Skip to main content
Springer Nature Link
Log in

Experiences of Applying Advanced Grid Authorisation Infrastructures

  • Conference paper
Advances in Grid Computing - EGC 2005 (EGC 2005)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 3470))

Included in the following conference series:

  • 497 Accesses

Abstract

The widespread acceptance and uptake of Grid technology can only be achieved if it can be ensured that the security mechanisms needed to support Grid based collaborations are at least as strong as local security mechanisms. The predominant way in which security is currently addressed in the Grid community is through Public Key Infrastructures (PKI) to support authentication. Whilst PKIs address user identity issues, authentication does not provide fine grained control over what users are allowed to do on remote resources (authorisation). The Grid community have put forward numerous software proposals for authorisation infrastructures such as AKENTI [1], CAS [2], CARDEA [3], GSI [4], PERMIS [5,6,7] and VOMS [8,9]. It is clear that for the foreseeable future a collection of solutions will be the norm. To address this, the Global Grid Forum (GGF) have proposed a generic SAML based authorisation API which in principle should allow for fine grained control for authorised access to any Grid service. Experiences in applying and stress testing this API from a variety of different application domains are essential to give insight into the practical aspects of large scale usage of authorisation infrastructures. This paper presents experiences from the DTI funded BRIDGES project [10] and the JISC funded DyVOSE project [11] in using this API with Globus version 3.3 [12] and the PERMIS authorisation infrastructure.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Johnston, W., Mudumbai, S., Thompson, M.: Authorization and Attribute Certificates for Widely Distributed Access Control. In: IEEE 7th Int. Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, http://www-itg.lbl.gov/security/Akenti/

  2. Pearlman, L., et al.: A Community Authorisation Service for Group Collaboration. In: Proceedings of the IEEE 3rd International Workshop on Policies for Distributed Systems and Networks (2002)

    Google Scholar 

  3. Lepro, R.: Cardea: Dynamic Access Control in Distributed Systems, NASA Technical Report NAS-03-020 (November 2003)

    Google Scholar 

  4. Globus Grid Security Infrastructure (GSI), http://www-unix.globus.org/toolkit/docs/3.2/gsi/index.html

  5. Chadwick, D.W., Otenko, A., Ball, E.: Role-based Access Control with X.509 Attribute Certificates. IEEE Internet Computing, 62–69 (March-April 2003)

    Google Scholar 

  6. Chadwick, D.W., Otenko, A.: The PERMIS X.509 Role Based Privilege Management Infrastructure. Future Generation Computer Systems 936, 1–13 (2002)

    Google Scholar 

  7. Privilege and Role Management Infrastructure Standards Validation project, http://www.permis.org

  8. VOMS Architecture. European Datagrid Authorization Working group, September 5 (2002)

    Google Scholar 

  9. Steven Newhouse. Virtual Organisation Management. The London E-Science centre, http://www.lesc.ic.ac.uk/projects/oscar-g.html

  10. BioMedical Research Informatics Delivered by Grid Enabled Services project (BRIDGES), http://www.nesc.ac.uk/hub/projects/bridges

  11. Dynamic Virtual Organisations in e-Science Education project (DyVOSE), http://www.nesc.ac.uk/hub/projects/dyvose

  12. Globus, http://www.globus.org

  13. Housley, R., Polk, T.: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructures. Wiley Computer Publishing, Chichester (2001)

    Google Scholar 

  14. ITU-T Recommendation X.509, ISO/IEC 9594-8: 2001, Information technology – Open Systems Interconnection – Public-Key and Attribute Certificate Frameworks (2001)

    Google Scholar 

  15. JISC Authentication, Authorisation and Accounting (AAA) Programme Technologies for Information Environment Security (TIES), http://www.edina.ac.uk/projects/ties/ties_23-9.pdf

  16. Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. In: Paper presented at the 9th USENIX security symposium, Washington (1999)

