Abstract
The use of gateways as a user-friendly way to access the Grid is increasing, as evidenced, for example, by the popularity of TeraGrid Science Gateways. Such gateways, however, add layers of software abstraction, which in turn imply more levels of trust delegation, compounding the security problems of enforcing trust at different layers.
In this paper we present the Domain Account Model (DAM), which extends the Shibboleth and GridShib models to enable interoperability between identity-based (i.e. GSI) and attribute-based (i.e. SAML) Grid authorization mechanisms, to ease the administration of user attributes by allowing domain separation between Real and Virtual Organizations (VO), and to improve trust management by means of the OAuth protocol.
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Galiero, G., Roccetti, P., Turli, A. (2008). Domain Account Model. In: Lovrek, I., Howlett, R.J., Jain, L.C. (eds) Knowledge-Based Intelligent Information and Engineering Systems. KES 2008. Lecture Notes in Computer Science, vol 5178. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85565-1_46
DOI: https://doi.org/10.1007/978-3-540-85565-1_46
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85564-4
Online ISBN: 978-3-540-85565-1
eBook Packages: Computer Science, Computer Science (R0)