20df2c8706
We used to update the iprop log and HDB in different orders depending on the kadm5 operation, which then led to various race conditions. The iprop log now functions as a two-phase commit (with roll forward) log for HDB changes. The log is auto-truncated, keeping the latest entries that fit in a configurable maximum number of bytes (defaults to 50MB). See the log-max-size parameter description in krb5.conf(5). The iprop log format and the protocol remain backwards-compatible with earlier versions of Heimdal. This is NOT a flag-day; there is NO need to update all the slaves at once with the master, though it is advisable in general. Rolling upgrades and downgrades should work. The sequence of updates is now (with HDB and log open and locked): a) check that the HDB operation will succeed if attempted, b) append to iprop log and fsync() it, c) write to HDB (which should fsync()), d) mark last log record committed (no fsync in this case). Every kadm5 write operation recover transactions not yet confirmed as committed, thus there can be at most one unconfirmed commit on a master KDC. Reads via kadm5_get_principal() also attempt to lock the log, and if successful, recover unconfirmed transactions; readers must have write access and must win any race to lock the iprop log. The ipropd-master daemon also attempts to recover unconfirmed transactions when idle. The log now starts with a nop record whose payload records the offset of the logical end of the log: the end of the last confirmed committed transaction. This is kown as the "uber record". Its purpose is two-fold: act as the confirmation of committed transactions, and provide an O(1) method of finding the end of the log (i.e., without having to traverse the entire log front to back). Two-phase commit makes all kadm5 writes single-operation atomic transactions (though some kadm5 operations, such as renames of principals, and changes to principals' aliases, use multiple low-level HDB write operations, but still all in one transaction). One can still hold a lock on the HDB across many operations (e.g., by using the lock command in a kadmin -l or calling kadm5_lock()) in order to push multiple transactions in sequence, but this sequence will not be atomic if the process or host crashes in the middle. As before, HDB writes which do not go through the kadm5 API are excluded from all of this, but there should be no such writes. Lastly, the iprop-log(1) command is enhanced as follows: - The dump, last-version, truncate, and replay sub-commands now have an option to not lock the log. This is useful for inspecting a running system's log file, especially on slave KDCs. - The dump, last-version, truncate, and replay sub-commands now take an optional iprop log file positional argument, so that they may be used to inspect log files other than the running system's configured/default log file. Extensive code review and some re-writing for clarity by Viktor Dukhovni.
90 lines
2.1 KiB
Plaintext
90 lines
2.1 KiB
Plaintext
# $Id$
|
|
|
|
HEIMDAL_KAMD5_SERVER_1.0 {
|
|
global:
|
|
kadm5_ad_init_with_password;
|
|
kadm5_ad_init_with_password_ctx;
|
|
kadm5_all_keys_are_bogus;
|
|
kadm5_add_passwd_quality_verifier;
|
|
kadm5_check_password_quality;
|
|
kadm5_chpass_principal;
|
|
kadm5_chpass_principal_3;
|
|
kadm5_chpass_principal_with_key;
|
|
kadm5_chpass_principal_with_key_3;
|
|
kadm5_create_policy;
|
|
kadm5_create_principal;
|
|
kadm5_create_principal_3;
|
|
kadm5_delete_principal;
|
|
kadm5_destroy;
|
|
kadm5_decrypt_key;
|
|
kadm5_delete_policy;
|
|
kadm5_flush;
|
|
kadm5_free_key_data;
|
|
kadm5_free_name_list;
|
|
kadm5_free_policy_ent;
|
|
kadm5_free_principal_ent;
|
|
kadm5_get_policy;
|
|
kadm5_get_policies;
|
|
kadm5_get_principal;
|
|
kadm5_get_principals;
|
|
kadm5_get_privs;
|
|
kadm5_init_with_creds;
|
|
kadm5_init_with_creds_ctx;
|
|
kadm5_init_with_password;
|
|
kadm5_init_with_password_ctx;
|
|
kadm5_init_with_skey;
|
|
kadm5_init_with_skey_ctx;
|
|
kadm5_lock;
|
|
kadm5_modify_principal;
|
|
kadm5_modify_policy;
|
|
kadm5_randkey_principal;
|
|
kadm5_randkey_principal_3;
|
|
kadm5_rename_principal;
|
|
kadm5_ret_key_data;
|
|
kadm5_ret_principal_ent;
|
|
kadm5_ret_principal_ent_mask;
|
|
kadm5_ret_tl_data;
|
|
kadm5_setup_passwd_quality_check;
|
|
kadm5_setkey_principal;
|
|
kadm5_setkey_principal_3;
|
|
kadm5_some_keys_are_bogus;
|
|
kadm5_store_key_data;
|
|
kadm5_store_principal_ent;
|
|
kadm5_store_principal_ent_mask;
|
|
kadm5_store_principal_ent_nokeys;
|
|
kadm5_store_tl_data;
|
|
kadm5_unlock;
|
|
kadm5_s_init_with_password_ctx;
|
|
kadm5_s_init_with_password;
|
|
kadm5_s_init_with_skey_ctx;
|
|
kadm5_s_init_with_skey;
|
|
kadm5_s_init_with_creds_ctx;
|
|
kadm5_s_init_with_creds;
|
|
kadm5_s_chpass_principal_cond;
|
|
kadm5_log_set_version;
|
|
kadm5_log_signal_master;
|
|
kadm5_log_signal_socket;
|
|
kadm5_log_previous;
|
|
kadm5_log_goto_end;
|
|
kadm5_log_foreach;
|
|
kadm5_log_get_version_fd;
|
|
kadm5_log_get_version;
|
|
kadm5_log_recover;
|
|
kadm5_log_replay;
|
|
kadm5_log_end;
|
|
kadm5_log_reinit;
|
|
kadm5_log_init;
|
|
kadm5_log_init_nb;
|
|
kadm5_log_init_nolock;
|
|
kadm5_log_init_sharedlock;
|
|
kadm5_log_nop;
|
|
kadm5_log_truncate;
|
|
kadm5_log_modify;
|
|
_kadm5_acl_check_permission;
|
|
_kadm5_unmarshal_params;
|
|
_kadm5_s_get_db;
|
|
_kadm5_privs_to_string;
|
|
local:
|
|
*;
|
|
};
|