I'm pleased to announce release 0.4 of wallet. This still isn't ready for
production use, but now can be considered beta code.

The wallet is a system for managing secure data, authorization rules to
retrieve or change that data, and audit rules for documenting actions
taken on that data. Objects of various types may be stored in the wallet
or generated on request and retrieved by authorized users. The wallet
tracks ACLs, metadata, and trace information. It is built on top of the
remctl protocol and uses Kerberos GSS-API authentication. One of the
object types it supports is Kerberos keytabs, making it suitable as a
user-accessible front-end to Kerberos kadmind with richer ACL and metadata
operations.

Changes from previous release:

Maintain a global cache of ACL verifiers in Wallet::ACL and reuse them
over the life of the process if we see another ACL line from the same
scheme, rather than only reusing ACL verifiers within a single ACL.

Add a subclass of the NetDB ACL verifier that requires the principal
have an instance of "root" and strips that instance before checking
NetDB roles.

Determine the class for object and ACL schema implementations from the
database rather than a hard-coded list and provide Wallet::Schema
methods for adding new class mappings.

Add a missing class mapping for the netdb ACL schema verifier.

Various coding style fixes and cleanup based on a much-appreciated
code audit by Simon Cozens. I didn't take all of his advise, and he
shouldn't be blamed for any remaining issues.

You can download it from:



Please let me know of any problems or feature requests not already listed
in the TODO file.

--
Russ Allbery (rra@stanford.edu)