RBAC and Kerberos?

bart.w.jenkins bart.w.jenkins at saic.com
Wed Jun 2 14:11:52 EDT 2004

I would love to use MIT's Kerberos, but it looks as though it can NOT do
Role Based Access Control (RBAC) out of the box.  It seems that MIT's
Kerberos stores only principals and knows nothing about any roles those
principals might or might not have.  For any particular user, I would love
to be able to attach a list of roles that person plays.  For example, for
user Joe, I need to be able to say that principal Joe has roles: Admin,
Superuser or Manager or Supervisor, or Team1Leader etc.  Then, when Joe
authenticates to the KDC, if, besides the principal (what Java JAAS calls the
subject), it could also return a list of roles (JAAS principals), I could then
do RBAC.  Microsoft had to add some separate user-to-role database that is
consulted when users authenticate in their Active Directory realm.  I would
like to not have to do this.  Does anyone know of a Kerberos implementation
that does RBAC and, BTW, works with Sun's JAAS (Java security)?

I could just have user Kerberos principals and Role principals, but then
when someone logged in with a Role user id, I would not know who the
underlying user was.  It seems that adding some Role attributes to the kerb
principal would help a lot here.
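One way to get what the post asks for on the JAAS side, as an added example that is not part of the original message: a LoginModule stacked after Sun's Krb5LoginModule that attaches role principals to the Subject while keeping the KerberosPrincipal, so the application sees both the underlying user and the roles. The class names, the role table and the user joe@EXAMPLE.COM are assumptions made for the example; the table stands in for whatever store holds the user-to-role mapping.

```java
// Added example: a JAAS LoginModule that adds role Principals to a Subject
// already authenticated by Krb5LoginModule. ROLES is a constructed sample table.
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class KerberosRoleLoginModule implements LoginModule {
    /** A role held by the user, exposed to the application as a JAAS Principal. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    // Constructed mapping from Kerberos principal name to roles (assumed data).
    private static final Map<String, List<String>> ROLES = Map.of(
        "joe@EXAMPLE.COM", List.of("Admin", "Superuser", "Team1Leader"));
    private Subject subject;
    private final Set<Principal> added = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }
    // Authentication itself is done by Krb5LoginModule earlier in the stack.
    @Override public boolean login() throws LoginException { return true; }

    @Override
    public boolean commit() throws LoginException {
        // Only add roles for an identity the KDC actually authenticated.
        Set<KerberosPrincipal> kps = subject.getPrincipals(KerberosPrincipal.class);
        if (kps.isEmpty()) return false;
        for (KerberosPrincipal kp : kps)
            for (String role : ROLES.getOrDefault(kp.getName(), List.of()))
                added.add(new RolePrincipal(role));
        subject.getPrincipals().addAll(added);   // KerberosPrincipal stays alongside roles
        return true;
    }
    @Override public boolean abort() { added.clear(); return true; }
    @Override public boolean logout() {
        subject.getPrincipals().removeAll(added); added.clear(); return true;
    }
}
```

In the JAAS login configuration, list com.sun.security.auth.module.Krb5LoginModule first and this module second, both flagged required, so role principals are added only after the KDC has authenticated the user and the role lookup is keyed by the real Kerberos principal rather than a shared role login.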
