Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

CQ Huang,DR Chen,HL Hu

DOI: https://doi.org/10.1109/cmpsac.2004.1342652

2004-01-01

Abstract:Grid computing is becoming a new computing infrastructure for large-scale scientific computation and cooperative work. The Globus toolkit is the most popular grid environment and de facto grid standard, and it has adopted OGSA architecture to provide applications with grid service level. This study focuses on the requirement for scientists in engineering computation field and narrows the gap between grid service and the engineering community. The engineering computation architecture supplies the users with a visual application development and deployment environment for engineering computation. The whole is characterized by grid service. At the same time, QoS driven user-centric scheduling, community-based efficient authorization and flexible task management are designed and implemented.

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

Wang Qianghua,Zhou Mingquan,Geng Guohua,Xu Ti

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.11.010

2006-01-01

Abstract:Grid is an open distributed system environment.The purpose of Grid is to provide for sharing the resources between virtual organizations with distributed,heterogeneous,dynamic characteristics.Security is one of the key factors in Grid environment.The Grid security include data integrity,data privacy,authentication,authorization and audit.In this paper,the security model and the authentication,authorization framework of open system environment are analyzed,the security protocols and infrastructures of the OGSA grid service are discussed.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

Z Lei,TY Zang,W Jie,WT Cai,LH Wang

DOI: https://doi.org/10.1142/9781860949524_0171

2003-01-01

Abstract:Grid is a promising computing platform that integrates resources from different organizations in a shared, coordinated and collaborative manner to solve large-scale science and engineering problems. Recently Grid technologies are evolving towards an Open Grid Services Architecture (OGSA). The OGSA provides a uniform service-oriented architecture and integrates Grid technologies with emerging Web services standards. We are constructing a Grid computing platform based on the OGSA. This platform provides Grid services such as directory service, scheduling services and execution management services to support the execution of various Grid applications. Each Grid service in this platform is viewed as a Web service, and all these services are seamlessly integrated together to form a Grid computing environment. This paper describes the basic requirements and initial design of the architecture of this Grid computing platform, including the essential components of the platform, the key Grid services provided, as well as how these components and services are integrated. The implementation issues of this OGSA-based Grid computing platform are also discussed.

都志辉,陈渝,刘鹏,王小鸽,杜江,周念生

DOI: https://doi.org/10.3969/j.issn.1002-137X.2003.07.008

2003-01-01

Abstract:OGSA(Open Grid Services Architecture) is called the next generation grid architecture. It evolves from theearly five levels hourglass model architecture. OGSA consists of two key technologies: grid technology and Web Ser-vice technology. OGSA gives emphasis to services and all things in OGSA are services. After explaining the basic ideaof OGSA,this paper introduces the composition of OGSA-based hosting environment and virtual organization. Todemonstrate the process of how an application is executed in an OGSA-based environment,the paper gives an exampleof data mining which illustrates the basic functions and working mechanism of OGSA. A brief comparison to relatedgrid architecture is also given in the paper. The paper concludes that OGSA is not mature and it needs improvementtogether with related technology and grid applications.

YAN Jian-wei,LIANG Li,LIU Yong

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.08.035

2005-01-01

Abstract:Introduces some prototypes of computational grid security. According to the domestic research actuality, this paper proposes a new grid security model with group authentication and collaboration. This model extends the current grid security model. The paper also discusses the security framework and collaboration mechanism in detail.

BS Liao,J Gao,J Hu,JJ Chen

2004-01-01

Abstract:OGSA-compliant Grid Computing has emerged as an important technology for large scale service sharing and integration. However, the management of massive, distributed, heterogeneous, and dynamic Grid services is becoming increasingly complex. This paper proposes a model of agent-enabling autonomic Grid service system to relieve the management burdens such as configuration, deployment, discovery, composition, and monitoring of Grid services. We adopt intelligent agents as autonomic elements to manage Grid services from two aspects: internal management and external transaction and cooperation. On the one hand, within an autonomic element (agent), goal-based planning and scheduling mechanism autonomously (re-) configures, and monitors the enforcement of, managed elements (Grid services or other agents). On the other hand, the automated discovery, negotiation, and contract-based service providing and monitoring among various agents treat with the relationships among autonomic elements.

