730 Commits

Author SHA1 Message Date
Peter Hamilton 91274e2557 Update the documentation to cover auth and access control changes
This change updates the server and FAQ documentation, fully
describing the changes made to the server authentication and
access control systems. Specifically, the new third-party auth
plugin system is described, along with the new group-based
operation policy structure and policy file active monitoring.

Information on running the integration and functional tests testing
these changes is included.

The FAQ is updated to point to these changes in the server docs.
The original relevant FAQ content has been removed.
2018-06-05 09:57:06 -04:00
Peter Hamilton fcae8a5048
Merge pull request #440 from OpenKMIP/feat/bump-version
Update the PyKMIP library version to 0.9.dev0
2018-05-18 11:35:56 -04:00
Peter Hamilton 829df239fc
Merge pull request #439 from OpenKMIP/release-0.8.0
PyKMIP - Release 0.8.0
2018-05-18 10:00:05 -04:00
Peter Hamilton a1985dfdef Update the PyKMIP library version to 0.9.dev0
This change updates the library version to the next dev version,
updating the changelog to reflect this change.
2018-05-17 19:23:34 -04:00
Peter Hamilton 74d24ff072 PyKMIP - Release 0.8.0
This update includes new operations and features for the client
and server, in addition to other minor updates and bug fixes:

* Add Sphinx-based client and server library documentation
* Add server support for third-party authentication systems
* Add client support for the Check operation
* Add client support for the Rekey operation
* Add client support for attestation credentials
* Add functional tests for server auth. and access control
* Add payloads for the Archive and Cancel operations
* Add payloads for the GetUsageAllocation and Poll operations
* Add payloads for the ObtainLease and Recover operations
* Update the server to support group-based operation policies
* Update the server to support live loading of policy files
* Update the server to support custom database file paths
* Update the server to raise PermissionDenied on violations
* Update the client to support custom configuration file paths
* Update the ProxyKmipClient to support Registering names
* Update the ProxyKmipClient to set usage masks for Derived keys
* Update the README to reference the new documentation
* Update the Travis CI config to test building the docs
* Update the Travis CI config to run integration tests
* Remove support for Python 3.3
* Fix a DOS bug by setting the server socket timeout
* Fix a ProxyKmipClient bug with cryptographic parameter handling
* Fix a ProxyKmipClient bug with usage mask processing
2018-05-17 16:57:38 -04:00
Peter Hamilton b878dbfdf9
Merge pull request #438 from OpenKMIP/feat/update-access-denied-error
Raise PermissionDenied on access control violations
2018-05-17 15:55:16 -04:00
Peter Hamilton 944186b1ca
Merge pull request #437 from OpenKMIP/feat/use-preset-over-default
Rename the 'default' policy section to 'preset'
2018-05-17 15:32:25 -04:00
Peter Hamilton 8b99c74d0b Raise PermissionDenied on access control violations
This change changes the error the server uses when access control
violations occur, specifically swapping from the more agnostic
ItemNotFound to the more explicit PermissionDenied. This change
better conforms with the expected behavior of a KMIP server.
2018-05-17 14:23:07 -04:00
Peter Hamilton b0bd77e0d9
Merge pull request #436 from OpenKMIP/feat/improve-attribute-error-msg
Add a better error message when reading unparseable attributes
2018-05-17 14:13:34 -04:00
Peter Hamilton 008f86cfa9 Rename the 'default' policy section to 'preset'
This change tweaks the format of operation policy files, renaming
the 'default' section of each policy to 'preset'. This reinforces
the idea that this section of the policy is used only when group-
based access control is disabled. It also removes any ambiguity
between this section of the policy and the actual 'default'
policy built into the server.
2018-05-17 13:55:50 -04:00
Peter Hamilton a9afd44a91 Add a better error message when reading unparseable attributes
This change adds a basic error message that gets raised when
attempting to read an unparseable attribute (i.e., an attribute
that is not supported by the library).

Fixes #429
2018-05-17 13:28:11 -04:00
Peter Hamilton c3319afd67
Merge pull request #434 from OpenKMIP/feat/add-auth-integration-tests
Add functional tests for server auth and access control
2018-05-10 13:59:13 -04:00
Peter Hamilton b5e7323845 Add functional tests for server auth and access control
This change adds a new integration test suite, named 'functional',
that is specifically intended to test third-party authentication
and group-based access control with the PyKMIP server. A new tox
environment is added to handle running these tests separately from
the existing 'integration' test suite. New Travis CI configuration
and setup files have also been added to facilitate running these
tests automatically.
2018-05-09 01:21:03 -04:00
Peter Hamilton 2dacdf7bd4
Merge pull request #431 from OpenKMIP/bug/fix-cert-script
Fix bug with writing bytes in the certificate script
2018-04-24 23:10:33 -04:00
Peter Hamilton 06c960236b
Merge pull request #432 from OpenKMIP/bug/fix-server-timeout
Fix a denial-of-service bug by setting the server socket timeout
2018-04-24 23:10:12 -04:00
Peter Hamilton 3a7b880bdf Fix a denial-of-service bug by setting the server socket timeout
This change fixes a potential denial-of-service bug with the
server, setting a default timeout for all server sockets. This
allows the server to drop hung connections without blocking
forever. The interrupt triggered during accept calls is expected
and is now handled appropriately. Server unit tests have been
updated to reflect this change.

