An authorization framework for metacomputing applications

Cluster Computing

Abstract

To span administrative boundaries, metacomputing systems require the integration of strong authentication and authorization methods. The problem is complicated because different components of the system may have different security policies. This paper presents a distributed model for authorization that we have integrated with the Prospero Resource Manager, a metacomputing resource allocation system developed at USC. The integration of authorization with PRM was accomplished through the specification of a policy language and the use of a Generic Authorization and Access-control API (GAA API). The language supports the specification of diverse authorization policies including ACLs, capabilities and lattice-based access controls. The GAA API provides a uniform authorization service interface for facilitating access control decisions and requesting authorization information about a particular resource. We describe a prototype of our system.

Cite this article

Ryutov, T., Gheorghiu, G. & Neuman, B. An authorization framework for metacomputing applications. Cluster Computing 2, 165–175 (1999). https://doi.org/10.1023/A:1019078709098

  • DOI: https://doi.org/10.1023/A:1019078709098
