Steve Moyer created DIRKRB-458:
----------------------------------
Summary: Update KrbOptions to include all KDC Option flags
Key: DIRKRB-458
URL: https://issues.apache.org/jira/browse/DIRKRB-458
Project: Directory Kerberos
Issue Type: Bug
Reporter: Steve Moyer
When creating a client request, one uses the KrbOptions to specify many aspects
of the AsRequest. Most of the methods that retrieve tickets from the Kerberos
server are simply for convenience - all the packets are structured in a similar
way underneath.
The KDC Options are a collection of fifteen boolean flags that are spread out in
a 32-bit field. Currently, not all the KDC Option flags are represented in the
KrbOption enum but those that are have the following structure:
{code}
FORWARDABLE("forwardable"),
NOT_FORWARDABLE("not forwardable"),
PROXIABLE("proxiable"),
NOT_PROXIABLE("not proxiable"),
{code}
The code I submitted as a resolution to DIRKRB-450 doesn't actually use the
"NOT" flags (e.g. NOT_FORWARDABLE or NOT_PROXIABLE), it simply treats the
absence of a flag as a false. The changes made to manage the KDC Options
bitmap in DIRKRB-449 allow the bitmap to be expressed as an integer, and the
code included in DIRKRB-450 effectively builds that integer by logical-or'ing
these flags together (e.g. FORWARDABLE | PROXIABLE | RENEWABLE_OK).
I'd like to propose that the KrbOption enum be updated to include all fifteen
of the KDC Option flags, and that the "negatives" of those flags be removed.
For reference, the complete list of KDC Options is:
- Forwardable
- Forwarded
- Proxiable
- Proxy
- Allow Postdate
- Postdated
- Renewable
- Opt HW Auth
- Constrained Delegation
- Canonicalize
- Disable
- Renewable OK
- Enc-Tkt-in-Skey
- Renew
- Validate
I've pushed the change to KrbOption for RENEWABLE_OK we discussed on the
mailing list to GitHub
(https://github.com/PennState/directory-kerby/blob/master/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbOption.java)
but I think this is a better long-term solution to managing the KDC Options.
I'd be happy to reedit the KrbOption file to make these changes - assign this
issue to me if it makes sense in the grand scheme of things.
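The flag-only model proposed in the issue, sketched as an added example (not part of the original message and not Kerby's code): the type `KdcFlag` and its helper methods are hypothetical. Bit positions follow the KDCOptions numbering in RFC 4120 (bit 0 is the most significant bit), and the RFC names chosen for the "Constrained Delegation" and "Disable" entries in the list are an assumption about what those entries refer to.

```java
import java.util.EnumSet;
import java.util.Set;

public class KdcOptionsDemo {
    /** Hypothetical enum: one constant per flag, no NOT_* negatives. */
    enum KdcFlag {
        FORWARDABLE(1), FORWARDED(2), PROXIABLE(3), PROXY(4),
        ALLOW_POSTDATE(5), POSTDATED(6), RENEWABLE(8), OPT_HARDWARE_AUTH(11),
        CNAME_IN_ADDL_TKT(14),        // assumed to be "Constrained Delegation" in the list
        CANONICALIZE(15),
        DISABLE_TRANSITED_CHECK(26),  // assumed to be "Disable" in the list
        RENEWABLE_OK(27), ENC_TKT_IN_SKEY(28), RENEW(30), VALIDATE(31);

        final int mask;

        // RFC 4120 counts bits from the most significant end of the 32-bit field.
        KdcFlag(int bit) { this.mask = 1 << (31 - bit); }
    }

    /** OR the selected flags together; any flag not in the set is simply false. */
    static int encode(Set<KdcFlag> flags) {
        int bits = 0;
        for (KdcFlag f : flags) bits |= f.mask;
        return bits;
    }

    /** Recover the flag set from the integer form, e.g. when auditing a request. */
    static EnumSet<KdcFlag> decode(int bits) {
        EnumSet<KdcFlag> set = EnumSet.noneOf(KdcFlag.class);
        for (KdcFlag f : KdcFlag.values()) if ((bits & f.mask) != 0) set.add(f);
        return set;
    }

    /** Bits set in the field that none of the fifteen flags accounts for. */
    static int unknownBits(int bits) {
        return bits & ~encode(EnumSet.allOf(KdcFlag.class));
    }

    public static void main(String[] args) {
        int bits = encode(EnumSet.of(KdcFlag.FORWARDABLE, KdcFlag.PROXIABLE, KdcFlag.RENEWABLE_OK));
        System.out.printf("encoded: 0x%08X%n", bits);
        System.out.println("decoded: " + decode(bits));
        // Constructed input: the reserved top bit plus VALIDATE.
        System.out.printf("unknown: 0x%08X%n", unknownBits(0x80000001));
    }
}
```

Decoding the integer back into a set makes it easy to log exactly which delegation-related options (forwardable, proxiable, constrained delegation) a client request asks for, and `unknownBits` surfaces reserved positions that should not be set.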