Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

CQ Huang,DR Chen,HL Hu

DOI: https://doi.org/10.1109/cmpsac.2004.1342652

2004-01-01

Abstract:Grid computing is becoming a new computing infrastructure for large-scale scientific computation and cooperative work. The Globus toolkit is the most popular grid environment and de facto grid standard, and it has adopted OGSA architecture to provide applications with grid service level. This study focuses on the requirement for scientists in engineering computation field and narrows the gap between grid service and the engineering community. The engineering computation architecture supplies the users with a visual application development and deployment environment for engineering computation. The whole is characterized by grid service. At the same time, QoS driven user-centric scheduling, community-based efficient authorization and flexible task management are designed and implemented.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Laura Pearlman,Von Welch,Ian Foster,Carl Kesselman,Steven Tuecke

DOI: https://doi.org/10.48550/arXiv.cs/0306053

2003-06-12

Distributed, Parallel, and Cluster Computing

Abstract:In "Grids" and "collaboratories," we find distributed communities of resource providers and resource consumers, within which often complex and dynamic policies govern who can use which resources for which purpose. We propose a new approach to the representation, maintenance, and enforcement of such policies that provides a scalable mechanism for specifying and enforcing these policies. Our approach allows resource providers to delegate some of the authority for maintaining fine-grained access control policies to communities, while still maintaining ultimate control over their resources. We also describe a prototype implementation of this approach and an application in a data management context.

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

Bo Lang,Foster, I.,Siebenlist, F.,Ananthakrishnan, R.,T. Freeman

DOI: https://doi.org/10.1109/NCA.2006.4

2006-01-01

Abstract:A grid system is a virtual organization that is composed of several autonomous domains. Authorization in such a system needs to be flexible and scalable to support multiple security policies. Basing on the Web services security specifications such as XACML, SAML, and the special security needs of the grid computing, we have constructed an authorization framework in the Globus Toolkit 4 that can support multiple policies. This paper describes the concepts of our design and introduces the structure and the components of the authorization framework. To show the flexibility and scalability of the framework, we introduce a new blacklist/whitelist-based authorization mechanism that can be seamlessly integrated into the framework

Zhang Runlian,Wu Xiaonian,Dong Xiaoshe,Guan Shangyuan

DOI: https://doi.org/10.1109/HPCC.2008.108

2008-01-01

Abstract:With the dynamic change of users and resources in different secure domains of Grid, the overall consistency of privileges defined would be broken. This would compromise Grid system and waste system overhead on dealing with the increasing grid jobs with invalid privileges. To address the problem, this paper proposes an authorization mechanism based on privilege negotiation policy. This mechanism can detect timely the change of privileges, negotiate automatically and resume quickly the overall consistency of privileges between different secure domains. The test result of the mechanism implementation shows that it shortens greatly the period of resuming the overall consistency of privileges between different secure domains when the consistency was broken. This reduces the number of grid jobs with invalid privileges. Thereby, it avoids wasting more system overhead of dealing with the increasing grid jobs with invalid privileges and improves system performance.

R Wong,HJ Chen,ZH Wu

DOI: https://doi.org/10.1109/nwesp.2005.16

2005-01-01

Abstract:In a database grid environment, which is composed of highly diverse, widely distributed and autonomously managed database resources, how to control access right to these resources is a meaningful problem to discuss, because it's not only depends on policies in virtual organization, but also depends on policies at database end, we cannot ignore requirements of any of them. Besides this, database is a special resource. Its authorization permission is structured, first it has levels such as DB, table, and column level, and each level has several kind of privileges like delete, update and so on, so it's a great burden to map grid users to permissions directly. Secondly, databases already have sophisticated technologies and products in authorization; we need integrate them to our system. To address these issues, we design and implement an authorization system for database grid. It supports building agreements between virtual organization administrator and database administrator to authorize users collaboratively. It based on XML-formed config file now and can be extended to files in other policy language like Rei or Ponder. As one part of DartGrid project, which has been used to build a database grid for traditional Chinese medicine in China, it satisfies realistic requirements in authorization and is working now.

Bo Lang,Ian Foster,Frank Siebenlist,Rachana Ananthakrishnan,Tim Freeman

DOI: https://doi.org/10.1007/s10723-008-9112-1

2008-01-01

Journal of Grid Computing

Abstract:Grid systems have huge and changeable user groups, and different autonomous domains always have different security policies. The attribute based access control (ABAC) model, which is flexible and scalable, is more suitable for Grid systems. This paper describes a method of building a flexible access control mechanism that is based on ABAC and supports multiple policies for Grid computing. Firstly an attribute based multipolicy access control model ABMAC is submitted. Compared with ABAC, ABMAC can describe multiple heterogeneous policies, and each policy is encapsulated without changing its descriptions. Then by extending the authorization architecture of XACML, the paper puts forward an authorization framework that supports ABMAC and is implemented in the Globus Toolkit release 4 (GT4) (Few parts of the authorization framework described in this paper can only be found in Globus Toolkit CVS repository. A more completed authorization framework will be appeared in the Globus Toolkit release 4.2). Basing on the concept of policy encapsulation, the framework provides a flexible and scalable authorization mechanism that can support multiple existing policies in a Grid system. The design and implementation details of GT4 authorization framework are also well discussed.

