| < S/Ident | Russ Allbery > Software | WebAuth > |
An architect
who does not believe
in privacy
may also lack faith
in keeping out the rain
(John M. Ford, Growing Up Weightless)
The wallet is a system for managing secure data, authorization rules to retrieve or change that data, and audit rules for documenting actions taken on that data. Objects of various types may be stored in the wallet or generated on request and retrieved by authorized users. The wallet tracks ACLs, metadata, and trace information. It is built on top of the remctl protocol and uses Kerberos GSS-API authentication. One of the object types it supports is Kerberos keytabs, making it suitable as a user-accessible front-end to Kerberos kadmind with richer ACL and metadata operations.
The wallet client is written in C and uses the remctl C libraries. The wallet server is written in Perl and is designed to be easily extensible to add new managed object types and new ACL verifiers.
The wallet client is written in C and hence requires a C compiler. It links with the remctl C libraries, so you must obtain and build remctl before building wallet. The wallet client will build with either MIT Kerberos or Heimdal.
The wallet server requires Perl 5.6.0 or later, the Perl DBI module, and a DBD module for the database backend you intend to use. It has been tested against SQLite 3 and MySQL 5.0 (InnoDB tables are required). Other database backends will probably require some porting. It is intended to run under remctld and will require porting of the front end to run under another server.
The file object support in the wallet server requires the Digest::MD5 Perl module, which comes with recent versions of Perl and is available on CPAN for older versions.
Keytab support in the wallet server requires either Heimdal::Kadm5 for Heimdal (available from CPAN) or the MIT Kerberos kadmin client, and a keytab with appropriate access to the KDC. Unchanging flag support on keytab objects with MIT Kerberos requires the Net::Remctl Perl module (available as part of the remctl package), remctld running on a KDC, the included keytab-backend script installed on the KDC, and an MIT Kerberos kadmin.local program that supports the -norandkey option to ktadd. This option is included in MIT Kerberos 1.7 and later. Heimdal doesn't require any special support for the unchanging flag.
To support the NetDB ACL verifier (only of interest at sites using NetDB to manage DNS), the Net::Remctl Perl module must be installed on the server.
Running the full test suite requires all of the above software, Perl 5.8 or later, the Test::More, Test::Pod, and IO::String Perl modules, kinit, kvno or kgetcred, and remctld, as well as appropriate keytabs and srvtabs to make changes in a test Kerberos realm and AFS kaserver. The test suite tries to selectively disable itself if all of the prerequisites are not available and still test what is available.
To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or later. For bootstrap or if you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.64 or later.
The distribution: wallet 0.12, released 2010-08-26 (tarball and PGP signature available).
An archive of older releases is also available.
wallet is maintained using the Git version control system. To check out the current development tree, clone:
git://git.eyrie.org/kerberos/wallet.git
You can also browse the current development source.
The wallet package as a whole is covered under the following license:
Copyright 2006, 2007, 2008, 2009, 2010 Board of Trustees, Leland Stanford Jr. University. All rights reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the wallet source distribution.