Zhang Runlian,Wu Xiaonian,Dong Xiaoshe,Guan Shangyuan

DOI: https://doi.org/10.1109/HPCC.2008.108

2008-01-01

Abstract:With the dynamic change of users and resources in different secure domains of Grid, the overall consistency of privileges defined would be broken. This would compromise Grid system and waste system overhead on dealing with the increasing grid jobs with invalid privileges. To address the problem, this paper proposes an authorization mechanism based on privilege negotiation policy. This mechanism can detect timely the change of privileges, negotiate automatically and resume quickly the overall consistency of privileges between different secure domains. The test result of the mechanism implementation shows that it shortens greatly the period of resuming the overall consistency of privileges between different secure domains when the consistency was broken. This reduces the number of grid jobs with invalid privileges. Thereby, it avoids wasting more system overhead of dealing with the increasing grid jobs with invalid privileges and improves system performance.

Zhang RunLian,Dong XiaoShe,Wu XiaoNian

DOI: https://doi.org/10.1109/gcc.2006.5

2006-01-01

Abstract:The same grid user may have another identity in different domains, and same to grid resource which have been restored and maintained in different domains. It is a challenging task for executing grid jobs successfully to make the same user have the consistent privileges in grid. However, distributed characteristic of grid makes it difficult to define and maintain global privileges consistency. And dynamic characteristic of grid seriously threatens global privileges consistency defined in grid access control. This paper proposes a dynamic access control model embodying access policies and its dynamic negotiating. The model supports to define global privileges consistency and automatically resume consistency when conflict has occurred. We also describe a prototype implementation of this model and its performance.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Min HU,Yan-jun LI,Tie-jun WU

DOI: https://doi.org/10.3785/j.issn.1008-973X.2007.07.004

2007-01-01

Abstract:An intelligent resource scheduling strategy for grid systems was proposed based on the theory of multi-agent. Grid nodes independently chose subtasks in grid systems. Due to the autonomous characteristics of grid nodes, different support degrees were assigned to each grid node for different tasks. The fuzzy cognitive map was employed to construct a support degree negotiation model. Considering that each grid node possesses different types of resources, definition of the standard support degree was presented to ensure feasibility and validity of the support degree negotiation model. Without the upper level resource scheduling unit, task teams were constituted by multiple grid nodes through competition and negotiation to maximize interests of each grid node. The proposed scheduling method is applicable for distributed computation, which makes the grid computation system possess better real-time performance and robustness.

Yan He,Miaoliang Zhu

DOI: https://doi.org/10.4108/infoscale.2007.888

2007-01-01

Abstract:Traditional security model, where the identity of all possible requesting subjects must be pre-registered in advance, is not suitable for the distributed applications with strong real-time requirements, especially recently popular P2P networks and Grid computing. A promising approach is represented by automated trust negotiation, which establishes trust between strangers through the exchange of digital credentials and the use of access control policies. An automated trust negotiation strategy needs to be adopted to establish trust between two parties based on their disclosure policies. Previously proposed negotiation strategies may fail when in fact success is possible, disclose irrelevant credentials, or have high communication or computational complexity. In this paper, we model the policies participating trust negotiation as Negotiation Petri Net and propose a trust negotiation Strategy based on Negotiation Petri Net (SNPN) by combining the characteristics of Negotiation Petri Net architecture with the behaviors of auto trust negotiation. We prove that SNPN is efficient with O(n) communication complexity and O(nm) computational complexity including Negotiation Petri Net building process and the negotiation process in the worst case, where n is the number of credentials and m is the size of the credential disclosure policies. Meanwhile SNPN is complete and makes sure that no irrelevant credentials will be disclosed during negotiations.

Ying-Ying Chen,Tie-Jun Wu

DOI: https://doi.org/10.1002/cpe.1672

2010-01-01

Concurrency and Computation Practice and Experience

Abstract:The optimal load redistribution problem is solved in this paper for heterogeneous non‐dedicated service grids in a decentralized way. A coordination policy is proposed to make networked servers reach their optimal generic task acceptance rates in order to minimize the average service time of all the generic tasks in a grid. Autonomous servers networked in the grid only need to coordinate with their neighbors iteratively, and their optimal generic acceptance rates are reached by task migration among them. The design scheme of the policy is introduced, and the convergence properties and the implementation aspects of the coordination system are discussed in detail in this paper. A set of computer simulations have been conducted, validating the effectiveness of the proposed approach. Copyright © 2010 John Wiley & Sons, Ltd.

