Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SecurityContext#delegated_creds should be a property with documentation #95

Closed
DirectXMan12 opened this issue Feb 23, 2016 · 4 comments
Closed

SecurityContext#delegated_creds should be a property with documentation #95

DirectXMan12 opened this issue Feb 23, 2016 · 4 comments
Assignees
@DirectXMan12
Labels
bug documentation
Milestone
1.2.0

Comments

@DirectXMan12
Copy link
Member

Currently, SecurityContext#delegated_creds is just a normal instance attribute of SecurityContext, which means that it can be accidentally overwritten, and it does not show up in the documentation. This should be fixed.
@DirectXMan12 DirectXMan12 added this to the 1.1.5 milestone Feb 23, 2016
@DirectXMan12 DirectXMan12 self-assigned this Feb 23, 2016
@simo5
Copy link
Contributor

simo5 commented Feb 24, 2016

I think it should be possible to drop the delegated credentials esp if we allow to pickle the whole security context and then restore it.
Someone may want to pass around a security context but not transfer any delegated credentials to a lower priviliged process as dellegated credentials may include a delegated tgt.

@DirectXMan12
Copy link
Member Author

Pickling the SecurityContext uses a special pickle process that doesn't actually pickle the object -- it just uses export_sec_context() (so the unpickling process just reconstitutes the SecurityContext using import_sec_context()).

@simo5
Copy link
Contributor

simo5 commented Feb 24, 2016

This means delegated credentials get lost in the process.
On the one hand I think this is more secure, OTOH it may come as a suprise to the user and should be carefully documented.

@DirectXMan12
Copy link
Member Author

Yeah. The only reason delegated creds are stored as a field is so that the "step" method can return only a token. It should definitely be documented, though

DirectXMan12 added a commit that referenced this issue Feb 25, 2016
@DirectXMan12
Expose SecurityContext#delegated_creds
b0023ca 
This commit exposes `SecurityContext#delegated_creds` as a documented
property.  Previously, it existed as a field, but was undocumented.

Fixes #95
@DirectXMan12 DirectXMan12 mentioned this issue Feb 25, 2016
Merged
@DirectXMan12 DirectXMan12 modified the milestones: 1.2.0, 1.1.5 Mar 1, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DirectXMan12 DirectXMan12

Labels
bug documentation
Projects
None yet
Milestone
1.2.0
Development

No branches or pull requests
2 participants
@DirectXMan12 @simo5