    Google Scholar 

  17. Chadwick, D., Otenko, O.: A Comparison of the Akenti and PERMIS Authorization Infrastructures, in Ensuring Security in IT Infrastructures. In: El-Hadidi, M.T. (ed.) Proceedings of ITI First International Conference on Information and Communications Technology (ICICT 2003), Cairo University, pp. 5–26 (2003)

    Google Scholar 

  18. Conceptual AuthZ Framework and Classification (DOC), https://forge.gridforum.org/docman2/ViewCategory.php?group_id=55&category_id=458

  19. Stell, A.J.: Grid Security: An Evaluation of Authorisation Infrastructures for Grid Computing, MSc Dissertation, University of Glasgow (2004)

    Google Scholar 

  20. ITU-T Rec. X.509, ISO/IEC 9594-8. The Directory: Authentication Framework (2000)

    Google Scholar 

  21. UK e-Science Certification Authority, http://www.grid-support.ac.uk

  22. ITU-T Rec X.812, ISO/IEC 10181-3:1996, Security Frameworks for open systems: Access control framework (1995)

    Google Scholar 

  23. Welch, V., Siebenlist, F., Chadwick, D., Meder, S., Pearlman, L.: Use of SAML for OGSA Authorization (June 2004), https://forge.gridforum.org/projects/ogsa-authz

  24. OASIS. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) v1.1. September 2 (2003), http://www.oasis-open.org/committees/security/

  25. Cardiovascular Functional Genomics project, http://www.brc.dcs.gla.ac.uk/projects/cfg/

  26. Open Grid Service Architecture – Data Access and Integration project (OGSA-DAI), http://www.ogsadai.org.uk

  27. IBM Information Integrator, http://www.ibm.com

  28. EMBL-EBI European Bioinformatics Institute, http://www.ebi.ac.uk/ensembl/

  29. OpenSSL to create certificates, http://www.flatmtn.com/computer/Linux-SSLCertificates.html

  30. Von Welch/Jennifer Schopf personal communications

    Google Scholar 

  31. Jokl, J., Basney, J., Humphrey, M.: Experiences using Bridge CAs for Grids. In: Proceedings of UK Workshop on Grid Security Practice, Oxford (July 2004)

    Google Scholar 

  32. Virtual Organisations for Trials and Epidemiological Studies project (VOTES), http://www.nesc.ac.uk/hub/projects/votes

  33. Shibboleth, http://shibboleth.internet2.edu/

Download references

Author information

Authors and Affiliations

  1. National e-Science Centre, University of Glasgow,  

    R. O. Sinnott & A. J. Stell

  2. Department of Computing Science, University of Kent,  

    D. W. Chadwick

  3. IS Security Research Centre, University of Salford,  

    O. Otenko

Authors
  1. R. O. Sinnott
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. A. J. Stell
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. D. W. Chadwick
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. O. Otenko
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Faculty of Sciences, Section of Computational Science, University of Amsterdam, Kruislaan 403, 1098, Amsterdam, SJ, The Netherlands

    Peter M. A. Sloot

  2. Section Computational Science, University of Amsterdam, The Netherlands

    Alfons G. Hoekstra

  3. INRIA Rennes - Bretagne Atlantique, Campus de Beaulieu, 35042, Rennes Cedex, France

    Thierry Priol

  4. Zuse Institute Berlin,  

    Alexander Reinefeld

  5. Institute of Computer Science, AGH, Poland

    Marian Bubak

Rights and permissions

Reprints and permissions

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sinnott, R.O., Stell, A.J., Chadwick, D.W., Otenko, O. (2005). Experiences of Applying Advanced Grid Authorisation Infrastructures. In: Sloot, P.M.A., Hoekstra, A.G., Priol, T., Reinefeld, A., Bubak, M. (eds) Advances in Grid Computing - EGC 2005. EGC 2005. Lecture Notes in Computer Science, vol 3470. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11508380_28

Download citation

  • DOI: https://doi.org/10.1007/11508380_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26918-2

  • Online ISBN: 978-3-540-32036-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics