Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Jinpeng Huai,Yu Zhang,Xianxian Li,Yunhao Liu

DOI: https://doi.org/10.1109/ICPP.2005.33

2005-01-01

Abstract:Security in collaborative groups is an active research topic and has been recognized by many organizations in the past few years. In this paper, we propose a fine-grained and attribute-based access control framework for our key project, CROWN grid. To avoid single point of failure and enhance scalability of the system, we employ a distributed delegation authorization mechanism. We successfully implement our proposed access control in CROWN grid, and evaluate this approach by comprehensive experiments.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Hailong Sun,Yanmin Zhu,Chunming Hu,Jinpeng Huai,Yunhao Liu,Jianxin Li

DOI: https://doi.org/10.1007/11573937_33

2005-01-01

Abstract:CROWN Grid aims to empower in-depth integration of resources and cooperation of researchers nationwide and worldwide. In such a distributed environment, to facilitate adoption of services, remote and hot service deployment is highly desirable. Furthermore, when the deployer and the target container are from different domains, great security challenges arise when a service is deployed to the remote container. In this paper, we present ROST, an original scheme of Remote & hOt Service deployment with Trustworthiness. By dynamically updating runtime environment configurations, ROST avoids restarting the runtime system during deployment. Moreover, we adopt trust negotiation in ROST to assure the security of service deployment. We conduct experiments in a real grid environment, and evaluate ROST comprehensively.

Ying-Ying Chen,Tie-Jun Wu

DOI: https://doi.org/10.1002/cpe.1672

2010-01-01

Concurrency and Computation Practice and Experience

Abstract:The optimal load redistribution problem is solved in this paper for heterogeneous non‐dedicated service grids in a decentralized way. A coordination policy is proposed to make networked servers reach their optimal generic task acceptance rates in order to minimize the average service time of all the generic tasks in a grid. Autonomous servers networked in the grid only need to coordinate with their neighbors iteratively, and their optimal generic acceptance rates are reached by task migration among them. The design scheme of the policy is introduced, and the convergence properties and the implementation aspects of the coordination system are discussed in detail in this paper. A set of computer simulations have been conducted, validating the effectiveness of the proposed approach. Copyright © 2010 John Wiley & Sons, Ltd.

Min HU,Yan-jun LI,Tie-jun WU

DOI: https://doi.org/10.3785/j.issn.1008-973X.2007.07.004

2007-01-01

Abstract:An intelligent resource scheduling strategy for grid systems was proposed based on the theory of multi-agent. Grid nodes independently chose subtasks in grid systems. Due to the autonomous characteristics of grid nodes, different support degrees were assigned to each grid node for different tasks. The fuzzy cognitive map was employed to construct a support degree negotiation model. Considering that each grid node possesses different types of resources, definition of the standard support degree was presented to ensure feasibility and validity of the support degree negotiation model. Without the upper level resource scheduling unit, task teams were constituted by multiple grid nodes through competition and negotiation to maximize interests of each grid node. The proposed scheduling method is applicable for distributed computation, which makes the grid computation system possess better real-time performance and robustness.

XL Li,ZW Xu,XW Liu,N Yang

DOI: https://doi.org/10.1109/wi.2003.1241240

2003-01-01

Abstract:It is a challenge to integrate and share resources securely across multiple autonomous administrative domains environment. We introduce the community-based model of vega enterprise information grid and its operation mechanism. The individuals and/or institutes forming different communities can not only implement diverse policies and autonomous management of resource sharing without any impact on the other communities, but also achieve a globally shared goal. Based on the model, the access control technique, including framework and uniform formalizing, is presented in detail. The static or dynamic role binding is used for entitling user's request for accessing resources within or across communities, which ensures a globally unified view for user. A prototype describes how these techniques are useful in building an enterprise information grid. The evaluation and future continuing works are presented in the conclusion.

Zhang RunLian,Dong XiaoShe,Wu XiaoNian

DOI: https://doi.org/10.1109/gcc.2006.5

2006-01-01

Abstract:The same grid user may have another identity in different domains, and same to grid resource which have been restored and maintained in different domains. It is a challenging task for executing grid jobs successfully to make the same user have the consistent privileges in grid. However, distributed characteristic of grid makes it difficult to define and maintain global privileges consistency. And dynamic characteristic of grid seriously threatens global privileges consistency defined in grid access control. This paper proposes a dynamic access control model embodying access policies and its dynamic negotiating. The model supports to define global privileges consistency and automatically resume consistency when conflict has occurred. We also describe a prototype implementation of this model and its performance.

Jinpeng Huai,Hailong Sun,Chunming Hu,Yanmin Zhu,Yunhao Liu,Jianxin Li

DOI: https://doi.org/10.1016/j.future.2007.01.004

IF: 7.307

2007-01-01

Future Generation Computer Systems

Abstract:The main goal of our key project, the CROWN Grid, is to empower in-depth integration of resources and the cooperation of researchers nationwide and worldwide. CROWN exploits a service-oriented architecture based on OGSA. In CROWN, remote service deployment is highly desirable. To the best of our knowledge, however, there is no successful solution to ensure the enabling remote and hot service deployment in grid systems. Traditionally, remote deployment is supported in a cold fashion, which results in many disadvantages, such as low efficiency. Moreover, since the deployer and the target container may be in different domains, great security challenges arise when a service is deployed to a remote container. In this paper, we present ROST, an original scheme of Remote and hOt Service deployment with Trustworthiness. By dynamically updating runtime environment configurations, ROST avoids restarting the runtime system during deployment. In addition, we include trust negotiation in ROST, which greatly increases the flexibility and security of the CROWN Grid. ROST has been successfully implemented. We conduct comprehensive experiments with real applications, and the results show that ROST is viable and significantly improves the service efficiency and quality of CROWN. We believe that the wide deployment of ROST would also benefit other grid systems.

