Don't cache active master key list in kadmind
authorGreg Hudson <ghudson@mit.edu>
Wed, 23 Oct 2013 22:56:20 +0000 (18:56 -0400)
committerGreg Hudson <ghudson@mit.edu>
Fri, 25 Oct 2013 15:36:11 +0000 (11:36 -0400)
"kdb5_util use_mkey" should not require a kadmind restart to take
effect.  At the cost of fetching the K/M principal once for each key
change operation, make kadmind use the current active master key list
for each operation.

ticket: 7685
target_version: 1.12
tags: pullup

src/lib/kadm5/server_internal.h
src/lib/kadm5/srv/server_kdb.c
src/lib/kadm5/srv/svr_principal.c

index 220e2b694f6de2b87c7da991337870ec39bfb765..e506e12ea7f17acf0f2265eae734ccd085db2c99 100644 (file)
@@ -78,6 +78,9 @@ kadm5_ret_t    passwd_check(kadm5_server_handle_t handle,
 kadm5_ret_t    principal_exists(krb5_principal principal);
 krb5_error_code     kdb_init_master(kadm5_server_handle_t handle,
                                     char *r, int from_keyboard);
+krb5_error_code     kdb_get_active_mkey(kadm5_server_handle_t handle,
+                                        krb5_kvno *act_kvno_out,
+                                        krb5_keyblock **act_mkey_out);
 krb5_error_code     kdb_init_hist(kadm5_server_handle_t handle,
                                   char *r);
 krb5_error_code     kdb_get_hist_key(kadm5_server_handle_t handle,
index 8a82237c34c7c064602fb68e59318d4754d585bd..20a8db7b450e225f3e2ffb7fffda4289f56e0ebc 100644 (file)
@@ -18,7 +18,6 @@
 
 krb5_principal      master_princ;
 krb5_keyblock       master_keyblock; /* local mkey */
-krb5_actkvno_node   *active_mkey_list = NULL;
 krb5_db_entry       master_db;
 
 krb5_principal      hist_princ;
@@ -73,12 +72,6 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
         return (ret);
     }
 
-    if ((ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
-                                           &active_mkey_list))) {
-        krb5_db_fini(handle->context);
-        return (ret);
-    }
-
 done:
     if (r == NULL)
         free(realm);
@@ -86,6 +79,24 @@ done:
     return(ret);
 }
 
+/* Fetch the currently active master key version number and keyblock. */
+krb5_error_code
+kdb_get_active_mkey(kadm5_server_handle_t handle, krb5_kvno *act_kvno_out,
+                    krb5_keyblock **act_mkey_out)
+{
+    krb5_error_code ret;
+    krb5_actkvno_node *active_mkey_list;
+
+    ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
+                                      &active_mkey_list);
+    if (ret)
+        return ret;
+    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list,
+                                 act_kvno_out, act_mkey_out);
+    krb5_dbe_free_actkvno_list(handle->context, active_mkey_list);
+    return ret;
+}
+
 /*
  * Function: kdb_init_hist
  *
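Review bot: The one-line comment above kdb_get_active_mkey leaves out the two things a caller needs to know: act_kvno_out may be NULL (the randkey, setv4key and setkey call sites in svr_principal.c pass NULL), and the actkvno list the key was looked up from is freed on the line before `return ret`, so the keyblock handed back in *act_mkey_out must be borrowed from storage that outlives this call and must not be freed by the caller. If I recall correctly, krb5_dbe_find_act_mkey returns a pointer into the master key list held by the context rather than into active_mkey_list, which is what makes the free safe — worth confirming and then stating, since a reader of this function alone would reasonably suspect a dangling pointer. I would extend the comment to: `/* Fetch the currently active master key version number and keyblock. act_kvno_out may be NULL. *act_mkey_out aliases the context's master key list and must not be freed by the caller. */`, and mirror the same wording on the new prototype in server_internal.h. A minor readability point: initializing `krb5_actkvno_node *active_mkey_list = NULL;` makes the early return on fetch failure obviously safe without having to check that the fetch never leaves it assigned.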
index d6035b0e31701834eb547bbcc9cb3bc8fb83a433..7681636a73dba1041226e29f9960bd33e7794be3 100644 (file)
@@ -25,7 +25,6 @@
 extern  krb5_principal      master_princ;
 extern  krb5_principal      hist_princ;
 extern  krb5_keyblock       master_keyblock;
-extern  krb5_actkvno_node  *active_mkey_list;
 extern  krb5_db_entry       master_db;
 
 static int decrypt_key_data(krb5_context context,
@@ -512,8 +511,7 @@ kadm5_create_principal_3(void *server_handle,
 
     /* initialize the keys */
 
-    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
-                                 &act_mkey);
+    ret = kdb_get_active_mkey(handle, &act_kvno, &act_mkey);
     if (ret)
         goto cleanup;
 
@@ -1431,8 +1429,7 @@ kadm5_chpass_principal_3(void *server_handle,
                             principal)))
         goto done;
 
-    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
-                                 &act_mkey);
+    ret = kdb_get_active_mkey(handle, &act_kvno, &act_mkey);
     if (ret)
         goto done;
 
@@ -1629,8 +1626,7 @@ kadm5_randkey_principal_3(void *server_handle,
         new_n_ks_tuple = 1;
     }
 
-    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
-                                 &act_mkey);
+    ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
     if (ret)
         goto done;
 
@@ -1779,8 +1775,7 @@ kadm5_setv4key_principal(void *server_handle,
     keysalt.data.length = 0;
     keysalt.data.data = NULL;
 
-    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
-                                 &act_mkey);
+    ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
     if (ret)
         goto done;
 
@@ -2027,8 +2022,7 @@ kadm5_setkey_principal_3(void *server_handle,
         }
         memset (&tmp_key_data, 0, sizeof(tmp_key_data));
 
-        ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
-                                     &act_mkey);
+        ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
         if (ret)
             goto done;
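Review bot: The replaced call `ret = kdb_get_active_mkey(handle, NULL, &act_mkey);` appears, from its indentation, to sit inside a loop over the supplied keys (the loop header and the rest of kadm5_setkey_principal_3 are outside the hunk), so the K/M principal is now fetched from the database once per key rather than once per key change operation as the commit message describes. Beyond the extra lookups, if the active master key list changes between iterations, keys of the same principal could end up encrypted under different master keys within a single operation. If that reading is right, hoist the call above the loop alongside the other per-operation setup and reuse act_mkey for every iteration, which is the single-fetch pattern the other four call sites in this file already follow.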