
wsh | 11 months ago

I’ve always thought of Kerberos as a centralized authentication system, to establish users’ identities.

Authorization, in the sense of deciding to allow or deny a requested action by a known user on a specific object, remains distributed, even with Kerberos. For example, a Windows file server, having received a Kerberos ticket showing a user’s identity and security group memberships, consults its own access control lists to determine what operations to allow on files and directories.

The article here argues that those authorization decisions should also be centralized, presumably using the sponsor’s “cloud-native authorization platform,” instead of being made within each service or application.
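The identity/authorization split the comment describes, as an added toy model that is not part of the comment and not code from Kerberos or Windows: the ticket is a plain dict standing in for the identity and group claims a service ticket carries, and the ACL check is a simplified deny-overrides-allow rule applied by the service itself, not the full Windows DACL algorithm. All names, groups and ACL entries are constructed.

```python
"""Toy model of centralized identity + service-local authorization.

Added example, not code from the comment or from any Kerberos/Windows
implementation. The "ticket" dict stands in for the identity and group
membership claims a service ticket carries; the ACL evaluation is a
simplified deny-overrides-allow rule, not the real DACL algorithm.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # user name or group name
    rights: frozenset  # e.g. {"read", "write"}


def principal_from_ticket(ticket: dict) -> Principal:
    """Centralized part: accept identity and group claims as already
    authenticated (in the real protocol the KDC did that; here a dict)."""
    return Principal(ticket["user"], frozenset(ticket["groups"]))


def check_access(acl, principal, requested) -> bool:
    """Local part: the service decides from its own ACL.
    Simplified rule: a deny ACE matching the principal (by name or group)
    that covers any requested right refuses; otherwise the allow ACEs
    must together cover every requested right."""
    identities = {principal.name} | principal.groups
    requested = frozenset(requested)
    granted = set()
    for ace in acl:
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny" and ace.rights & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.rights
    return requested <= granted


# Constructed sample: one directory's ACL on a hypothetical file server
PAYROLL_ACL = [
    Ace("deny", "contractors", frozenset({"write"})),
    Ace("allow", "finance", frozenset({"read", "write"})),
    Ace("allow", "employees", frozenset({"read"})),
]

# Constructed tickets (identity + group claims only; no ACL data inside)
ALICE_TICKET = {"user": "alice", "groups": ["employees", "finance"]}
BOB_TICKET = {"user": "bob", "groups": ["employees", "contractors", "finance"]}
CAROL_TICKET = {"user": "carol", "groups": ["employees"]}


def demo() -> dict:
    """Evaluate read and write for each constructed ticket."""
    results = {}
    for ticket in (ALICE_TICKET, BOB_TICKET, CAROL_TICKET):
        p = principal_from_ticket(ticket)
        results[p.name] = {
            "read": check_access(PAYROLL_ACL, p, {"read"}),
            "write": check_access(PAYROLL_ACL, p, {"write"}),
        }
    return results


if __name__ == "__main__":
    for name, rights in demo().items():
        print(name, rights)
```

The point the model makes concrete: nothing in the ticket says what bob may do to the payroll directory; the deny for contractors lives only in that server's ACL, so the same ticket can yield different decisions on different services. Moving that rule into a central policy service changes where `check_access` runs and where `PAYROLL_ACL` is stored, not the shape of the decision.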