Zhang Runlian,Wu Xiaonian,Dong Xiaoshe

DOI: https://doi.org/10.1109/ICCIT.2008.158

2008-01-01

Abstract:The unilateral dynamic change of access policy between different domains in the Grid computing platforms would incur global inconsistent privileges. To address the problem, this paper proposes a new component named Coordinated Negotiation Policy and introduces it into authorization mechanism in the Grid system. Based on the policy repository stating how to response to the change of privileges, the coordinated negotiation policy refers to several negotiation primitives to automatically negotiate and make the decision how to deal with negotiation proposals for the changed privileges and enforce the decision to renew global consistency of privileges between distributed domains. The test result of implementation shows that the coordinated negotiation policy shortens greatly the period of resolving the conflict or inconsistency of privileges, compared with the negotiation by manual work. As a result, it reduces grid jobs with inconsistent privileges, and avoids system wasting increasing overhead to deal with these meaningless grid jobs rejected ultimately because of inconsistent privileges, and improves system performance.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

Yiduo Mei,Xiaoshe Dong,Weiguo Wu,Shangyuan Guan,Jing Xu

DOI: https://doi.org/10.1109/cis.workshops.2007.198

2007-01-01

Abstract:The dynamic and multi-institutional nature of the grid environments introduces challenging security issues that demand new technical approaches. But traditional access control models consider static authorization decisions based on subjects' pre-assigned permissions on target objects and focus on a closed system, therefore, they are not suitable for the dynamic grid environments. To address the above problems, we propose UCGS, a novel usage control approach for grid services. Our approach is inspired by the Usage Control Model (UCON). UCGS improves the security of the grid services by employing a continuous usage control of the grid services, monitoring the behavior of the subjects. It enables richer and finer-grained control over authorization and usage of grid services and resources than that of traditional access control models. "Blacklist", "unilateral contract" and "arbitrator" are introduced in UCGS to guarantee that a subject can not deny its obligations after service is complete, which contributes to maintain the normal order of the grid environments and the security and interests of the service providers.

Sunan Shen,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.185

2008-01-01

Abstract:As grid’s dynamic, distributed and open nature, the issue of mutual trust among grid entities is challenging, not only because of the entities in different domains, but also because the fact that those domains may deploy different security mechanisms. A federal authentication and authorization scheme based upon trust management and delegation is proposed. Different security domains can join in the federation through the interface that our approach provides. The establishment of trust relationship among domains is based on trust negotiation and PKI cross-certification. We make authorization relay on dynamic role translation and on delegation. The Security Assertion Markup Language (SAML) is adopted by exploiting its AttributeStatement to create Delegation Assertion for grid.

Wanchun Dou,Jinjun Chen,Jianxun Liu,S. C. Cheung,Guihai Chen,Shaokun Fan

DOI: https://doi.org/10.1177/1094342007086227

2008-01-01

Abstract:The grid has been proposed as a promising service-orientedplatform for increasingly complex cooperative computing. Theplatforms of service-oriented grids are often Web-based whereparticipants collaborate to achieve a common goal by sharing scarceWeb-Based Computational/ Computing Resources (WBCR). To share theWBCR effectively is a challenging problem in boundary-spanning gridenvironments, particularly when these resources are subject to bothstatic and dynamic usage. To set up the certificate-based usagepolicy described in this paper, we first explore a workflowengine-driven SOA-based resource access control mechanism. Then,aiming at setting up a cooperative computing paradigm from theresource sharing perspective, an infrastructure derived from aspecific project of SOA&EDSCCE(SOA-Based&Engine-Driven Structured Cooperative ComputingEnvironment) is proposed for promoting its cooperative computing ingrid environment based on the control disciplines and the WBCRusage policy. The main contributions of this paper are twofold: 1)a workflow engine-driven SOA-based WBCR sharing mechanism ispresented in accordance with to the certificate-based usage policy;and 2) a specific infrastructure of cooperative computing is putforward for the collaboration based on the WBCR sharingmechanism.

Bei Shui Liao,Ji Gao,Jun Hu,Jiu Jun Chen

DOI: https://doi.org/10.1109/ICSMC.2004.1401073

2004-01-01

Abstract:The emergence and the development of OGSA-compliant Grid provide powerful means for the integration and interaction of applications (Grid services) within a virtual organization (VO). However, it is still a challenge to control the composition, transaction, and coordination, of Grid services, according to the dynamic business requirements of a VO. Based on the policy-based management and autonomous intelligent agents, this paper proposes a framework for OGSA-compliant Grid control. In this system, individual agent (Task Agent) is in charge of composing Grid services and taking part in the social interactions within a VO. Several Task Agents and a management agent (AM) form a VO. The business requirements or user's preferences are represented as policies, which are used to control the behaviors of agents.

Hailong Sun,Liang Zhong,Jinpeng Huai,Yunhao Liu

DOI: https://doi.org/10.1109/E-SCIENCE.2005.62

2005-01-01

Abstract:Our key project, CROWN (China Research and Development Environment Over Wide-area Network), aims to empower in-depth integration of resources and cooperation of researchers nationwide and worldwide using grid technologies. It adopts service oriented architecture. Current service grids do not consider the separation of services and underlying resources, potentially causing low job processing efficiency and resource utilization. In this paper, we propose a novel architecture for grid systems, called Open Service Provisioning and Consuming Environment (OpenSPACE). OpenSPACE is adopted by CROWN and is evaluated by prototype implementation based on real applications

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.