Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Bo Lang,Ian Foster,Frank Siebenlist,Rachana Ananthakrishnan,Tim Freeman

DOI: https://doi.org/10.1007/s10723-008-9112-1

2008-01-01

Journal of Grid Computing

Abstract:Grid systems have huge and changeable user groups, and different autonomous domains always have different security policies. The attribute based access control (ABAC) model, which is flexible and scalable, is more suitable for Grid systems. This paper describes a method of building a flexible access control mechanism that is based on ABAC and supports multiple policies for Grid computing. Firstly an attribute based multipolicy access control model ABMAC is submitted. Compared with ABAC, ABMAC can describe multiple heterogeneous policies, and each policy is encapsulated without changing its descriptions. Then by extending the authorization architecture of XACML, the paper puts forward an authorization framework that supports ABMAC and is implemented in the Globus Toolkit release 4 (GT4) (Few parts of the authorization framework described in this paper can only be found in Globus Toolkit CVS repository. A more completed authorization framework will be appeared in the Globus Toolkit release 4.2). Basing on the concept of policy encapsulation, the framework provides a flexible and scalable authorization mechanism that can support multiple existing policies in a Grid system. The design and implementation details of GT4 authorization framework are also well discussed.

Bo Lang,Ian Foster,Frank Siebenlist,Rachana Ananthakrishnan,Tim Freeman

2006-01-01

Abstract:Grid systems, which are composed of autonomous domains, are open and dynamic. In such systems, there are usually a large number of users, the users are changeable, and different domains have their own policies. The traditional access control models that are identity based are closed and inflexible. The Attribute Based Access Control (ABAC) model, which makes decisions relying on attributes of requestors, resources, and environment, is scalable and flexible and thus is more suitable for distributed, open systems. But no ABAC model meets the special authorization requirements of Grid computing. This paper presents an Attribute Based Multipolicy Access Control (ABMAC) model based on the concept of ABAC and the authorization requirements of Grid systems. Also described is an authorization framework that was implemented in the Globus Toolkit release 4 and supports ABMAC. This attribute-based authorization framework supports several different policies and integrates third-party attribute-based authorization systems. It shows great advantages in supporting Grid application access control, which not only demonstrates the effectiveness of ABMAC model but also provides an open architecture for Grid authorization systems.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Hung-Min Sun,King-Hang Wang,Pa Saffiong Kebbeh

DOI: https://doi.org/10.1109/tencon.2007.4429022

2007-01-01

Abstract:This paper proposes a system to provide security for the grid infrastructure where authorization and authentication will be made scalable by setting up an authorization framework at the resource provider's end. Our proposed architecture intends to relieve the grid middleware from taking the responsibility of the authorization mechanism, as well as improves the resource provider's trust in the event of a request from the data portal, since the authorization policy will be pulled from its own organizational server. We will demonstrate that this architecture is secure, scalable, and robust, by improving the existing authorization mechanism in grid infrastructures.

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

Ma Tian-chi,Li Shan-ping

DOI: https://doi.org/10.1631/jzus.2005.a0405

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:New challenges are introduced when people try to build a general-purpose mobile agent middleware in Grid environment. In this paper, an instance-oriented security mechanism is proposed to deal with possible security threats in such mobile agent systems. The current security support in Grid Security Infrastructure (GSI) requires the users to delegate their privileges to certain hosts. This host-oriented solution is insecure and inflexible towards mobile agent applications because it cannot prevent delegation abuse and control well the diffusion of damage. Our proposed solution introduces security instance, which is an encapsulation of one set of authorizations and their validity specifications with respect to the agent’s specific code segments, or even the states and requests. Applications can establish and configure their security framework flexibly on the same platform, through defining instances and operations according to their own logic. Mechanisms are provided to allow users delegating their identity to these instances instead of certain hosts. By adopting this instance-oriented security mechanism, a Grid-based general-purpose MA middleware, Everest, is developed to enhance Globus Toolkit’s security support for mobile agent applications.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

YAO Hong-yan,LI Ming-chu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.30.003

2007-01-01

Abstract:The paper explores deeply on authorization in grid with respect to some key concept,including authorization parameters,authorization sequence and authorization model,then proposes in theory a framework for distributed authorization.Framework divides authorization into five parts.They are called in turn the trust management,policy management,privilege management,authorization mechanism & protocol management and authorization request management.Each part's function is also prescribed.Not only this framework makes technology development for each part is more specific,but also clarifies the way of establishing concrete authorization mechanism.

Huaji Shi,Xibin Zhao

DOI: https://doi.org/10.1109/SOSE.2006.17

2006-01-01

Abstract:This paper analyzes the requirement of authorization service for grid computing systems and proposes the use of threshold closure as a basic mechanism for implementing authorization service in grid computing systems. While pointing out the desirable features of threshold closure for complex authorization policies, the paper also discusses the practical limitations of threshold closure in such an environment, and then puts forward a new authorization service for virtual organization. In addition, an access control protocol which is based on PKI is designed in the paper. By segregating the policy and mechanism aspects of threshold closure, the new service can use existing security infrastructure in grid computing system while keep the ability to express complex authorization policy effectively

Weizhong Qiang,Aleksandr Konstantinov,Hai Jin

DOI: https://doi.org/10.1109/GCC.2010.39

2010-01-01

Abstract:Grid has been proved to be a promising technology for integrating heterogeneous resources. However, with the emerging of various Grid middle wares, the heterogeneous problem also occurs for Grid middleware themselves, as well as for the Grid services developed on those middle wares, which is an obstacle for the interoperation. SOA(Service Oriented Architecture) has been introduced into the development of Grid middewares and services to solve this problem. One of the challenging tasks in the development, integration and deployment of Grid middle wares is to provide security framework. In this paper, the key issue of Grid security framework, i.e., authorization, is focused, and an attribute-based authorization framework is presented. Due to the adoption of SAML, XACML and the generic Web Service specifications, the proposed framework can achieve interoperability to other standard-based attribute authority services, as well as other standard-based policy evaluation services.

