A Flexible Attribute Based Access Control Method for Grid Computing

Springer Science and Business Media LLC - Volume 7 - Pages 169-180 - 2008
Bo Lang1,2, Ian Foster1,3, Frank Siebenlist1,3, Rachana Ananthakrishnan1, Tim Freeman1,3
1Mathematics and Computer Science Division, Argonne National Laboratory, Argonne, USA
2State Key Lab of Software Development Environment, Beihang University, Beijing, China
3University of Chicago, Chicago, USA

Abstract

Grid systems have huge and changeable user groups, and different autonomous domains always have different security policies. The attribute based access control (ABAC) model, which is flexible and scalable, is more suitable for Grid systems. This paper describes a method of building a flexible access control mechanism that is based on ABAC and supports multiple policies for Grid computing. First, an attribute based multipolicy access control model, ABMAC, is proposed. Compared with ABAC, ABMAC can describe multiple heterogeneous policies, and each policy is encapsulated without changing its description. Then, by extending the authorization architecture of XACML, the paper puts forward an authorization framework that supports ABMAC and is implemented in the Globus Toolkit release 4 (GT4). (A few parts of the authorization framework described in this paper can currently only be found in the Globus Toolkit CVS repository. A more complete authorization framework will appear in Globus Toolkit release 4.2.) Based on the concept of policy encapsulation, the framework provides a flexible and scalable authorization mechanism that can support multiple existing policies in a Grid system. The design and implementation details of the GT4 authorization framework are also discussed in detail.
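The policy-encapsulation idea the abstract describes, as an added illustration that is not code from the paper or from the Globus Toolkit: heterogeneous policies keep their native form behind one attribute-based `evaluate()` interface, and a single decision point combines their results. The deny-overrides combiner is XACML's; the policy classes, attribute names and sample data are constructed for this example.

```python
# Added example (not the paper's or GT4's code): an ABMAC-style decision point
# that wraps heterogeneous policies behind one attribute-based interface.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

class AttributeRulePolicy:
    """Policy written as attribute-match rules: ({attr: value, ...}, effect).
    The first rule whose attributes all match decides."""
    def __init__(self, rules):
        self.rules = rules
    def evaluate(self, attrs):
        for match, effect in self.rules:
            if all(attrs.get(k) == v for k, v in match.items()):
                return effect
        return NOT_APPLICABLE

class RoleListPolicy:
    """Policy kept in its native role -> allowed-actions form (constructed)."""
    def __init__(self, role_actions):
        self.role_actions = role_actions
    def evaluate(self, attrs):
        allowed = set()
        for role in attrs.get("roles", ()):
            allowed |= self.role_actions.get(role, set())
        if not allowed:               # subject holds no role this policy knows
            return NOT_APPLICABLE
        return PERMIT if attrs.get("action") in allowed else DENY

class BlacklistPolicy:
    """Policy kept as a plain deny-list of subject identifiers (constructed)."""
    def __init__(self, banned):
        self.banned = set(banned)
    def evaluate(self, attrs):
        return DENY if attrs.get("subject") in self.banned else NOT_APPLICABLE

def deny_overrides(decisions):
    """XACML deny-overrides: any Deny wins, then any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

class MultiPolicyPDP:
    """Evaluates every encapsulated policy on the same attribute set and combines."""
    def __init__(self, policies, combine=deny_overrides):
        self.policies, self.combine = policies, combine
    def decide(self, attrs):
        return self.combine([p.evaluate(attrs) for p in self.policies])

# Constructed sample policies: public data, VO roles, and a revoked-subject list.
PDP = MultiPolicyPDP([
    AttributeRulePolicy([({"resource": "/data/public"}, PERMIT)]),
    RoleListPolicy({"vo-admin": {"read", "write"}, "vo-member": {"read"}}),
    BlacklistPolicy(["CN=revoked-user"]),
])
```

A request is just the attribute set (subject, roles, resource, action); a Deny from any encapsulated policy, such as the blacklist, overrides a Permit from another.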
