kadmin authorization interface (kadm5_auth)ΒΆ
The kadm5_auth interface (new in release 1.16) allows modules to
determine whether a client principal is authorized to perform an
operation in the kadmin protocol, and to apply restrictions to
principal operations. For a detailed description of the kadm5_auth
interface, see the header file <krb5/kadm5_auth_plugin.h>
.
A module can create and destroy per-process state objects by implementing the init and fini methods. State objects have the type kadm5_auth_modinfo, which is an abstract pointer type. A module should typically cast this to an internal type for the state object.
The kadm5_auth interface has one method for each kadmin operation, with parameters specific to the operation. Each method can return either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other modules, or another error (canonically EPERM) to authoritatively deny access. Access is granted if at least one module grants access and no module authoritatively denies access.
The addprinc and modprinc methods can also impose restrictions
on the principal operation by returning a struct
kadm5_auth_restrictions
object. The module should also implement
the free_restrictions method if it dynamically allocates
restrictions objects for principal operations.
kadm5_auth modules can optionally inspect principal or policy objects.
To do this, the module must also include <kadm5/admin.h>
to gain
access to the structure definitions for those objects. As the kadmin
interface is explicitly not as stable as other public interfaces,
modules which do this may not retain compatibility across releases.
On this page
Table of contents
- For users
- For administrators
- For application developers
- For plugin module developers
- General plugin concepts
- Client preauthentication interface (clpreauth)
- KDC preauthentication interface (kdcpreauth)
- Credential cache selection interface (ccselect)
- Password quality interface (pwqual)
- KADM5 hook interface (kadm5_hook)
- kadmin authorization interface (kadm5_auth)
- Host-to-realm interface (hostrealm)
- Local authorization interface (localauth)
- Server location interface (locate)
- Configuration interface (profile)
- GSSAPI mechanism interface
- Internal pluggable interfaces
- PKINIT certificate authorization interface (certauth)
- KDC policy interface (kdcpolicy)
- Building Kerberos V5
- Kerberos V5 concepts
- Protocols and file formats
- MIT Kerberos features
- How to build this documentation from the source
- Contributing to the MIT Kerberos Documentation
- Resources