Advertisement

Towards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service Provider into GT4

  • Jesus Luna
  • Manel Medina
  • Oscar Manso
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3545)

Abstract

The OGSA definition of a Grid Service as a transient, stateful and dynamically instantiated Web Service introduced new authentication and authorization requirements beyond those already established for existing Grid environments. However such design features have begun to be developed currently following a pre-Web Services approach in two aspects: in the first place making a clear separation of authentication from authorization issues, and in the second place not designing them over the OGSI/WSRF defined mechanisms and specifications. In this paper we are proposing a new Security Framework that unifies identified common points of both features, Authentication and Authorization, into a mechanism called validation policy which is expected to improve service performance and security. Our framework seeks to implement these aspects over the Grid Service’s Operations and Service Data concepts to fully exploit its functionalities. The paper also presents the integration of an enhanced OCSP Service Provider into the Globus Toolkit 3.9.4 as a first proof of concept.

Keywords

Grid Environment Grid Service Policy Decision Point Globus Toolkit Authorization Policy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Foster, I., Kesselman, C., Nick, J., Tuecke, S.: The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration. Globus Project (2002), http://www.globus.org/research/papers/ogsa.pdf
  2. 2.
    The WS-Resource Framework, http://www.globus.org/wsrf/
  3. 3.
    Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective. The Globus Security Team. Version 2 (December 2004), http://www.globus.org/toolkit/docs/4.0/security/GT4-GSI-Overview.pdf
  4. 4.
    Burrows, M., Abadi, M., Needham, R.M.: A Logic of Authentication. ACM Transactions on Computer Systems 8(1), 18–36 (1990); A Formal Semantics for Evaluating Cryptographic Protocols p. 14, http://citeseer.ist.psu.edu/burrows90logic.html
  5. 5.
    Baker, R., Gommans, L., McNab, A., Lorch, M., Ramakrishnan, L., Sarkar, K., Thompson, M.R.: Conceptual Grid Authorization Framework and Classification. In: Global Grid Forum Working Group on Authorization Frameworks and Mechanisms (February 2003), http://www.ggf.org/Meetings/ggf7/drafts/authz01.pdf
  6. 6.
    Vollbrecht, J., et al.: RFC 2904: AAA Authorization Framework (August 2000)Google Scholar
  7. 7.
    Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The Ponder policy specification language. In: Sloman, M. (ed.) Proc. of Policy Worshop, Bristol UK (January 2001), http://citeseer.ist.psu.edu/damianou01ponder.html
  8. 8.
    Welch, V., et al.: Use of SAML for OGSA Authorization. In: OGSA-Security Working Group, Global Grid Forum. Working document (February 2003), http://www.cs.virginia.edu/~humphrey/ogsa-sec-wg/
  9. 9.
    Pearlman, L., et al.: A Community Authorization Service for Group Collaboration. In: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY 2002). IEEE Computer Society, Los Alamitos (2002)Google Scholar
  10. 10.
    Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V1.1. OASIS Security Services Technical Committee. Version 1.1 (September 2003), http://www.oasis-open.org/committees/security/
  11. 11.
    Welch, V., et al.: OGSA Authorization Requirements. In: OGSA-Authorization Working Group, Global Grid Forum. Working document (June 2003), https://forge.gridforum.org/projects/ogsa-authz/document/
  12. 12.
    Cruellas, J.C., et al.: OASIS: DSS Profiles Discussion Document. Working Draft 02 (February 2004), http://www.oasis-open.org/committees/dss/
  13. 13.
    ETSI TR 102 041: Electronic Signatures and Infrastructures (ESI); Signature Policies Report. ETSI ESI group. Version 1.1.1 (February 2002), http://portal.etsi.org/esi/el-sign.asp
  14. 14.
    CertiVeR: Certificate Revocation and Validation Service, http://www.certiver.com
  15. 15.
    von Laszewski, G., Foster, I., Gawor, J., Lane, P.: A Java Commodity Grid Kit. Concurrency and Computation: Practice and Experience 13(8-9), 643–662 (2001), http://www.cogkit.org/
  16. 16.
    Thompson, M., Essiari, A., Mudumbai, S.: Certificate-based Authorization Policy in a PKI Environment. ACM Transactions on Information and System Security (TISSEC) 6(4), 566–588 (2003), http://dsd.lbl.gov/security/Akenti/Papers/
  17. 17.
    Thompson, M., et al.: Distributed Security Architectures – Providing security services for Grids. Working Document (March 2004), http://dsd.lbl.gov/security/SciDac-DistSec-2pager04.pdf
  18. 18.
    Chadwick, D., Otenko, A.: The PERMIS X.509 Role based privilege management infrastructure. In: 7th ACM Symposium on Access Control Models and Technologies (SACMAT 2002) (June 2002), http://www.acm.org/sigs/sigsac/sacmat
  19. 19.
    Sinnott, R.O., Stell, A.J., Chadwick, D.W., Otenko, O.: Experiences of Applying Advanced Grid Authorisation Infrastructures. In: Accepted for the European Grid Conference (EGC 2005), Science Park Amsterdam, The Netherlands, February 14-16 (2005), http://labserv.nesc.gla.ac.uk/projects/dyvose/publicity/eGridFinalv4.pdf
  20. 20.
    Carmody, S.: Shibboleth Overview and requirements. Shibboleth Working Group Overview and Requirements Document (February 2001), http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html
  21. 21.
    GridShib: A Policy Controlled Attribute Framework, http://grid.ncsa.uiuc.edu/GridShib/
  22. 22.
    Cardea: Dynamic Access Control in Distributed Systems. NASA Advanced Supercomputing Division. Technical Report (November 2003), http://www.nas.nasa.gov/News/Techreports/2003/PDF/nas-03-020.pdf
  23. 23.
    Moses, T., et al.: OASIS eXtensible Access Control Markup Language (XACML) 2.0. Committee Draft 4 (December 2004), http://www.oasis-open.org/committees/xacml/
  24. 24.
    Alfieri, R., et al.: VOMS, an Authorization System for Virtual Organizations. In: Presented at the 1st European Across Grids Conference, Santiago de Compostela, Spain (February 2003), http://infnforge.cnaf.infn.it/voms/VOMS-Santiago.pdf
  25. 25.
    OCSP Requirements for Grids. Global Grid Forum, CA Operations Work Group. Working Document (February 2005), https://forge.gridforum.org/projects/caops-wg
  26. 26.
    ETSI TR 102 038: Electronic Signatures and Infrastructures (ESI); XML format for signature policies. ETSI ESI group. Version 1.1.1 (April 2002), http://portal.etsi.org/esi/el-sign.asp

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jesus Luna
    • 1
  • Manel Medina
    • 1
  • Oscar Manso
    • 2
  1. 1.Computer Architecture DepartmentPolytechnic University of CataloniaBarcelonaSpain
  2. 2.CertiVeR, Technical DirectorBarcelonaSpain

Personalised recommendations