A Flexible Attribute Based Access Control Method for Grid Computing

Grid systems have huge and changeable user groups, and different autonomous domains always have different security policies. The attribute based access control (ABAC) model, being flexible and scalable, is better suited to Grid systems. This paper describes a method of building a flexible access control mechanism that is based on ABAC and supports multiple policies for Grid computing. First, an attribute based multipolicy access control model, ABMAC, is proposed. Compared with ABAC, ABMAC can describe multiple heterogeneous policies, and each policy is encapsulated without changing its description. Then, by extending the authorization architecture of XACML, the paper puts forward an authorization framework that supports ABMAC and is implemented in the Globus Toolkit release 4 (GT4). (Some parts of the authorization framework described in this paper can only be found in the Globus Toolkit CVS repository; a more complete authorization framework will appear in Globus Toolkit release 4.2.) Based on the concept of policy encapsulation, the framework provides a flexible and scalable authorization mechanism that can support multiple existing policies in a Grid system. The design and implementation details of the GT4 authorization framework are also discussed in detail.
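As an added illustration of the policy-encapsulation idea in the abstract (example code written here, not the paper's or GT4's own implementation): each heterogeneous policy keeps its native description and is wrapped behind one evaluate() interface, and a master PDP combines their decisions over an attribute-based request. The gridmap text format, the FQAN-style VO attribute strings, the resource-owner rule and the deny-overrides combining algorithm are assumptions made for this demonstration.

```python
"""ABMAC-style multi-policy authorization: added illustration, not GT4 code.
Policy formats and the combining rule are assumptions for this demonstration."""
import re
from dataclasses import dataclass
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')  # native form: "DN" local_user

@dataclass(frozen=True)
class Request:
    subject: dict   # subject attributes: DN and VO attributes (FQAN-style strings)
    resource: dict  # resource attributes: owner DN
    action: str

class GridmapPolicy:
    """Encapsulates an identity-list policy kept in its native text form."""
    def __init__(self, text):
        lines = (ln.strip() for ln in text.splitlines())
        self.mapping = dict(m.groups() for m in map(GRIDMAP_LINE.match, lines) if m)
    def evaluate(self, req):
        return PERMIT if req.subject.get("dn") in self.mapping else NOT_APPLICABLE

class VOAttributePolicy:
    """Encapsulates rules on VO attributes: (fqan, action) pairs that permit."""
    def __init__(self, rules):
        self.rules = set(rules)
    def evaluate(self, req):
        hit = any((f, req.action) in self.rules for f in req.subject.get("fqans", []))
        return PERMIT if hit else NOT_APPLICABLE

class OwnerPolicy:
    """Resource-attribute rule: only the owner DN may delete; anyone else is denied."""
    def evaluate(self, req):
        if req.action != "delete":
            return NOT_APPLICABLE
        return PERMIT if req.resource.get("owner") == req.subject.get("dn") else DENY

class MultiPolicyPDP:
    """Master PDP: one evaluate() interface per wrapped policy; deny-overrides, default Deny."""
    def __init__(self, policies):
        self.policies = list(policies)
    def decide(self, req):
        results = [p.evaluate(req) for p in self.policies]
        return DENY if DENY in results or PERMIT not in results else PERMIT

# Constructed sample gridmap text and VO rule (not from any real deployment).
GRIDMAP = '"/C=US/O=ExampleGrid/CN=Alice" alice\n# comment\n"/C=US/O=ExampleGrid/CN=Bob" bob\n'
PDP = MultiPolicyPDP([GridmapPolicy(GRIDMAP), OwnerPolicy(),
                      VOAttributePolicy([("/examplevo/Role=production", "submit")])])
def authorize(dn, fqans, resource_owner, action):
    req = Request({"dn": dn, "fqans": list(fqans)}, {"owner": resource_owner}, action)
    return PDP.decide(req)
```

Adding a new policy type means adding one wrapper class with an evaluate() method; the existing policy texts and the PDP are untouched.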
