Workflow-Based Authorization Service in the Grid

Journal of Grid Computing

Abstract

In a distributed environment, a specific right may be required while a task is controlled and processed. A user should delegate enough rights to a task for processing. A task cannot work correctly if its delegated rights are insufficient, and security threats may occur if its delegated rights are excessive. Restricted delegation is the step that delegates proper rights to a task, and it enables fine-grained authorization in the Grid. In this paper, we propose the WAS architecture as a method for supporting restricted delegation and rights management. In contrast to traditional architecture, the WAS architecture uses a workflow that describes the sequence of rights required for normal execution of a task. By using the workflow, the WAS architecture is able to check whether the task exercises allowed rights. The WAS architecture is implemented on Globus Toolkit 2.0 and extended on Globus Toolkit 3.0.
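The contrast drawn in the abstract, between delegating a set of rights and delegating a workflow of rights, can be sketched as follows. This is an added example, not code from the paper or from the WAS implementation; the right names, the linear workflow format and the class names are assumptions made for illustration.

```python
# Added illustration; not the WAS implementation. Right names and the
# linear (strictly sequential) workflow format are assumptions.
from dataclasses import dataclass, field


@dataclass
class FlatDelegation:
    """Delegation as an unordered set of rights, usable in any order, any number of times."""
    rights: frozenset

    def authorize(self, right):
        return right in self.rights


@dataclass
class WorkflowDelegation:
    """Restricted delegation: rights must be exercised in the workflow's order."""
    steps: tuple                      # ordered rights needed for normal execution
    position: int = 0                 # index of the next expected step
    audit: list = field(default_factory=list)

    def authorize(self, right):
        allowed = (self.position < len(self.steps)
                   and self.steps[self.position] == right)
        if allowed:
            self.position += 1        # each step's right is consumed exactly once
        self.audit.append((right, "permit" if allowed else "deny"))
        return allowed


def replay(delegation, requests):
    """Feed a request trace to a delegation and return the per-request decisions."""
    return [delegation.authorize(r) for r in requests]


# Constructed workflow for a hypothetical job: read input, run, write output.
WORKFLOW = ("read:input.dat", "execute:simulate", "write:result.dat")

# Constructed traces: a normal run, and one that deviates from the workflow
# (writes before executing, then reads the input a second time).
NORMAL = list(WORKFLOW)
DEVIANT = ["read:input.dat", "write:result.dat",
           "execute:simulate", "read:input.dat"]

if __name__ == "__main__":
    print("flat    :", replay(FlatDelegation(frozenset(WORKFLOW)), DEVIANT))
    print("workflow:", replay(WorkflowDelegation(WORKFLOW), DEVIANT))
```

The flat set permits every request in the deviant trace because each right was delegated, while the workflow check denies the out-of-order write and the repeated read and records both in the audit list.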



Author information


Correspondence to Seung-Hyun Kim.

About this article

Cite this article

Kim, SH., Kim, K.H., Kim, J. et al. Workflow-Based Authorization Service in the Grid. J Grid Computing 2, 43–55 (2004). https://doi.org/10.1007/s10723-004-2080-1

  • DOI: https://doi.org/10.1007/s10723-004-2080-1
