RBAC and Kerberos?
Douglas E. Engert
deengert at anl.gov
Wed Jun 2 16:58:13 EDT 2004
"bart.w.jenkins" wrote:
>
> All,
> I would love to use MIT's Kerberos, but it looks as though it can NOT do
> Role Based Access Control (RBAC) out of the box. It seems that MIT's
> Kerberos stores only principals and knows nothing about any roles those
> principals might or might not have. For any particular user, I would love
> to be able to attach a list of roles that person plays. For example, for
> user Joe, I need to be able to say that principal Joe has roles: Admin,
> Superuser or Manager or Supervisor, or Team1Leader etc. Then, when Joe
> authenticates to the KDC, if both the principal (what Java JAAS calls the
> subject) could also return a list of roles (JAAS principals), I could then
> do RBAC. Microsoft had to add some separate user-to-role database that is
> consulted when users authenticate in their Active Directory realm. I would
> like to not have to do this. Does anyone know of a Kerberos implementation
> that does RBAC and, BTW, works with Sun's JAAS (Java security)?
Microsoft, and DCE before them, added authorization data to the KDC. DCE
did it in a more standard way, but Microsoft added the PAC to the Kerberos
ticket.
Many think that this was the wrong thing to do, that authorization data
should be separate from authentication. Users, HR and security people are
concerned with authentication. Resource stakeholders are concerned with
authorized access to their resources. Many resource stakeholders are not
concerned with the resources of others, and may have different roles for the same
users when using their resources.
>
> I could just have user Kerberos principals and Role principals, but then
> when someone logged in with a Role user id, I would not know who the
> underlying user was. It seems that adding some Role attributes to the kerb
> principal would help a lot here.
Another way to do this is to look up the Kerberos principal in your LDAP
database and get the roles for the users while accessing your resources.
>
> Thanks
>
> Bart
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
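Added example (not code from the post above or from MIT Kerberos): the "look up the principal, then decide" approach in working form. The KDC, via GSSAPI or JAAS, has already established who the client is; this code only decides what that principal may do on one resource, from a role table the resource owner controls, so the same user can hold different roles on different resources. The in-memory ROLE_DIRECTORY is constructed sample data standing in for the LDAP directory; the realm list, the resource names and the krbPrincipalName attribute used in the filter builder are assumptions for illustration.

```python
"""Authorize an already-authenticated Kerberos principal against per-resource
roles held outside the KDC. Added example; ROLE_DIRECTORY, TRUSTED_REALMS and
the krbPrincipalName attribute are assumptions standing in for a real directory.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

TRUSTED_REALMS = frozenset({"EXAMPLE.COM"})   # assumed: realms whose KDC we trust


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # ("joe",) or ("joe", "admin")
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse name[/instance...]@REALM; a backslash escapes the next character.

    Strict on purpose: no realm, an empty name, a dangling escape or a second
    unescaped '@' are rejected rather than guessed at, so a malformed name can
    never be mapped onto another principal's roles.
    """
    components, cur, realm, in_realm = [], [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling escape in principal")
            (realm if in_realm else cur).append(text[i + 1])
            i += 2
            continue
        if in_realm:
            if ch == "@":
                raise ValueError("second '@' in principal")
            realm.append(ch)
        elif ch == "/":
            components.append("".join(cur))
            cur = []
        elif ch == "@":
            components.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(ch)
        i += 1
    if not in_realm or not realm:
        raise ValueError("principal has no realm")
    if not components[0]:
        raise ValueError("principal has an empty name component")
    return Principal(tuple(components), "".join(realm))


# RFC 4515 escapes for characters that would otherwise change the filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_for(principal_text: str, attr: str = "krbPrincipalName") -> str:
    """Search filter for the directory lookup, with the principal escaped so a
    name such as 'j*oe' or ')(objectClass=*' cannot widen the search."""
    escaped = "".join(_LDAP_ESCAPES.get(c, c) for c in principal_text)
    return "(%s=%s)" % (attr, escaped)


# Constructed sample data: each resource owner keeps their own role table.
ROLE_DIRECTORY: Dict[str, Dict[Tuple[str, ...], FrozenSet[str]]] = {
    "payroll": {("joe",): frozenset({"Manager"}),
                ("ann",): frozenset({"Admin", "Supervisor"})},
    "wiki":    {("joe",): frozenset({"Team1Leader"}),
                ("joe", "admin"): frozenset({"Admin"})},
}


def roles_for(principal: Principal, resource: str) -> FrozenSet[str]:
    """Roles the resource owner assigned to this principal. The realm check
    keeps joe@EVIL.COM from inheriting joe@EXAMPLE.COM's roles."""
    if principal.realm not in TRUSTED_REALMS:
        return frozenset()
    return ROLE_DIRECTORY.get(resource, {}).get(principal.components, frozenset())


def authorize(authenticated_name: str, resource: str, required_role: str) -> bool:
    """authenticated_name is what GSSAPI/JAAS reports after Kerberos
    authentication succeeded; it is never taken from user input."""
    try:
        principal = parse_principal(authenticated_name)
    except ValueError:
        return False
    return required_role in roles_for(principal, resource)


if __name__ == "__main__":
    for name, res, role in [("joe@EXAMPLE.COM", "payroll", "Manager"),
                            ("joe@EXAMPLE.COM", "wiki", "Manager"),
                            ("joe/admin@EXAMPLE.COM", "wiki", "Admin"),
                            ("joe@EVIL.COM", "payroll", "Manager")]:
        print(name, res, role, "->", "allow" if authorize(name, res, role) else "deny")
```

Two points the code makes that the prose only implies: the lookup key is the whole principal including the realm, never just the bare user name, and the principal string is escaped before it goes into an LDAP filter, since the KDC vouches for the name but not for it being safe to splice into a query.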