[Authentication] Refactoring the realmd DBus interface

Stef Walter stefw at gnome.org
Tue Aug 14 07:35:01 PDT 2012


Stephen did a quick review of the realmd DBus interface yesterday.
Thanks Stephen!

One of the main things he pointed out was that the realmd interface
needed to be more extensible in order to be useful for non-Kerberos
realms in the future, like LDAP or others.


Notes about some of the changes:

INTERFACE: org.freedesktop.realmd.Realm

 * http://people.freedesktop.org/~stefw/docs/realmd-dbus-refactor/gdbus-org.freedesktop.realmd.Realm.html

 * A new generic interface for realms which contains generic
   properties and methods relevant to any kind of realm (Kerberos
   or not).

 * It has a Configured property. If this property is blank, then
   the realm is not configured (for example, it has just been
   discovered). Otherwise it contains the string of the interface
   that was used to configure (i.e. enroll, join) the realm.

   An example of such an interface is
   o.f.r.KerberosMembership, see below.

 * A realm has a generic displayable Name property.

 * A realm has a SupportedInterfaces property, which lists all the
   other interfaces that the realm supports. These include interfaces
   which are relevant to getting more information about the realm
   such as o.f.r.Kerberos and also interfaces that
   are relevant to configuring the realm such as
   o.f.r.KerberosMembership.

   It is possible to also get a list of SupportedInterfaces through
   standard DBus introspection. The SupportedInterfaces property
   just makes things easier for some callers.

 * Details, LoginFormats, LoginPolicy and PermittedLogins are properties
   on the new generic o.f.r.Realm interface and behave the same
   way they did on the old o.f.r.Kerberos interface. Ditto for
   ChangeLoginPolicy().

 * The new Deconfigure() method allows deconfiguring a realm in a
   generic way. It is not possible to configure a realm in a generic
   way as this requires input of information, but it should be possible
   to deconfigure a realm without realm or method specific info like
   credentials.

   The realm specific configuration interfaces still contain more
   fine grained methods for deconfiguring a realm, such as:
   o.f.r.KerberosMembership.Leave(). And these do require realm
   specific input, such as credentials.

INTERFACE: org.freedesktop.realmd.Kerberos

 * http://people.freedesktop.org/~stefw/docs/realmd-dbus-refactor/gdbus-org.freedesktop.realmd.Kerberos.html

 * This used to be the main realm interface, but most of the
   functionality is now elsewhere. It now only contains a few
   extra properties to do with Kerberos realms.

 * Renamed the 'Domain' property to 'DomainName' so it's clearer.
   Ditto for 'RealmName'.

 * This interface is always implemented on a DBus object that also
   implements o.f.r.Realm. It is an extra one of the
   'SupportedInterfaces'.

INTERFACE: org.freedesktop.realmd.KerberosMembership

 * http://people.freedesktop.org/~stefw/docs/realmd-dbus-refactor/gdbus-org.freedesktop.realmd.KerberosMembership.html

 * This is a new interface that exposes functionality to configure
   a Kerberos realm by having the machine become a member of that
   realm.

 * The Join() and Leave() methods are the same as the Enroll() and
   Unenroll() methods of the old o.f.r.Kerberos interface.


OTHER CHANGES

 * Documented which PolicyKit authorizations are required for the
   various realmd methods.

The interface documentation for this refactor is currently here
until it gets merged:

http://people.freedesktop.org/~stefw/docs/realmd-dbus-refactor/index.html

I've done an initial untested port of realmd to this new interface,
which is found here:
http://cgit.freedesktop.org/realmd/realmd/log/?h=wip/dbus-refactor

Stephen, if I missed anything you pointed out, please give me a heads up :)

Cheers,

Stef
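
Added example (not part of the mail above and not realmd code): a
client-side reading of the generic o.f.r.Realm properties, cross-checking
Configured and SupportedInterfaces against standard DBus introspection
data. The XML and property values are constructed samples, the property
types are assumed, and introspected_interfaces() and realm_state() are
hypothetical helper names.

```python
import xml.etree.ElementTree as ET

PREFIX = "org.freedesktop.realmd."
REALM = PREFIX + "Realm"

# Constructed sample of an Introspect() reply for one realm object.
# Member lists are abbreviated and the property types are assumed.
SAMPLE_XML = """
<node>
  <interface name="org.freedesktop.DBus.Properties"/>
  <interface name="org.freedesktop.realmd.Realm">
    <property name="Name" type="s" access="read"/>
    <property name="Configured" type="s" access="read"/>
    <property name="SupportedInterfaces" type="as" access="read"/>
    <method name="Deconfigure"/>
  </interface>
  <interface name="org.freedesktop.realmd.Kerberos"/>
  <interface name="org.freedesktop.realmd.KerberosMembership">
    <method name="Join"/>
    <method name="Leave"/>
  </interface>
</node>
"""

def introspected_interfaces(xml_text):
    """realmd interfaces on the object, other than the generic Realm one."""
    root = ET.fromstring(xml_text)
    names = {i.get("name", "") for i in root.findall("interface")}
    return {n for n in names if n.startswith(PREFIX) and n != REALM}

def realm_state(props, xml_text):
    """Interpret the generic Realm properties and cross-check them."""
    present = introspected_interfaces(xml_text)
    supported = set(props.get("SupportedInterfaces", []))
    configured_by = props.get("Configured", "")  # blank means not configured
    problems = []
    if supported != present:
        problems.append("SupportedInterfaces differs from introspection: %s"
                        % sorted(supported ^ present))
    # Only use the interface named by Configured if the object exposes it.
    if configured_by and configured_by not in present:
        problems.append("Configured names a missing interface: %s"
                        % configured_by)
    return {"name": props.get("Name", ""),
            "configured": bool(configured_by),
            "configured_by": configured_by or None,
            "problems": problems}
```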