Von Welch,Frank Siebenlist,Ian Foster,John Bresnahan,Karl Czajkowski,Jarek Gawor,Carl Kesselman,Sam Meder,Laura Pearlman,Steven Tuecke

DOI: https://doi.org/10.48550/arXiv.cs/0306129

2003-06-25

Abstract:Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. In particular, one must deal with diverse local mechanisms, support dynamic creation of services, and enable dynamic creation of trust domains. We describe how these issues are addressed in two generations of the Globus Toolkit. First, we review the Globus Toolkit version 2 (GT2) approach; then, we describe new approaches developed to support the Globus Toolkit version 3 (GT3) implementation of the Open Grid Services Architecture, an initiative that is recasting Grid concepts within a service oriented framework based on Web services. GT3's security implementation uses Web services security mechanisms for credential exchange and other purposes, and introduces a tight least-privilege model that avoids the need for any privileged network service.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Jesus Luna,Manel Medina,Oscar Manso

DOI: https://doi.org/10.1007/11533733_3

2005-01-01

Abstract:The OGSA definition of a Grid Service as a transient, stateful and dynamically instantiated Web Service introduced new authentication and authorization requirements beyond those already established for existing Grid environments. However such design features have begun to be developed currently following a pre-Web Services approach in two aspects: in the first place making a clear separation of authentication from authorization issues, and in the second place not designing them over the OGSI/WSRF defined mechanisms and specifications. In this paper we are proposing a new Security Framework that unifies identified common points of both features, Authentication and Authorization, into a mechanism called validation policy which is expected to improve service performance and security. Our framework seeks to implement these aspects over the Grid Service’s Operations and Service Data concepts to fully exploit its functionalities. The paper also presents the integration of an enhanced OCSP Service Provider into the Globus Toolkit 3.9.4 as a first proof of concept.

Li Ma,Yongmei Zhang

DOI: https://doi.org/10.1109/AMS.2009.41

2009-01-01

Abstract:The grid is an heterogeneous distributed environment, it has many new characteristics that are different with the traditional Internet, for example, it have many users and resources. These characteristics have decided complexity of the grid safety mechanism. Thus security is an important element of the practical of grid computing technology. In paper, we described a hybrid model of authentication against centralized, hierarchical structure, other traditional forms of authentication features and combining grid security needs. Compare and analyzed the hybrid model authentication mechanisms, performance, and the implement methods of these models, and verified the safety and effectiveness of the hybrid mode. It described the design process of hybrid mode in detail . Given the specific systems certification flow and the performance analysis of application , it is great significance for grid security and management.

Jingshu Chen,Hong Wu,Qingyang Wang,Qingguan Wang

DOI: https://doi.org/10.1109/GCC.2006.15

2006-01-01

Abstract:A fundamental concern in building a secure grid computing environment is authentication of local and remote entities in the environment. The existing authentication technologies in the grid computing environments can effectively guarantee the valid authentication, but they cannot meet the demands of new security challenges in dynamic grid environment, such as flexibility, lightweight, and extensibility. In order to satisfy the security needs of the computational grid, we propose a reflective authentication framework which aims to improve the customizing ability of platform and adaptive ability in the open and dynamic grid environment

Wei Jie,Junaid Arshad,Pascal Ekin

DOI: https://doi.org/10.1007/s11227-009-0267-8

2009-01-01

Abstract:Authentication and authorization for Grids is a challenging security issue. In this paper, key issues for the establishment of Grid authentication and authorization infrastructures are discussed, and an overview of major Grid authentication and authorization technologies is presented. Related to this, recent developments in Grid authentication and authorization infrastructures suggest adoption of the Shibboleth technology which offers advantages in terms of usability, confidentiality, scalability and manageability. When combined with advanced authorization technologies, Shibboleth-based authentication and authorization infrastructures provide role-based, fine-grained authorization. We share our experience in constructing a Shibboleth-based authentication and authorization infrastructure and believe that such infrastructure provides a promising solution for the security of many application domains.

Bei Shui Liao,Ji Gao,Jun Hu,Jiu Jun Chen

DOI: https://doi.org/10.1109/ICSMC.2004.1401073

2004-01-01

Abstract:The emergence and the development of OGSA-compliant Grid provide powerful means for the integration and interaction of applications (Grid services) within a virtual organization (VO). However, it is still a challenge to control the composition, transaction, and coordination, of Grid services, according to the dynamic business requirements of a VO. Based on the policy-based management and autonomous intelligent agents, this paper proposes a framework for OGSA-compliant Grid control. In this system, individual agent (Task Agent) is in charge of composing Grid services and taking part in the social interactions within a VO. Several Task Agents and a management agent (AM) form a VO. The business requirements or user's preferences are represented as policies, which are used to control the behaviors of agents.

Yongkai Cai,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.187

2008-01-01

Abstract:A federated security scheme based on WS-Security standard for cross-domain Grid is proposed. It integrates the WS-Security standard and the Grid security mechanism. A trust model is established based on WS-Trust specification. A communication is established based on WS-SecureConversation specification. The architecture is implemented in a SAML-based federated authentication and authorization cross-domain Grid. Through experiment and analysis, it is shown that our scheme is secure, effective and efficient.