
|
|
bb7cd1 |
* responder context that contains both the responder data,
|
|
|
bb7cd1 |
* like the ccaches and the sssd-specific stuff like the
|
|
|
bb7cd1 |
@@ -58,6 +64,7 @@ struct kcm_ctx {
|
|
|
bb7cd1 |
struct resp_ctx *rctx;
|
|
|
bb7cd1 |
int fd_limit;
|
|
|
bb7cd1 |
char *socket_path;
|
|
|
bb7cd1 |
+ enum kcm_ccdb_be cc_be;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
struct kcm_resp_ctx *kcm_data;
|
|
|
bb7cd1 |
};
|
|
|
bb7cd1 |
--
|
|
|
bb7cd1 |
2.9.3
|
|
|
bb7cd1 |
|