Kerberized authorization service
John Hascall
john at iastate.edu
Mon Feb 11 09:30:55 EST 2008
Greg Wettstein writes:
> As attractive as it may sound architecturally there is no rationale or
> justification for the concept of an 'authorization server'. It brings
> no value and simply adds complexity, latency and an additional attack
> vector to the IAA stack.
There certianly is value in rationally organizing authorization information.
> >From an application perspective there are three possible answers when
> an authorization decision is requested, they are as follows:
>
> 1.) Yes
> 2.) No
> 3.) Maybe
>
> The 'maybe' decision is what makes an authorization server an
> unrealistic approach. The 'maybe' answer is also what organizations
> are most interested in.
Maybe just means you haven't asked the right question.
> In order to resolve the 'maybe' answer the application has to apply
> some form of decision making process (rules) to a set of
> attributes/information which for all practical purposes is going to be
> supplied by LDAP.
>
> In order to make the decision for the application the authorization
> server either needs to have a copy of the rules or alternately provide
> the informational attributes needed to make the decision back to the
> application.
Sounds like you've just reinvented shibboleth.
> The net result is complexity with little added value.
There is tremendous value in having a canonical place to make
statements like "X is no longer an employee" and have *all* of
X's access rights quickly and accurately reflect this.
As soon as you talk about doing this in a space larger than
one computer you are talking about a network protocol. Now,
I suppose one could, to a certain scale, do this with some
sort of mass data provisioning scheme. When you get large
enough, certainly once you start crossing trust domains,
this is clearly unworkable.
John
More information about the Kerberos
mailing list