Increasingly, independent institutions with similar goals and interests are forming loosely coupled virtual organizations for collaboration and resource sharing. The construction of virtual organizations is hampered, however, by two conflicting goals: all members of the organization should have access to a resource as if it were their own, but participating institutions must not be required to change local security mechanisms or surrender control over their access control policies. We describe our experience designing, developing, and deploying the Grid Security Infrastructure (GSI), an authentication and authorization infrastructure that meets these requirements. GSI capabilities include single sign-on, no plaintext passwords, proxy credentials, mapping to local security mechanisms (including Kerberos), site control over access control policies, and user-controlled delegation. We have deployed GSI in the NSF-funded Partnerships in Advanced Computational Infrastructure, a national-scale virtual organization that comprises major research universities and laboratories. GSI-based versions of popular utilities, including ssh and ftp, are being used to provide access to dozens of supercomputers and storage systems nationwide.
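The abstract names proxy credentials, single sign-on, user-controlled delegation and site control over local policy without showing how those pieces interlock. The Go program below is an added illustration written for this page; it is not GSI's code and does not use GSI's credential format. It assumes a toy credential (subject, public key, lifetime, issuer pointer, Ed25519 signature over those fields), a hypothetical site map from global identity to local account, and constructed identities, lifetimes and a clock. A user's long-term key signs one short-lived proxy and then stays offline (single sign-on, no password on the wire); the proxy can mint a further, shorter proxy for a job (user-controlled delegation); a resource verifies the chain back to the self-signed root and only then consults its own map, which the site edits unilaterally.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Credential is a toy stand-in for a proxy certificate (an illustration, not the GSI
// format): a key, the identity it speaks for, a lifetime, and the issuer's signature.
type Credential struct {
	Subject   string
	PubKey    ed25519.PublicKey
	NotAfter  time.Time
	Issuer    *Credential // nil for the self-signed long-term credential
	Signature []byte
}

func (c *Credential) tbs() []byte { // the bytes an issuer signs
	return []byte(fmt.Sprintf("%s|%x|%d", c.Subject, c.PubKey, c.NotAfter.Unix()))
}
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err) // an entropy failure is nothing the caller can repair
	}
	return pub, priv
}

// NewUser mints a long-term, self-signed credential and returns it with its key.
func NewUser(name string, notAfter time.Time) (*Credential, ed25519.PrivateKey) {
	pub, priv := newKey()
	c := &Credential{Subject: name, PubKey: pub, NotAfter: notAfter}
	c.Signature = ed25519.Sign(priv, c.tbs())
	return c, priv
}

// Delegate issues a proxy for the same subject, signed with the issuer's key and capped
// at the issuer's lifetime. The issuer's key stays put; only the new proxy key travels.
func (id *Credential) Delegate(issuerKey ed25519.PrivateKey, notAfter time.Time) (*Credential, ed25519.PrivateKey) {
	if notAfter.After(id.NotAfter) {
		notAfter = id.NotAfter
	}
	pub, priv := newKey()
	c := &Credential{Subject: id.Subject, PubKey: pub, NotAfter: notAfter, Issuer: id}
	c.Signature = ed25519.Sign(issuerKey, c.tbs())
	return c, priv
}

// VerifyChain walks from a proxy back to the self-signed root, checking each signature
// and lifetime and that the subject never changes along the way.
func VerifyChain(c *Credential, now time.Time) (string, error) {
	subject := c.Subject
	for ; c != nil; c = c.Issuer {
		if now.After(c.NotAfter) || c.Subject != subject {
			return "", fmt.Errorf("credential for %s expired or inconsistent", c.Subject)
		}
		signer := c.PubKey // the self-signed root verifies against itself
		if c.Issuer != nil {
			signer = c.Issuer.PubKey
		}
		if !ed25519.Verify(signer, c.tbs(), c.Signature) {
			return "", fmt.Errorf("bad signature on credential for %s", c.Subject)
		}
	}
	return subject, nil
}

// Authorize is what a resource does on connection: prove the chain, then apply the
// site's own identity -> local account map, which the site edits unilaterally.
func Authorize(site map[string]string, c *Credential, now time.Time) (string, error) {
	subject, err := VerifyChain(c, now)
	if err != nil {
		return "", err
	}
	if local, ok := site[subject]; ok {
		return local, nil
	}
	return "", fmt.Errorf("site policy: no local account for %s", subject)
}

// RunScenario plays user -> proxy -> job proxy against a constructed site map.
func RunScenario() (localUser string, expiredDenied, forgedDenied, unmappedDenied bool) {
	now := time.Date(2000, 1, 1, 12, 0, 0, 0, time.UTC)
	site := map[string]string{"/O=Grid/CN=Alice": "alice"} // constructed policy
	alice, aliceKey := NewUser("/O=Grid/CN=Alice", now.Add(365*24*time.Hour))
	// Single sign-on: the long-term key signs one 12h proxy and then stays offline;
	// user-controlled delegation: that proxy hands a 2h proxy to a job.
	proxy, proxyKey := alice.Delegate(aliceKey, now.Add(12*time.Hour))
	job, _ := proxy.Delegate(proxyKey, now.Add(2*time.Hour))
	localUser, _ = Authorize(site, job, now)
	_, err := Authorize(site, job, now.Add(3*time.Hour))
	expiredDenied = err != nil
	// Forgery: Mallory signs a proxy that names Alice as subject and issuer.
	mallory, malloryKey := NewUser("/O=Grid/CN=Mallory", now.Add(24*time.Hour))
	forged := &Credential{Subject: alice.Subject, PubKey: mallory.PubKey, NotAfter: now.Add(time.Hour), Issuer: alice}
	forged.Signature = ed25519.Sign(malloryKey, forged.tbs())
	_, err = Authorize(site, forged, now)
	forgedDenied = err != nil
	// Valid chain, but the site never granted Mallory a local account.
	mp, _ := mallory.Delegate(malloryKey, now.Add(time.Hour))
	_, err = Authorize(site, mp, now)
	unmappedDenied = err != nil
	return
}
```

RunScenario returns "alice" for the two-hop proxy and reports the expired, forged and unmapped credentials as refused. The map lookup is where the abstract's "site control" lives: the site removes or renames an entry without consulting the virtual organization, and a perfectly valid chain then gets nothing. A real verifier does more than this toy: it checks the root against configured trust anchors rather than accepting any self-signature, bounds the chain length, and consults revocation state before the local mapping is applied.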