Abstract
In this paper, we propose a new role-based access control (RBAC) system for Grid data resources in the Open Grid Services Architecture Data Access and Integration (OGSA-DAI). OGSA-DAI is a widely used framework for integrating data resources in Grids. However, OGSA-DAI's identity-based access control causes substantial administration overhead for the resource providers in virtual organizations (VOs), because every individual Grid user must be mapped directly to privileges on the resources. To solve this problem, we used Shibboleth, an attribute authorization service, to support RBAC within OGSA-DAI. In addition, access control policies need to be specified and managed across multiple VOs. For the specification of access control policies, we used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); and for distributed administration of those policies and of the user-role assignments, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications, which were developed to achieve interoperable registries and repositories. Our RBAC system provides scalable and fine-grained access control and allows privacy protection. It also supports dynamic delegation of rights and user-role assignments, and reduces the administration overhead for the resource providers because they need to maintain only the mapping from VO roles to local database roles. Moreover, unnecessary role mapping and database connections are avoided by denying invalid requests at the VO level. Performance analysis shows that our RBAC system adds only a small overhead to the existing security infrastructure of OGSA-DAI.
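The following is an added illustration of the decision flow the abstract describes, not code from the paper or from OGSA-DAI: VO roles are read from a Shibboleth-style attribute set, expanded through a role hierarchy in the spirit of the XACML Core and Hierarchical RBAC profile, checked against per-role permission policies, and only on a Permit mapped to a local database role. The role names, the entitlement URN prefix, the resource and action names, and the local database roles are all assumptions chosen for the example.

```python
"""Added example: a toy model of the VO-level RBAC decision described above.
Not OGSA-DAI or the paper's code; role names, attribute URNs and DB roles are
assumptions for illustration only."""

ROLE_URN_PREFIX = "urn:mace:vo.example.org:role:"   # assumed naming convention

# Senior role -> junior roles whose permissions it inherits (hierarchical RBAC).
ROLE_HIERARCHY = {
    "vo-admin": ["vo-curator"],
    "vo-curator": ["vo-reader"],
    "vo-reader": [],
}

# Permission policy per role as (resource, action) pairs; anything not listed is denied.
PERMISSIONS = {
    "vo-reader": {("genomics-db", "select")},
    "vo-curator": {("genomics-db", "insert"), ("genomics-db", "update")},
    "vo-admin": {("genomics-db", "delete")},
}

# The only state the resource provider maintains: VO role -> local database role.
LOCAL_ROLE_MAP = {
    "vo-reader": "db_readonly",
    "vo-curator": "db_writer",
    "vo-admin": "db_owner",
}


def roles_from_assertion(attributes):
    """Pull VO roles out of a Shibboleth-style attribute set.

    `attributes` maps attribute name -> list of values. Only eduPersonEntitlement
    values under ROLE_URN_PREFIX naming a known role count; the user's pseudonymous
    eduPersonTargetedID is never needed for the decision, which is what keeps the
    scheme privacy-preserving. Unknown role names are ignored, not trusted.
    """
    roles = set()
    for value in attributes.get("eduPersonEntitlement", []):
        if value.startswith(ROLE_URN_PREFIX):
            role = value[len(ROLE_URN_PREFIX):]
            if role in ROLE_HIERARCHY:
                roles.add(role)
    return roles


def effective_roles(roles):
    """Transitive closure over the hierarchy: a senior role carries all its juniors."""
    seen = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_HIERARCHY.get(role, ()))
    return seen


def authorize(attributes, resource, action):
    """VO-level decision plus the local DB role the session should use.

    Returns (decision, db_role). A Deny carries db_role None: the request is
    rejected before any role mapping or database connection takes place.
    When several held roles grant the permission directly, the most junior one
    (smallest inherited set) is mapped, so the DB session runs with least privilege.
    """
    granting = [
        role for role in effective_roles(roles_from_assertion(attributes))
        if (resource, action) in PERMISSIONS.get(role, set())
    ]
    if not granting:
        return "Deny", None
    junior = min(granting, key=lambda r: len(effective_roles({r})))
    return "Permit", LOCAL_ROLE_MAP[junior]


if __name__ == "__main__":
    # Constructed attribute set, shaped like what a Shibboleth IdP might release.
    curator = {
        "eduPersonTargetedID": ["opaque-handle-1234"],
        "eduPersonEntitlement": [ROLE_URN_PREFIX + "vo-curator"],
    }
    print(authorize(curator, "genomics-db", "select"))  # ('Permit', 'db_readonly')
    print(authorize(curator, "genomics-db", "delete"))  # ('Deny', None)
```

A curator inherits the reader's `select`, but the session is still mapped to the read-only database role for that request; a `delete` from the same user is denied at the VO level without touching the provider's role mapping or opening a database connection.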
Muppavarapu, V., Pereira, A.L. & Chung, S.M. Role-based access control for a Grid system using OGSA-DAI and Shibboleth. J Supercomput 54, 154–179 (2010). https://doi.org/10.1007/s11227-009-0306-5