heimdal/lib/kadm5/kadm5_err.et
Nicolas Williams 20df2c8706 Two-phase HDB commit via iprop log, + GC for log
We used to update the iprop log and HDB in different orders depending on
the kadm5 operation, which then led to various race conditions.

The iprop log now functions as a two-phase commit (with roll forward)
log for HDB changes.  The log is auto-truncated, keeping the latest
entries that fit in a configurable maximum number of bytes (defaults to
50MB).  See the log-max-size parameter description in krb5.conf(5).

The iprop log format and the protocol remain backwards-compatible with
earlier versions of Heimdal.  This is NOT a flag-day; there is NO need
to update all the slaves at once with the master, though it is advisable
in general.  Rolling upgrades and downgrades should work.

The sequence of updates is now (with HDB and log open and locked):

a) check that the HDB operation will succeed if attempted,
b) append to iprop log and fsync() it,
c) write to HDB (which should fsync()),
d) mark last log record committed (no fsync in this case).

Every kadm5 write operation recovers transactions not yet confirmed as
committed, thus there can be at most one unconfirmed commit on a master
KDC.

Reads via kadm5_get_principal() also attempt to lock the log, and if
successful, recover unconfirmed transactions; readers must have write
access and must win any race to lock the iprop log.

The ipropd-master daemon also attempts to recover unconfirmed
transactions when idle.

The log now starts with a nop record whose payload records the offset of
the logical end of the log: the end of the last confirmed committed
transaction.  This is known as the "uber record".  Its purpose is
two-fold: act as the confirmation of committed transactions, and provide
an O(1) method of finding the end of the log (i.e., without having to
traverse the entire log front to back).

Two-phase commit makes all kadm5 writes single-operation atomic
transactions (though some kadm5 operations, such as renames of
principals, and changes to principals' aliases, use multiple low-level
HDB write operations, but still all in one transaction).  One can still
hold a lock on the HDB across many operations (e.g., by using the lock
command in a kadmin -l or calling kadm5_lock()) in order to push
multiple transactions in sequence, but this sequence will not be atomic
if the process or host crashes in the middle.

As before, HDB writes which do not go through the kadm5 API are excluded
from all of this, but there should be no such writes.

Lastly, the iprop-log(1) command is enhanced as follows:

 - The dump, last-version, truncate, and replay sub-commands now have an
   option to not lock the log.  This is useful for inspecting a running
   system's log file, especially on slave KDCs.

 - The dump, last-version, truncate, and replay sub-commands now take an
   optional iprop log file positional argument, so that they may be used
   to inspect log files other than the running system's
   configured/default log file.

Extensive code review and some re-writing for clarity by Viktor Dukhovni.
2016-02-26 00:55:33 -06:00
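
The update sequence a) to d) and the roll-forward recovery described in the commit message above, as an added example that is not Heimdal's code. It is a simplified in-memory model: the struct layout, the names `kadm_write`, `recover`, `hdb_store`, `hdb_get` and the `crash_point` switch are all assumptions, and `committed_end` stands in for the offset stored in the uber record.

```c
#include <stdio.h>
#include <string.h>
/* Simplified in-memory model (assumed layout, NOT Heimdal's record format). */
struct rec { char key[16]; int val; };
struct iprop_log {
    size_t committed_end;  /* role of the "uber record": logical end of log */
    size_t physical_end;   /* records actually appended (and fsync()ed) */
    struct rec recs[16];
};
struct hdb { size_t n; struct rec rows[16]; };
enum crash_point { NO_CRASH, CRASH_AFTER_LOG, CRASH_AFTER_HDB };
void hdb_store(struct hdb *db, const struct rec *r) {  /* idempotent upsert */
    for (size_t i = 0; i < db->n; i++)
        if (strcmp(db->rows[i].key, r->key) == 0) { db->rows[i].val = r->val; return; }
    db->rows[db->n++] = *r;
}
int hdb_get(const struct hdb *db, const char *key) {   /* -1 if absent */
    for (size_t i = 0; i < db->n; i++)
        if (strcmp(db->rows[i].key, key) == 0) return db->rows[i].val;
    return -1;
}
/* Roll forward every record past the logical end; returns how many replayed. */
size_t recover(struct iprop_log *lg, struct hdb *db) {
    size_t replayed = 0;
    for (; lg->committed_end < lg->physical_end; lg->committed_end++, replayed++)
        hdb_store(db, &lg->recs[lg->committed_end]);
    return replayed;
}
/* Returns 0 = committed, 1 = simulated crash, -1 = rejected by pre-check. */
int kadm_write(struct iprop_log *lg, struct hdb *db, const char *key, int val,
               enum crash_point cp) {
    struct rec r = { "", val };
    recover(lg, db);                        /* writers recover first */
    if (lg->physical_end == 16 || db->n == 16 || strlen(key) >= sizeof r.key)
        return -1;                          /* a) will the operation succeed? */
    strcpy(r.key, key);
    lg->recs[lg->physical_end++] = r;       /* b) append to log (+ fsync) */
    if (cp == CRASH_AFTER_LOG) return 1;
    hdb_store(db, &r);                      /* c) write to HDB */
    if (cp == CRASH_AFTER_HDB) return 1;
    lg->committed_end = lg->physical_end;   /* d) confirm via uber record */
    return 0;
}
int main(void) {
    struct iprop_log lg = {0}; struct hdb db = {0};
    kadm_write(&lg, &db, "alice", 1, NO_CRASH);
    kadm_write(&lg, &db, "bob", 2, CRASH_AFTER_LOG);  /* constructed crash */
    printf("replayed %zu\n", recover(&lg, &db));
    return 0;
}
```

Because each write recovers before appending, the gap between `physical_end` and `committed_end` never exceeds one record, which is the "at most one unconfirmed commit" property the message states.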


#
# Error messages for the kadm5 library
#
# This might look like a com_err file, but is not
#
id "$Id$"
error_table ovk kadm5
prefix KADM5
error_code FAILURE, "Operation failed for unspecified reason"
error_code AUTH_GET, "Operation requires `get' privilege"
error_code AUTH_ADD, "Operation requires `add' privilege"
error_code AUTH_MODIFY, "Operation requires `modify' privilege"
error_code AUTH_DELETE, "Operation requires `delete' privilege"
error_code AUTH_INSUFFICIENT, "Insufficient authorization for operation"
error_code BAD_DB, "Database inconsistency detected"
error_code DUP, "Principal or policy already exists"
error_code RPC_ERROR, "Communication failure with server"
error_code NO_SRV, "No administration server found for realm"
error_code BAD_HIST_KEY, "Password history principal key version mismatch"
error_code NOT_INIT, "Connection to server not initialized"
error_code UNK_PRINC, "Principal does not exist"
error_code UNK_POLICY, "Policy does not exist"
error_code BAD_MASK, "Invalid field mask for operation"
error_code BAD_CLASS, "Invalid number of character classes"
error_code BAD_LENGTH, "Invalid password length"
error_code BAD_POLICY, "Invalid policy name"
error_code BAD_PRINCIPAL, "Invalid principal name."
error_code BAD_AUX_ATTR, "Invalid auxillary attributes"
error_code BAD_HISTORY, "Invalid password history count"
error_code BAD_MIN_PASS_LIFE, "Password minimum life is greater than password maximum life"
error_code PASS_Q_TOOSHORT, "Password is too short"
error_code PASS_Q_CLASS, "Password does not contain enough character classes"
error_code PASS_Q_DICT, "Password is in the password dictionary"
error_code PASS_REUSE, "Can't reuse password"
error_code PASS_TOOSOON, "Current password's minimum life has not expired"
error_code POLICY_REF, "Policy is in use"
error_code INIT, "Connection to server already initialized"
error_code BAD_PASSWORD, "Incorrect password"
error_code PROTECT_PRINCIPAL, "Can't change protected principal"
error_code BAD_SERVER_HANDLE, "Programmer error! Bad Admin server handle"
error_code BAD_STRUCT_VERSION, "Programmer error! Bad API structure version"
error_code OLD_STRUCT_VERSION, "API structure version specified by application is no longer supported"
error_code NEW_STRUCT_VERSION, "API structure version specified by application is unknown to libraries"
error_code BAD_API_VERSION, "Programmer error! Bad API version"
error_code OLD_LIB_API_VERSION, "API version specified by application is no longer supported by libraries"
error_code OLD_SERVER_API_VERSION,"API version specified by application is no longer supported by server"
error_code NEW_LIB_API_VERSION, "API version specified by application is unknown to libraries"
error_code NEW_SERVER_API_VERSION,"API version specified by application is unknown to server"
error_code SECURE_PRINC_MISSING,"Database error! Required principal missing"
error_code NO_RENAME_SALT, "The salt type of the specified principal does not support renaming"
error_code BAD_CLIENT_PARAMS, "Invalid configuration parameter for remote KADM5 client"
error_code BAD_SERVER_PARAMS, "Invalid configuration parameter for local KADM5 client."
error_code AUTH_LIST, "Operation requires `list' privilege"
error_code AUTH_CHANGEPW, "Operation requires `change-password' privilege"
error_code BAD_TL_TYPE, "Invalid tagged data list element type"
error_code MISSING_CONF_PARAMS, "Required parameters in kdc.conf missing"
error_code BAD_SERVER_NAME, "Bad krb5 admin server hostname"
error_code KS_TUPLE_NOSUPP, "Key/salt tuples not supported by this function"
error_code SETKEY3_ETYPE_MISMATCH, "Key/salt tuples don't match keys"
error_code DECRYPT_USAGE_NOSUPP, "Given usage of kadm5_decrypt() not supported"
error_code POLICY_OP_NOSUPP, "Policy operations not supported"
error_code KEEPOLD_NOSUPP, "Keep old keys option not supported"
error_code AUTH_GET_KEYS, "Operation requires `get-keys' privilege"
error_code ALREADY_LOCKED, "Database already locked"
error_code NOT_LOCKED, "Database not locked"
error_code LOG_CORRUPT, "Incremental propagation log got corrupted"