
A Fine-Grained and X.509-Based Access Control System for Globus

  • Conference paper
On the Move to Meaningful Internet Systems 2006: CoopIS, DOA, GADA, and ODBASE (OTM 2006)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 4276)

Abstract

The rapid advancement of technologies such as Grid computing, peer-to-peer networking, and Web Services, to name a few, offers companies and organizations an open and decentralized environment for dynamic resource sharing and integration. The Globus toolkit has emerged as the main resource sharing tool used in the Grid community.

Access control and access rights management become one of the main bottlenecks when using Globus, because in such an environment there is a potentially unbounded number of users and resource providers without a priori established trust relationships. Thus, Grid computational resources could be executed by unknown applications running on behalf of distrusted users, and therefore the integrity of those resources must be guaranteed.

To address this problem, the paper proposes an access control system that enhances the Globus toolkit with a number of features: (i) fine-grained behavioral control; (ii) application-level management of users' credentials for access control; (iii) full-fledged integration with the X.509 certificate standard; (iv) access control feedback when users do not have enough permissions.

This work is partially funded under the IST program of the EU Commission by the 2003-S116-00018 PAT-MOSTRO project, the STREP-project "ONE" (INFSO-IST-034744), the NoE-project "OPAALS" (INFSO-IST-034824), the STREP-project "S3MS" and the STREP-project "GRIDTrust".

An erratum to this chapter can be found at http://dx.doi.org/10.1007/11914952_55.




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Koshutanski, H., Martinelli, F., Mori, P., Borz, L., Vaccarelli, A. (2006). A Fine-Grained and X.509-Based Access Control System for Globus. In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems 2006: CoopIS, DOA, GADA, and ODBASE. OTM 2006. Lecture Notes in Computer Science, vol 4276. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11914952_21


  • DOI: https://doi.org/10.1007/11914952_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-48274-1

  • Online ISBN: 978-3-540-48283-3

  • eBook Packages: Computer Science (R0)
