Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Cq Huang,Zt Zhu,Xq Wang,D Chen

DOI: https://doi.org/10.1007/11568421_6

2004-01-01

Abstract:In this paper, we propose Subtask-based Authorization Service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and Community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus's gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

Bo Lang,Foster, I.,Siebenlist, F.,Ananthakrishnan, R.,T. Freeman

DOI: https://doi.org/10.1109/NCA.2006.4

2006-01-01

Abstract:A grid system is a virtual organization that is composed of several autonomous domains. Authorization in such a system needs to be flexible and scalable to support multiple security policies. Basing on the Web services security specifications such as XACML, SAML, and the special security needs of the grid computing, we have constructed an authorization framework in the Globus Toolkit 4 that can support multiple policies. This paper describes the concepts of our design and introduces the structure and the components of the authorization framework. To show the flexibility and scalability of the framework, we introduce a new blacklist/whitelist-based authorization mechanism that can be seamlessly integrated into the framework

Laura Pearlman,Von Welch,Ian Foster,Carl Kesselman,Steven Tuecke

DOI: https://doi.org/10.48550/arXiv.cs/0306053

2003-06-12

Distributed, Parallel, and Cluster Computing

Abstract:In "Grids" and "collaboratories," we find distributed communities of resource providers and resource consumers, within which often complex and dynamic policies govern who can use which resources for which purpose. We propose a new approach to the representation, maintenance, and enforcement of such policies that provides a scalable mechanism for specifying and enforcing these policies. Our approach allows resource providers to delegate some of the authority for maintaining fine-grained access control policies to communities, while still maintaining ultimate control over their resources. We also describe a prototype implementation of this approach and an application in a data management context.

Sunan Shen,Shaohua Tang

DOI: https://doi.org/10.1109/CIS.2008.185

2008-01-01

Abstract:As grid’s dynamic, distributed and open nature, the issue of mutual trust among grid entities is challenging, not only because of the entities in different domains, but also because the fact that those domains may deploy different security mechanisms. A federal authentication and authorization scheme based upon trust management and delegation is proposed. Different security domains can join in the federation through the interface that our approach provides. The establishment of trust relationship among domains is based on trust negotiation and PKI cross-certification. We make authorization relay on dynamic role translation and on delegation. The Security Assertion Markup Language (SAML) is adopted by exploiting its AttributeStatement to create Delegation Assertion for grid.

Hai Jin,Chuanjiang Yi,Song Wu,Li Qi,Deqing Zou

DOI: https://doi.org/10.1007/11576259_25

2005-01-01

Abstract:Users in grid computing environments typically interact with a lot of computing resource, storage resources and I/O devices. Different users are allowed to access different subsets of services, resources. These permissions should be executed correctly to guarantee the security of grid computing. In ChinaGrid Support Platform (CGSP), there are large numbers of users, services, and resources. To ensure the security of CGSP, we build a user management mechanism to identify every entity, assign different rights based on user role and the properties of services and resources to ensure containers, services and resources in CGSP being used in a right way, and return the results to the correct user. We also consider the access control of files. These are designed in a uniform authorization management mechanism in CGSP.

Hung-Min Sun,King-Hang Wang,Pa Saffiong Kebbeh

DOI: https://doi.org/10.1109/tencon.2007.4429022

2007-01-01

Abstract:This paper proposes a system to provide security for the grid infrastructure where authorization and authentication will be made scalable by setting up an authorization framework at the resource provider's end. Our proposed architecture intends to relieve the grid middleware from taking the responsibility of the authorization mechanism, as well as improves the resource provider's trust in the event of a request from the data portal, since the authorization policy will be pulled from its own organizational server. We will demonstrate that this architecture is secure, scalable, and robust, by improving the existing authorization mechanism in grid infrastructures.

Weizhong Qiang,Aleksandr Konstantinov,Mattias Ellert,Hai Jin

DOI: https://doi.org/10.1007/978-3-642-13067-0_34

2010-01-01

Abstract:Grid middleware provides a way to integrate computational and storage resouces for supporting large-scale applications that span across multiple domains Implicitly, Grid middlware eliminates the interoperability obstacle between different resources However, with the emerging of a bunch of Grid middlewares, to provide interoperability between Grid middlewares themselves is an important challenge in production Grid infrasturtures Web Service technologies (specifically, Simple Object Access Protocol) have been adopted in most of the Grid middlewares as the XML messaging protocol for the interoperability in the application layer For other layers, standard protocols are also adopted for interoperability, e.g., HTTP is utilized as service transport protocol On the other hand, security is a key issue that needs to be taken into account on each layer, for instance, WS-Security (Web Service Security) is considered as an augment on SOAP protocol for applying security to Web Services; GSI (Globus Security Infrastructure) is considered as an protocol for applying security to transport layer We present the design consideration and implementation about how to provide flexible support for security protocols in the Advanced Resource Connector(ARC) Grid middleware, and this way clients or/and services developed in ARC middleware can easily interoperate with service/client developed in other middlewares, such as gLite and Globus Toolkit Also, a flexible authorization framework is presented that can secure the Grid services with configurable authorization modules, as well as a variety of authorization policies.

