Prometheus: multiple identities
Prometheus was designed to support the management of multiple identities for users, e.g. in the KDC case somebody/admin, somebody/cron. The various parts need to be tied together to implement this. It should be possible to support:
- Creation of additional identities for any entity
- Creation of account objects (e.g. AFS pts) for identities
- Users creating additional identities (of form 'user/something' themselves)
- Distribution of keytabs
Multiple identities give a way of separating a user's privileges. They also allow authenticated access to resources to be automated (e.g. an identity with an AFS account and a keytab allows authenticated file system access to be scripted without a human entering a password).
This work has already been started, as part of prometheus development. This project ties all the loose ends together.
Adding multiple identities support to prometheus involves the following work:
- Ensure multiple identity and account objects are supported as planned in prometheus
- Add support to AFS PTS conduit to create new accounts (with uid automatically allocated from range)
- Add support to command-line 'theogony' tool to allow sysadmins to create identities and accounts
- Add support to prometheus remctl interface for identity/account creation
- Adapt password setting CGI or write a new one to use remctl interface for users to manage identities (create, set password)
- Configure wallet to support distribution of keytabs for additional identities
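The two work items with the most security weight are the self-service identity creation (a user may only ever create identities of the form 'user/something' under their own name, and must not be able to mint a privileged instance such as user/admin) and the uid allocation in the PTS conduit (allocated from a fixed range, never reused while in use). The following Python is an added illustration written for this page, not code from prometheus, theogony or the remctl interface; the realm, uid range, instance-name rule and the set of privileged instances are assumptions chosen for the example.

```python
import re

# Constructed configuration for the example (assumed values, not prometheus's own).
REALM = "EXAMPLE.ORG"
UID_RANGE = (20000, 20005)                 # inclusive bounds, deliberately small
INSTANCE_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,31}$")
PRIVILEGED_INSTANCES = {"admin", "root"}   # assumed: only sysadmins may create these


def split_principal(principal):
    """Split 'user/instance@REALM' into (user, instance, realm); instance may be None."""
    name, sep, realm = principal.partition("@")
    if not sep or not realm:
        raise ValueError("principal must carry a realm: %r" % principal)
    parts = name.split("/")
    if len(parts) == 1 and parts[0]:
        return parts[0], None, realm
    if len(parts) == 2 and all(parts):
        return parts[0], parts[1], realm
    raise ValueError("malformed principal: %r" % principal)


def may_create_identity(authenticated, requested, is_sysadmin=False):
    """Authorization decision for the remctl 'create identity' call.

    'authenticated' is the principal the caller proved with Kerberos;
    'requested' is the new identity they ask for. Returns (allowed, reason).
    """
    auth_user, auth_inst, auth_realm = split_principal(authenticated)
    req_user, req_inst, req_realm = split_principal(requested)
    if req_realm != REALM or auth_realm != REALM:
        return False, "foreign realm"
    if req_inst is None:
        return False, "only instance identities may be created here"
    if not INSTANCE_RE.match(req_inst):
        return False, "instance name not permitted"
    if is_sysadmin:
        return True, "sysadmin"
    # Self-service rules: the caller must be the primary identity (not alice/cron
    # creating alice/backup), may only create under their own name, and may not
    # create a privileged instance.
    if auth_inst is not None:
        return False, "must authenticate as the primary identity"
    if req_user != auth_user:
        return False, "may only create identities under your own name"
    if req_inst in PRIVILEGED_INSTANCES:
        return False, "privileged instance requires a sysadmin"
    return True, "self-service"


def allocate_uid(used, uid_range=UID_RANGE):
    """Return the lowest free uid in the range; fail loudly when it is exhausted."""
    lo, hi = uid_range
    for uid in range(lo, hi + 1):
        if uid not in used:
            return uid
    raise RuntimeError("uid range %d-%d exhausted" % (lo, hi))


def create_account(identity, used_uids):
    """Allocate a uid and record it; the returned dict stands in for the pts entry."""
    uid = allocate_uid(used_uids)
    used_uids.add(uid)
    return {"identity": identity, "uid": uid}


if __name__ == "__main__":
    # Constructed sample: two uids already handed out, alice asks for alice/cron.
    used = {20000, 20001}
    ok, why = may_create_identity("alice@EXAMPLE.ORG", "alice/cron@EXAMPLE.ORG")
    print(ok, why)
    if ok:
        print(create_account("alice/cron@EXAMPLE.ORG", used))
    print(may_create_identity("alice@EXAMPLE.ORG", "alice/admin@EXAMPLE.ORG"))
```

The ordering of the checks matters: syntax and realm are validated before any policy decision, so a malformed request is rejected the same way whether or not the caller is a sysadmin, and the sysadmin shortcut never bypasses the instance-name rule. The uid allocator takes the set of uids already in use rather than a counter, so a restart or a crash between allocation and the pts write cannot hand out a uid twice.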
Dependencies:
Risks: