kadm5/kadmin: Add read-only mode
Now we can have read-only kadmind instances.
This commit is contained in:
Nicolas Williams
51
kadmin/rpc.c
51
kadmin/rpc.c
@@ -689,7 +689,7 @@ proc_init(kadm5_server_context *contextp,
|
||||
struct krb5_proc {
|
||||
const char *name;
|
||||
void (*func)(kadm5_server_context *, krb5_storage *, krb5_storage *);
|
||||
} procs[] = {
|
||||
} rwprocs[] = {
|
||||
{ "NULL", NULL },
|
||||
{ "create principal", proc_create_principal },
|
||||
{ "delete principal", proc_delete_principal },
|
||||
@@ -712,6 +712,29 @@ struct krb5_proc {
|
||||
{ "chpass principal v3", NULL },
|
||||
{ "chrand principal v3", NULL },
|
||||
{ "setkey principal v3", NULL }
|
||||
}, roprocs[] = {
|
||||
{ "NULL", NULL },
|
||||
{ "create principal", NULL },
|
||||
{ "delete principal", NULL },
|
||||
{ "modify principal", NULL },
|
||||
{ "rename principal", NULL },
|
||||
{ "get principal", proc_get_principal },
|
||||
{ "chpass principal", NULL },
|
||||
{ "chrand principal", NULL },
|
||||
{ "create policy", NULL },
|
||||
{ "delete policy", NULL },
|
||||
{ "modify policy", NULL },
|
||||
{ "get policy", NULL },
|
||||
{ "get privs", NULL },
|
||||
{ "init", NULL },
|
||||
{ "get principals", NULL },
|
||||
{ "get polices", NULL },
|
||||
{ "setkey principal", NULL },
|
||||
{ "setkey principal v4", NULL },
|
||||
{ "create principal v3", NULL },
|
||||
{ "chpass principal v3", NULL },
|
||||
{ "chrand principal v3", NULL },
|
||||
{ "setkey principal v3", NULL }
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
@@ -742,8 +765,10 @@ struct gctx {
|
||||
|
||||
static int
|
||||
process_stream(krb5_context contextp,
|
||||
unsigned char *buf, size_t ilen,
|
||||
krb5_storage *sp)
|
||||
unsigned char *buf,
|
||||
size_t ilen,
|
||||
krb5_storage *sp,
|
||||
int readonly)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_storage *msg, *reply, *dreply;
|
||||
@@ -884,6 +909,7 @@ process_stream(krb5_context contextp,
|
||||
int conf_state;
|
||||
uint32_t seq;
|
||||
krb5_storage *sp1;
|
||||
struct krb5_proc *procs = readonly ? roprocs : rwprocs;
|
||||
|
||||
INSIST(gcred.service == rpg_privacy);
|
||||
|
||||
@@ -921,11 +947,16 @@ process_stream(krb5_context contextp,
|
||||
*/
|
||||
CHECK(krb5_store_uint32(dreply, gctx.seq_num));
|
||||
|
||||
if (chdr.proc >= sizeof(procs)/sizeof(procs[0])) {
|
||||
if (chdr.proc >= sizeof(rwprocs)/sizeof(rwprocs[0])) {
|
||||
krb5_warnx(contextp, "proc number out of array");
|
||||
} else if (procs[chdr.proc].func == NULL) {
|
||||
krb5_warnx(contextp, "proc '%s' never implemented",
|
||||
procs[chdr.proc].name);
|
||||
if (readonly && rwprocs[chdr.proc].func)
|
||||
krb5_warnx(contextp,
|
||||
"proc '%s' not allowed (readonly mode)",
|
||||
procs[chdr.proc].name);
|
||||
else
|
||||
krb5_warnx(contextp, "proc '%s' never implemented",
|
||||
procs[chdr.proc].name);
|
||||
} else {
|
||||
krb5_warnx(contextp, "proc %s", procs[chdr.proc].name);
|
||||
INSIST(server_handle != NULL);
|
||||
@@ -1101,7 +1132,11 @@ process_stream(krb5_context contextp,
|
||||
|
||||
|
||||
int
|
||||
handle_mit(krb5_context contextp, void *buf, size_t len, krb5_socket_t sock)
|
||||
handle_mit(krb5_context contextp,
|
||||
void *buf,
|
||||
size_t len,
|
||||
krb5_socket_t sock,
|
||||
int readonly)
|
||||
{
|
||||
krb5_storage *sp;
|
||||
|
||||
@@ -1110,7 +1145,7 @@ handle_mit(krb5_context contextp, void *buf, size_t len, krb5_socket_t sock)
|
||||
sp = krb5_storage_from_socket(sock);
|
||||
INSIST(sp != NULL);
|
||||
|
||||
process_stream(contextp, buf, len, sp);
|
||||
process_stream(contextp, buf, len, sp, readonly);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user