Shibboleth and Community Authorization Services: Enabling Role-Based Grid Access

Classical authentication and authorization in grid environments can become a user management issue due to the flat nature of credentials based on X.509 certificates. While such credentials are able to identify user affiliations, such systems typically leave out a crucial aspect of user management and resource allocation: privilege levels. Shibboleth-based authentication mechanisms facilitate the secure communication of such user attributes within a trust federation. This paper describes a role-based access control framework that exploits Shibboleth attribute handling and CAS (Community Authorization Services) within a Grid environment. Users are able to obtain appropriate access levels to resources outside of their domain on the basis of their native privileges and resource policies. This paper describes our framework and discusses issues of security and manageability.
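The mapping the abstract describes, from federated attributes plus a resource policy to a privilege level, as an added illustration that is not the paper's own code: a resource accepts an attribute assertion only from an identity provider in its trust federation, discards scoped values the issuer is not authoritative for, and then applies an ordered policy with a default of deny. The federation members, attribute names, scopes and policy rules are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed trust federation: IdP entityID -> scopes it may assert.
FEDERATION = {
    "idp.uni-a.example": {"uni-a.example"},
    "idp.lab-b.example": {"lab-b.example"},
}

@dataclass
class Assertion:
    issuer: str                                     # asserting IdP
    attributes: dict = field(default_factory=dict)  # name -> list of values

# Constructed resource policy, most privileged rule first:
# (access level, required attribute, acceptable values).
POLICY = [
    ("admin", "eduPersonEntitlement",       {"urn:example:grid:admin"}),
    ("write", "eduPersonScopedAffiliation", {"faculty", "staff"}),
    ("read",  "eduPersonScopedAffiliation", {"student", "member"}),
]

def filtered_values(assertion, attr):
    """Values of attr, dropping scoped values the issuer may not assert."""
    allowed_scopes = FEDERATION.get(assertion.issuer, set())
    kept = set()
    for v in assertion.attributes.get(attr, []):
        if "@" in v:                      # scoped value, e.g. staff@uni-a.example
            value, scope = v.rsplit("@", 1)
            if scope not in allowed_scopes:
                continue                  # issuer not authoritative for this scope
            kept.add(value)
        else:
            kept.add(v)
    return kept

def access_level(assertion, policy=POLICY):
    """Highest level the policy grants for this assertion, else 'deny'."""
    if assertion.issuer not in FEDERATION:  # assertion from outside the federation
        return "deny"
    for level, attr, accepted in policy:
        if filtered_values(assertion, attr) & accepted:
            return level
    return "deny"                           # default deny when no rule matches
```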
