App with multiple keytabs

Bradley Kite
Hi there,

I'm quite new to the gssapi, but my use-case is slightly different from the
norm.

I'm trying to write a "multi-tenanted" app where different threads need to
run gssapi functions but using different keytab files (based on the tenant)
- so setting KRB5_KTNAME (via putenv()) is not going to work unless I use
some kind of locking/synchronisation which is going to be horrible for
performance.

I've looked through the docs for some kind of profile or configuration
context that can be passed into a variant of gss_accept_sec_context() but
I've not been able to find anything so far.

Am I trying to do something that is not currently possible?

I'd be glad to hear of any ideas that anyone might have for how to solve
this problem.

Many thanks in advance.
--
Brad.
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: App with multiple keytabs

Sorin Manolache
On 2016-08-31 12:38, Bradley Kite wrote:

> Hi there,
>
> I'm quite new to the gssapi, but my use-case is slightly different from the
> norm.
>
> I'm trying to write a "multi-tenanted" app where different threads need to
> run gssapi functions but using different keytab files (based on the tenant)
> - so setting KRB5_KTNAME (via putenv()) is not going to work unless I use
> some kind of locking/synchronisation which is going to be horrible for
> performance.
>
> I've looked through the docs for some kind of profile or configuration
> context that can be passed into a variant of gss_accept_sec_context() but
> I've not been able to find anything so far.
>
> Am I trying to do something that is not currently possible?
>
> I'd be glad to hear of any ideas that anyone might have for how to solve
> this problem.
>
> Many thanks in advance.

I think I have a similar use-case and I use gss_acquire_cred_from:

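#include <gssapi/gssapi_ext.h>   /* gss_acquire_cred_from, gss_key_value_* */
#include <gssapi/gssapi_krb5.h>  /* gss_mech_set_krb5 */

gss_cred_id_t tgt;
OM_uint32 rc, ms, tm;
/* credential store with a single key/value pair */
gss_key_value_element_desc e[] = {{"client_keytab", NULL}};
gss_key_value_set_desc kv = {1, &e[0]};

e[0].value = keytab_name;  /* const char *: keytab to use for this credential */
/* the credential store is passed by pointer */
rc = gss_acquire_cred_from(&ms, NULL, GSS_C_INDEFINITE,
    (gss_OID_set)gss_mech_set_krb5, GSS_C_INITIATE, &kv, &tgt, NULL, &tm);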

HTH,
Sorin

Re: App with multiple keytabs

Bradley Kite
On 2016-08-31 12:38, Bradley Kite wrote:

>> Hi there,
>>
>
> I think I have a similar use-case and I use gss_acquire_cred_from:
>
> gss_cred_id_t tgt;
> OM_uint32 rc, ms, tm;
> gss_key_value_element_desc e[] = {{"client_keytab", NULL}};
> gss_key_value_set_desc kv = {1, &e[0]};
>
> e[0].value = keytab_name;
> /* the credential store is passed by pointer */
> rc = gss_acquire_cred_from(&ms, NULL, GSS_C_INDEFINITE,
>     (gss_OID_set)gss_mech_set_krb5, GSS_C_INITIATE, &kv, &tgt, NULL, &tm);
>
> HTH,
> Sorin

That's just the pointer I needed, many thanks in advance!

I have found the URNs that can be supported in
src/lib/gssapi/krb5/gssapiP_krb5.h.

Thanks
--
Brad.