RAD Functionality

RAD provides the following main functionalities:

- Management and Configuration
  - Two SMF services: svc:/system/rad:local and svc:/system/rad:remote
  - Structured and browsable namespace.
  - Inspectable, typed, and versioned interfaces.
  - Asynchronous event sources.
  - XML-based interactive data language (IDL) abstract data representation (ADR) that supports formal definitions of APIs. The IDL compiler radadrgen generates client language bindings.
- Security
  - Full PAM conversation support including use of pam_setcred(3PAM) to set the audit context.
  - Authentication by using GSSAPI in deployments where Kerberos is configured.
  - Implicit authentication by using getpeerucred(3C) when possible.
  - Non-local network connectivity is not available by default. RAD is preconfigured to use TLS.
  - Most operations are automatically delegated to lesser-privileged processes.
  - Defines two authorizations and two rights profiles to provide fine-grained separation of powers for managing and configuring the RAD SMF services.
    - RAD authorizations
      - solaris.smf.manage.rad – Grants the authorization to enable, disable, or restart the RAD SMF services.
      - solaris.smf.value.rad – Grants the authorization to change RAD SMF property values.
    - RAD rights profiles
      - RAD Management – Includes the solaris.smf.manage.rad authorization.
      - RAD Configuration – Includes the solaris.smf.value.rad authorization.
  - Generates AUE_rad_login, AUE_logout, AUE_role_login, AUE_role_logout, and AUE_passwd audit events.
  - Customizes the process attributes for each RAD module to conform to the Principle of Least Privilege.
- Connectivity
  - Local access by using AF_UNIX sockets.
  - Remote access by using TCP sockets.
  - Secure remote access by using TLS sockets.
  - Captive execution with access through a pipe.
  - Connection points are completely configurable at the command line or by using SMF.
- Client support
  - Java language binding provides access to all defined server interfaces.
  - Python language binding provides access to all defined server interfaces.
  - C language binding provides access to all defined server interfaces.
- Extension
  - A public native C module interface supports addition of third-party content.
  - radadrgen can generate server-side type definitions and stubs from IDL input.
  - A native execution system can automatically run modules with the authenticated user's privilege and audit context, simplifying authentication and auditing.
  - Private module interfaces enable the defining of new transports.
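The separation between the two RAD authorizations listed under Security can be checked by reviewing who holds each one. The following is an added example, not part of the original documentation or of RAD itself: it reads user_attr(5)-style entries and reports which accounts can manage RAD, configure RAD, or both. Assumptions: the sample entries and account names are constructed, and only direct assignments in the entry are examined (nested profiles in prof_attr, roles, policy.conf defaults and naming services are not resolved).

```python
# Constructed user_attr(5)-style sample; all accounts are hypothetical.
SAMPLE_USER_ATTR = """\
# user:qualifier:res1:res2:attr
root::::type=role;auths=solaris.*;profiles=All
alice::::type=normal;profiles=RAD Management
bob::::type=normal;auths=solaris.smf.value.rad
carol::::type=normal;profiles=RAD Management,RAD Configuration
dave::::type=normal;auths=solaris.smf.*
erin::::type=normal;profiles=Basic Solaris User
"""

# Profile contents exactly as stated on this page.
RAD_PROFILES = {
    "RAD Management": "solaris.smf.manage.rad",
    "RAD Configuration": "solaris.smf.value.rad",
}
RAD_AUTHS = ("solaris.smf.manage.rad", "solaris.smf.value.rad")


def grants(held, wanted):
    """True if a held authorization covers `wanted`; a trailing '*' is a wildcard."""
    if held.endswith("*"):
        return wanted.startswith(held[:-1])
    return held == wanted


def rad_access(user_attr_text):
    """Map each account to the sorted RAD authorizations its entry grants."""
    report = {}
    for line in user_attr_text.splitlines():
        line = line.strip()
        fields = line.split(":", 4)
        if not line or line.startswith("#") or len(fields) != 5:
            continue  # skip blanks, comments and malformed entries
        user, attr = fields[0], fields[4]
        kv = dict(p.split("=", 1) for p in attr.split(";") if "=" in p)
        held = [a.strip() for a in kv.get("auths", "").split(",") if a.strip()]
        for prof in kv.get("profiles", "").split(","):
            if prof.strip() in RAD_PROFILES:
                held.append(RAD_PROFILES[prof.strip()])
        got = sorted(w for w in RAD_AUTHS if any(grants(h, w) for h in held))
        if got:
            report[user] = got
    return report


def holds_both(report):
    """Accounts that can both manage and configure RAD (no separation of powers)."""
    return sorted(u for u, got in report.items() if len(got) == len(RAD_AUTHS))
```

Accounts returned by holds_both() are the ones to review first, including those that reach both authorizations only through a wildcard such as solaris.smf.*.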