Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

XL Li,ZW Xu,XW Liu,N Yang

DOI: https://doi.org/10.1109/wi.2003.1241240

2003-01-01

Abstract:It is a challenge to integrate and share resources securely across multiple autonomous administrative domains environment. We introduce the community-based model of vega enterprise information grid and its operation mechanism. The individuals and/or institutes forming different communities can not only implement diverse policies and autonomous management of resource sharing without any impact on the other communities, but also achieve a globally shared goal. Based on the model, the access control technique, including framework and uniform formalizing, is presented in detail. The static or dynamic role binding is used for entitling user's request for accessing resources within or across communities, which ensures a globally unified view for user. A prototype describes how these techniques are useful in building an enterprise information grid. The evaluation and future continuing works are presented in the conclusion.

Yongwei Wu,Song Wu,Huashan Yu,Chunming Hu

DOI: https://doi.org/10.1007/11576259_26

2005-01-01

Abstract:ChinaGrid aims at building a public service system for Chinese education and research. ChinaGrid Support Platform (CGSP) is a grid middleware developed for the construction of the ChinaGrid. Function modules of CGSP for system running are Domain Manager, Information Center, Job Manager, Data Manager, Service Container and Security Manager. Developing tools for gird constructor and application developers consist of Service Packaging Tool, Job Defining Tool, Portal Constructor and Programming API. CGSP architecture is introduced first. Then, CGSP function modules and developing tools are described. At last, job executing flow in CGSP is also put forward in the paper.

Hai Jin,Wenjun Gong,Song Wu,Muzhou Xiong,Li Qi,Chengwei Wang

DOI: https://doi.org/10.1007/11573937_31

2005-01-01

Abstract:There are a great number of data intensive applications in ChinaGrid. They require an efficient and high performance data management. The data management in ChinaGrid Support Platform (CGSP) supplies a data access mechanism with location transparency, name transparency, and protocol transparency as while as ensuring the transfer efficiency. The data management system consists of five parts: the storage data server based on Global Distributed Storage System to guarantee the reliability and performance of data transfer; the storage resource agent to discover, publish and catalog the storage resources; the data logical domain management to enable applications to select specific storage resources; the metadata management to publish, query and access metadata; and the uniform data access entry to organize grid users’ data space. We present the design philosophy of the efficient data management system with high scalability for CGSP and also give preliminary performance results.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Deqing Zou,Hai Jin,Xueguang Chen,Zongfen Han

DOI: https://doi.org/10.1109/FGCN.2007.142

2007-01-01

Abstract:Grid computing emerges as an effective technology to couple geographically distributed resources and solve large-scale computational problems in wide area networks. There are several popular grid platforms, such as UNICORE and Globus Toolkit. Many famous grid projects are constructed with these platforms, each of which manages different distributed resources. In order to aggregate resources managed by different grid platforms, it is necessary to implement the interoperation among these grid platforms. Security interoperation is one of key issues for the interoperation. CGSP (ChinaGrid Support Platform) and VEGA are two popular grid platforms in China. To achieve security interoperation between these two platforms, four mapping policies, including user-user mapping, user-agora mapping, role-user mapping, role-agora mapping, are proposed in this paper. The security interoperation process is proposed based on SAML specification and the mapping policies. We also analyze the flexibility of mapping policies and the security of the interoperation process.

Yiduo Mei,Xiaoshe Dong,Weiguo Wu,Shangyuan Guan,Jing Xu

DOI: https://doi.org/10.1109/cis.workshops.2007.198

2007-01-01

Abstract:The dynamic and multi-institutional nature of the grid environments introduces challenging security issues that demand new technical approaches. But traditional access control models consider static authorization decisions based on subjects' pre-assigned permissions on target objects and focus on a closed system, therefore, they are not suitable for the dynamic grid environments. To address the above problems, we propose UCGS, a novel usage control approach for grid services. Our approach is inspired by the Usage Control Model (UCON). UCGS improves the security of the grid services by employing a continuous usage control of the grid services, monitoring the behavior of the subjects. It enables richer and finer-grained control over authorization and usage of grid services and resources than that of traditional access control models. "Blacklist", "unilateral contract" and "arbitrator" are introduced in UCGS to guarantee that a subject can not deny its obligations after service is complete, which contributes to maintain the normal order of the grid environments and the security and interests of the service providers.

