
Managing Role-Based Access Control Policies for Grid Databases in OGSA-DAI Using CAS

Journal of Grid Computing

Abstract

In this paper, we present a role-based access control method for accessing databases through the Open Grid Services Architecture – Data Access and Integration (OGSA-DAI) framework. OGSA-DAI is an efficient Grid-enabled middleware implementation of interfaces and services to access and control data sources and sinks. However, in OGSA-DAI, access control causes substantial administration overhead for resource providers in virtual organizations (VOs), because each of them has to manage a role-map file containing authorization information for individual Grid users. To solve this problem, we used the Community Authorization Service (CAS) provided by the Globus Toolkit to support role-based access control (RBAC) within OGSA-DAI. CAS uses the Security Assertion Markup Language (SAML). Our method shows that CAS can support a wide range of security policies using role privileges, role hierarchies, and constraints. The resource providers need to maintain only the mapping information from VO roles to local database roles and the local policies in the role-map files, so the number of entries in the role-map file is reduced dramatically. Also, unnecessary authentication, mapping, and connections can be avoided by denying invalid requests at the VO level. Thus, our access control method provides increased manageability for a large number of users and reduces the day-to-day administration tasks of the resource providers, while they maintain the ultimate authority over their resources. Performance analysis shows that our method adds very little overhead to the existing security infrastructure of OGSA-DAI.
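As an added illustration of the abstract's design (this is not the paper's or OGSA-DAI's code), the toy model below has a CAS stand-in assert a user's effective VO roles through a role hierarchy, and a resource provider's role-map keyed by VO role rather than by individual user DN. All tables, DNs, role names and the assertion structure are constructed for the example; they are not OGSA-DAI's real role-map XML or CAS's real SAML assertion format.

```python
# Added example (not the paper's or OGSA-DAI's code): a toy model of CAS
# asserting VO roles and a resource provider's role-map keyed by VO role
# instead of by individual user DN. All tables below are constructed; they
# are not OGSA-DAI's real role-map XML or CAS's real SAML assertion format.

# VO policy held by CAS: senior role -> roles it inherits from.
VO_ROLE_HIERARCHY = {"vo_admin": {"vo_analyst"}, "vo_analyst": {"vo_reader"}, "vo_reader": set()}

# CAS membership table, one entry per Grid user DN (this is what grows with users).
VO_MEMBERSHIP = {
    "/O=Grid/CN=alice": {"vo_analyst"},
    "/O=Grid/CN=bob": {"vo_reader"},
    "/O=Grid/CN=carol": {"vo_admin"},
}

# Resource provider's role-map: VO role -> local database role. Its size
# follows the number of VO roles, not the number of Grid users.
VO_ROLE_MAP = {"vo_admin": "db_owner", "vo_analyst": "db_writer", "vo_reader": "db_reader"}

# Local policy: the VO role an action requires.
REQUIRED_ROLE = {"select": "vo_reader", "insert": "vo_analyst", "grant": "vo_admin"}


def effective_roles(roles):
    """Expand assigned roles through the hierarchy (transitive closure)."""
    out, todo = set(), list(roles)
    while todo:
        r = todo.pop()
        if r not in out:
            out.add(r)
            todo.extend(VO_ROLE_HIERARCHY.get(r, ()))
    return out


def cas_assert(user_dn):
    """Stand-in for CAS: the assertion carries the DN and effective VO roles,
    or None when the DN is not a VO member (request denied at the VO level)."""
    roles = VO_MEMBERSHIP.get(user_dn)
    return None if roles is None else {"dn": user_dn, "roles": effective_roles(roles)}


def authorize(user_dn, action):
    """Provider side: return the local DB role to connect with, or None.
    The local role is the one mapped from the role the action requires, so
    a senior user still connects with the least local role covering the action."""
    assertion = cas_assert(user_dn)
    if assertion is None:
        return None
    needed = REQUIRED_ROLE.get(action)
    if needed is None or needed not in assertion["roles"]:
        return None
    return VO_ROLE_MAP[needed]
```

A request from a DN unknown to the VO is rejected in `cas_assert`, before any role-map lookup or database connection is attempted, which is the early-denial behaviour the abstract describes.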




Correspondence to Soon M. Chung.


Pereira, A.L., Muppavarapu, V. & Chung, S.M. Managing Role-Based Access Control Policies for Grid Databases in OGSA-DAI Using CAS. J Grid Computing 5, 65–81 (2007). https://doi.org/10.1007/s10723-006-9054-4
