OSDI 2000 Abstract
End-to-end authorization
Jon Howell, Consystant Design Technologies, and David Kotz, Dartmouth College
Abstract
Many boundaries impede the flow of authorization
information, forcing applications that span those
boundaries into hop-by-hop approaches to authorization.
We present a unified approach to authorization.
Our approach allows applications that span
administrative, network, abstraction, and protocol
boundaries to understand the end-to-end authority
that justifies any given request. The resulting distributed
systems are more secure and easier to audit.
We describe boundaries that can interfere with
end-to-end authorization, and outline our unified approach.
We describe the system we built and the
applications we adapted to use our unified authorization
system, and measure its costs. We conclude
that our system is a practical approach to the desirable
goal of end-to-end authorization.