W Xue,JP Huai,YH Liu

DOI: https://doi.org/10.1109/e-science.2005.11

2007-01-01

Abstract:Service grid is a widely distributed environment, where service deployers and containers may be located in different autonomous domains. In such cases, different from traditional scenarios such as J2EE applications, the access control policy should not be determined by a deployer or a container only. Existing grid application deployment solutions do not address this unique requirement. In this paper, we propose a general approach, namely CROWN.ST, an access control policy negotiation solution for remote hot-deployment of grid services in CROWN (China R&D Environment Over Wide-area Network). Based on an access control policy language derived from non-recursive stratified Datalog with constraints, we design the negotiation procedure and three types of meta-policies. We implement a CROWN.ST prototype and evaluate our design by comprehensive experiments.

Zhang Runlian,Wu Xiaonian,Xiaoshe Dong

DOI: https://doi.org/10.1109/GCC.2008.67

2008-01-01

Abstract:It is an important direction of the development of Parallel Computer Architecture to implement Single System Image (SSI) on clusters, since SSI supports easier programming and administration on clusters. Currently, most SSI studies focused on the middleware ...

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Yan He,Miaoliang Zhu,Chunying Zheng

DOI: https://doi.org/10.1109/CSSE.2008.867

2008-01-01

Abstract:Traditional security model, where the identity of all possible requesting subjects must be pre-registered in advance, is not suitable for the distributed applications with strong real-time requirements. A promising approach is represented by automated trust negotiation, which establishes trust between strangers through the exchange of digital credentials and the use of access control policies. As the credentials contain sensitive information, entities disclose credentials circumspectly. Given multiple credential exchange sequences achieving the same result, it is desirable to pick the sequence that discloses a set of minimum sensitive credentials. In this paper, we model the policies participating trust negotiation as a Negotiation Petri Net and propose a trust negotiation MSC strategy, which works by the characteristics of Negotiation Petri Net architecture, the behaviors of auto trust negotiation and the greedy algorithm. We prove that the MSC strategy is complete, efficient and mini-sensitivity cost. It also makes sure that no irrelevant credentials will be disclosed during negotiations.

XL Li,ZW Xu,XW Liu,N Yang

DOI: https://doi.org/10.1109/wi.2003.1241240

2003-01-01

Abstract:It is a challenge to integrate and share resources securely across multiple autonomous administrative domains environment. We introduce the community-based model of vega enterprise information grid and its operation mechanism. The individuals and/or institutes forming different communities can not only implement diverse policies and autonomous management of resource sharing without any impact on the other communities, but also achieve a globally shared goal. Based on the model, the access control technique, including framework and uniform formalizing, is presented in detail. The static or dynamic role binding is used for entitling user's request for accessing resources within or across communities, which ensures a globally unified view for user. A prototype describes how these techniques are useful in building an enterprise information grid. The evaluation and future continuing works are presented in the conclusion.

Bei-shui Liao,Ji Gao

DOI: https://doi.org/10.1007/11590354_23

2005-01-01

Abstract:Currently, the management of grid services is becoming increasingly complex. To resolve this complexity problem, autonomic computing and policy-based multi-agent technology have been proposed as promising methods. However, there are many challenges to be resolved. Among them, policy refinement is a great problem that hampers the development of policy-based system. To cope with this issue, this paper presents a policy refinement mechanism based on recipes. Recipes define possible refinement alternatives for each abstract policy. And the policy refinement engine automatically refines the policies by choosing the refinement branch in terms of the conditions of each branch.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

LIU Duan-yang,CAO Yan-long

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.09.010

2010-01-01

Abstract:The penalty policies on incentives were researched to restrict malicious and dishonest participants in computational grids,ensure incentives' effectiveness,and satisfy various penalty needs of grids.Based on analysis of the old simple method,this work introduced power functions and proposed a new flexible penalty model,which could flexibly modulate a parameter,and agree with different penalty needs and dynamic computing environment.Furthermore,this model was introduced into the mechanism design theory,and a penalty principal was defined according to the volunteer participation condition,based on which a specific grid scheduling problem was resolved.Simulation experiments demonstrated the flexibility of power functions in different penalty cases,and proved the model's correctness and effectiveness.

