Next: Integration with alternative authentication
Up: An Extended Example
Previous: Conditions
Here we present an authorization scenario that demonstrates the use of
the authorization framework for the case of printing a document.
Assume Kerberos V5 is used for principal authentication, and assume that
printer ps12a has the ordered EACL shown in Table 2,
stored in the Printer Manager authorization database.
Table 2 (ordered EACL of printer ps12a; table body not reproduced on this page).
Let's consider a request from user Tom who is connecting from the
ORG.EDU domain to print a document on the printer ps12a at 7:30 PM.
When a client process running on behalf of the user
contacts the Printer Manager with the request to submit_print_job to
printer ps12a, the Printer Manager first calls
gaa_get_object_policy_info to obtain a handle to the EACL of printer ps12a.
The upcall function for retrieving the EACL
for the specified object from the Authorization Database system is passed
to the GAA API and is called by gaa_get_object_policy_info,
which returns the EACL handle.
The Printer Manager must place the principal's authenticated
identity in the security context to pass into the
gaa_check_authorization function. This context may be
constructed according to the first or second scenario, described in Section
8.
If Tom is authenticated successfully, then verified identity
credentials are placed into the security context, specifying Tom as the
Kerberos principal tom@ORG.EDU.
Next, the Printer Manager calls the gaa_check_authorization function.
In evaluating the EACL, the first entry applies. It grants the
requested operation, but there are two conditions that must be evaluated.
The first condition is generic and is evaluated
directly by the GAA API. Since the request was issued at 7:30 PM,
this condition is satisfied. The second condition is specific.
If the security context defines a condition evaluation upcall function,
that function is invoked. If the condition is met, the final answer
is YES (authorized), and the detailed answer contains the authorization expiration time, 8 PM (assuming the authentication credential expires at 9 PM),
the allowed operation submit_print_job, and the two conditions, both marked as evaluated and met.
While the task executes, the Printer Manager enforces
the limits imposed on the local resources and the authorization time.
If the corresponding upcall function was not passed to the GAA
API, the answer is MAYBE and the second condition is marked as not evaluated
and must be checked by the Printer Manager.
When additional credentials are needed, if the security context defines a
credential retrieval function for the upcall, it is invoked.
If the requested credential is obtained, then the final answer is YES.
If the upcall function was not passed to the GAA API, the answer is NO.
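The check described above, written out as an added example (this is not code from the GAA API or the paper). Because Table 2 is not reproduced on this page, the EACL entry, its 08:00-20:00 time window and the "local_resource" specific condition are constructed stand-ins; the YES / MAYBE / NO outcomes follow the text.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Times are minutes since midnight. "generic" conditions are evaluated by the
# GAA API itself; "specific" ones only through the upcall in the security context.

@dataclass
class Condition:
    kind: str            # "generic" | "specific"
    ctype: str           # condition type, e.g. "time_window"
    value: str
    evaluated: bool = False
    met: bool = False

@dataclass
class EACLEntry:
    grant: bool
    principal: str       # Kerberos principal the entry applies to
    operation: str
    conditions: list

@dataclass
class SecurityContext:
    principal: str
    cred_expires: int    # authentication credential expiration (minutes)
    cond_eval_upcall: Optional[Callable[[Condition], bool]] = None

def eval_time_window(cond, req_time):
    """Generic condition: request time must fall in HH:MM-HH:MM; returns (met, end)."""
    start, end = (int(t[:2]) * 60 + int(t[3:]) for t in cond.value.split("-"))
    return start <= req_time < end, end

def gaa_check_authorization(eacl, ctx, operation, req_time):
    """Walk the ordered EACL; return (answer, detailed answer) as the text describes."""
    for entry in eacl:
        if entry.principal != ctx.principal or entry.operation != operation:
            continue
        if not entry.grant:
            return "NO", {}
        expires = ctx.cred_expires
        for c in entry.conditions:
            if c.kind == "generic" and c.ctype == "time_window":
                c.met, end = eval_time_window(c, req_time)
                c.evaluated, expires = True, min(expires, end)   # 8 PM beats 9 PM
            elif c.kind == "specific" and ctx.cond_eval_upcall:
                c.met, c.evaluated = ctx.cond_eval_upcall(c), True
        detail = {"expires": expires, "operation": operation, "conditions": entry.conditions}
        if any(c.evaluated and not c.met for c in entry.conditions):
            return "NO", detail
        if any(not c.evaluated for c in entry.conditions):
            return "MAYBE", detail           # Printer Manager must check the rest itself
        return "YES", detail
    return "NO", {}                           # no applicable entry

def ps12a_eacl():
    """Constructed stand-in for the Table 2 entry (assumed values, not the paper's)."""
    return [EACLEntry(True, "tom@ORG.EDU", "submit_print_job",
                      [Condition("generic", "time_window", "08:00-20:00"),
                       Condition("specific", "local_resource", "pages<=100")])]
```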
Tatyana Ryutov
2002-06-25