kinit_if_necessary

src/runtime/security/init.cpp

@@ -28,6 +28,7 @@ namespace dsn {
 namespace security {
 DSN_DECLARE_string(krb5_config);
 DSN_DECLARE_string(krb5_keytab);
+DSN_DECLARE_bool(is_kinit_performed);
 
 /***
  * set kerberos envs(for more details:
@@ -43,6 +44,12 @@ void set_krb5_env(bool is_server)
 
 error_s init_kerberos(bool is_server)
 {
+    // If kinit has been executed outside the program, then directly obtain the principal
+    // information of the unix account for permission verification.
+    if (FLAGS_is_kinit_performed) {
+        return run_get_current_unix_account_principal();
+    }
+
     // set kerberos env
     set_krb5_env(is_server);
 

src/runtime/security/kinit_context.cpp

@@ -61,6 +61,10 @@ DSN_DEFINE_string(security, krb5_config, "", "absolute path of krb5_config file"
 DSN_DEFINE_string(security, krb5_principal, "", "kerberos principal");
 DSN_DEFINE_string(security, service_fqdn, "", "the fully qualified domain name of the server");
 DSN_DEFINE_string(security, service_name, "", "service name");
+DSN_DEFINE_bool(security,
+                is_kinit_performed,
+                false,
+                "whether kinit has been executed outside program");
 
 // Attention: we can't do these check work by `DSN_DEFINE_validator`, because somebody may don't
 // want to use security, so these configuration may not setted. In this situation, these checks
@@ -93,6 +97,7 @@ class kinit_context : public utils::singleton<kinit_context>
 public:
     // implementation of 'kinit -k -t <keytab_file> <principal>'
     error_s kinit();
+    error_s get_current_unix_account_principal();
     const std::string &username() const { return _user_name; }
 
 private:
@@ -174,6 +179,26 @@ error_s kinit_context::kinit()
     return error_s::ok();
 }
 
+// obtain _principal info under the current unix account for permission verification.
+error_s kinit_context::get_current_unix_account_principal()
+{
+    // get krb5_ctx
+    init_krb5_ctx();
+
+    // acquire credential cache handle
+    KRB5_RETURN_NOT_OK(krb5_cc_default(_krb5_context, &_ccache),
+                       "couldn't acquire credential cache handle");
+
+    // get '_principal' from '_ccache'
+    KRB5_RETURN_NOT_OK(krb5_cc_get_principal(_krb5_context, _ccache, &_principal),
+                       "get principal from cache failed");
+
+    // get '_user_name' from '_principal'
+    RETURN_NOT_OK(parse_username_from_principal());
+
+    return error_s::ok();
+}
+
 void kinit_context::init_krb5_ctx()
 {
     static std::once_flag once;
@@ -333,6 +358,11 @@ error_s kinit_context::wrap_krb5_err(krb5_error_code krb5_err, const std::string
 
 error_s run_kinit() { return kinit_context::instance().kinit(); }
 
+error_s run_get_current_unix_account_principal()
+{
+    return kinit_context::instance().get_current_unix_account_principal();
+}
+
 const std::string &get_username() { return kinit_context::instance().username(); }
 } // namespace security
 } // namespace dsn

src/runtime/security/kinit_context.h

@@ -24,6 +24,7 @@
 namespace dsn {
 namespace security {
 extern error_s run_kinit();
+extern error_s run_get_current_unix_account_principal();
 extern const std::string &get_username();
 } // namespace security
 } // namespace dsn