Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

XL Li,ZW Xu,XW Liu,N Yang

DOI: https://doi.org/10.1109/wi.2003.1241240

2003-01-01

Abstract:It is a challenge to integrate and share resources securely across multiple autonomous administrative domains environment. We introduce the community-based model of vega enterprise information grid and its operation mechanism. The individuals and/or institutes forming different communities can not only implement diverse policies and autonomous management of resource sharing without any impact on the other communities, but also achieve a globally shared goal. Based on the model, the access control technique, including framework and uniform formalizing, is presented in detail. The static or dynamic role binding is used for entitling user's request for accessing resources within or across communities, which ensures a globally unified view for user. A prototype describes how these techniques are useful in building an enterprise information grid. The evaluation and future continuing works are presented in the conclusion.

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1109/icsmc.2004.1401072

2004-01-01

Abstract:The idea of role has been widely applied to solving the authority, responsibility, function and interaction, which are associated with member station in organizations. Access control is a key security issue in distributed collaboration systems. After analyzing corresponding security requirements and the present status of security in distributed collaboration system, this paper presents an extensive role-based access control (ERBAC) architecture based on differentiated domain management. In this architecture, security management is classified into inter-domain one and infra-domain one, whilst, it can integrate new security policies. Based on definition of role permission type, the paper introduces a function of permission type change to make ERBAC architecture flexible. In addition, the authors discuss the methods by which the security can be implemented in an agent-based framework. The practices signify that this system can be flexibly applied various existing policy languages and protocols.

Ma Tian-chi,Li Shan-ping

DOI: https://doi.org/10.1631/jzus.2005.a0405

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:New challenges are introduced when people try to build a general-purpose mobile agent middleware in Grid environment. In this paper, an instance-oriented security mechanism is proposed to deal with possible security threats in such mobile agent systems. The current security support in Grid Security Infrastructure (GSI) requires the users to delegate their privileges to certain hosts. This host-oriented solution is insecure and inflexible towards mobile agent applications because it cannot prevent delegation abuse and control well the diffusion of damage. Our proposed solution introduces security instance, which is an encapsulation of one set of authorizations and their validity specifications with respect to the agent’s specific code segments, or even the states and requests. Applications can establish and configure their security framework flexibly on the same platform, through defining instances and operations according to their own logic. Mechanisms are provided to allow users delegating their identity to these instances instead of certain hosts. By adopting this instance-oriented security mechanism, a Grid-based general-purpose MA middleware, Everest, is developed to enhance Globus Toolkit’s security support for mobile agent applications.

Laura Pearlman,Von Welch,Ian Foster,Carl Kesselman,Steven Tuecke

DOI: https://doi.org/10.48550/arXiv.cs/0306053

2003-06-12

Distributed, Parallel, and Cluster Computing

Abstract:In "Grids" and "collaboratories," we find distributed communities of resource providers and resource consumers, within which often complex and dynamic policies govern who can use which resources for which purpose. We propose a new approach to the representation, maintenance, and enforcement of such policies that provides a scalable mechanism for specifying and enforcing these policies. Our approach allows resource providers to delegate some of the authority for maintaining fine-grained access control policies to communities, while still maintaining ultimate control over their resources. We also describe a prototype implementation of this approach and an application in a data management context.

Hung-Min Sun,King-Hang Wang,Pa Saffiong Kebbeh

DOI: https://doi.org/10.1109/tencon.2007.4429022

2007-01-01

Abstract:This paper proposes a system to provide security for the grid infrastructure where authorization and authentication will be made scalable by setting up an authorization framework at the resource provider's end. Our proposed architecture intends to relieve the grid middleware from taking the responsibility of the authorization mechanism, as well as improves the resource provider's trust in the event of a request from the data portal, since the authorization policy will be pulled from its own organizational server. We will demonstrate that this architecture is secure, scalable, and robust, by improving the existing authorization mechanism in grid infrastructures.

K. Keahey,V. Welch

DOI: https://doi.org/10.48550/arXiv.cs/0301031

2003-01-28

Cryptography and Security

Abstract:In this document we describe our work-in-progress for enabling fine-grain authorization of resource management. In particular, we address the needs of Virtual Organizations (VOs) to enforce their own policies in addition to those of the resource owners.

W Liu,Jp Wu,Hx Duan,X Li,P Ren

DOI: https://doi.org/10.1007/978-3-540-30208-7_47

2004-01-01

Abstract:This paper presents an authorization solution for resource management and control developed as part of the China Education and Research Network (CERNET) to perform fine-grained authorization of job and resource management requests in a Grid environment which meets the Fusion-Grid's security needs in large scale networks such as CERNET. It integrates the GT2 job manager and X.509 authorization and this model can be extended to other authorization decision functions. It allows the system to evaluate a user's resource specification language request against authorization policies on resource usage. Furthermore, based on XML integrated authorization policies, it allows other virtual organization members to manage the user's resources.

