Distributed policy framework across multiple grid domains

A key feature of a grid environment is the sharing of computing and storage: users operate on resources not directly owned by them. Often users working on the same research project are grouped in a virtual organization (VO) that applies a common authorization policy to these resources. Many international experiments, however, use different Grid middleware platforms, each with its own authorization framework. This leads to interoperability problems for scientists of the same experiment who use their national Grid infrastructures. Usually VOs and resource providers agree on contracts that regulate resource usage. Enforcing such arrangements requires an agreed, interoperable authorization mechanism based on policies that can be written by both VOs and resource providers. This can be achieved with a flexible, distributed policy framework in which complex relationships can be enforced, managing both policies created by VOs and policies created by Grid sites. The G-PBox policy framework, in conjunction with the VOMS Attribute Authority, is our proposal to represent, manage and distribute such policies in a transparent way. The G-PBox approach is based on a set of XACML policy databases belonging separately to VOs and resource providers, each containing at least the policies regarding its own organization. In this paper we describe how VO-oriented tools such as VOMS and G-PBox can be deployed across different VOs and resource providers. We show how VO managers and site administrators can set up agreed policies to optimize resource sharing and prioritize experiment computing, making the best use of their time and resources. We also underline that adopting Grid standards for assertions and policies, such as SAML and XACML, provides an effective advantage in enabling accepted authentication and authorization interoperability among services of different Grid domains based on different mechanisms.
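The following Python script is an added example, not code from the paper or from the G-PBox project. It models the two-tier arrangement the abstract describes: a VO manager and a site administrator each maintain their own policy database, a request carrying VOMS-style attributes (VO, group, role) is evaluated against both, and the results are merged with XACML's deny-overrides combining algorithm. The attribute names, the "equal"/"prefix" match operators, the sample policies and the site name are assumptions of this example; real G-PBox stores XACML documents rather than these Python records.

```python
"""Toy model of VO-issued and site-issued policies combined at a site (added example)."""
from dataclasses import dataclass
from typing import Iterable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Match:
    attribute: str   # request attribute, e.g. "group" (a VOMS FQAN group path)
    operator: str    # "equal", or "prefix" so that "/atlas" covers every subgroup
    value: str


@dataclass(frozen=True)
class Rule:
    effect: str      # PERMIT or DENY
    target: tuple    # every Match must hold for the rule to apply


@dataclass(frozen=True)
class Policy:
    issuer: str      # who wrote it: a VO manager or a site administrator
    rules: tuple


def match_holds(m: Match, request: dict) -> bool:
    actual = request.get(m.attribute)
    if actual is None:
        return False
    if m.operator == "equal":
        return actual == m.value
    if m.operator == "prefix":
        # "/atlas" matches "/atlas" and "/atlas/production", but not "/atlasx"
        return actual == m.value or actual.startswith(m.value.rstrip("/") + "/")
    raise ValueError(f"unknown operator {m.operator}")


def deny_overrides(decisions: Iterable[str]) -> str:
    """XACML deny-overrides: one Deny wins; otherwise any Permit; otherwise NotApplicable."""
    decisions = list(decisions)
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def evaluate_policy(policy: Policy, request: dict) -> str:
    applicable = (r.effect for r in policy.rules
                  if all(match_holds(m, request) for m in r.target))
    return deny_overrides(applicable)


def decide(policies: Iterable[Policy], request: dict) -> str:
    """Treat the VO database and the site database as one policy set."""
    return deny_overrides(evaluate_policy(p, request) for p in policies)


def authorize(policies: Iterable[Policy], request: dict) -> bool:
    """Enforcement point: only an explicit Permit grants access (closed world)."""
    return decide(policies, request) == PERMIT


# Constructed sample policies (assumptions, not real experiment rules).
VO_POLICY = Policy("VO atlas (VO manager)", (
    Rule(PERMIT, (Match("group", "prefix", "/atlas"),
                  Match("action", "equal", "job-submit"))),
    Rule(DENY, (Match("group", "prefix", "/atlas/analysis"),
                Match("action", "equal", "data-delete"))),
))
SITE_POLICY = Policy("site-a (site administrator)", (
    # Site lets only production-role members delete data it hosts.
    Rule(PERMIT, (Match("vo", "equal", "atlas"),
                  Match("role", "equal", "production"),
                  Match("action", "equal", "data-delete"))),
    # Site reserves its CE for production; analysis jobs are refused here.
    Rule(DENY, (Match("group", "prefix", "/atlas/analysis"),
                Match("action", "equal", "job-submit"))),
))
POLICIES = (VO_POLICY, SITE_POLICY)


def request(group: str, role: str, action: str, vo: str = "atlas") -> dict:
    """Build a request from VOMS-style attributes (constructed values)."""
    return {"vo": vo, "group": group, "role": role,
            "action": action, "resource": "ce.site-a.example"}


if __name__ == "__main__":
    for grp, role, act in [("/atlas/production", "production", "job-submit"),
                           ("/atlas/analysis", "analysis", "job-submit"),
                           ("/atlas/production", "production", "data-delete"),
                           ("/atlas/analysis", "analysis", "data-delete"),
                           ("/cms/prod", "prod", "job-submit")]:
        print(grp, role, act, "->", decide(POLICIES, request(grp, role, act)))
```

A request from a `/cms/prod` member yields NotApplicable because neither database has a rule for it, and the enforcement point refuses it; the VO's blanket permit for `/atlas` job submission is overridden at this site by the site's own deny for `/atlas/analysis`, which is the kind of site-level override the paper's distributed databases are meant to express.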
