The PRIMA Grid Authorization System

Journal of Grid Computing

Abstract

PRIMA, a system for PRIvilege Management and Authorization, provides enhanced Grid security services. The requirements for these services are derived from usage scenarios and supported by a survey of Grid users. The requirements for added flexibility, increased expressiveness, and more precise enforcement are met by a combination of three mechanisms: (1) use of secure, fine-grained privileges representing externalized access rights for Grid resources that can be freely created, shared, and employed by Grid users; (2) a dynamic policy generated for each request combining the request’s user-provided privileges with the resource’s access control policy; and (3) dynamic execution environments specially provisioned for each request that are enforced by the resource’s native operating system and which support legacy applications. PRIMA has been implemented as an extension of the Globus Toolkit Grid middleware.
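
The three mechanisms named in the abstract can be read as one decision flow: the requester attaches externalized, delegable privileges to a request; the resource folds them into a per-request policy together with its own rules; and a permit is bound to a least-privilege execution environment. The Python below is an added, illustrative model of that flow written for this page. It is not PRIMA's implementation and not Globus Toolkit code. The identities, resource name, action names, pool account and paths are constructed, and it assumes the presented privilege statements have already been authenticated (signature verification is out of scope here). It deliberately exercises two failure modes a practitioner would test for: a delegatee trying to pass on an action the delegator never held, and a site-level deny that must override a validly delegated right.

```python
"""Toy model of PRIMA-style per-request policy composition (illustrative, not PRIMA code).

Privileges are externalized, delegable statements. For each request the resource
combines the privileges presented with its own policy and, on a permit, provisions
a least-privilege execution environment (modeled as a pool account plus writable
paths). Authentication of the statements is assumed to have happened upstream."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

@dataclass(frozen=True)
class Privilege:
    """issuer states that subject may perform actions on resource until not_after."""
    issuer: str
    subject: str
    resource: str
    actions: FrozenSet[str]
    not_after: int  # seconds since the epoch

@dataclass(frozen=True)
class ExecEnv:
    """Execution environment the resource provisions for one permitted request."""
    account: str
    writable_paths: Tuple[str, ...]

@dataclass(frozen=True)
class ResourcePolicy:
    resource: str
    authorities: FrozenSet[str]       # identities whose privileges need no delegation chain
    denied_actions: FrozenSet[str]    # site-wide deny; overrides any presented privilege
    revoked_subjects: FrozenSet[str]
    environments: Dict[str, ExecEnv]  # action -> environment provisioned for it

def effective_rights(privs: Iterable[Privilege], policy: ResourcePolicy,
                     now: int) -> Dict[str, FrozenSet[str]]:
    """Actions each subject reaches through a delegation chain rooted at an authority.
    A link hands on only actions its issuer already holds (attenuation). Expired and
    foreign-resource statements are ignored; a fixpoint loop removes order dependence."""
    live = [p for p in privs if p.resource == policy.resource and p.not_after > now]
    rights: Dict[str, FrozenSet[str]] = {}
    changed = True
    while changed:
        changed = False
        for p in live:
            if p.issuer in policy.authorities:
                grantable = p.actions
            else:
                grantable = p.actions & rights.get(p.issuer, frozenset())
            before = rights.get(p.subject, frozenset())
            after = before | grantable
            if after != before:
                rights[p.subject] = after
                changed = True
    return rights

def decide(requester: str, action: str, presented: Iterable[Privilege],
           policy: ResourcePolicy, now: int) -> Tuple[str, Optional[ExecEnv], str]:
    """Dynamic policy for one request: resource policy first (deny-overrides),
    then the privilege chain, then the environment the request would run in."""
    if requester in policy.revoked_subjects:
        return "deny", None, "subject revoked by resource policy"
    if action in policy.denied_actions:
        return "deny", None, f"action {action!r} denied by resource policy"
    rights = effective_rights(presented, policy, now)
    if action not in rights.get(requester, frozenset()):
        return "deny", None, "no valid privilege chain grants this action"
    env = policy.environments.get(action)
    if env is None:
        return "deny", None, "no execution environment defined for this action"
    return "permit", env, "privilege chain accepted; environment provisioned"

# Constructed sample data: identities, resource, actions and accounts are invented.
NOW = 1_700_000_000
RES = "hpc.example.org/batch"
POLICY = ResourcePolicy(
    resource=RES,
    authorities=frozenset({"alice@example.org"}),
    denied_actions=frozenset({"shell"}),
    revoked_subjects=frozenset({"mallory@example.org"}),
    environments={"submit": ExecEnv("pool01", ("/scratch/pool01",)),
                  "read": ExecEnv("pool01", ())},
)
PRIVS = [
    Privilege("alice@example.org", "bob@example.org", RES,
              frozenset({"submit", "read", "shell"}), NOW + 86400),
    Privilege("bob@example.org", "carol@example.org", RES, frozenset({"submit"}), NOW + 3600),
    Privilege("bob@example.org", "dave@example.org", RES, frozenset({"admin"}), NOW + 3600),  # escalation attempt
    Privilege("alice@example.org", "erin@example.org", RES, frozenset({"submit"}), NOW - 1),  # expired
    Privilege("alice@example.org", "mallory@example.org", RES, frozenset({"submit"}), NOW + 3600),
]

if __name__ == "__main__":
    for who, what in [("carol@example.org", "submit"), ("carol@example.org", "read"),
                      ("dave@example.org", "admin"), ("erin@example.org", "submit"),
                      ("bob@example.org", "shell"), ("mallory@example.org", "submit")]:
        print(f"{who:22} {what:7} -> {decide(who, what, PRIVS, POLICY, NOW)}")
```

Run it directly to see each request's decision and reason. `effective_rights` is the attenuation check that keeps sharing of privileges from becoming a privilege-escalation path; the deny-overrides ordering in `decide` is a design choice of this example, not something the abstract specifies.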

Abbreviations

API: Application Programming Interface
CAS: Community Authorization Service
GSS: Generic Security Services
PDP: Policy Decision Point
PEP: Policy Enforcement Point
PRIMA: A system for Privilege Management and Authorization
VO: Virtual Organization
VOMS: Virtual Organization Membership Service
XACML: eXtensible Access Control Markup Language

Author information

Correspondence to Markus Lorch.

Cite this article

Lorch, M., Kafura, D. The PRIMA Grid Authorization System. J Grid Computing 2, 279–298 (2004). https://doi.org/10.1007/s10723-004-5408-y