Huaji Shi,Xibin Zhao

DOI: https://doi.org/10.1109/SOSE.2006.17

2006-01-01

Abstract:This paper analyzes the requirement of authorization service for grid computing systems and proposes the use of threshold closure as a basic mechanism for implementing authorization service in grid computing systems. While pointing out the desirable features of threshold closure for complex authorization policies, the paper also discusses the practical limitations of threshold closure in such an environment, and then puts forward a new authorization service for virtual organization. In addition, an access control protocol which is based on PKI is designed in the paper. By segregating the policy and mechanism aspects of threshold closure, the new service can use existing security infrastructure in grid computing system while keep the ability to express complex authorization policy effectively

R Wong,HJ Chen,ZH Wu

DOI: https://doi.org/10.1109/nwesp.2005.16

2005-01-01

Abstract:In a database grid environment, which is composed of highly diverse, widely distributed and autonomously managed database resources, how to control access right to these resources is a meaningful problem to discuss, because it's not only depends on policies in virtual organization, but also depends on policies at database end, we cannot ignore requirements of any of them. Besides this, database is a special resource. Its authorization permission is structured, first it has levels such as DB, table, and column level, and each level has several kind of privileges like delete, update and so on, so it's a great burden to map grid users to permissions directly. Secondly, databases already have sophisticated technologies and products in authorization; we need integrate them to our system. To address these issues, we design and implement an authorization system for database grid. It supports building agreements between virtual organization administrator and database administrator to authorize users collaboratively. It based on XML-formed config file now and can be extended to files in other policy language like Rei or Ponder. As one part of DartGrid project, which has been used to build a database grid for traditional Chinese medicine in China, it satisfies realistic requirements in authorization and is working now.

Menglong Yan,Yong Gao,Lun Wu,Pengfei Wu,Yong Zhao,Yixian Sun

DOI: https://doi.org/10.1109/geoinformatics.2009.5293537

2009-01-01

Abstract:A spatial data access control model in grid environment was proposed base on Globus Security Infrastructure (GSI). Firstly, A spatial datasets sharing framework was built up by Monitor and Discover Service (MDS), and then a common control model was proposed to realize spatial data access control. In this model, every user was mapped to a given role, and every role had a unique digital certificate to distinguish its identification, then every role had the given permission to access the resources. Moreover, a further designed model was proposed to control the role's accessibility of rectangle in given spatial datasets. Two scenarios were put forward to control spatial data access between different organizations. The first was that all of the organizations shared the same roles, and then the organization realized self-control by enduing different roles with different rights. While the second was that every organization had its own users, roles and resource controls, and then the self-control was enhanced. The model was implemented by Globus Toolkits (GT), and experiment results illustrated that the proposed model could control the spatial data access effectively in a grid environment.

W Xue,JP Huai,YH Liu

DOI: https://doi.org/10.1109/e-science.2005.11

2007-01-01

Abstract:Service grid is a widely distributed environment, where service deployers and containers may be located in different autonomous domains. In such cases, different from traditional scenarios such as J2EE applications, the access control policy should not be determined by a deployer or a container only. Existing grid application deployment solutions do not address this unique requirement. In this paper, we propose a general approach, namely CROWN.ST, an access control policy negotiation solution for remote hot-deployment of grid services in CROWN (China R&D Environment Over Wide-area Network). Based on an access control policy language derived from non-recursive stratified Datalog with constraints, we design the negotiation procedure and three types of meta-policies. We implement a CROWN.ST prototype and evaluate our design by comprehensive experiments.

Morris Riedel,Wolfgang Frings,Sonja Habbinga,Thomas Eickermann,Daniel Mallmann,Achim Streit,Felix Wolf,Thomas Lippert,Andreas Ernst,Rainer Spurzem

DOI: https://doi.org/10.1109/grid.2008.4662788

2008-01-01

Abstract:Especially within grid infrastructures driven by high-performance computing (HPC), collaborative online visualization and steering (COVS) has become an important technique to dynamically steer the parameters of a parallel simulation or to just share the outcome of simulations via visualizations with geographically dispersed collaborators. In earlier work, we have presented a COVS framework reference implementation based on the UNICORE grid middleware used within DEISA. This paper lists current limitations of the COVS framework design and implementation related to missing fine-grained authorization capabilities that are required during collaborative COVS sessions. Such capabilities use end-user information about roles, project membership, or participation in a dedicated virtual organization (VO). We outline solutions and present a design and implementation of our architecture extension that uses attribute authorities such as the recently developed virtual organization membership service (VOMS) based on the security assertion markup language (SAML).

ZHAO Xi-Bin,GUO Zhi,YONG Jian-Ping,GU Ming

2005-01-01

Computer Science

Abstract:It is a challenging work to implement authorization service for Virtual Organization in Grid Computing Sys- tem because of the dynamic and distributed nature of Virtual Organication. After analyzing the requirement of autho- rization service and the existing mechanisms for implementing authorization services in Grid Computing Systems, the paper proposes an efficient multi-level architecture named MLA for implementing authorization in Grid Computing Systems. With the use of threshold closure mechanism, the proposed architecture has the scalability and the strong power to express authorization policy, hence can provide flexible and efficient approach to implement authorization service in GCS.