Ruyue Ma,Xiangxu Meng,Shijun Liu,Yongwei Wu

DOI: https://doi.org/10.1109/GCC.2006.42

2006-01-01

Abstract:ChinaGrid Supporting Platform (CGSP) is a core Grid middleware developed for the construction of ChinaGrid. CGSP provides the infrastructure services and the sets of tools to facilitate the seamless use and management of distributed, heterogeneous resources. Execution management, an important function module in CGSP, enables applications to have coordinated access to underlying resources, regardless of their physical location or access mechanism. Execution management is concerned with the problems of instantiating and managing, to completion, units of work (jobs). In CGSP, we provide the execution managements of two categories of atomic job (legacy program job and hyper-service job) and two categories of composite job (workflow job and GridPPI job). In this paper, we will in detail describe the design architecture and key aspects of implementation of execution management in CGSP.

Song Wu,Hai Jin,Muzhou Xiong,Wei Wang

DOI: https://doi.org/10.1504/ijwgs.2007.015424

2007-01-01

International Journal of Web and Grid Services

Abstract:ChinaGrid is a nationwide grid project supported by the Chinese government that aims at integrating massive heterogeneous resources distributed on the China Education and Research Network (CERNET). The ChinaGrid Supporting Platform (CGSP) is a grid middleware developed for ChinaGrid. It provides a series of system-level services for ChinaGrid, helps to build application portals and integrate grid resources, and supports the secondary development of grid services. Data Management Services (DMS) is a group of system-level services in CGSP for managing storage and data resources, supporting transparent data access, and guaranteeing high-performance data transfer on the grid. It consists of metadata management service, storage resource management service, replication management service, storage agent and transfer client. It offers the fundamental support for data access on ChinaGrid. In this paper, we introduce the design principle and implementation of DMS and its transfer scheme.

Weizhong Qiang,Hai Jin,Xuanhua Shi,Deqing Zou

DOI: https://doi.org/10.3321/j.issn:1671-4512.2005.12.036

2005-01-01

Abstract:The existed grid security mechanism is able not to meet the dynamic, autonomous and scalable requirements of virtual organization. Thus, a model for grid decentralized authorization based on the decentralized trust management mechanism was proposed. The naming relationship and delegation relationship between grid entities were defined in this model. The definition of the naming relationship can express the local naming relationship on the basis of meeting the requirements of the global naming relationship definition. The delegation relationship can implement the autonomous and dynamic authorization delegation, and being characterized by good scalability. On the basis of the model, HowU grid authorization system was realized. The storage of the authorization relationship and its discovery mechanism in grid authorization system were explained.

Yongwei Wu,Song Wu,Huashan Yu,Chunming Hu

DOI: https://doi.org/10.1007/11573937_32

2005-01-01

Abstract:ChinaGrid Support Platform (CGSP) is proposed to provide grid toolkit for ChinaGrid application developers and specific grid constructors, in order to reduce their development cost as greatly as possible. CGSP extensible and reconfigurable framework, which satisfies the expansion and autonomy requirement of ChinaGrid, is mainly discussed in the paper. In the framework, domain is presented to denote one unit which could provide grid service for end users by itself. Layered structure of domains and corresponding interactive relationship are paid much more attention. CGSP design motivation and simple execution management mechanism are also described in this paper.

Weimin Zheng,Lisen Mu,Qing Wang,Yongwei Wu

DOI: https://doi.org/10.1007/11573937_34

2005-01-01

Abstract:Grid computing is becoming a mainstream technology for multi-institutional distributed resources sharing and system integration. Normally, the programmer’s productivity in designing and implementing efficient parallel applications over grid remains a very time-consuming task, especially for the non-compute users. At the same time, the development of grid programming environments, which would enable programmers to efficiently exploit grid technologies, becomes an important and hot research issue too. In this paper, grid developing environment (GDE) based on ChinaGrid Support Platform (CGSP) is discussed. GDE supplies the portal building, job defining, programming interface, and administration tools for CGSP. The GDE motivations, architecture and corresponding implementation over CGSP are presented respectively.

