| Age | Commit message (Collapse) | Author |
|---|
|
|
|
A new ACL type, external (Wallet::ACL::External), is now supported.
This ACL runs an external command to check if access is allowed, and
passes the principal and the ACL identifier to that command. To
enable this ACL type for an existing wallet database, use wallet-admin
to register the new verifier.
Change-Id: I21b72b4373eefc92985aca1505e2d1a1ec699602
|
|
Change-Id: I714a6298c36e6fd7eca6ee3acb01637a96773647
|
|
Change-Id: I97f466b2221b71ffcc60dd4f1b48e5986496ff46
|
|
JIRA's structure has been reorganized, so change the JIRA issue
references to be accurate again. Add JIRA issues for the things
that hadn't been entered into JIRA yet.
Change-Id: I385d19b09108d94430bbe142a2b3f6f80b5e4c39
Reviewed-on: https://gerrit.stanford.edu/1588
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Fix the ordering of table drops during a wallet-admin destroy action
to remove tables with foreign key references before the tables they
are referencing. Should fix destroy in MySQL and other database
engines that enforce referential integrity.
Change-Id: I9b37c516f67acdf1d9e25222f067df6749e8c769
Reviewed-on: https://gerrit.stanford.edu/1558
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I478ed7812a4d25641ee85846e4092e17536e5a1d
Reviewed-on: https://gerrit.stanford.edu/1557
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I8f63cfd9692039f37ecfd46ab6072aa2f71c344d
Reviewed-on: https://gerrit.stanford.edu/1328
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Install the wallet schema files generated by DBIx::Class for the
various supported database engines into /usr/local/share/wallet
(by default, using pkgdatadir) on make install. Set the default
$DB_DDL_DIRECTORY value in Wallet::Config accordingly.
Change-Id: I7ec52b171bc6aca2c3e1040c037e7cf24553231f
Reviewed-on: https://gerrit.stanford.edu/794
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: If4bd4a62517572fed6fe911bc39a0e5c6be36e76
Reviewed-on: https://gerrit.stanford.edu/732
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Add a new acl check command which, given an ACL ID, prints yes if that
ACL already exists and no otherwise. This is parallel to the check
command for objects.
Also fix some documentation errors in the wallet client documentation,
saying that the check command doesn't require any ACL and fixing one
place where "show" was used instead of "store".
|
|
|
|
|
|
|
|
|
|
|
|
A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
supported. This ACL type grants access if the LDAP entry
corresponding to the principal contains the attribute name and value
specified in the ACL. The Net::LDAP and Authen::SASL Perl modules are
required to use this ACL type. New configuration settings are
required as well; see Wallet::Config for more information. To enable
this ACL type for an existing wallet database, use wallet-admin to
register the new verifier.
|
|
|
|
Add a missing TODO item for purging host-related objects that was
filed in JIRA.
|
|
|
|
Add a comment field to objects and corresponding commands to
wallet-backend and wallet to set and retrieve it. The comment field
can only be set by the owner or wallet administrators but can be seen
by anyone on the show ACL.
|
|
|
|
|
|
|
|
Add a objects unused report to wallet-report and Wallet::Report,
returning all objects that have never been downloaded (in other words,
have never been the target of a get command).
|
|
|
|
|
|
|
|
|
|
Remove some TODO items that are no longer relevant, either because they've
been implemented or because we no longer care about Kerberos v4 principal
name conversion.
|
|
|
|
Move all reporting from Wallet::Admin to Wallet::Report and simplify
the method names since they're now part of a dedicated reporting
class. Similarly, create a new wallet-report script to wrap
Wallet::Report, moving all reporting commands to it from wallet-admin,
and simplify the commands since they're for a dedicated reporting
script.
Remove the contrib script wallet-report to wallet-summary so that it
doesn't conflict with the new reporting backend script.
|
|
Heimdal supports retrieving a keytab containing the existing keys over
the kadmin protocol. Move the support for using remctl to retrieve an
existing keytab into Wallet::Kadmin::MIT and provide two separate
methods in the Wallet::Kadmin interface: one which rekeys and one which
doesn't. Implement the non-rekeying interface for Heimdal. Expand the
test suite for the unchanging keytabs to include tests for the Heimdal
method.
|
|
Pull the sync code out into separate methods to avoid a really long and
awkward attr method. Document the limited object support for the sync
attribute.
|
|
|
|
Now that we support multiple versions of Kerberos, use generic names
for the functions in the Wallet::Kadmin interface rather than the
commands from the MIT kadmin interface.
|
|
The wallet client now uses a temporary disk ticket cache when
obtaining tickets with the -u option rather than an in-memory cache,
allowing for a libremctl built against a different Kerberos
implementation than the wallet client. This primarily helps with
testing.
|
|
The wallet client no longer enables kaserver synchronization when a
srvtab is requested with -S. Instead, it just extracts the DES key
from the keytab and writes it to a srvtab. It no longer forces the
kvno of the srvtab to 0 (a Stanford-specific action) and instead
preserves the kvno from the key in the keytab. This should now do the
right thing for sites that use a KDC that serves both Kerberos v4 and
Kerberos v5 from the same database.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
file (using -f) or from standard input (if -f wasn't given) when the
data isn't specified on the command line. The data still must not
contain nul characters.
|
|
|
|
|
|
|
