RBAC and Kerberos?

Digant Kasundra digant at uta.edu
Wed Jun 2 18:24:59 EDT 2004


In a core enterprise IT, you have 2 "systems": AuthN (authentication) and
AuthZ (authorization).  Kerberos fits in best as an AuthN system.  It can
very easily tie into LDAP which can support your AuthZ needs.

-- DK


> -----Original Message-----
> From: kerberos-bounces at MIT.EDU 
> [mailto:kerberos-bounces at MIT.EDU] On Behalf Of bart.w.jenkins
> Sent: Wednesday, June 02, 2004 1:12 PM
> To: kerberos at MIT.EDU
> Subject: RBAC and Kerberos?
> 
> 
> All,
> I would love to use MIT's Kerberos, but it looks as though it 
> can NOT do Role Based Access Control (RBAC) out of the box.  
> It seems that MIT's Kerberos stores only principals and knows 
> nothing about any roles those principals might or might not 
> have.  For any particular user, I would love to be able to 
> attach a list of roles that person plays.  For example, for 
> user Joe, I need to be able to say that principal Joe has 
> roles: Admin, Superuser or Manager or Supervisor, or 
> Team1Leader etc.  Then, when Joe authenticates to the KDC, if 
> both the principal (what Java JAAS calls the
> subject) could also return a list of roles (JAAS principals), 
> I could then do RBAC.  Microsoft had to add some separate 
> user-to-role database that is consulted when users 
> authenticate in their Active Directory realm.  I would like 
> to not have to do this.  Does anyone know of a Kerberos 
> implementation that does RBAC and, BTW, works with Sun's JAAS 
> (Java security)?
> 
> I could just have user Kerberos principals and Role 
> principals, but then when someone logged in with a Role user 
> id, I would not know who the underlying user was.  It seems 
> that adding some Role attributes to the kerb principal would 
> help a lot here.
> 
> Thanks
> 
> Bart
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
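An added example, not code from either post, of the split the reply describes: Kerberos answers "who is this?" and hands the application an authenticated principal name, and the roles are then looked up in a directory (LDAP in the reply). The directory here is an in-memory stand-in so the example runs offline; the realm EXAMPLE.COM, the group DNs, the role names beyond those in Bart's message, and the permission table are all constructed for illustration. Because the user authenticates as themselves and roles are derived afterwards, the decision record keeps the underlying user identity, which is the audit problem Bart raised with separate role principals.

```python
"""AuthN/AuthZ split: Kerberos supplies the principal, the directory supplies roles.

Added example; the directory below is a constructed stand-in for LDAP group
entries, and the realm, DNs and permissions are hypothetical.
"""
from dataclasses import dataclass

# Realm whose KDC we trust to have authenticated the principal (assumption).
TRUSTED_REALM = "EXAMPLE.COM"

# Constructed stand-in for LDAP role groups: DN -> set of member principals.
DIRECTORY_GROUPS = {
    "cn=Admin,ou=roles,dc=example,dc=com": {"joe@EXAMPLE.COM"},
    "cn=Team1Leader,ou=roles,dc=example,dc=com": {"joe@EXAMPLE.COM", "ann@EXAMPLE.COM"},
    "cn=Manager,ou=roles,dc=example,dc=com": {"ann@EXAMPLE.COM"},
}

# Hypothetical policy: which permissions each role grants.
ROLE_PERMISSIONS = {
    "Admin": {"reset_password", "read_reports", "edit_team"},
    "Manager": {"read_reports", "approve_expense"},
    "Team1Leader": {"edit_team"},
}


def parse_principal(name):
    """Split 'primary[/instance]@REALM'; return None if malformed or from another realm."""
    if "@" not in name:
        return None
    local, realm = name.rsplit("@", 1)
    if realm != TRUSTED_REALM:
        return None
    primary, _, instance = local.partition("/")
    return primary, instance, realm


def cn_of(dn):
    """Extract the cn value from a DN such as 'cn=Admin,ou=roles,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def roles_for(principal):
    """AuthZ step: roles come from directory group membership, not from the KDC.

    Principals outside the trusted realm get no roles at all.
    """
    if parse_principal(principal) is None:
        return set()
    return {cn_of(dn) for dn, members in DIRECTORY_GROUPS.items() if principal in members}


@dataclass(frozen=True)
class Decision:
    principal: str      # the authenticated user, kept for the audit trail
    permission: str
    allowed: bool
    roles: frozenset


def authorize(authenticated_principal, permission):
    """Combine the Kerberos-authenticated identity with directory roles."""
    roles = roles_for(authenticated_principal)
    allowed = any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles)
    return Decision(authenticated_principal, permission, allowed, frozenset(roles))


if __name__ == "__main__":
    # The principal name would normally come from the accepted Kerberos context.
    for who, what in [("joe@EXAMPLE.COM", "reset_password"),
                      ("ann@EXAMPLE.COM", "reset_password"),
                      ("joe@OTHER.COM", "reset_password")]:
        d = authorize(who, what)
        print(f"{d.principal}: {d.permission} -> {'allow' if d.allowed else 'deny'} "
              f"(roles: {sorted(d.roles)})")
```

The application never asks the KDC for roles; it trusts the KDC only for the identity, then consults the directory, so adding or removing a role is a directory change and does not touch the Kerberos database.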

