Role-based access control for a Grid system using OGSA-DAI and Shibboleth

In this paper, we propose a new role-based access control (RBAC) system for Grid data resources in the Open Grid Services Architecture Data Access and Integration (OGSA-DAI). OGSA-DAI is a widely used framework for integrating data resources in Grids. However, OGSA-DAI's identity-based access control causes substantial administration overhead for the resource providers in virtual organizations (VOs) because of the direct mapping between individual Grid users and the privileges on the resources. To solve this problem, we used Shibboleth, an attribute authorization service, to support RBAC within OGSA-DAI. In addition, access control policies need to be specified and managed across multiple VOs. For the specification of access control policies, we used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); and for distributed administration of those policies and the user-role assignments, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications, which were developed to achieve interoperable registries and repositories. Our RBAC system provides scalable and fine-grained access control and allows privacy protection. It also supports dynamic delegation of rights and user-role assignments, and reduces the administration overhead for the resource providers because they need to maintain only the mapping information from VO roles to local database roles. Moreover, unnecessary mapping and connections can be avoided by denying invalid requests at the VO level. Performance analysis shows that our RBAC system adds only a small overhead to the existing security infrastructure of OGSA-DAI.
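The following is an added illustration, not code from the paper or from OGSA-DAI, of the decision flow the abstract describes: a hierarchical RBAC policy evaluated at the VO level against the roles carried in a Shibboleth-style attribute assertion, with the resource provider holding only a VO-role-to-local-database-role map. All role names, permissions, resource names and attribute values are constructed for the example.

```python
# Added example (not the paper's code). Models the VO-level RBAC check of the
# XACML Core and Hierarchical RBAC profile followed by the VO-role -> local DB
# role mapping; every name below is constructed.
from typing import Dict, List, Set, Tuple

# Hierarchical RBAC: a senior role inherits every permission of its juniors.
ROLE_HIERARCHY: Dict[str, List[str]] = {
    "vo_admin": ["vo_analyst"],
    "vo_analyst": ["vo_member"],
    "vo_member": [],
}

# VO-level permission policy: (resource, action) pairs granted to each role.
VO_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "vo_member": {("clinical_db", "read")},
    "vo_analyst": {("clinical_db", "query")},
    "vo_admin": {("clinical_db", "update")},
}

# The only thing a resource provider administers: VO role -> local database role.
LOCAL_ROLE_MAP: Dict[str, Dict[str, str]] = {
    "clinical_db": {"vo_member": "db_reader",
                    "vo_analyst": "db_analyst",
                    "vo_admin": "db_writer"},
}


def effective_roles(roles: List[str]) -> Set[str]:
    """Expand assigned roles with all junior roles reachable in the hierarchy."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_HIERARCHY.get(r, []))
    return seen


def authorize(attributes: Dict[str, List[str]], resource: str, action: str):
    """Return (decision, local_db_role). Only the attribute assertion's roles are
    consulted (no user identity), and a deny at the VO level short-circuits before
    any local mapping or database connection would be made."""
    roles = effective_roles(attributes.get("vo_roles", []))
    granted = [r for r in roles if (resource, action) in VO_PERMISSIONS.get(r, set())]
    if not granted:
        return ("deny", None)  # rejected at the VO level; nothing reaches the provider
    # Least privilege: map through the most junior role that grants the action.
    junior = min(granted, key=lambda r: len(effective_roles([r])))
    return ("permit", LOCAL_ROLE_MAP[resource][junior])
```

A request from a `vo_analyst` to `read` is permitted through the inherited `vo_member` permission and lands on the local `db_reader` role, while an `update` from the same user is denied before any mapping is consulted.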
