Kerberized authorization service

g.w at hurderos.org
Mon Feb 11 08:25:28 EST 2008


On Jan 27, 11:35am, edward at murrell.co.nz wrote:
} Subject: Re: Kerberized authorization service

Good morning, hope the weekend is going well for everyone.

Ah, authorization, my favorite topic......

> Hm, yes, I see where you are coming from.
>
> I think this is an area where the OSS world has the infrastructure,
> but not the details to pull off what you want. I am personally a bit
> loath to suggest adding yet another service to the mix of account
> management, especially given that it's unlikely to be supported by
> Win/Mac any time soon, whereas the LDAP solution is already what
> they do. Hence why I would suggest something tying into that. I can
> see the benefit of the service you are suggesting though.

As attractive as it may sound architecturally there is no rationale or
justification for the concept of an 'authorization server'.  It brings
no value and simply adds complexity, latency and an additional attack
vector to the IAA stack.

From an application perspective there are three possible answers when
an authorization decision is requested, they are as follows:

	1.) Yes
	2.) No
	3.) Maybe

The 'maybe' decision is what makes an authorization server an
unrealistic approach.  The 'maybe' answer is also what organizations
are most interested in.

In order to resolve the 'maybe' answer the application has to apply
some form of decision making process (rules) to a set of
attributes/information which for all practical purposes is going to be
supplied by LDAP.

In order to make the decision for the application the authorization
server either needs to have a copy of the rules or alternately provide
the informational attributes needed to make the decision back to the
application.  The net result is complexity with little added value.

What is desperately needed in the field is the following:

	1.) A model for authorization.
	2.) An API for accessing that model.

I've always contended OSS was in a superb position strategically to
solve this very difficult problem for the industry.  Unfortunately
there has either been a lack of interest or understanding in the
importance of the issue.

It ultimately may be the reason why we, as a community, end up
presiding over the descent of open source IAA infrastructure (LDAP,
Kerberos, Samba) into irrelevancy.

> *Diverges a bit into LDAP*
>
> In a perfect world, I would have the machine in the LDAP tree, with
> containers of some description off for various services, and/or a
> default.  The containers would hold a list of allow/deny groups. It
> would be possible to alias groups for allow/deny lists, along with
> creating custom groups just for that service on that machine if so
> desired.

There is already a considerable body of research and architectural
development on a concept similar to this.

I presented a paper at the Kerberos/AFS workshop a couple of years ago
on an open-architecture authorization model and API.  The conceptual
approach is extremely simple, very powerful and architecturally similar
to what you propose.

I don't have the URL handy but anyone interested should be able to
turn it up with a little bit of GOOGLE'ing.

LDAP and Kerberos are the only two fundamental tools needed to
implement an architecture for modeling authorization decisions.  As I
noted earlier what is missing is the model, an API to access it and
source/tools to implement the API.

Open-source 'messaging' seems to be all the rage.  Presentations I've
done to CIO/CTO groups lead me to believe that open-source solutions
in this venue would certainly ring resonant.

Best wishes for a pleasant weekend to everyone.

}-- End of excerpt from edward at murrell.co.nz

As always,
Greg Wettstein

------------------------------------------------------------------------------
			 The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

"If I'd listened to customers, I'd have given them a faster horse."
                                -- Henry Ford
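
The three-way yes/no/maybe decision described in the message, with the 'maybe' resolved by the application applying its own rules to LDAP-supplied attributes rather than by a separate authorization server, as an added Python example; this is illustrative code, not part of the original post or the Hurderos project, and the host, service, groups, attribute names and rules are constructed stand-ins.

```python
from enum import Enum

class Decision(Enum):
    YES = "yes"
    NO = "no"
    MAYBE = "maybe"

# Constructed stand-in for per-machine service containers of allow/deny
# groups, i.e. what the LDAP lookup for (host, service) would return.
SERVICE_ACLS = {
    ("wiki.example.org", "httpd"): {"allow": {"staff"}, "deny": {"suspended"}},
}

def group_decision(groups, host, service):
    """First pass: yes/no from the allow/deny groups, 'maybe' if they do not decide."""
    acl = SERVICE_ACLS.get((host, service))
    if acl is None:
        return Decision.MAYBE
    if groups & acl["deny"]:
        return Decision.NO
    if groups & acl["allow"]:
        return Decision.YES
    return Decision.MAYBE

# The application's own rules, applied to attributes (assumed to come from
# LDAP) to resolve a 'maybe'.  A rule returns MAYBE when it does not apply.
def rule_active_account(attrs, ctx):
    return Decision.MAYBE if attrs.get("accountStatus") == "active" else Decision.NO

def rule_contractor_hours(attrs, ctx):
    if attrs.get("employeeType") != "contractor":
        return Decision.MAYBE
    return Decision.YES if 8 <= ctx["hour"] < 18 else Decision.NO

RULES = [rule_active_account, rule_contractor_hours]

def authorize(attrs, host, service, ctx):
    """Yes/no answer for the application: groups first, then rules over attributes."""
    decision = group_decision(set(attrs.get("memberOf", ())), host, service)
    for rule in RULES:
        if decision is not Decision.MAYBE:
            break
        decision = rule(attrs, ctx)
    # A 'maybe' that no rule resolves is a 'no': default deny.
    return Decision.NO if decision is Decision.MAYBE else decision
```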


