Subject: Re: Kerby client library refactoring
From: Emmanuel Lécharny
To: kerby@directory.apache.org
Date: Tue, 24 Nov 2015 09:33:10 +0100
Message-ID: <565420C6.6030701@gmail.com>
In-Reply-To: <8D5F7E3237B3ED47B84CF187BB17B66611CD3F37@SHSMSX152.ccr.corp.intel.com>
References: <8D5F7E3237B3ED47B84CF187BB17B66611CD3F1C@SHSMSX152.ccr.corp.intel.com> <8D5F7E3237B3ED47B84CF187BB17B66611CD3F37@SHSMSX152.ccr.corp.intel.com>

On 24/11/15 06:59, Zheng, Kai wrote:
> There has been good feedback from Steve recently. Based on discussions with him and Emmanuel, I assembled the thoughts below.
>
> KrbClient and its relatives like KrbOption would be broken down according to supported mechanisms and functionalities.
> Eventually we would have these client-side APIs for applications to use.
>
> == KrbClient ==
> Focus on the classical Kerberos protocol, allowing tickets to be requested/updated from the KDC using password, keytab, credential cache, etc.
>
> == KrbPkinitClient ==
> Support the PKINIT mechanism, allowing tickets to be requested from the KDC using anonymous and x509 certificate.
>
> == KrbTokenClient ==
> Support standard JWT token, allowing tickets to be requested from the KDC using a JWT token.
>
> == KrbPwChange ==
> Change-password client, interacting with the KDC using the change password protocol.
>
> == KrbAdmin ==
> KDC admin utilities compatible with the MIT kadmin tool in either local or remote mode. In remote mode it interacts with the KDC, though no spec standardizes that.
>
> Note there're already keytab and credential cache utilities.
>
> All these components will define their own options with good specific descriptions;
> For the components that use configurations, krb5.conf is the default format;
> For the components that interact with KDC-side servers, common network and message support will be used;
> All will provide both intuitive functions and advanced functions that support directly calling into the underlying layer.
> These library APIs can be used to write tools like kinit, or embedded in applications.
>
> It would be good to provide corresponding server-side components or support, but not mandatory. Better to have at least for easier tests.
>
> If this sounds good, we can break this down into smaller tasks and get the major work done before the 1.0.0 formal release.

If those elements are going to be Enums, keep in mind that you can inherit from another enum. So if you have common elements, feel free to put them in a parent Enum.

Otherwise, sounds like a good idea.