directory-dev mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRKRB-458) Update KrbOptions to include all KDC Option flags
Date Thu, 19 Nov 2015 13:33:11 GMT

    [ https://issues.apache.org/jira/browse/DIRKRB-458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15013540#comment-15013540 ]

Kai Zheng commented on DIRKRB-458:
----------------------------------

Hi Steve,

Thanks for this well documented proposal!
bq. it simply treats the absence of a flag as a false...I'd like to propose that the KrbOption
enum be updated to include all fifteen of the KDC Option flags, and that the "negatives" of
those flags be removed.
It sounds reasonable. Then *KrbClient* will be able to have enhancements to set such flags
when adding to support more APIs.

> Update KrbOptions to include all KDC Option flags
> -------------------------------------------------
>
>                 Key: DIRKRB-458
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-458
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Steve Moyer
>            Assignee: Steve Moyer
>
> When creating a client request, one uses the KrbOptions to specify many aspects of the AsRequest.  Most of the methods that retrieve tickets from the Kerberos server are simply for convenience - all the packets are structured in a similar way underneath.
> The KDC Options are a collection of fifteen boolean flags that are spread out in a 32-bit field.  Currently, not all the KDC Option flags are represented in the KrbOption enum but those that are have the following structure:
> {code}
> FORWARDABLE("forwardable"),
> NOT_FORWARDABLE("not forwardable"),
> PROXIABLE("proxiable"),
> NOT_PROXIABLE("not proxiable"),
> {code}
> The code I submitted as a resolution to DIRKRB-450 doesn't actually use the "NOT" flags (e.g. NOT_FORWARDABLE or NOT_PROXIABLE); it simply treats the absence of a flag as a false.  The changes made to manage the KDC Options bitmap in DIRKRB-449 allow the bitmap to be expressed as an integer, and the code included in DIRKRB-450 effectively builds that integer by logical-or'ing these flags together (e.g. FORWARDABLE | PROXIABLE | RENEWABLE_OK).
> I'd like to propose that the KrbOption enum be updated to include all fifteen of the KDC Option flags, and that the "negatives" of those flags be removed.  For reference, the complete list of KDC Options is:
> -   Forwardable
> -   Forwarded
> -   Proxiable
> -   Proxy
> -   Allow Postdate
> -   Postdated
> -   Renewable
> -   Opt HW Auth
> -   Constrained Delegation
> -   Canonicalize
> -   Disable
> -   Renewable OK
> -   Enc-Tkt-in-Skey
> -   Renew
> -   Validate
> I've pushed the change to KrbOption for RENEWABLE_OK we discussed on the mailing list to GitHub (https://github.com/PennState/directory-kerby/blob/master/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java) but I think this is a better long-term solution to managing the KDC Options.
> I'd be happy to reedit the KrbOption file to make these changes - assign this issue to me if it makes sense in the grand scheme of things.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
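
The bitmap handling described in the issue, as an added example that is not part of the original message and is not Kerby's `KrbOption` code: one enum constant per KDC Option, no "NOT" variants, and the 32-bit value built by OR-ing the selected flags. The names `KdcFlag`, `encode` and `decode` are hypothetical; the bit numbers are assumed from the KDCOptions definition in RFC 4120, with bit 14 taken from MS-SFU and bit 15 from RFC 6806, and "Disable" and "Constrained Delegation" in the list are read as disable-transited-check and cname-in-addl-tkt.

```java
import java.util.EnumSet;
import java.util.Set;

public class KdcOptionsDemo {
    // Hypothetical enum (not Kerby's KrbOption). Bit numbers are assumed from
    // RFC 4120 KDCOptions, plus bit 14 (MS-SFU) and bit 15 (RFC 6806).
    enum KdcFlag {
        FORWARDABLE(1), FORWARDED(2), PROXIABLE(3), PROXY(4),
        ALLOW_POSTDATE(5), POSTDATED(6), RENEWABLE(8), OPT_HARDWARE_AUTH(11),
        CNAME_IN_ADDL_TKT(14),  // "Constrained Delegation" in the issue's list
        CANONICALIZE(15), DISABLE_TRANSITED_CHECK(26), RENEWABLE_OK(27),
        ENC_TKT_IN_SKEY(28), RENEW(30), VALIDATE(31);

        final int mask;

        // Kerberos numbers bits from the most significant end: bit 0 = 0x80000000.
        KdcFlag(int bit) { this.mask = 0x80000000 >>> bit; }
    }

    // OR the selected flags together; a flag that is not in the set stays 0,
    // so no NOT_* constants are needed.
    static int encode(Set<KdcFlag> flags) {
        int bits = 0;
        for (KdcFlag f : flags) bits |= f.mask;
        return bits;
    }

    // Recover the flag set. Rejecting bits that no defined flag accounts for
    // is this example's choice, made so that reserved bits are never dropped silently.
    static Set<KdcFlag> decode(int bits) {
        Set<KdcFlag> flags = EnumSet.noneOf(KdcFlag.class);
        int known = 0;
        for (KdcFlag f : KdcFlag.values()) {
            known |= f.mask;
            if ((bits & f.mask) != 0) flags.add(f);
        }
        if ((bits & ~known) != 0)
            throw new IllegalArgumentException(
                String.format("reserved or unknown bits set: 0x%08x", bits & ~known));
        return flags;
    }

    public static void main(String[] args) {
        // The combination used as the example in the issue text.
        int bits = encode(EnumSet.of(
            KdcFlag.FORWARDABLE, KdcFlag.PROXIABLE, KdcFlag.RENEWABLE_OK));
        System.out.printf("0x%08x -> %s%n", bits, decode(bits));
    }
}
```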
