
Role-based access control for a Grid system using OGSA-DAI and Shibboleth

Published in: The Journal of Supercomputing

Abstract

In this paper, we propose a new role-based access control (RBAC) system for Grid data resources in the Open Grid Services Architecture Data Access and Integration (OGSA-DAI). OGSA-DAI is a widely used framework for integrating data resources in Grids. However, OGSA-DAI's identity-based access control causes substantial administration overhead for the resource providers in virtual organizations (VOs) because of the direct mapping between individual Grid users and the privileges on the resources. To solve this problem, we used Shibboleth, an attribute authorization service, to support RBAC within OGSA-DAI. In addition, access control policies need to be specified and managed across multiple VOs. For the specification of access control policies, we used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); and for distributed administration of those policies and the user-role assignments, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications developed to achieve interoperable registries and repositories. Our RBAC system provides scalable and fine-grained access control and allows privacy protection. It also supports dynamic delegation of rights and user-role assignments, and reduces the administration overhead for the resource providers because they need to maintain only the mapping information from VO roles to local database roles. Moreover, unnecessary mappings and connections can be avoided by denying invalid requests at the VO level. Performance analysis shows that our RBAC system adds only a small overhead to the existing security infrastructure of OGSA-DAI.
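The decision pipeline the abstract describes (Shibboleth role attributes, a hierarchical RBAC decision at the VO level, and the resource provider's mapping from VO roles to local database roles), as an added Python sketch; this is not code from the paper or from OGSA-DAI, and every role name, resource, action and attribute value below is constructed.

```python
"""Constructed VO-level RBAC check in the spirit of the XACML Core and
Hierarchical RBAC profile, followed by the VO-role -> local-DB-role mapping
that the resource provider maintains.  Not the paper's implementation."""

# Role hierarchy: senior role -> junior roles it inherits from (in the XACML
# RBAC profile a senior Role PolicySet references the junior Permission PolicySet).
ROLE_HIERARCHY = {
    "vo-admin": ["vo-researcher"],
    "vo-researcher": ["vo-member"],
    "vo-member": [],
}

# Permission PolicySet per role: (resource, action) pairs granted directly,
# listed junior to senior so the least-privileged matching role is found first.
PERMISSIONS = {
    "vo-member": {("ogsadai:db1", "describe")},
    "vo-researcher": {("ogsadai:db1", "query")},
    "vo-admin": {("ogsadai:db1", "update")},
}

# The only per-resource state the abstract says a provider must keep:
# VO role -> local database role (constructed values).
LOCAL_ROLE_MAP = {"vo-member": "db_reader", "vo-researcher": "db_reader",
                  "vo-admin": "db_writer"}


def effective_roles(roles):
    """Close the asserted role set under the hierarchy (senior inherits junior)."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r in seen or r not in ROLE_HIERARCHY:
            continue  # unknown role names are ignored, never trusted
        seen.add(r)
        stack.extend(ROLE_HIERARCHY[r])
    return seen


def authorize(attrs, resource, action):
    """VO-level decision.  `attrs` stands in for the Shibboleth attribute
    assertion: it carries VO role attributes but no user identity, which is
    what gives the privacy protection.  Returns the local DB role to connect
    with, or None when the request is denied at the VO level (no mapping and
    no database connection is ever made)."""
    roles = effective_roles(attrs.get("vo-role", []))
    for role, perms in PERMISSIONS.items():  # junior first: least privilege
        if role in roles and (resource, action) in perms:
            return LOCAL_ROLE_MAP[role]
    return None
```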




Corresponding author

Correspondence to Soon M. Chung.


Cite this article

Muppavarapu, V., Pereira, A.L. & Chung, S.M. Role-based access control for a Grid system using OGSA-DAI and Shibboleth. J Supercomput 54, 154–179 (2010). https://doi.org/10.1007/s11227-009-0306-5