Deqing Zou,Laurence T. Yang,Wezhong Qiang,Xueguang Chen,Zongfen Han

DOI: https://doi.org/10.1109/aina.2007.33

2007-01-01

Abstract:Collaboration is used for information sharing and activity coordinating, and it exists broadly in many fields. Group communication enables efficient communication between a set of processes logically organized into groups and communicating via multicast in an asynchronous environment. One of the key technologies for collaborative applications is secure group communication. Current research on secure group communication scarcely considers the existing security mechanism in local systems. As a result, group communication systems couldn't provide general support for collaborative applications running on a specific system. Based on the existing grid security technologies, we propose an authentication and access control framework at Virtual Organization (VO) level for group communication in grid environment. By introducing Role-Based Access Control (RBAC) and attribute-based approach, we define group management policies and design group control protocols. The protocols are analyzed from three aspects: compatibility, performance, and security. Finally, we implement a prototype based on GridShib.

Weizhong Qiang,Aleksandr Konstantinov

DOI: https://doi.org/10.1007/s00450-009-0084-6

2009-01-01

Computer Science

Abstract:When pursuing the task of making access to Grids as simple as possible, security is one of the most important challenges in production Grid infrastructures, especially when the Grid applications span multiple administrative domains as well as heterogeneous Grid middlewares. A typical example is wide scale e-Science applications which need to coordinate resources shared among a number of independent institutions with different Grid middlewares deployed on these resources. In this paper, we describe security implementation and considerations used in the upcoming version of the Advanced Resource Connector (ARC) middleware, where the heterogeneity issue has been addressed. The main goal of ARC implementation in terms of security is to let the middleware be capable of interoperating with other Grid middlewares by leveraging on standard specifications. The key aspect of the work is to enhance the current proxy certificate based authentication and single sign-on by utilizing and enhancing the standardized Web Service specifications such as Security Assertion Markup Languages (SAML), single sign-on (SSO) profile and Web Services Security in order to achieve cross-middleware authentication and single sign-on.

Lc Huang,Zh Wu

DOI: https://doi.org/10.1007/978-3-540-24680-0_166

2004-01-01

Abstract:Scalable security is a vital important issue for scalable Grid. There are several issues to be solved for scalable Grid security such as mapping from global subjects to local subjects, centralized certificate authority center, large number of users, many heterogenous security policies. In this paper, we present a scalable Grid security infrastructure(SGSI) to solve the above problems. We here describe the models and related protocols for scalable Grid authentication and authorization.

XIAO Zheng-Hong,HU Zhong-Wang,YIN Hao

2006-01-01

Computer Science

Abstract:A significant challenge for Grid computing is to develop an efficient set of mechanisms and polices for securing grid processes. Auditing and accounting are fundamental requirements of large sites.In this paper,we identify security auditing requirements,and propose a Cross-Domain Security Auditing(CDSA)architecture based on Mobile agent. To make the least influence on the performance,a new secure mechanism for authorizing is implemented by way of modifying the traditional manner “route once,switch many” in network to the new manner “audit once,authorize many ” in Grid. The dynamic auditing is carried out by constructing a multi-value trust relationship model. The system enforces these mechanisms to enable cross-domain security auditing in the aid of user-defined services of Globus Toolkit Version 3.0 and IBM Aglet.

Zhang Runlian,Wu Xiaonian,Dong Xiaoshe,Guan Shangyuan

DOI: https://doi.org/10.1109/HPCC.2008.108

2008-01-01

Abstract:With the dynamic change of users and resources in different secure domains of Grid, the overall consistency of privileges defined would be broken. This would compromise Grid system and waste system overhead on dealing with the increasing grid jobs with invalid privileges. To address the problem, this paper proposes an authorization mechanism based on privilege negotiation policy. This mechanism can detect timely the change of privileges, negotiate automatically and resume quickly the overall consistency of privileges between different secure domains. The test result of the mechanism implementation shows that it shortens greatly the period of resuming the overall consistency of privileges between different secure domains when the consistency was broken. This reduces the number of grid jobs with invalid privileges. Thereby, it avoids wasting more system overhead of dealing with the increasing grid jobs with invalid privileges and improves system performance.

Shaohua Tang,Sunan Shen

2009-01-01

Abstract:Due to computing grid's large scale, distributed and dynamic nature, the security issues around grid applications are more pervasive than computer network in general and thus call for more complicated solutions. In order to solve key problems such as security mechanism integration in heterogeneous grid, identity authentication and trust delegation, a cross-domain authentication and authorization model based on role translation and delegation is proposed. This model allows the establishment of trust among heterogeneous domains via certain protocols so that resource sharing across grid domains becomes possible. After a user logins to a local grid domain, its role in the local domain is mapped to a role in resource domain by using RBAC based role translation. This removes the need for cross-domain user logins while they are accessing resources across different domains, which results in much higher efficiency. The use of Security Assertion Markup Language (SAML) based delegation for transferring user privileges enables submitting operation by delegation assertion and the cross-domain federation is done automatically. This can greatly reduce users' manual involvement.