Closes #430
2018-04-24 21:57:20 -04:00
Peter Hamilton 641f6867f8 Fix bug with writing bytes in the certificate script
This change fixes a bug in the bin/create_certificates script,
enabling binary writing when creating the certificate and key
files.
2018-04-24 21:33:39 -04:00
Peter Hamilton 1f172ee08d
Merge pull request #427 from OpenKMIP/feat/add-client-config-file
Add client support for custom configuration file paths
2018-04-17 16:03:20 -04:00
Peter Hamilton f9e32552f8 Add client support for custom configuration file paths
This change adds client support for setting custom configuration
file paths, allowing users and developers to place their settings
file wherever they want. All client demo scripts have been updated
to support a '-s' flag that can be used to set the configuration
file for the demo. Client unit tests have also been updated to
include this change.
2018-04-17 14:41:04 -04:00
Peter Hamilton 583559195f
Merge pull request #426 from OpenKMIP/feat/add-check-to-factory
Add Check support to the payload factories
2018-04-17 09:05:44 -04:00
Peter Hamilton 664c9964c8 Add Check support to the payload factories
This change adds Check payload support to the payload factories.
Payload factory unit tests have been updated to account for the
change.
2018-04-17 00:32:20 -04:00
Peter Hamilton 72280f8ddc
Merge pull request #425 from OpenKMIP/feat/add-rekey-to-factory
Add Rekey support to the payload factories
2018-04-17 00:25:35 -04:00
Peter Hamilton ea7da73b4f
Merge pull request #423 from OpenKMIP/feat/add-db-file-config
Add server support for customizing the backend storage file
2018-04-16 14:58:43 -04:00
Peter Hamilton 2e6384a067 Add server support for customizing the backend storage file
This change updates the server, adding in support for customizing
the backend storage file used to store all server data. The server
currently uses a simple SQLite database for storage. Prior versions
of the server kept this database file in /tmp, to emphasize the
testing focus of the server. This change loosens that restriction,
now allowing users to customize where the database file lives. A
new configuration option, 'database_path', has been added that will
override the default /tmp location for the database file. This
value can also be passed in if invoking the server via script using
the '-d' flag.
2018-04-16 14:14:10 -04:00
Peter Hamilton f1ccdf9c5a
Merge pull request #422 from OpenKMIP/feat/add-rekey-pie
Add Rekey support to the ProxyKmipClient
2018-04-16 13:32:50 -04:00
Peter Hamilton cf0ec6c429 Add Rekey support to the payload factories
This change adds Rekey payload support to the payload factories.
Payload factory unit tests have been updated to account for the
change.

Fixes #424
2018-04-15 23:38:37 -04:00
Peter Hamilton 5b5607a8c7 Add Rekey support to the ProxyKmipClient
This change adds Rekey operation support to the ProxyKmipClient.
The client unit test suite has been updated to cover the new code.

Closes #405
2018-04-15 23:26:13 -04:00
Peter Hamilton be436ba519
Merge pull request #421 from OpenKMIP/feat/add-rekey-client
Add Rekey support to the KMIPProxy client
2018-04-15 22:41:31 -04:00
Peter Hamilton 66929198c3 Add Rekey support to the KMIPProxy client
This change adds Rekey operation support to the KMIPProxy client.
The client unit test suite has been updated to cover the new
additions.

Partially addresses #405
2018-04-15 16:45:53 -04:00
Peter Hamilton a604ae17b3
Merge pull request #420 from OpenKMIP/feat/add-rekey-payloads
Add the request and response payloads for the Rekey operation
2018-04-13 16:04:15 -04:00
Peter Hamilton 9be760a0a1
Merge pull request #416 from OpenKMIP/feat/add-policy-file-monitoring
Integrate policy file monitoring with the server
2018-04-13 09:34:32 -04:00
Peter Hamilton 412b452adf Add the request and response payloads for the Rekey operation
This change adds the request/response payloads for the Rekey
operation. Unit tests are included to cover the new payloads. The
payloads package is also updated to allow direct import of the
Rekey payloads going forward.

Partially addresses #405
2018-04-12 22:34:58 -04:00
Peter Hamilton 33d1aabf76
Merge pull request #419 from OpenKMIP/bug/fix-create-key-pair-masks
Fix cryptographic usage mask handling for CreateKeyPair
2018-04-11 22:17:00 -04:00
Peter Hamilton 8260da0905
Merge pull request #418 from OpenKMIP/bug/derive-key-usage-masks
Add cryptographic usage mask support for DeriveKey
2018-04-11 22:16:14 -04:00
Peter Hamilton 950e98569e Fix cryptographic usage mask handling for CreateKeyPair
This change fixes how the ProxyKmipClient handles cryptographic
usage mask values for the CreateKeyPair operation. Originally,
both Encrypt and Decrypt were set by default for both public and
private keys. This is incorrect behavior for certain algorithms.
Now, only the masks specified by the caller are set on the key
pair.

Fixes #412
2018-04-11 21:51:32 -04:00
Peter Hamilton 25f6cc9e5c Add cryptographic usage mask support for DeriveKey
This change updates the ProxyKmipClient support for the DeriveKey
operation, now allowing the caller to specify a list of
CryptographicUsageMask enumerations to set on the newly derived
key.

Fixes #417
2018-04-11 20:44:20 -04:00
Peter Hamilton 05b5b8411a Integrate policy file monitoring with the server
This change updates the server, integrating policy file monitoring
and restructuring the engine. The top-level server entity now
handles loading policy files using the PolicyDirectoryMonitor
subprocess. A shared memory dictionary is used to share newly
modified policy data across the session threads managed by the
server and used by the engine. The legacy policy loading code in
the engine has been removed.

Unit tests have been added and modified for both the server and
engine to verify the functionality of these modifications.
2018-04-11 13:42:44 -04:00
Peter Hamilton 3c59dcf61a
Merge pull request #415 from OpenKMIP/feat/add-policy-file-monitor
Add a policy directory monitor
2018-04-10 16:29:23 -04:00
Peter Hamilton 055483d663 Add a policy directory monitor
This change adds a PolicyDirectoryMonitor subprocess that can be
used by the server to continuously monitor and load operation
policies from the configured operation policy directory. The
monitor tracks policy file modifications, file creation, and file
deletion, restoring legacy policies from existing policy files
should the current file backing a policy get deleted. Changes to
existing policies are detected and updated as soon as the backing
policy file is saved to disk.

An extensive unit test is included to exercise the different
operating conditions the monitor may encounter.
2018-04-10 14:32:27 -04:00
Peter Hamilton 6122579844
Merge pull request #414 from OpenKMIP/feat/add-check-pie
Add Check support to the ProxyKmipClient
2018-04-06 20:15:42 -04:00
Peter Hamilton 804a59d75d Add Check support to the ProxyKmipClient
This change adds Check operation support to the ProxyKmipClient.
The client unit test suite has been updated to cover the new code.

Partially addresses #405
2018-04-06 19:47:10 -04:00
Peter Hamilton 54efe7b3db
Merge pull request #413 from OpenKMIP/feat/add-check-client
Add Check support to the KMIPProxy client
2018-04-06 19:42:29 -04:00
Peter Hamilton 822b889f2e Add Check support to the KMIPProxy client
This change adds Check operation support to the KMIPProxy client.
The client unit test suite has been updated to cover the new
additions.

Partially addresses #405
2018-04-06 00:02:36 -04:00
Peter Hamilton fdfbba8a0e
Merge pull request #411 from OpenKMIP/bug/fix-client-crypto-params
Fix a client bug for cryptographic parameter handling
2018-04-02 13:47:27 -04:00
Peter Hamilton 74f20428f6 Fix a client bug for cryptographic parameter handling
This change fixes a bug with the ProxyKmipClient handling of
cryptographic parameters, specifically handling the case where
no cryptographic parameters are provided for an operation method
call. When no parameters are specified, None is now correctly
propagated through to request handling. A client unit test has
been added to cover this fix.

Fixes #406
2018-04-02 13:03:02 -04:00
Peter Hamilton fdafbfd904
Merge pull request #410 from OpenKMIP/feat/add-operation-policy-name-demo
Add operation policy name to demo scripts
2018-04-02 12:49:34 -04:00
Peter Hamilton a75f0e3666 Add operation policy name to demo scripts
This change adds the ability to set the operation policy name
attribute to object creation demo scripts, including demos for
the Create, CreateKeyPair, and Register operations.
2018-04-02 11:13:53 -04:00
Peter Hamilton b963f7094e
Merge pull request #409 from OpenKMIP/feat/add-certs-script
Add a certificate creation script
2018-04-02 11:09:19 -04:00
Peter Hamilton 0c8f39e069 Add a certificate creation script
This change adds a certificate creation script to the library bin,
allowing for easy creation of root CA, server, and various client
certificates. The resulting certificates can be used for testing
and the script itself can be adapted to generate any certificates
needed by users or PyKMIP deployers.
2018-04-02 10:13:29 -04:00
Peter Hamilton 6bda8ec999
Merge pull request #407 from OpenKMIP/feat/update-session-auth
Update the server session to use the auth plugin framework
2018-03-30 09:38:58 -04:00