A Flexible Attribute Based Access Control Method for Grid Computing

Journal of Grid Computing

Abstract

Grid systems have huge and changeable user groups, and different autonomous domains always have different security policies. The attribute-based access control (ABAC) model, which is flexible and scalable, is more suitable for Grid systems. This paper describes a method of building a flexible access control mechanism that is based on ABAC and supports multiple policies for Grid computing. First, an attribute-based multipolicy access control model, ABMAC, is presented. Compared with ABAC, ABMAC can describe multiple heterogeneous policies, and each policy is encapsulated without changing its description. Then, by extending the authorization architecture of XACML, the paper puts forward an authorization framework that supports ABMAC and is implemented in the Globus Toolkit release 4 (GT4). (A few parts of the authorization framework described in this paper can be found only in the Globus Toolkit CVS repository. A more complete authorization framework will appear in Globus Toolkit release 4.2.) Based on the concept of policy encapsulation, the framework provides a flexible and scalable authorization mechanism that can support multiple existing policies in a Grid system. The design and implementation details of the GT4 authorization framework are also discussed in detail.

Author information

Corresponding author

Correspondence to Bo Lang.

About this article

Cite this article

Lang, B., Foster, I., Siebenlist, F. et al. A Flexible Attribute Based Access Control Method for Grid Computing. J Grid Computing 7, 169–180 (2009). https://doi.org/10.1007/s10723-008-9112-1

  • DOI: https://doi.org/10.1007/s10723-008-9112-1
