Kerberized authorization service

Russ Allbery rra at stanford.edu
Mon Feb 11 13:27:22 EST 2008


John Hascall <john at iastate.edu> writes:
> Russ Allbery <rra at stanford.edu> writes:

>> Stanford currently very much loses on this, in a wide variety of ways.
>> We really only have one authorization system that copes correctly with
>> role status changes (provided that it's used properly), and it only
>> knows how to talk to the financial system and isn't (currently) usable
>> as a general authorization solution.  There is some active work in the
>> Internet2 arena on this, but not to the point where I think people are
>> deploying it.
>
>    The problem with the Internet2's work in this area
>    (i.e., Signet and Grouper) is that
>    they seem like they've never met a problem
>    that they didn't think the answer to it was:
>
>     while (problem) {
>       Throw the most complicated XML and Java possible at it.
>     }
>
>     (And they forgot to catch deathByBloatAndComplexityException)

Yeah, I should probably not get started on that.  (Signet is essentially
the next generation of Authority Manager, which is the above-mentioned
application that talks to the financial system.)

Our middleware group is very fond of Java and XML.

I'm, er, not so much.  (Although XML does have its place.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list