Commit 3b8a786a authored by Russ Allbery's avatar Russ Allbery
Browse files

Flesh out NEWS and update TODO for merged changes

Change-Id: I714a6298c36e6fd7eca6ee3acb01637a96773647
parent 45fa5352
......@@ -2,10 +2,27 @@
wallet 1.3 (unreleased)
A new object type, password (Wallet::Object::Password), is now
supported. This is a subclass of the file object that will randomly
A new ACL type, nested (Wallet::ACL::Nested), is now supported. The
identifier of this ACL names another ACL, and access is granted if
that ACL would grant access. This lets one combine multiple other
ACLs and apply the union to an object. To enable this ACL type for an
existing wallet database, use wallet-admin to register the new
A new variation on the ldap-attr ACL type, ldap-attr-root
(Wallet::ACL::LDAP::Attribute::Root), is now supported. This is
similar to netdb-root (compared to netdb): the authenticated principal
must end in /root, and the LDAP entry checked will be for the same
principal without the /root component. This is useful for limiting
access to certain privileged objects to Kerberos root instances. To
enable this ACL type for an existing wallet database, use wallet-admin
to register the new verifier.
A new object type, password (Wallet::Object::Password), is now
supported. This is a subclass of the file object that will randomly
generate content for the object if you do a get before storing any
content inside it.
content inside it. To enable this object type for an existing
database, use wallet-admin to register the new object.
Add a new command to wallet-backend, update. This will update the
contents of an object before running a get on it, and is only valid
......@@ -17,7 +34,8 @@ wallet 1.3 (unreleased)
Add an acl replace command, to change all objects owned by one ACL to
be owned by another.
be owned by another. This currently only handles owner, not any of
the more specific ACLs.
All ACL operations now refer to the ACL by name rather than ID.
......@@ -25,11 +43,20 @@ wallet 1.3 (unreleased)
help for the existing unused report that implied it showed unstored as
well as unused.
Add reports that list all object types (types) and all ACL schemes
(schemes) currently registered in the wallet database.
Add a report of all ACLs that nest a given ACL. This requires some
additional local configuration (and probably some code). See
Wallet::Config for more information.
Took contributions from Commerzbank AG to improve wallet history. Add
a command to dump all object history for searching on to
wallet-report, and add a new script for more detailed object history
operations to the contrib directory.
Displays of ACLs and ACL entries are now sorted correctly.
wallet 1.2 (2014-12-08)
The duo object type has been split into several sub-types, each for a
......@@ -35,10 +35,11 @@ Server Interface:
* Provide a way to get history for deleted objects and ACLs.
* Provide an interface to mass-change all instances of one ACL to
another. (Owner changes are currently supported, but not the other
* Add help functions to wallet-backend, wallet-report, and wallet-admin
listing the commands.
* Add help functions to wallet-backend and wallet-admin listing the
* Catch exceptions on object creation in wallet-backend so that we can
log those as well.
......@@ -70,8 +71,6 @@ Server Interface:
(maybe). Or, alternately, maybe we allow get of any keytab? Requires
more thought.
* Add command to list available types and schemes.
* Add a mechanism to automate owner updates based on default_owner.
* Partially merge create and autocreate. create and autocreate should do
......@@ -79,8 +78,6 @@ Server Interface:
available. If not, autocreate should fail and create should fall back
on checking for ADMIN privileges.
* Support file object renaming.
* Rewrite server backends to use Net::Remctl::Backend.
* Merge the Wallet::Logger support written by Commerzbank AG: create a
......@@ -109,8 +106,6 @@ ACLs:
* Pass a reference to the object for which the ACL is interpreted to the
ACL API so that ACL APIs can make more complex decisions.
* A group-in-groups ACL schema.
* Provide an API for verifiers to syntax-check the values before an ACL
is set and implement syntax checking for the krb5 and ldap-attr
......@@ -122,10 +117,7 @@ ACLs:
for whether a particular user is authorized to create host-based
objects for a particular host.
* Add ldap-group ACL scheme.
* Provide a root-instance version of the ldap-attr (and possibly the
ldap-group) ACL schemes.
* Add ldap-group ACL scheme (and possibly a root-only version).
* Add a comment field to ACLs.
......@@ -170,14 +162,6 @@ Objects:
* Support returning the checksum of a file object stored in wallet so
that one can determine whether the version stored on disk is identical.
* Implement new password wallet object, which is like file except that it
generates a random, strong password when retrieved the first time
without being stored.
* Support interrogating objects to find all host-based objects for a
particular host, allowing cleanup of all of those host's objects after
retiring the host.
* Support setting the disallow-svr flag on created principals. In
general, support setting arbitrary principal flags.
......@@ -187,8 +171,6 @@ Reports:
previous versions before ACL deletion was checked with database
backends that don't do referential integrity.
* Add report for all objects that have never been stored.
* For objects tied to hostnames, report on objects referring to hosts
which do not exist. For the initial pass, this is probably only keytab
objects with names containing a slash where the part after the slash
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment