Bug 1031710

Summary: Add filter to remove DELEG flags and knob to optionally allow it
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: gssproxy
Assignee: Simo Sorce <ssorce>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: gdeschner, jiyin
Target Milestone: rc   
Fixed In Version: gssproxy-0.3.0-3.el7
Doc Type: Bug Fix
Last Closed: 2014-06-16 10:21:54 UTC

Description Dmitri Pal 2013-11-18 15:22:43 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/gss-proxy/ticket/109

A client process can request that its credentials be forwarded to the target by setting the GSS_C_DELEG_FLAG at context initialization.

However this is not desirable if gssproxy is being used to prevent the caller from getting access to credentials, because in that case, normally the caller should also be prevented from exposing them to the target.

A default list of flags forcibly on or forcibly off should be created and a configuration option to forcibly add or forcibly remove flags should be created.

The option should be something like:

init_flags = +GSS_C_DELEG_FLAG
or also
init_flags = +0x0001

The second notation can be used if, in future, new flags that do not have a name in the binary are introduced that need tweaking.
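
A sketch of the flag filter requested above, added here as an example; it is not gssproxy's code. It assumes '+' forces a flag on, '-' forces it off, and a default policy that strips GSS_C_DELEG_FLAG; the names flag_policy, policy_default, policy_parse and policy_apply are hypothetical, and the flag values are those of RFC 2744.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Request-flag values from RFC 2744, defined locally so the example
 * builds without GSSAPI headers. */
#define GSS_C_DELEG_FLAG  0x0001u
#define GSS_C_MUTUAL_FLAG 0x0002u
#define GSS_C_REPLAY_FLAG 0x0004u

/* Hypothetical policy: bits forced on and bits forced off. */
struct flag_policy { uint32_t force_on; uint32_t force_off; };

static const struct { const char *name; uint32_t value; } known_flags[] = {
    { "GSS_C_DELEG_FLAG",  GSS_C_DELEG_FLAG },
    { "GSS_C_MUTUAL_FLAG", GSS_C_MUTUAL_FLAG },
    { "GSS_C_REPLAY_FLAG", GSS_C_REPLAY_FLAG },
};

/* Assumed default: delegation is stripped unless configured otherwise. */
struct flag_policy policy_default(void)
{
    struct flag_policy p = { 0, GSS_C_DELEG_FLAG };
    return p;
}

/* Parse one token such as "+GSS_C_DELEG_FLAG" or "-0x0001".
 * Returns 0 on success, -1 on a missing sign, unknown name or bad number. */
int policy_parse(struct flag_policy *p, const char *tok)
{
    uint32_t v = 0;
    if (tok[0] != '+' && tok[0] != '-') return -1;
    for (size_t i = 0; i < sizeof(known_flags) / sizeof(known_flags[0]); i++)
        if (strcmp(tok + 1, known_flags[i].name) == 0) v = known_flags[i].value;
    if (v == 0) {                       /* not a known name: numeric form */
        char *end;
        if (!isdigit((unsigned char)tok[1])) return -1;
        unsigned long n = strtoul(tok + 1, &end, 0);
        if (*end != '\0' || n == 0 || n > UINT32_MAX) return -1;
        v = (uint32_t)n;
    }
    if (tok[0] == '+') { p->force_on |= v;  p->force_off &= ~v; }
    else               { p->force_off |= v; p->force_on  &= ~v; }
    return 0;
}

/* Filter the caller's requested flags before context initialization. */
uint32_t policy_apply(const struct flag_policy *p, uint32_t req_flags)
{
    return (req_flags & ~p->force_off) | p->force_on;
}
```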

Comment 1 Guenther Deschner 2013-11-20 14:46:08 UTC
Fix pushed.

Comment 3 JianHong Yin 2014-03-12 04:27:50 UTC
test with nfs OK, sanityOnly

Comment 4 Ludek Smid 2014-06-16 10:21:54 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.