Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

Hung-Min Sun,King-Hang Wang,Pa Saffiong Kebbeh

DOI: https://doi.org/10.1109/tencon.2007.4429022

2007-01-01

Abstract:This paper proposes a system to provide security for the grid infrastructure where authorization and authentication will be made scalable by setting up an authorization framework at the resource provider's end. Our proposed architecture intends to relieve the grid middleware from taking the responsibility of the authorization mechanism, as well as improves the resource provider's trust in the event of a request from the data portal, since the authorization policy will be pulled from its own organizational server. We will demonstrate that this architecture is secure, scalable, and robust, by improving the existing authorization mechanism in grid infrastructures.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Weizhong Qiang,Hai Jin,Xuanhua Shi,Deqing Zou

DOI: https://doi.org/10.3321/j.issn:1671-4512.2005.12.036

2005-01-01

Abstract:The existed grid security mechanism is able not to meet the dynamic, autonomous and scalable requirements of virtual organization. Thus, a model for grid decentralized authorization based on the decentralized trust management mechanism was proposed. The naming relationship and delegation relationship between grid entities were defined in this model. The definition of the naming relationship can express the local naming relationship on the basis of meeting the requirements of the global naming relationship definition. The delegation relationship can implement the autonomous and dynamic authorization delegation, and being characterized by good scalability. On the basis of the model, HowU grid authorization system was realized. The storage of the authorization relationship and its discovery mechanism in grid authorization system were explained.

ZHAO Xi-Bin,GUO Zhi,YONG Jian-Ping,GU Ming

2005-01-01

Computer Science

Abstract:It is a challenging work to implement authorization service for Virtual Organization in Grid Computing Sys- tem because of the dynamic and distributed nature of Virtual Organication. After analyzing the requirement of autho- rization service and the existing mechanisms for implementing authorization services in Grid Computing Systems, the paper proposes an efficient multi-level architecture named MLA for implementing authorization in Grid Computing Systems. With the use of threshold closure mechanism, the proposed architecture has the scalability and the strong power to express authorization policy, hence can provide flexible and efficient approach to implement authorization service in GCS.

R Wong,HJ Chen,ZH Wu

DOI: https://doi.org/10.1109/nwesp.2005.16

2005-01-01

Abstract:In a database grid environment, which is composed of highly diverse, widely distributed and autonomously managed database resources, how to control access right to these resources is a meaningful problem to discuss, because it's not only depends on policies in virtual organization, but also depends on policies at database end, we cannot ignore requirements of any of them. Besides this, database is a special resource. Its authorization permission is structured, first it has levels such as DB, table, and column level, and each level has several kind of privileges like delete, update and so on, so it's a great burden to map grid users to permissions directly. Secondly, databases already have sophisticated technologies and products in authorization; we need integrate them to our system. To address these issues, we design and implement an authorization system for database grid. It supports building agreements between virtual organization administrator and database administrator to authorize users collaboratively. It based on XML-formed config file now and can be extended to files in other policy language like Rei or Ponder. As one part of DartGrid project, which has been used to build a database grid for traditional Chinese medicine in China, it satisfies realistic requirements in authorization and is working now.

Huaji Shi,Xibin Zhao

DOI: https://doi.org/10.1109/SOSE.2006.17

2006-01-01

Abstract:This paper analyzes the requirement of authorization service for grid computing systems and proposes the use of threshold closure as a basic mechanism for implementing authorization service in grid computing systems. While pointing out the desirable features of threshold closure for complex authorization policies, the paper also discusses the practical limitations of threshold closure in such an environment, and then puts forward a new authorization service for virtual organization. In addition, an access control protocol which is based on PKI is designed in the paper. By segregating the policy and mechanism aspects of threshold closure, the new service can use existing security infrastructure in grid computing system while keep the ability to express complex authorization policy effectively

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

Bo Lang,Foster, I.,Siebenlist, F.,Ananthakrishnan, R.,T. Freeman

DOI: https://doi.org/10.1109/NCA.2006.4

2006-01-01

Abstract:A grid system is a virtual organization that is composed of several autonomous domains. Authorization in such a system needs to be flexible and scalable to support multiple security policies. Basing on the Web services security specifications such as XACML, SAML, and the special security needs of the grid computing, we have constructed an authorization framework in the Globus Toolkit 4 that can support multiple policies. This paper describes the concepts of our design and introduces the structure and the components of the authorization framework. To show the flexibility and scalability of the framework, we introduce a new blacklist/whitelist-based authorization mechanism that can be seamlessly integrated into the framework

Gang Yin,Huai-min Wang,Tao Liu,Dian-xi Shi,Ming-feng Chen

DOI: https://doi.org/10.1007/11576259_53

2005-01-01

Abstract:In Grid environments, virtual organizations (VOs) often need to define access control policies to govern who can use which resources for which purpose over multiple policy domains. This is challenging, not only because the entities in VOs must collaborate with each other to share resources across administrative domains, but also because there usually exist a large amount of underlying sites (resource providers) and users in VOs. In this paper, we introduce to use trust management approach to address these problems in Grid environments. We propose a rule-based policy language (RPL) framework to describe the authorization and delegation policies related to VOs, sites and users. This paper also introduces the design of an enhanced community authorization service (ECAS) based on RPL framework, which can be seamlessly integrated with local authorization mechanisms. ECAS uses different kinds of delegation policies for flexible collaboration on authorization between entities in VOs. Compared with similar research works, ECAS enhances the flexibility and scalability of decentralized authorization in Grid environments.