Shaohua Tang,Xue Ke,Lina Ge

DOI: https://doi.org/10.1109/isdpe.2007.85

2007-01-01

Abstract:In current Grid systems there is a tradeoff between flexibility and security in the context of delegation. Based on the traditional Role-Based-Access-Control module, in order to fulfill the "least privilege" principle, a new delegation model is proposed. This model introduces a task-policy based method to restrict the max privileges a task can delegate; combines static and dynamic delegation method to avoid task being interrupted by lack of privileges during execution; makes use of the credit card mechanism to ensure convenience and reduce risks.

Bei Shui Liao,Ji Gao,Jun Hu,Jiu Jun Chen

DOI: https://doi.org/10.1109/ICSMC.2004.1401073

2004-01-01

Abstract:The emergence and the development of OGSA-compliant Grid provide powerful means for the integration and interaction of applications (Grid services) within a virtual organization (VO). However, it is still a challenge to control the composition, transaction, and coordination, of Grid services, according to the dynamic business requirements of a VO. Based on the policy-based management and autonomous intelligent agents, this paper proposes a framework for OGSA-compliant Grid control. In this system, individual agent (Task Agent) is in charge of composing Grid services and taking part in the social interactions within a VO. Several Task Agents and a management agent (AM) form a VO. The business requirements or user's preferences are represented as policies, which are used to control the behaviors of agents.

Shaohua Tang,Sunan Shen

2009-01-01

Abstract:Due to computing grid's large scale, distributed and dynamic nature, the security issues around grid applications are more pervasive than computer network in general and thus call for more complicated solutions. In order to solve key problems such as security mechanism integration in heterogeneous grid, identity authentication and trust delegation, a cross-domain authentication and authorization model based on role translation and delegation is proposed. This model allows the establishment of trust among heterogeneous domains via certain protocols so that resource sharing across grid domains becomes possible. After a user logins to a local grid domain, its role in the local domain is mapped to a role in resource domain by using RBAC based role translation. This removes the need for cross-domain user logins while they are accessing resources across different domains, which results in much higher efficiency. The use of Security Assertion Markup Language (SAML) based delegation for transferring user privileges enables submitting operation by delegation assertion and the cross-domain federation is done automatically. This can greatly reduce users' manual involvement.

Sunan Shen,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.185

2008-01-01

Abstract:As grid’s dynamic, distributed and open nature, the issue of mutual trust among grid entities is challenging, not only because of the entities in different domains, but also because the fact that those domains may deploy different security mechanisms. A federal authentication and authorization scheme based upon trust management and delegation is proposed. Different security domains can join in the federation through the interface that our approach provides. The establishment of trust relationship among domains is based on trust negotiation and PKI cross-certification. We make authorization relay on dynamic role translation and on delegation. The Security Assertion Markup Language (SAML) is adopted by exploiting its AttributeStatement to create Delegation Assertion for grid.

R Wong,HJ Chen,ZH Wu

DOI: https://doi.org/10.1109/nwesp.2005.16

2005-01-01

Abstract:In a database grid environment, which is composed of highly diverse, widely distributed and autonomously managed database resources, how to control access right to these resources is a meaningful problem to discuss, because it's not only depends on policies in virtual organization, but also depends on policies at database end, we cannot ignore requirements of any of them. Besides this, database is a special resource. Its authorization permission is structured, first it has levels such as DB, table, and column level, and each level has several kind of privileges like delete, update and so on, so it's a great burden to map grid users to permissions directly. Secondly, databases already have sophisticated technologies and products in authorization; we need integrate them to our system. To address these issues, we design and implement an authorization system for database grid. It supports building agreements between virtual organization administrator and database administrator to authorize users collaboratively. It based on XML-formed config file now and can be extended to files in other policy language like Rei or Ponder. As one part of DartGrid project, which has been used to build a database grid for traditional Chinese medicine in China, it satisfies realistic requirements in authorization and is working now.