Abstract
The OGSA definition of a Grid Service as a transient, stateful and dynamically instantiated Web Service introduced new authentication and authorization requirements beyond those already established for existing Grid environments. However such design features have begun to be developed currently following a pre-Web Services approach in two aspects: in the first place making a clear separation of authentication from authorization issues, and in the second place not designing them over the OGSI/WSRF defined mechanisms and specifications. In this paper we are proposing a new Security Framework that unifies identified common points of both features, Authentication and Authorization, into a mechanism called validation policy which is expected to improve service performance and security. Our framework seeks to implement these aspects over the Grid Service’s Operations and Service Data concepts to fully exploit its functionalities. The paper also presents the integration of an enhanced OCSP Service Provider into the Globus Toolkit 3.9.4 as a first proof of concept.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Foster, I., Kesselman, C., Nick, J., Tuecke, S.: The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration. Globus Project (2002), http://www.globus.org/research/papers/ogsa.pdf
The WS-Resource Framework, http://www.globus.org/wsrf/
Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective. The Globus Security Team. Version 2 (December 2004), http://www.globus.org/toolkit/docs/4.0/security/GT4-GSI-Overview.pdf
Burrows, M., Abadi, M., Needham, R.M.: A Logic of Authentication. ACM Transactions on Computer Systems 8(1), 18–36 (1990); A Formal Semantics for Evaluating Cryptographic Protocols p. 14, http://citeseer.ist.psu.edu/burrows90logic.html
Baker, R., Gommans, L., McNab, A., Lorch, M., Ramakrishnan, L., Sarkar, K., Thompson, M.R.: Conceptual Grid Authorization Framework and Classification. In: Global Grid Forum Working Group on Authorization Frameworks and Mechanisms (February 2003), http://www.ggf.org/Meetings/ggf7/drafts/authz01.pdf
Vollbrecht, J., et al.: RFC 2904: AAA Authorization Framework (August 2000)
Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The Ponder policy specification language. In: Sloman, M. (ed.) Proc. of Policy Worshop, Bristol UK (January 2001), http://citeseer.ist.psu.edu/damianou01ponder.html
Welch, V., et al.: Use of SAML for OGSA Authorization. In: OGSA-Security Working Group, Global Grid Forum. Working document (February 2003), http://www.cs.virginia.edu/~humphrey/ogsa-sec-wg/
Pearlman, L., et al.: A Community Authorization Service for Group Collaboration. In: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY 2002). IEEE Computer Society, Los Alamitos (2002)
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V1.1. OASIS Security Services Technical Committee. Version 1.1 (September 2003), http://www.oasis-open.org/committees/security/
Welch, V., et al.: OGSA Authorization Requirements. In: OGSA-Authorization Working Group, Global Grid Forum. Working document (June 2003), https://forge.gridforum.org/projects/ogsa-authz/document/
Cruellas, J.C., et al.: OASIS: DSS Profiles Discussion Document. Working Draft 02 (February 2004), http://www.oasis-open.org/committees/dss/
ETSI TR 102 041: Electronic Signatures and Infrastructures (ESI); Signature Policies Report. ETSI ESI group. Version 1.1.1 (February 2002), http://portal.etsi.org/esi/el-sign.asp
CertiVeR: Certificate Revocation and Validation Service, http://www.certiver.com
von Laszewski, G., Foster, I., Gawor, J., Lane, P.: A Java Commodity Grid Kit. Concurrency and Computation: Practice and Experience 13(8-9), 643–662 (2001), http://www.cogkit.org/
Thompson, M., Essiari, A., Mudumbai, S.: Certificate-based Authorization Policy in a PKI Environment. ACM Transactions on Information and System Security (TISSEC) 6(4), 566–588 (2003), http://dsd.lbl.gov/security/Akenti/Papers/
Thompson, M., et al.: Distributed Security Architectures – Providing security services for Grids. Working Document (March 2004), http://dsd.lbl.gov/security/SciDac-DistSec-2pager04.pdf
Chadwick, D., Otenko, A.: The PERMIS X.509 Role based privilege management infrastructure. In: 7th ACM Symposium on Access Control Models and Technologies (SACMAT 2002) (June 2002), http://www.acm.org/sigs/sigsac/sacmat
Sinnott, R.O., Stell, A.J., Chadwick, D.W., Otenko, O.: Experiences of Applying Advanced Grid Authorisation Infrastructures. In: Accepted for the European Grid Conference (EGC 2005), Science Park Amsterdam, The Netherlands, February 14-16 (2005), http://labserv.nesc.gla.ac.uk/projects/dyvose/publicity/eGridFinalv4.pdf
Carmody, S.: Shibboleth Overview and requirements. Shibboleth Working Group Overview and Requirements Document (February 2001), http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html
GridShib: A Policy Controlled Attribute Framework, http://grid.ncsa.uiuc.edu/GridShib/
Cardea: Dynamic Access Control in Distributed Systems. NASA Advanced Supercomputing Division. Technical Report (November 2003), http://www.nas.nasa.gov/News/Techreports/2003/PDF/nas-03-020.pdf
Moses, T., et al.: OASIS eXtensible Access Control Markup Language (XACML) 2.0. Committee Draft 4 (December 2004), http://www.oasis-open.org/committees/xacml/
Alfieri, R., et al.: VOMS, an Authorization System for Virtual Organizations. In: Presented at the 1st European Across Grids Conference, Santiago de Compostela, Spain (February 2003), http://infnforge.cnaf.infn.it/voms/VOMS-Santiago.pdf
OCSP Requirements for Grids. Global Grid Forum, CA Operations Work Group. Working Document (February 2005), https://forge.gridforum.org/projects/caops-wg
ETSI TR 102 038: Electronic Signatures and Infrastructures (ESI); XML format for signature policies. ETSI ESI group. Version 1.1.1 (April 2002), http://portal.etsi.org/esi/el-sign.asp
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Luna, J., Medina, M., Manso, O. (2005). Towards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service Provider into GT4. In: Chadwick, D., Zhao, G. (eds) Public Key Infrastructure. EuroPKI 2005. Lecture Notes in Computer Science, vol 3545. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11533733_3
Download citation
DOI: https://doi.org/10.1007/11533733_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28062-0
Online ISBN: 978-3-540-31585-8
eBook Packages: Computer ScienceComputer Science (R0)