[5416] in Kerberos

Re: replacement for kprop?

daemon@ATHENA.MIT.EDU (Barry Jaspan)
Fri Jun 23 11:48:35 1995

Date: Fri, 23 Jun 1995 11:35:42 -0400
From: "Barry Jaspan" <bjaspan@cam.ov.com>
To: gwz@geek.ocsg.com
Cc: kerberos@MIT.EDU
In-Reply-To: [5414]


   !!!COMMERCIAL COMMERCIAL!!!
   CyberSAFE Challenger (aka K5) has incremental database propagation
   built in to the current beta.  In the next _real_ release, it will
   do away with master/slave KDCs in favor of true peer-to-peer
   database updates.
   !!!END COMMERCIAL!!!

Fascinating.  The next release of OpenV*Secure, OpenVision's Kerberos
5-based security product, will also have incremental database
propagation.  Furthermore, the major product revision of Secure
currently underway will switch to using real database technology.

You'd almost think we were competing in the same market.  :-)

So as to make this a not entirely commercial message to a
non-commercial list, I'll mention one of the ways that incremental
database propagation could be added to the MIT release without too
much pain.  If you modify the lowest-level database write routines
(krb5_db_put_principal and krb5_db_delete_principal, I believe) to
maintain a "transaction log" for the kdb, you can then propagate just
those log entries to each slave server---just make sure that your
admin server uses those functions to make all of its changes.  Of
course, you also have to worry about keeping a database version number
and maintaining state on the current version of each slave in case a
slave is down when a propagation occurs.  But it is not really that
hard a problem.

If anyone wants to implement it, I'm sure MIT would be delighted to
accept incremental propagation patches for inclusion in its
distribution. :-)

Barry Jaspan, bjaspan@cam.ov.com
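
The scheme outlined in the message above, as an added sketch that is not part of the original post and is not MIT, OpenVision or CyberSAFE code. The class and method names (Master, Replica, propagate) are hypothetical, the database is an in-memory dict, and the replica-side check that refuses out-of-order or replayed log entries is an assumption added here.

```python
class Master:
    def __init__(self):
        self.db = {}               # principal name -> opaque key material
        self.version = 0           # database version: serial of the last logged change
        self.log = []              # transaction log: (serial, op, principal, value)
        self.replica_version = {}  # master's record of each replica's version

    # Every change goes through these two write routines, so nothing bypasses the log.
    def put_principal(self, name, value):
        self.db[name] = value
        self._append("put", name, value)

    def delete_principal(self, name):
        if self.db.pop(name, None) is not None:
            self._append("delete", name, None)

    def _append(self, op, name, value):
        self.version += 1
        self.log.append((self.version, op, name, value))

    def propagate(self, replica):
        """Send only the log entries this replica has not applied; return how many."""
        if not replica.up:
            return 0  # recorded version is unchanged, so a later run catches it up
        have = self.replica_version.get(replica.name, 0)
        pending = [entry for entry in self.log if entry[0] > have]
        for entry in pending:
            replica.apply(entry)
        self.replica_version[replica.name] = replica.version
        return len(pending)


class Replica:
    def __init__(self, name):
        self.name, self.db, self.version, self.up = name, {}, 0, True

    def apply(self, entry):
        serial, op, name, value = entry
        # Accept only the next serial: a gap means lost updates, a lower one a replay.
        if serial != self.version + 1:
            raise ValueError("have version %d, got entry %d" % (self.version, serial))
        if op == "put":
            self.db[name] = value
        else:
            self.db.pop(name, None)
        self.version = serial
```

A real deployment would also need to trim the log and fall back to a full dump for a replica whose version is older than the oldest retained entry; that case is left out here.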