Haihui Zhang,Xingshe Zhou,Zhiyi Yang,Xiaojun Wu,Yin Luo

DOI: https://doi.org/10.1109/GCC.2006.51

2006-01-01

Abstract:Grid information service, a key component of grid, implements the management of grid system and its resources. This paper presents Grid Information Service Architecture (GISA2.0) that developed for ChinaGrid Support Platform (CGSP2.0). GISA2.0 is a service-oriented hierarchy management model, which supports unified management of all grid resources. It implements a hierarchical monitoring model, which collects information effectively with low system intrusion and discovery of state change in time. Domain autonomy and grid information security are emphasized, and secure global information sharing is achieved with a standard domain exchange mechanism

CQ Huang,DR Chen,HL Hu

DOI: https://doi.org/10.1109/cmpsac.2004.1342652

2004-01-01

Abstract:Grid computing is becoming a new computing infrastructure for large-scale scientific computation and cooperative work. The Globus toolkit is the most popular grid environment and de facto grid standard, and it has adopted OGSA architecture to provide applications with grid service level. This study focuses on the requirement for scientists in engineering computation field and narrows the gap between grid service and the engineering community. The engineering computation architecture supplies the users with a visual application development and deployment environment for engineering computation. The whole is characterized by grid service. At the same time, QoS driven user-centric scheduling, community-based efficient authorization and flexible task management are designed and implemented.

Hai Jin,Li Qi

DOI: https://doi.org/10.1109/ccgrid.2006.1630896

2006-01-01

Abstract:Grid computing is becoming more and more attractive for coordinating large-scale heterogeneous resource sharing and problem solving. From the viewpoint of decentralization and interoperability, we add agent layer based on ChinaGrid Support Platform (CGSP) system services. By describing these agent technologies in detail, we prove that agents can be implemented in WSRF specification as a web service resource. It works well to extend the autonomy and interoperability for CGSP system.

Song Wu,Wei Wang,Muzhou Xiong,Hai Jin

DOI: https://doi.org/10.1007/978-3-540-77018-3_42

2007-01-01

Abstract:Grid systems, as large-scale distributed computing environments, are widely used by data mining communities. This paper proposes a set of system-level Grid services to form an infrastructure supporting data-intensive applications and data mining. ChinaGrid, aiming at integrate heterogeneous massive resources distributed on China Education and Research Network (CERNET), is a national-wide Grid project supported by the Chinese government. ChinaGrid Supporting Platform (CGSP) is a Grid middleware developed for the ChinaGrid.It provides a series of system-level services of the ChinaGrid, helps to build application portals and integrate Grid resources, and supports the secondary development of Grid services. The Data Management Services (DMS) is a group of Grid services in CGSP to manage storage and data resources, support transparent data access, and guarantee high-performance data transfer on the Grid. It consists of metadata management service, storage resource management service, replication management service, storage agent and transfer client. It offers the fundamental support for data mining applications on ChinaGrid. In this paper, we introduce the design principle and implementation of DMS.

Shaohua Tang,Sunan Shen

2009-01-01

Abstract:Due to computing grid's large scale, distributed and dynamic nature, the security issues around grid applications are more pervasive than computer network in general and thus call for more complicated solutions. In order to solve key problems such as security mechanism integration in heterogeneous grid, identity authentication and trust delegation, a cross-domain authentication and authorization model based on role translation and delegation is proposed. This model allows the establishment of trust among heterogeneous domains via certain protocols so that resource sharing across grid domains becomes possible. After a user logins to a local grid domain, its role in the local domain is mapped to a role in resource domain by using RBAC based role translation. This removes the need for cross-domain user logins while they are accessing resources across different domains, which results in much higher efficiency. The use of Security Assertion Markup Language (SAML) based delegation for transferring user privileges enables submitting operation by delegation assertion and the cross-domain federation is done automatically. This can greatly reduce users' manual involvement.