Attribute Based Access Control for Grid Computing

Grid systems are composed of autonomous domains and are therefore open and dynamic: they typically serve a large and changing population of users, and each domain enforces its own policies. Traditional identity-based access control models are closed and inflexible in such a setting. The Attribute Based Access Control (ABAC) model, which makes decisions on the attributes of the requestor, the resource, and the environment, is scalable and flexible and thus better suited to distributed, open systems. However, no existing ABAC model meets the particular authorization requirements of Grid computing. This paper presents an Attribute Based Multipolicy Access Control (ABMAC) model built on the concept of ABAC and on the authorization requirements of Grid systems. Also described is an authorization framework, implemented in Globus Toolkit release 4, that supports ABMAC. This attribute-based authorization framework supports several different policies and integrates third-party attribute-based authorization systems. Its advantages in supporting access control for Grid applications demonstrate the effectiveness of the ABMAC model and provide an open architecture for Grid authorization systems.
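To make the ABAC decision structure concrete, the following is an added example and not code from the paper or from the Globus Toolkit: a minimal policy decision point that evaluates a request over subject, resource and environment attributes against several independent policies (a VO-level policy, a local-domain policy and a site revocation list) and combines their results. The attribute names, the three policies and the deny-overrides combining rule are assumptions for illustration; the paper does not specify ABMAC's combining algorithm.

```python
"""Added example, not the paper's or Globus Toolkit's code: a minimal
attribute-based, multi-policy decision point in the spirit of ABMAC.
Policy names, attribute names and the deny-overrides combining rule are
assumptions for illustration; the paper does not specify them."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

Attrs = Dict[str, object]
PERMIT, DENY, NOT_APPLICABLE = "PERMIT", "DENY", "NOT_APPLICABLE"


@dataclass(frozen=True)
class Request:
    """The three attribute sets an ABAC decision is made over."""
    subject: Attrs      # requestor attributes, e.g. DN, VO, roles
    resource: Attrs     # resource attributes, e.g. owning domain, allow lists
    environment: Attrs  # environment attributes, e.g. time, client address


@dataclass(frozen=True)
class Policy:
    """A named policy: the target selects requests it applies to, the rule decides."""
    name: str
    target: Callable[[Request], bool]
    rule: Callable[[Request], str]

    def evaluate(self, req: Request) -> str:
        return self.rule(req) if self.target(req) else NOT_APPLICABLE


def vo_policy_rule(req: Request) -> str:
    """VO-level policy (assumed): permit if the requestor's VO and one of its
    roles are on the resource's allow lists, otherwise deny."""
    vo_ok = req.subject.get("vo") in req.resource.get("allowed_vos", ())
    role_ok = bool(set(req.subject.get("roles", ())) & set(req.resource.get("allowed_roles", ())))
    return PERMIT if vo_ok and role_ok else DENY


def local_domain_rule(req: Request) -> str:
    """Local-domain policy (assumed): the owning site restricts client networks and hours."""
    client = ip_address(str(req.environment["client_ip"]))
    nets = [ip_network(str(n)) for n in req.resource.get("allowed_networks", ())]
    if not any(client in n for n in nets):
        return DENY
    hour = req.environment["time"].hour
    lo, hi = req.resource.get("service_hours", (0, 24))
    return PERMIT if lo <= hour < hi else DENY


def revocation_rule(req: Request) -> str:
    """Site revocation list (assumed): a revoked DN is denied regardless of VO attributes."""
    return DENY if req.subject.get("dn") in req.resource.get("revoked_dns", ()) else NOT_APPLICABLE


# Third-party attribute sources plug in the same way: a policy is just a
# target predicate plus a rule over the attribute sets.
POLICIES: List[Policy] = [
    Policy("vo", lambda r: "vo" in r.subject, vo_policy_rule),
    Policy("local-domain", lambda r: "client_ip" in r.environment, local_domain_rule),
    Policy("revocation", lambda r: "dn" in r.subject, revocation_rule),
]


def decide(req: Request, policies: List[Policy] = POLICIES) -> str:
    """Deny-overrides combination (assumed): any DENY wins, then any PERMIT;
    a request that no policy applies to is denied (default deny)."""
    results = [p.evaluate(req) for p in policies]
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else DENY


COMPUTE_NODE: Attrs = {  # constructed sample resource attributes
    "owning_domain": "site-a",
    "allowed_vos": {"atlas"},
    "allowed_roles": {"production", "analysis"},
    "allowed_networks": ["10.0.0.0/8", "192.168.1.0/24"],
    "service_hours": (6, 22),
    "revoked_dns": {"/C=XX/O=Grid/CN=revoked user"},
}


def sample_request(dn="/C=XX/O=Grid/CN=alice", vo="atlas", roles=("analysis",),
                   client_ip="10.1.2.3", hour=12) -> Request:
    """Build a constructed request; the defaults describe an in-hours, allowed request."""
    return Request(
        subject={"dn": dn, "vo": vo, "roles": tuple(roles)},
        resource=COMPUTE_NODE,
        environment={"client_ip": client_ip,
                     "time": datetime(2024, 1, 1, hour, tzinfo=timezone.utc)},
    )


if __name__ == "__main__":
    print(decide(sample_request()))                                    # PERMIT
    print(decide(sample_request(dn="/C=XX/O=Grid/CN=revoked user")))   # DENY: revocation overrides VO permit
    print(decide(sample_request(hour=23)))                             # DENY: outside local service hours
    print(decide(sample_request(vo="cms")))                            # DENY: VO not on the allow list
```

The point of the structure is that each domain's policy is evaluated on its own attribute view and only the combining step is shared, so a site can add a local rule (or plug in an external attribute authority) without rewriting the VO-level policy; the deny-overrides choice means a local restriction can never be bypassed by a permissive VO attribute.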
