import CS gssproxy-0.8.4-6.el9
This commit is contained in:
parent
725e015d4c
commit
59d3edb623
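--- /dev/null
+++ b/SOURCES/0001-Add-an-option-for-minimum-lifetime.patch
@@ -0,0 +1,139 @@
+From 7945bd756c5e41ec223c058b2c698809f04f3c77 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Thu, 2 Sep 2021 12:44:27 -0400
+Subject: [PATCH] Add an option for minimum lifetime
+
+It's possible for gssproxy to return a cached credential with a very
+small remaining lifetime. This can be problematic for NFS clients since
+it requires a round trip to the NFS server to establish a GSS context.
+Add a min_lifetime option that represents the lowest value that the
+lifetime of the cached credential can be. Any lower than that, and
+gp_check_cred() returns GSS_S_CREDENTIALS_EXPIRED, so that
+gp_add_krb5_creds() is forced to try to obtain a new credential.
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+---
+examples/99-nfs-client.conf.in | 1 +
+man/gssproxy.conf.5.xml | 15 +++++++++++++++
+src/gp_config.c | 12 ++++++++++++
+src/gp_creds.c | 12 ++++++++++--
+src/gp_proxy.h | 1 +
+5 files changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in
+index c0985d9..9dd1891 100644
+--- a/examples/99-nfs-client.conf.in
++++ b/examples/99-nfs-client.conf.in
+@@ -7,3 +7,4 @@
+allow_any_uid = yes
+trusted = yes
+euid = 0
++ min_lifetime = 60
+diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
+index 67dce68..f02b1d3 100644
+--- a/man/gssproxy.conf.5.xml
++++ b/man/gssproxy.conf.5.xml
+@@ -331,6 +331,21 @@
+</listitem>
+</varlistentry>
+
++ <varlistentry>
++ <term>min_lifetime (integer)</term>
++ <listitem>
++ <para>Minimum lifetime of a cached credential, in seconds.</para>
++ <para>If non-zero, when gssproxy is deciding whether to use
++ a cached credential, it will compare the lifetime of the
++ cached credential to this value. If the lifetime of the
++ cached credential is lower, gssproxy will treat the cached
++ credential as expired and will attempt to obtain a new
++ credential.
++ </para>
++ <para>Default: min_lifetime = 15</para>
++ </listitem>
++ </varlistentry>
++
+<varlistentry>
+<term>program (string)</term>
+<listitem>
+diff --git a/src/gp_config.c b/src/gp_config.c
+index 88d5f29..6a6aa90 100644
+--- a/src/gp_config.c
++++ b/src/gp_config.c
+@@ -32,6 +32,7 @@ struct gp_flag_def flag_names[] = {
+
+#define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG
+#define DEFAULT_ENFORCED_FLAGS 0
++#define DEFAULT_MIN_LIFETIME 15
+
+static void free_str_array(const char ***a, int *count)
+{
+@@ -538,6 +539,17 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
+goto done;
+}
+}
++
++ cfg->svcs[n]->min_lifetime = DEFAULT_MIN_LIFETIME;
++ ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);
++ if (ret == 0) {
++ if (valnum >= 0) {
++ cfg->svcs[n]->min_lifetime = valnum;
++ } else {
++ GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",
++ valnum, secname);
++ }
++ }
+}
+safefree(secname);
+}
+diff --git a/src/gp_creds.c b/src/gp_creds.c
+index 92a6f13..843d1a3 100644
+--- a/src/gp_creds.c
++++ b/src/gp_creds.c
+@@ -492,6 +492,7 @@ done:
+}
+
+static uint32_t gp_check_cred(uint32_t *min,
++ struct gp_service *svc,
+gss_cred_id_t in_cred,
+gssx_name *desired_name,
+gss_cred_usage_t cred_usage)
+@@ -563,7 +564,14 @@ static uint32_t gp_check_cred(uint32_t *min,
+if (lifetime == 0) {
+ret_maj = GSS_S_CREDENTIALS_EXPIRED;
+} else {
+- ret_maj = GSS_S_COMPLETE;
++ if (svc->min_lifetime && lifetime < svc->min_lifetime) {
++ GPDEBUG("%s: lifetime (%u) less than min_lifetime (%u) "
++ "for service \"%s\" - returning\n",
++ __func__, lifetime, svc->min_lifetime, svc->name);
++ ret_maj = GSS_S_CREDENTIALS_EXPIRED;
++ } else {
++ ret_maj = GSS_S_COMPLETE;
++ }
+}
+
+done:
+@@ -622,7 +630,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
+* function completely */
+
+/* just check if it is a valid krb5 cred */
+- ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
++ ret_maj = gp_check_cred(&ret_min, gpcall->service, in_cred, desired_name, cred_usage);
+if (ret_maj == GSS_S_COMPLETE) {
+return GSS_S_COMPLETE;
+} else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
+diff --git a/src/gp_proxy.h b/src/gp_proxy.h
+index 3f58a43..f56d640 100644
+--- a/src/gp_proxy.h
++++ b/src/gp_proxy.h
+@@ -45,6 +45,7 @@ struct gp_service {
+gss_cred_usage_t cred_usage;
+uint32_t filter_flags;
+uint32_t enforce_flags;
++ uint32_t min_lifetime;
+char *program;
+
+uint32_t mechs;
+--
+2.39.2
+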
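Review bot: The new branch in gp_check_cred (the `if (svc->min_lifetime && lifetime < svc->min_lifetime)` block in the src/gp_creds.c hunk of the embedded patch) carries no comment saying why a credential that is still valid is reported as GSS_S_CREDENTIALS_EXPIRED; that rationale lives only in the commit message. A one-line comment above it, `/* A cached credential that lapses within min_lifetime is reported as expired so the caller fetches a fresh one instead of spending a context-setup round trip on it; min_lifetime = 0 disables this check. */`, would keep the intent next to the code. The same gap exists in the load_services hunk of src/gp_config.c, where `valnum >= 0` deliberately admits 0 but nothing states that 0 means "disabled" (the man page text says "If non-zero"), so a matching remark beside `#define DEFAULT_MIN_LIFETIME 15` would tie the two together. Note that the new GPDEBUG call prints `svc->name`, which is not among the gp_service members visible in the gp_proxy.h hunk, so it is presumably declared elsewhere in that struct and worth confirming. The bodies of gp_check_cred, load_services and gp_add_krb5_creds all extend outside the hunks shown.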
@ -1,7 +1,7 @@
Name: gssproxy
Name: gssproxy
Version: 0.8.4
Version: 0.8.4
Release: 4%{?dist}
Release: 6%{?dist}
Summary: GSSAPI Proxy
Summary: GSSAPI Proxy
License: MIT
License: MIT
@ -14,6 +14,7 @@ Source1: rwtab
%global gpstatedir %{_localstatedir}/lib/gssproxy
%global gpstatedir %{_localstatedir}/lib/gssproxy
### Patches ###
### Patches ###
Patch0001: 0001-Add-an-option-for-minimum-lifetime.patch
### Dependencies ###
### Dependencies ###
Requires: krb5-libs >= 1.12.0
Requires: krb5-libs >= 1.12.0
@ -110,6 +111,16 @@ install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy
%systemd_postun_with_restart gssproxy.service
%systemd_postun_with_restart gssproxy.service
%changelog
%changelog
* Wed Apr 05 2023 Julien Rische <jrische@redhat.com> - 0.8.4-6
- Use openldap-servers from EPEL repo for testing
- Resolves: rhbz#2187634
* Mon Apr 03 2023 Julien Rische <jrische@redhat.com> - 0.8.4-5
- Add an option for minimum lifetime
- Resolves: rhbz#2184333
- Remove unused patch files
- Fix date typographical error in changelog
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Related: rhbz#1991688
@ -120,7 +131,7 @@ install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.4-2
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 13 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.4-1
* Wed Jan 13 2021 Robbie Harwood <rharwood@redhat.com> - 0.8.4-1
- New upstream release (0.8.4)
- New upstream release (0.8.4)
* Thu Oct 29 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.3-6
* Thu Oct 29 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.3-6