Qian WAGN,Guang-Chao YANG

DOI: https://doi.org/10.3969/j.issn.1002-137X.2006.12.019

2006-01-01

Computer Science

Abstract:Resource on authorization problem in grid environment is a hot topic in grid security. The Community Authorization Service, CAS, is an authorization mechanism of Grid Security Infrastructure, GSI. For resources in CAS authorization mechanism can only provide a course-grained authorization to CAS server, which is difficult to control authorization of client. A new authorization model which adopts SPKI certificate is proposed. Compared with CAS, this authorization model is more flexible, it improves scalability of the authorization system using delegation and can give fine-grained access control to client.

Gang Yin,Huai-min Wang,Tao Liu,Dian-xi Shi,Ming-feng Chen

DOI: https://doi.org/10.1007/11576259_53

2005-01-01

Abstract:In Grid environments, virtual organizations (VOs) often need to define access control policies to govern who can use which resources for which purpose over multiple policy domains. This is challenging, not only because the entities in VOs must collaborate with each other to share resources across administrative domains, but also because there usually exist a large amount of underlying sites (resource providers) and users in VOs. In this paper, we introduce to use trust management approach to address these problems in Grid environments. We propose a rule-based policy language (RPL) framework to describe the authorization and delegation policies related to VOs, sites and users. This paper also introduces the design of an enhanced community authorization service (ECAS) based on RPL framework, which can be seamlessly integrated with local authorization mechanisms. ECAS uses different kinds of delegation policies for flexible collaboration on authorization between entities in VOs. Compared with similar research works, ECAS enhances the flexibility and scalability of decentralized authorization in Grid environments.

Sunan Shen,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.185

2008-01-01

Abstract:As grid’s dynamic, distributed and open nature, the issue of mutual trust among grid entities is challenging, not only because of the entities in different domains, but also because the fact that those domains may deploy different security mechanisms. A federal authentication and authorization scheme based upon trust management and delegation is proposed. Different security domains can join in the federation through the interface that our approach provides. The establishment of trust relationship among domains is based on trust negotiation and PKI cross-certification. We make authorization relay on dynamic role translation and on delegation. The Security Assertion Markup Language (SAML) is adopted by exploiting its AttributeStatement to create Delegation Assertion for grid.

Weizhong Qiang,Hai Jin,Xuanhua Shi,Deqing Zou,Hao Zhang

DOI: https://doi.org/10.1007/978-3-540-24679-4_91

2005-01-01

International Journal of Grid and Utility Computing

Abstract:Grid computing is emerging as a new format of wide area distributed computing. Because the distribution of services and resources in wide-area networks are heterogeneous, dynamic, and multi-domain, security is a critical concern in grid computing. Authorisation and access control, which are important aspects of security, have obtained more and more attention. This paper proposes a universal, scalable authorisation and access control architecture, RB-GACA, for grid computing. It is based on classical access control mechanism in distributed applications, Role Based Access Control (RBAC). The paper provides a flexible policy management approach for various grid environments. We also use a standard policy language for the presentation of access control policies to provide a general and standard support for different services and resources.

JZ Luo,XP Wang,AB Song

DOI: https://doi.org/10.1109/cscwd.2005.194196

2005-01-01

Abstract:Grid computing is appropriate for supporting cooperative work Many designers and engineers from different companies or institutions can dynamically form a virtual organization for a given design task. In order to protect each company's sensitive data and services, access control is therefore necessary and important. In this paper, we present a new approach to authorize and administrate access requests, in which the requests are obliged to negotiate with a policy enforcement point in order to gain access to the target grid service. The new access control model will exploit semantic Web technology, and use machine reasoning about the messages and policies at a semantic level.

Hai Jin,Chuanjiang Yi,Song Wu,Li Qi,Deqing Zou

DOI: https://doi.org/10.1007/11576259_25

2005-01-01

Abstract:Users in grid computing environments typically interact with a lot of computing resource, storage resources and I/O devices. Different users are allowed to access different subsets of services, resources. These permissions should be executed correctly to guarantee the security of grid computing. In ChinaGrid Support Platform (CGSP), there are large numbers of users, services, and resources. To ensure the security of CGSP, we build a user management mechanism to identify every entity, assign different rights based on user role and the properties of services and resources to ensure containers, services and resources in CGSP being used in a right way, and return the results to the correct user. We also consider the access control of files. These are designed in a uniform authorization management mechanism in CGSP.