
Role-Based Access Control in a Data Grid Using the Storage Resource Broker and Shibboleth

Published in the Journal of Grid Computing.

Abstract

In this paper, we propose a role-based access control (RBAC) system for data resources in the Storage Resource Broker (SRB). The SRB is a Data Grid management system that can integrate heterogeneous data resources of virtual organizations (VOs). The SRB stores the access control information of individual users in the Metadata Catalog (MCAT) database. However, because of the specific MCAT schema structure, this information can only be used by SRB applications. If VOs also have many non-SRB applications, each with its own storage format for user access control information, administration does not scale. To solve this problem, we developed an RBAC system with Shibboleth, an attribute authorization service currently used in many Grid environments. The administration overhead is reduced because the role privileges of individual users are now managed by Shibboleth, not by MCAT or by the individual applications. In addition, access control policies need to be specified and managed across multiple VOs. For the specification of access control policies, we used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); for distributed administration of those policies, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications, which were developed to achieve interoperable registries and repositories. Our RBAC system provides scalable and fine-grained access control and allows privacy protection. Performance analysis shows that our system adds only a small overhead to the existing security infrastructure of the SRB.
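The abstract describes a design in which a user's roles arrive as Shibboleth attributes and the permissions of each role are expressed in the Core and Hierarchical RBAC profile of XACML, where a senior role inherits the permission set of its junior roles. The following Python block is an added illustration of that decision logic and is not code from the paper, from the SRB, or from any XACML engine: it models the profile's Permission Policy Sets as an in-memory table rather than XACML XML, uses a hypothetical role attribute name (`urn:example:vo:role`), and uses constructed collection paths and attribute assertions. It shows the two points a practitioner would want to check in such a system: that inherited permissions are resolved transitively (and safely, even if a mis-specified hierarchy contains a cycle) and that a resource prefix such as `/vo/data` does not accidentally cover a sibling collection such as `/vo/datasets`.

```python
"""Toy policy decision point modelled on the XACML Core and Hierarchical RBAC
profile, fed by Shibboleth-style role attributes.  Constructed example; the
attribute name, roles and collection paths are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PermissionPolicySet:
    """One role's permissions plus the junior roles it inherits from."""
    permissions: set[tuple[str, str]] = field(default_factory=set)  # (collection prefix, action)
    junior_roles: set[str] = field(default_factory=set)


# Hypothetical VO policy: vo-member < analyst < curator (hierarchical RBAC).
PPS = {
    "vo-member": PermissionPolicySet({("/vo/public", "read")}),
    "analyst": PermissionPolicySet({("/vo/data", "read")}, {"vo-member"}),
    "curator": PermissionPolicySet({("/vo/data", "write")}, {"analyst"}),
}


def effective_permissions(role: str, pps: dict, _seen: set | None = None) -> set:
    """Permissions of a role including everything inherited from junior roles.
    A cycle in a mis-specified hierarchy is tolerated instead of looping forever."""
    _seen = _seen if _seen is not None else set()
    if role in _seen or role not in pps:
        return set()
    _seen.add(role)
    perms = set(pps[role].permissions)
    for junior in pps[role].junior_roles:
        perms |= effective_permissions(junior, pps, _seen)
    return perms


def roles_from_assertion(attributes: dict, role_attribute: str = "urn:example:vo:role") -> set:
    """Extract role values from a Shibboleth-style attribute statement.
    Only the role attribute is consulted; no identifying attribute is needed,
    which is what lets an attribute-based design protect user privacy."""
    return set(attributes.get(role_attribute, []))


def covers(prefix: str, resource: str) -> bool:
    """True if the resource is the prefix collection or lies inside it.
    The explicit '/' boundary stops '/vo/data' from matching '/vo/datasets'."""
    return resource == prefix or resource.startswith(prefix + "/")


def decide(attributes: dict, resource: str, action: str, pps: dict = PPS) -> str:
    """Return 'Permit' if any asserted role carries a matching permission,
    otherwise 'Deny' (deny by default, as in XACML)."""
    for role in roles_from_assertion(attributes):
        for prefix, permitted_action in effective_permissions(role, pps):
            if permitted_action == action and covers(prefix, resource):
                return "Permit"
    return "Deny"


# Constructed attribute assertions, as an identity provider might release them.
CURATOR_ASSERTION = {"urn:example:vo:role": ["curator"]}
ANALYST_ASSERTION = {"urn:example:vo:role": ["analyst"]}
GUEST_ASSERTION = {"urn:example:vo:role": ["vo-member"]}

if __name__ == "__main__":
    print(decide(CURATOR_ASSERTION, "/vo/data/run42.dat", "write"))  # Permit
    print(decide(ANALYST_ASSERTION, "/vo/data/run42.dat", "write"))  # Deny
    print(decide(ANALYST_ASSERTION, "/vo/public/readme", "read"))    # Permit (inherited)
    print(decide(CURATOR_ASSERTION, "/vo/datasets/x", "read"))       # Deny (sibling collection)
    print(decide({}, "/vo/public/readme", "read"))                    # Deny (no role attribute)
```

Because `decide` consults only the role attribute, the same function can serve SRB and non-SRB applications alike: the per-user role assignment lives with the attribute authority, and only the role-to-permission table has to be shared, which is the administrative saving the abstract claims.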



Corresponding author

Correspondence to Soon M. Chung.

Cite this article

Muppavarapu, V., Chung, S.M. Role-Based Access Control in a Data Grid Using the Storage Resource Broker and Shibboleth. J Grid Computing 7, 265–283 (2009). https://doi.org/10.1007/s10723-009-9116-5
