| author | Russ Allbery <eagle@eyrie.org> | 2016-01-03 15:21:30 -0800 | 
|---|---|---|
| committer | Russ Allbery <eagle@eyrie.org> | 2016-01-03 15:21:30 -0800 | 
| commit | 3b8a786a0e4d77bfc63cc8d4373972ef578115ea (patch) | |
| tree | 97429c8d854e2f7c6a53076f7467e5710861a79e | |
| parent | 45fa535256e8272511d1f6769069536248b565dd (diff) | |
Flesh out NEWS and update TODO for merged changes
Change-Id: I714a6298c36e6fd7eca6ee3acb01637a96773647
| -rw-r--r-- | NEWS | 35 |
| -rw-r--r-- | TODO | 28 |
2 files changed, 36 insertions, 27 deletions
| @@ -2,10 +2,27 @@  wallet 1.3 (unreleased) -    A new object type, password (Wallet::Object::Password), is now  -    supported.  This is a subclass of the file object that will randomly  +    A new ACL type, nested (Wallet::ACL::Nested), is now supported.  The +    identifier of this ACL names another ACL, and access is granted if +    that ACL would grant access.  This lets one combine multiple other +    ACLs and apply the union to an object.  To enable this ACL type for an +    existing wallet database, use wallet-admin to register the new +    verifier. + +    A new variation on the ldap-attr ACL type, ldap-attr-root +    (Wallet::ACL::LDAP::Attribute::Root), is now supported.  This is +    similar to netdb-root (compared to netdb): the authenticated principal +    must end in /root, and the LDAP entry checked will be for the same +    principal without the /root component.  This is useful for limiting +    access to certain privileged objects to Kerberos root instances.  To +    enable this ACL type for an existing wallet database, use wallet-admin +    to register the new verifier. + +    A new object type, password (Wallet::Object::Password), is now +    supported.  This is a subclass of the file object that will randomly      generate content for the object if you do a get before storing any -    content inside it. +    content inside it.  To enable this object type for an existing +    database, use wallet-admin to register the new object.      Add a new command to wallet-backend, update.  This will update the      contents of an object before running a get on it, and is only valid @@ -17,7 +34,8 @@ wallet 1.3 (unreleased)      warrants.      Add an acl replace command, to change all objects owned by one ACL to -    be owned by another. +    be owned by another.  This currently only handles owner, not any of +    the more specific ACLs.      All ACL operations now refer to the ACL by name rather than ID. 
@@ -25,11 +43,20 @@ wallet 1.3 (unreleased)      help for the existing unused report that implied it showed unstored as      well as unused. +    Add reports that list all object types (types) and all ACL schemes +    (schemes) currently registered in the wallet database. + +    Add a report of all ACLs that nest a given ACL.  This requires some +    additional local configuration (and probably some code).  See +    Wallet::Config for more information. +      Took contributions from Commerzbank AG to improve wallet history.  Add      a command to dump all object history for searching on to      wallet-report, and add a new script for more detailed object history      operations to the contrib directory. +    Displays of ACLs and ACL entries are now sorted correctly. +  wallet 1.2 (2014-12-08)      The duo object type has been split into several sub-types, each for a @@ -35,10 +35,11 @@ Server Interface:   * Provide a way to get history for deleted objects and ACLs.   * Provide an interface to mass-change all instances of one ACL to -   another. +   another.  (Owner changes are currently supported, but not the other +   ACLs.) - * Add help functions to wallet-backend, wallet-report, and wallet-admin -   listing the commands. + * Add help functions to wallet-backend and wallet-admin listing the +   commands.   * Catch exceptions on object creation in wallet-backend so that we can     log those as well. @@ -70,8 +71,6 @@ Server Interface:     (maybe).  Or, alternately, maybe we allow get of any keytab?  Requires     more thought. - * Add command to list available types and schemes. -   * Add a mechanism to automate owner updates based on default_owner.   * Partially merge create and autocreate.  create and autocreate should do 
@@ -79,8 +78,6 @@ Server Interface:     available. If not, autocreate should fail and create should fall back     on checking for ADMIN privileges. - * Support file object renaming. -   * Rewrite server backends to use Net::Remctl::Backend.   * Merge the Wallet::Logger support written by Commerzbank AG: create a @@ -109,8 +106,6 @@ ACLs:   * Pass a reference to the object for which the ACL is interpreted to the     ACL API so that ACL APIs can make more complex decisions. - * A group-in-groups ACL schema. -   * Provide an API for verifiers to syntax-check the values before an ACL     is set and implement syntax checking for the krb5 and ldap-attr     verifiers. @@ -122,10 +117,7 @@ ACLs:     for whether a particular user is authorized to create host-based     objects for a particular host. - * Add ldap-group ACL scheme. - - * Provide a root-instance version of the ldap-attr (and possibly the -   ldap-group) ACL schemes. + * Add ldap-group ACL scheme (and possibly a root-only version).   * Add a comment field to ACLs. @@ -170,14 +162,6 @@ Objects:   * Support returning the checksum of a file object stored in wallet so     that one can determine whether the version stored on disk is identical. - * Implement new password wallet object, which is like file except that it -   generates a random, strong password when retrieved the first time -   without being stored. - - * Support interrogating objects to find all host-based objects for a -   particular host, allowing cleanup of all of those host's objects after -   retiring the host. -   * Support setting the disallow-svr flag on created principals.  In     general, support setting arbitrary principal flags. 
@@ -187,8 +171,6 @@ Reports:     previous versions before ACL deletion was checked with database     backends that don't do referential integrity. - * Add report for all objects that have never been stored. -   * For objects tied to hostnames, report on objects referring to hosts     which do not exist.  For the initial pass, this is probably only keytab     objects with names containing a slash where the part after the slash | 
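Review bot: In the first NEWS hunk (@@ -2,10 +2,27 @@), the nested ACL entry does not say what happens when a nested ACL names itself, directly or through another nested ACL; state whether such a cycle is rejected when the ACL entry is added or detected (and bounded) at verification time, since administrators combining ACLs will eventually create one by accident. The three "use wallet-admin to register the new verifier/object" sentences would also help upgraders more if they gave the exact wallet-admin invocation to run.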
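Review bot: In the NEWS hunk @@ -25,11 +43,20 @@, "This requires some additional local configuration (and probably some code)" is too vague for a release note; name the Wallet::Config setting or hook an administrator must define for the ACL-nesting report to work, and either drop "probably some code" or say what site-specific code the report expects to be provided.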
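Review bot: In the TODO hunk @@ -79,8 +78,6 @@, removing "Support file object renaming" is not matched by any NEWS line in this patch, unlike the other removed TODO items (types/schemes report, group-in-groups ACL, password object, unstored report), each of which corresponds to a NEWS entry added here. If renaming was merged, add a NEWS entry for it; if it was dropped as a goal, keep the TODO item or record why it was dropped.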
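Review bot: In the TODO hunk @@ -170,14 +162,6 @@, the second removed item, "Support interrogating objects to find all host-based objects for a particular host", has no corresponding NEWS entry in this patch (the password object removal does). Confirm that NEWS already records such a host-based lookup or report from an earlier commit, or add an entry next to the new types/schemes report entries.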