Qian WAGN,Guang-Chao YANG

DOI: https://doi.org/10.3969/j.issn.1002-137X.2006.12.019

2006-01-01

Computer Science

Abstract:Resource on authorization problem in grid environment is a hot topic in grid security. The Community Authorization Service, CAS, is an authorization mechanism of Grid Security Infrastructure, GSI. For resources in CAS authorization mechanism can only provide a course-grained authorization to CAS server, which is difficult to control authorization of client. A new authorization model which adopts SPKI certificate is proposed. Compared with CAS, this authorization model is more flexible, it improves scalability of the authorization system using delegation and can give fine-grained access control to client.

邵学军,施化吉,赵曦滨

DOI: https://doi.org/10.3321/j.issn:1001-506x.2009.01.049

2009-01-01

Abstract:This article analyzes authorized demand for management of virtual organization in the grid computing system and consequently proposes using threshold closure as authorized service mechanism for virtual organizations in the grid computing system.The study not only analyzes the applicability of the threshold closure but presents the limitations of the specific implementation and based on which,a new authorization service system is put forward and the access control protocol based on the public key infrastructure as well as the corresponding authorization service architecture combined with the existing security infrastructure in grid computing system are designed.The architecture guarantees the processing efficiency and capacity of the complex authorized strategy,and meanwhile it makes full use of the existing grid security infrastructure through the separation strategy of the threshold closure and implementation mechanism.

Wang Demin,Wen Ziyan,Liu Xin,Zhu Hong,Hu Ping

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.12.016

2007-01-01

Abstract:The existing authorization schema in grid has only realized caurse-grained resource access control.The right of the access control belongs to the hosts that provide the resource.To resolve the drawback,firstly a common grid organization model is designed,and then a grid privilege management and authorization service infrastructutre GPMI based on PKI,PMI and information service is constructed.In the grid privilege management and authorization service infrastructure,the right of the access control belongs to the resource suppliers,and the access control is managed concentratedly.Also a fine-grained resource access control is realized which provides the foundation for the trace work in gird such as cost counting.

Weizhong Qiang,Aleksandr Konstantinov,Hai Jin

DOI: https://doi.org/10.1109/GCC.2010.39

2010-01-01

Abstract:Grid has been proved to be a promising technology for integrating heterogeneous resources. However, with the emerging of various Grid middle wares, the heterogeneous problem also occurs for Grid middleware themselves, as well as for the Grid services developed on those middle wares, which is an obstacle for the interoperation. SOA(Service Oriented Architecture) has been introduced into the development of Grid middewares and services to solve this problem. One of the challenging tasks in the development, integration and deployment of Grid middle wares is to provide security framework. In this paper, the key issue of Grid security framework, i.e., authorization, is focused, and an attribute-based authorization framework is presented. Due to the adoption of SAML, XACML and the generic Web Service specifications, the proposed framework can achieve interoperability to other standard-based attribute authority services, as well as other standard-based policy evaluation services.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

Zhang Runlian,Wu Xiaonian,Dong Xiaoshe,Guan Shangyuan

DOI: https://doi.org/10.1109/HPCC.2008.108

2008-01-01

Abstract:With the dynamic change of users and resources in different secure domains of Grid, the overall consistency of privileges defined would be broken. This would compromise Grid system and waste system overhead on dealing with the increasing grid jobs with invalid privileges. To address the problem, this paper proposes an authorization mechanism based on privilege negotiation policy. This mechanism can detect timely the change of privileges, negotiate automatically and resume quickly the overall consistency of privileges between different secure domains. The test result of the mechanism implementation shows that it shortens greatly the period of resuming the overall consistency of privileges between different secure domains when the consistency was broken. This reduces the number of grid jobs with invalid privileges. Thereby, it avoids wasting more system overhead of dealing with the increasing grid jobs with invalid privileges and improves system performance.

Sunan Shen,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.185

2008-01-01

Abstract:As grid’s dynamic, distributed and open nature, the issue of mutual trust among grid entities is challenging, not only because of the entities in different domains, but also because the fact that those domains may deploy different security mechanisms. A federal authentication and authorization scheme based upon trust management and delegation is proposed. Different security domains can join in the federation through the interface that our approach provides. The establishment of trust relationship among domains is based on trust negotiation and PKI cross-certification. We make authorization relay on dynamic role translation and on delegation. The Security Assertion Markup Language (SAML) is adopted by exploiting its AttributeStatement to create Delegation Assertion for grid.

XN Wu,RL Zhang,N Xiao

2005-01-01

Abstract:How to guarantee permissions consistency for resources, and how to gain fine-grained access control efficiently are two main problems in grid about controlling users access. This paper presents a community authorization mechanism based on RBAC aiming at GridDaEn structure, which mainly solves these two problems in GridDaEn. The mechanism can guarantee permissions consistency by negotiating and building access policies between community and resource system, and provide efficient authorization mechanism by RBAC Also it can support autonomy between different communities, between a community and a resource provider, and obtain global consistency by hiberarchy.