Kerberized authorization service
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Feb 11 09:48:17 EST 2008
>I presented a paper at the Kerberos/AFS workshop a couple of years ago
>on an open-architecture authorization model and API. The conceptual
>approach is extremely simple, very powerful and architecturally similar
>to what you propose.
Well, I'm sorry ... I remember that paper, and ... well, I cannot agree
with your statements (and to be fair, I just went and re-read that
presentation again; it's available from the 2006 AFS Workshop archives).
Here are my beefs with your proposal:
- "Simple?" Uh, you ARE kidding, right? Right off the bat you start
talking about n-bit vectors and cryptographic hashes. And the
diagram on slide 18 ... ouch. And you use XML? What exactly is
SIMPLE about this idea? I consider myself reasonably intelligent and
I've spent a fair amount of time thinking about authorization, and I
can barely follow your proposal. Off-line discussions I have had
with others in the Kerberos community have seen similar reactions to
mine. So, in short: your proposal is really complicated. If this
complexity was necessary, I could forgive that ... but we have
real-world experience that shows that it is not.
- Your proposal did not include an API (there was not one shown in your
slides). Well, you included KDC and library plug-ins, but not how this
API would look on an application server. I am gathering that it would
involve LDAP queries (although perhaps you hid that inside of a wrapper
library).
During our authz server prototype work, we developed an API. It was
one function - it returned a "yes/no" answer, and a text string which
included a string you could display/log for the "no" reason. Would have
been a few lines of code to add to all of the application servers that
we use.
- History has shown us that adding authorization data to the Kerberos
protocol isn't the best idea. DCE did it, Microsoft does it, and there
are a host of problems with this approach; from an architectural
perspective (operational experience has shown us repeatedly that having
the ability to change authorization information more quickly than Kerberos
ticket lifetimes is very important) to the practical (authz data in Kerberos
tickets brings larger tickets which present problems for some applications,
it locks you to a particular KDC, and those are only a few).
- Your model is simply not extensible enough. For example, it is not
possible to easily extend it to make the authorization decisions that
our site needs to make. Why? Well, we make authorization decisions
on the application server based on information that is not available
at service ticket creation time. Maybe I am mis-understanding your
model and perhaps it is possible ... but that just gets back to the
whole "complexity" issue. Also, I cannot see how to make use of
your scheme with cross-realm authentication ... and we use that a lot.
Let's take two real world counter-examples: the AFS PTS server, and
John Hascall's double-secret authz server (Stanford's wallet might
be another example, but I don't know enough about it to say so
let's not bring that into the mix right now).
Both services work in roughly the same way: you send them an identity
which you have derived from your authentication service (Kerberos in
both cases) and the service responds with what you are allowed to
do. In the AFS PTS server's case you get a set of groups that the
identity belongs to which are used by the AFS fileserver to determine
permissions based on ACLs stored on directories. In the Hascall
double-secret authz server you get a "yes/no" answer regarding access
to a particular service (John, if I've got this wrong, please correct me).
Note that both of these services are pretty simple, and don't involve
adding bits to the Kerberos protocol. They both predate LDAP, so it's
hard to say whether or not they would have used them. Personally, I
think LDAP is a crappy protocol to use for authorization queries ...
it is fine for _managing_ authorization data, but I want something with
fewer round-trips in the authorization path (I would probably do a custom
protocol).
DCE tried to put authz data into Kerberos, and I think everyone would
agree that DCE has been a failure. Now obviously putting authz data
into Kerberos is not the reason that they failed, but it just shows
one of the fundamental problems with DCE - over-engineering. You could
bring up Microsoft as a counter-example. That would be true, but Microsoft
has the advantage of having tons of paid programmers to implement their
designs and they control all aspects of their software at all levels.
In the open-source world we do not have those luxuries ... we need to
be able to have designs that are simple to implement and understand, and
we need to be able to play nicely in heterogenous environments.
BTW, there is a "simple" way to prove that I am full of crap. All you
have to do is implement your design and get people to use it. Clearly
there is a desire for a reasonable authorization service that ties into
Kerberos, so if what you come up with is workable you should have plenty
of users.
--Ken
More information about the Kerberos
mailing list