
I have a webapp running on Linux that uses Delegation to effectively mirror the permissions of the User that makes requests. The webapp uses a keytab that looks something like this:

KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/31/69 18:00:00 HTTP/my-website.com@DOMAIN

And the appropriate SPN is added to the webapp's service account, which looks something like this:

HTTP/my-website.com@DOMAIN

This all works fine.

There is a new requirement for the webapp to also be able to access resources it needs independent from the Delegation it does on behalf of users. For example, there are databases it needs to access that users of the app don't necessarily have access to. Is there a way for the webapp to use the same Keytab to generate tickets such that it can both continue to delegate on behalf of users AND access the resources it requires?

Howard_Roark
  • I've summarized delegation related code snippets here - https://stackoverflow.com/questions/39743700/java-spnego-authentication-kerberos-constrained-delegation-kcd-to-backend-se/57377671#57377671 – Bhushan Karmarkar Sep 30 '20 at 09:52
  • You did a nice job explaining different cases, but I don’t know if you covered this specific case. This specific case is the webapp needs to access databases independent of delegation AND it needs to access resources via delegation. How can I do both with a single keytab file? – Howard_Roark Sep 30 '20 at 14:09
  • If the user doesn't have access to the resource, then it is not possible to access it using any mechanism. The end system will always deny the access. – Bhushan Karmarkar Oct 05 '20 at 04:33
  • 1) I assume there is a db system which will be accessed every time irrespective of which user is logging into your system. A dedicated common system account can be used. -> Answer is Yes, you can do it using a single keytab. Attach the SPN of your DBMS to a service account. Generate keytab. In JAAS config, make sure to set "isInitiator" flag to true. – Bhushan Karmarkar Oct 05 '20 at 04:35
  • 2) Assuming a user has access to a resource -> accessing the resource on the user's behalf, then constrained delegation (optionally with protocol transition) is the way to go, which I explained in my other answer. – Bhushan Karmarkar Oct 05 '20 at 04:37

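As an added illustration of what the comments describe (example code, not from the original post or from any of the commenters): one keytab login with isInitiator=true gives a Subject that Java GSS-API can use both as the service's own identity and as the acceptor that picks up a user's forwarded credential. The JAAS entry name "webapp", the keytab path and the database SPN passed as dbSpn are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

/* Assumed JAAS entry (not from the original post). isInitiator=true is what
 * lets ONE keytab login both accept users' tickets and obtain the service's
 * own TGT, so the same Subject can serve both paths below.
 *
 * webapp {
 *   com.sun.security.auth.module.Krb5LoginModule required
 *     useKeyTab=true storeKey=true doNotPrompt=true isInitiator=true
 *     keyTab="/etc/webapp/http.keytab" principal="HTTP/my-website.com@DOMAIN";
 * };
 */
public class ServiceAndDelegation {
    static final String KRB5 = "1.2.840.113554.1.2.2", SPNEGO = "1.3.6.1.5.5.2";

    // One keytab login; the Subject carries the long-term key (acceptor role)
    // and, thanks to isInitiator=true, a TGT for HTTP/my-website.com@DOMAIN.
    static Subject loginService() throws Exception {
        LoginContext lc = new LoginContext("webapp");
        lc.login();
        return lc.getSubject();
    }

    // Path A: act as the service itself, e.g. towards the shared database
    // (dbSpn is a placeholder such as "MSSQLSvc/db.my-website.com@DOMAIN").
    static byte[] initAsService(Subject svc, String dbSpn) throws Exception {
        return Subject.doAs(svc, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager m = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5);
            GSSName db = m.createName(dbSpn, GSSName.NT_USER_NAME, krb5);
            GSSContext ctx = m.createContext(db, krb5, null, GSSContext.DEFAULT_LIFETIME);
            return ctx.initSecContext(new byte[0], 0, 0); // AP-REQ for the database
        });
    }

    // Path B: accept the browser's SPNEGO token and keep the delegated
    // credential only if the KDC actually issued a forwardable ticket.
    static GSSCredential acceptAndDelegate(Subject svc, byte[] token) throws Exception {
        return Subject.doAs(svc, (PrivilegedExceptionAction<GSSCredential>) () -> {
            GSSManager m = GSSManager.getInstance();
            GSSCredential acceptor = m.createCredential(null,
                GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO), GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = m.createContext(acceptor);
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished() || !ctx.getCredDelegState()) return null;
            return ctx.getDelegCred(); // pass as myCred to createContext(...) to act as the user
        });
    }
}
```

Path B is classic delegation via a forwarded TGT; constrained delegation with protocol transition, as the comments recommend, depends on the service account's allowed-to-delegate configuration on the KDC side and uses a different flow not shown here. Path A's TGT is as powerful as the service account itself, so keep that account's own access limited to the databases the app genuinely needs.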