Role-based access control for grid database services using the community authorization service

In this paper, we propose a role-based access control (RBAC) method for grid database services in the Open Grid Services Architecture Data Access and Integration (OGSA-DAI) framework. OGSA-DAI is an efficient grid-enabled middleware implementation of interfaces and services for accessing and controlling data sources and sinks. However, in OGSA-DAI access control imposes substantial administration overhead on resource providers in virtual organizations (VOs), because each provider has to maintain a role-map file containing authorization information for every individual grid user. To solve this problem, we use the Community Authorization Service (CAS) provided by the Globus Toolkit to support RBAC within the OGSA-DAI framework. The CAS grants users membership in VO roles. Resource providers then need to maintain only the mapping from VO roles to local database roles in their role-map files, so the number of entries in a role-map file is reduced dramatically. Furthermore, the resource providers retain control over which access privileges are granted to the local roles. Thus, our access control method provides increased manageability for a large number of users and reduces the day-to-day administration tasks of resource providers, while they maintain the ultimate authority over their resources. Performance analysis shows that our method adds very little overhead to the existing security infrastructure of OGSA-DAI.
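The three-step decision the abstract describes (CAS asserts VO roles, the provider's role-map translates VO roles to local database roles, the provider's own privilege table decides what a local role may do) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not OGSA-DAI or Globus code, the role-map layout and all DNs, role names and privileges are constructed, and the names `CasAssertion`, `cas_issue`, `local_roles_for`, `authorize` and `revoke_local_privilege` are this example's own. It shows the two properties the abstract claims: the provider's file grows with the number of VO roles rather than the number of users, and the provider can tighten a local role's privileges without involving CAS at all.

```python
"""Model of the CAS-backed VO-role to local-role mapping described in the abstract.
Added example for this page; not OGSA-DAI or Globus code. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class CasAssertion:
    """Stand-in for a CAS-issued credential: the user's certificate DN plus the VO roles CAS granted."""
    user_dn: str
    vo_roles: FrozenSet[str]


# CAS-side membership database (constructed sample data; the DNs are made up).
CAS_MEMBERSHIP: Dict[str, FrozenSet[str]] = {
    "/O=ExampleGrid/CN=alice": frozenset({"vo:analyst"}),
    "/O=ExampleGrid/CN=bob": frozenset({"vo:analyst", "vo:curator"}),
    "/O=ExampleGrid/CN=carol": frozenset(),  # VO member, but no role granted yet
}

# Resource-provider-side role-map: VO role -> local database role.
# Constructed; it does not reproduce the real OGSA-DAI role-map file layout.
# Its size depends on the number of VO roles, not on the number of users.
ROLE_MAP: Dict[str, str] = {
    "vo:analyst": "db_reader",
    "vo:curator": "db_writer",
    # "vo:admin" is deliberately absent: an unmapped VO role confers nothing locally.
}

# Privileges attached to each local role. This table stays entirely under the
# resource provider's control; CAS never sees or edits it.
LOCAL_PRIVILEGES: Dict[str, Set[str]] = {
    "db_reader": {"SELECT"},
    "db_writer": {"SELECT", "INSERT", "UPDATE"},
}


def cas_issue(user_dn: str,
              membership: Dict[str, FrozenSet[str]] = CAS_MEMBERSHIP) -> Optional[CasAssertion]:
    """Step 1 (CAS): assert the user's VO roles, or return None for a DN CAS does not know."""
    roles = membership.get(user_dn)
    if roles is None:
        return None
    return CasAssertion(user_dn=user_dn, vo_roles=roles)


def local_roles_for(assertion: CasAssertion, role_map: Dict[str, str] = ROLE_MAP) -> Set[str]:
    """Step 2 (provider): translate asserted VO roles into local database roles via the role-map."""
    return {role_map[vo_role] for vo_role in assertion.vo_roles if vo_role in role_map}


def authorize(assertion: Optional[CasAssertion], privilege: str,
              role_map: Dict[str, str] = ROLE_MAP,
              local_privileges: Dict[str, Set[str]] = LOCAL_PRIVILEGES) -> bool:
    """Step 3 (provider): grant only if some mapped local role carries the requested privilege.
    A missing assertion, an unmapped VO role or an empty role set all deny (fail closed)."""
    if assertion is None:
        return False
    return any(privilege in local_privileges.get(local_role, set())
               for local_role in local_roles_for(assertion, role_map))


def revoke_local_privilege(local_privileges: Dict[str, Set[str]],
                           local_role: str, privilege: str) -> Dict[str, Set[str]]:
    """Provider-side change: drop a privilege from a local role. Neither CAS nor the
    role-map is touched, which is the 'ultimate authority' property from the abstract.
    Returns a new table so the caller can compare before and after."""
    updated = {role: set(privs) for role, privs in local_privileges.items()}
    updated.get(local_role, set()).discard(privilege)
    return updated


if __name__ == "__main__":
    for dn in list(CAS_MEMBERSHIP) + ["/O=ExampleGrid/CN=mallory"]:
        assertion = cas_issue(dn)
        print(dn, "SELECT:", authorize(assertion, "SELECT"), "INSERT:", authorize(assertion, "INSERT"))
    tightened = revoke_local_privilege(LOCAL_PRIVILEGES, "db_writer", "INSERT")
    print("bob INSERT after provider revocation:",
          authorize(cas_issue("/O=ExampleGrid/CN=bob"), "INSERT", local_privileges=tightened))
```

With a thousand users in the VO, the baseline scheme from the abstract needs a thousand per-user entries in each provider's role-map; the CAS-backed scheme needs one entry per VO role (two here), and every decision still ends in the provider's own privilege table.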