Cq Huang,Zt Zhu,Xq Wang,D Chen

DOI: https://doi.org/10.1007/11568421_6

2004-01-01

Abstract:In this paper, we propose Subtask-based Authorization Service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and Community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus's gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Mingchu Li,Yongrui Cui,Yizhi Ren,Yuan Tian

DOI: https://doi.org/10.1109/ICNSC.2008.4525388

2008-01-01

Abstract:The paper presents an intelligent multi-agent security framework for grid computing. The framework is intended to deal with the increasing heavy security burden of the grid computing along with its growing adoption in industrial and commercial applications. The paper defines a multi-agent architecture which combines the intelligent, cooperative an autonomous capabilities of agents as well as the foundational security mechanism of the Grid Security Infrastructure (GSI). The architecture consists of a security enforcement agent and some security function agents, such as user interface agent, authentication agent, authorization agent and audit agent. Our system is embedded into Globus system, and the implementation of our framework shows that the framework can lighten the security burden of users and administrators effectively.

Weizhong Qiang,Aleksandr Konstantinov,Mattias Ellert,Hai Jin

DOI: https://doi.org/10.1007/978-3-642-13067-0_34

2010-01-01

Abstract:Grid middleware provides a way to integrate computational and storage resouces for supporting large-scale applications that span across multiple domains Implicitly, Grid middlware eliminates the interoperability obstacle between different resources However, with the emerging of a bunch of Grid middlewares, to provide interoperability between Grid middlewares themselves is an important challenge in production Grid infrasturtures Web Service technologies (specifically, Simple Object Access Protocol) have been adopted in most of the Grid middlewares as the XML messaging protocol for the interoperability in the application layer For other layers, standard protocols are also adopted for interoperability, e.g., HTTP is utilized as service transport protocol On the other hand, security is a key issue that needs to be taken into account on each layer, for instance, WS-Security (Web Service Security) is considered as an augment on SOAP protocol for applying security to Web Services; GSI (Globus Security Infrastructure) is considered as an protocol for applying security to transport layer We present the design consideration and implementation about how to provide flexible support for security protocols in the Advanced Resource Connector(ARC) Grid middleware, and this way clients or/and services developed in ARC middleware can easily interoperate with service/client developed in other middlewares, such as gLite and Globus Toolkit Also, a flexible authorization framework is presented that can secure the Grid services with configurable authorization modules, as well as a variety of authorization policies.

Jesus Luna,Manel Medina,Oscar Manso

DOI: https://doi.org/10.1007/11533733_3

2005-01-01

Abstract:The OGSA definition of a Grid Service as a transient, stateful and dynamically instantiated Web Service introduced new authentication and authorization requirements beyond those already established for existing Grid environments. However such design features have begun to be developed currently following a pre-Web Services approach in two aspects: in the first place making a clear separation of authentication from authorization issues, and in the second place not designing them over the OGSI/WSRF defined mechanisms and specifications. In this paper we are proposing a new Security Framework that unifies identified common points of both features, Authentication and Authorization, into a mechanism called validation policy which is expected to improve service performance and security. Our framework seeks to implement these aspects over the Grid Service’s Operations and Service Data concepts to fully exploit its functionalities. The paper also presents the integration of an enhanced OCSP Service Provider into the Globus Toolkit 3.9.4 as a first proof of concept.

ZHANG Run-lian,WU Xiao-nian

DOI: https://doi.org/10.3969/j.issn.1673-808x.2007.03.009

2007-01-01

Abstract:Generalized Framework for Access Control(GFAC) explicitly recognizes two parts of access control-adjudication and enforcement.Enforcement is independent of a special security policy.GFAC thus does not need to change its own enforcement when GFAC faces multiple different security policies.This paper proposes a generalized framework for access control in grid(GGFAC) by expanding GFAC,aiming at multiple different security policies in grid.Based on GFAC,GGFAC sets the metadata to abstract and describe what security policies systems are.When grid users want to access resources resided in different secure domains with different security policies,GGFAC can adjudicate easily and call its enforcement according to the metadata.Testing result shows that GGFAC can support multiple security policies in grid and improve system performance.

Laura Pearlman,Von Welch,Ian Foster,Carl Kesselman,Steven Tuecke

DOI: https://doi.org/10.48550/arXiv.cs/0306053

2003-06-12

Distributed, Parallel, and Cluster Computing

Abstract:In "Grids" and "collaboratories," we find distributed communities of resource providers and resource consumers, within which often complex and dynamic policies govern who can use which resources for which purpose. We propose a new approach to the representation, maintenance, and enforcement of such policies that provides a scalable mechanism for specifying and enforcing these policies. Our approach allows resource providers to delegate some of the authority for maintaining fine-grained access control policies to communities, while still maintaining ultimate control over their resources. We also describe a prototype implementation of this approach and an application in a data management context.