RBAC and Kerberos?
digant at uta.edu
Wed Jun 2 18:24:59 EDT 2004
In a core enterprise IT, you have 2 "systems": AuthN (authentication) and
AuthZ (authorization). Kerberos fits in best as an AuthN system. It can
very easily tie into LDAP which can support your AuthZ needs.
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU
> [mailto:kerberos-bounces at MIT.EDU] On Behalf Of bart.w.jenkins
> Sent: Wednesday, June 02, 2004 1:12 PM
> To: kerberos at MIT.EDU
> Subject: RBAC and Kerberos?
> I would love to use MIT's Kerberos, but it looks as though it
> can NOT do Role Based Access Control (RBAC) out of the box.
> It seems that MIT's Kerberos stores only principals and knows
> nothing about any roles those principals might or might not
> have. For any particular user, I would love to be able to
> attach a list of roles that person plays. For example, for
> user Joe, I need to be able to say that principal Joe has
> roles: Admin, Superuser or Manager or Supervisor, or
> Team1Leader etc. Then, when Joe authenticates to the KDC, if
> both the principal (what Java JAAS calls the
> subject) could also return a list of roles (JAAS principals),
> I could then do RBAC. Microsoft had to add some separate
> user-to-role database that is consulted when users
> authenticate in their Active Directory realm. I would like
> to not have to do this. Does anyone know of a Kerberos
> implementation that does RBAC and, BTW, works with Sun's JAAS
> (Java security)?
> I could just have user Kerberos principals and Role
> principals, but then when someone logged in with a Role user
> id, I would not know who the underlying user was. It seems
> that adding some Role attributes to the kerb principal would
> help a lot here.
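
The split described in the reply (Kerberos for AuthN, a directory for AuthZ), as an added Python example that is not part of the original thread: roles are resolved from group membership after authentication, so the identity on record stays the user principal rather than a shared role principal. The realm, DNs, role groups and the in-memory dictionary standing in for an LDAP directory are constructed assumptions.

```python
# Constructed sample data: a trusted realm and an LDAP-like directory held
# in memory. All names (EXAMPLE.COM, the DNs, the role groups) are made up.
TRUSTED_REALM = "EXAMPLE.COM"
PEOPLE_BASE = "ou=people,dc=example,dc=com"
GROUPS = {  # group DN -> member DNs (users or other groups)
    "cn=Team1Leader,ou=roles,dc=example,dc=com": ["uid=joe," + PEOPLE_BASE],
    "cn=Supervisor,ou=roles,dc=example,dc=com":
        ["cn=Team1Leader,ou=roles,dc=example,dc=com"],
    "cn=Manager,ou=roles,dc=example,dc=com":
        ["cn=Supervisor,ou=roles,dc=example,dc=com", "uid=ann," + PEOPLE_BASE],
    "cn=Admin,ou=roles,dc=example,dc=com": ["uid=ann," + PEOPLE_BASE],
}


def principal_to_dn(principal):
    """Map an already-authenticated Kerberos principal to a directory DN."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != TRUSTED_REALM:
        raise PermissionError("principal is not from the trusted realm")
    # joe/admin is a different principal from joe; only plain user
    # principals are mapped here so an instance never inherits joe's roles.
    if not name or "/" in name or "," in name or "=" in name:
        raise PermissionError("unsupported principal name")
    return "uid=%s,%s" % (name, PEOPLE_BASE)


def roles_for(principal):
    """Return every role the principal holds, following nested groups."""
    roles, frontier = set(), [principal_to_dn(principal)]
    while frontier:
        member = frontier.pop()
        for group_dn, members in GROUPS.items():
            if member in members and group_dn not in roles:
                roles.add(group_dn)       # the visited set also stops cycles
                frontier.append(group_dn)
    return {dn.split(",", 1)[0][len("cn="):] for dn in roles}


def authorize(principal, required_role):
    """AuthZ decision made after, and separately from, Kerberos AuthN."""
    try:
        return required_role in roles_for(principal)
    except PermissionError:
        return False
```

In a real deployment the `GROUPS` lookup would be a search against the directory, and the principal string would come from the accepted Kerberos security context rather than from user input.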