| 1. |
- Ahsant, Mehran, et al.
(author)
-
Dynamic Trust Federation in Grids
- 2006
-
In: Trust Management, Proceedings. - Berlin, Heidelberg : Springer Berlin Heidelberg. - 9783540342953 ; , s. 3-18
-
Conference paper (peer-reviewed)abstract
- Grids are becoming economically viable and productive tools. They provide a way of utilizing a vast array of linked resources such as computing systems, databases and services online within Virtual Organizations (VO). However, today's Grid architectures are not capable of supporting dynamic, agile federation across multiple administrative domains and the main barrier, which hinders dynamic federation over short time scales is security. Federating security and trust is one of the most significant architectural issues in Grids. Existing relevant standards and specifications can be used to federate security services, but do not directly address the dynamic extension of business trust relationships into the digital domain. In this paper we describe an experiment which highlights those challenging architectural issues and forms the basis of an approach that combines a dynamic trust federation and a dynamic authorization mechanism for addressing dynamic security trust federation in Grids. The experiment made with the prototype described in this paper is used in the NextGRID(1) project to define the requirements of next generation Grid architectures adapted to business application needs.
|
|
| 2. |
- Ahsant, Mehran, et al.
(author)
-
Grid Delegation Protocol
- 2004
-
In: Workshop on Grid Security Practice and Experience. ; , s. 81-91
-
Conference paper (peer-reviewed)abstract
- We propose a delegation protocol based on the WS-Trust specification, which is applicablefor a wide range of Grid applications. The protocol is independent of underlying securitymechanisms and is therefore applicable to all security mechanisms of common use in Gridenvironments, such as X.509 proxy certificates, Kerberos based delegation, and SAML assertions.We emphasize that this is work in progress. In this paper, we document our thoughtsand current strategy, and we solicit comments and feedback on our approach.
|
|
| 3. |
- Ahsant, Mehran, et al.
(author)
-
Streamlining Grid Operations : Definition and Deployment of a Portal-based User Registration Service
- 2006
-
In: Journal of Grid Computing. - : Springer Science and Business Media LLC. - 1572-9184 .- 1570-7873. ; 4:2, s. 135-144
-
Journal article (peer-reviewed)abstract
- Manual management of public key credentials can be a significant and often off-putting obstacle to Grid use, particularly for casual users. We describe the Portal-based User Registration Service (PURSE), a set of tools for automating user registration, credential creation, and credential management tasks. PURSE provides the system developer with a set of customizable components, suitable for integration with portals, that can be used to address the full lifecycle of Grid credential management. We describe the PURSE design and its use in portals for two systems, the Earth System Grid data access system and the Swegrid computational Grid. In both cases, the user is entirely freed from the need to create or manage public key credentials, thus simplifying the Grid experience and reducing opportunities for error. We argue that this capturing of common use cases in a reusable ‘solution’ can be a model for how Grid ease-of-use can be addressed in other domains as well.
|
|
| 4. |
- Ahsant, Mehran, et al.
(author)
-
Toward An On-demand Restricted Delegation Mechanism for Grids
- 2006
-
In: 2006 7TH IEEE/ACM INTERNATIONAL CONFERENCE ON GRID COMPUTING. - New York : IEEE. - 9781424403431 ; , s. 152-159
-
Conference paper (peer-reviewed)abstract
- Grids are intended to enable cross-organizationalinteractions which makes Grid security a challenging and nontrivialissue. In Grids, delegation is a key facility that canbe used to authenticate and authorize requests on behalf ofdisconnected users. In current Grid systems there is a tradeoffbetween flexibility and security in the context of delegation.Applications must choose between limited or full delegation: onone hand, delegating a restricted set of rights reduces exposure toattack but also limits the flexibility/dynamism of the application;on the other hand, delegating all rights provides maximumflexibility but increases exposure. In this paper, we propose anon-demand restricted delegation mechanism, aimed at addressingthe shortcomings of current delegation mechanisms by providingrestricted delegation in a flexible fashion as needed for Grid applications.This mechanism provides an ontology-based solutionfor tackling one the most challenging issues in security systems,which is the principle of least privileges. It utilizes a callbackmechanism, which allows on-demand provisioning of delegatedcredentials in addition to observing, screening, and auditingdelegated rights at runtime. This mechanism provides supportfor generating delegation credentials with a very limited andwell-defined range of capabilities or policies, where a delegatoris able to grant a delegatee a set of restricted and limited rights,implicitly or explicitly.
|
|
| 5. |
- Cornwall, L. A., et al.
(author)
-
Authentication and authorization mechanisms for multi-domain grid environments
- 2004
-
In: Journal of Grid Computing. - : Springer Science and Business Media LLC. - 1570-7873 .- 1572-9184. ; 2:4, s. 301-311
-
Journal article (peer-reviewed)abstract
- This article discusses the authentication and the authorization aspects of security in grid environments spanning multiple administrative domains. Achievements in these areas are presented using the EU DataGrid project as an example implementation. It also gives an outlook on future directions of development.
|
|
| 6. |
- Demchenko, Yuri, et al.
(author)
-
Dynamic security context management in Grid-based applications
- 2008
-
In: Future generations computer systems. - : Elsevier BV. - 0167-739X .- 1872-7115. ; 24:5, s. 434-441
-
Journal article (peer-reviewed)abstract
- This paper summarises ongoing research and recent results on the development of flexible access control infrastructure for complex resource provisioning in Grid-based collaborative applications and on-demand network services provisioning. The paper analyses the general access control model for Grid-based applications and discusses what mechanisms can be used for expressing and handling dynamic domain or process/workflowrelated security context. Suggestions are given on what specific functionality should be added to the Grid-oriented authorization frameworks to handle such dynamic security context. As an example, the paper explains how such functionality can be achieved in the GAAA Authorization framework (GAAA-AuthZ) and GAAA toolkit. Additionally, the paper describes AuthZ ticket format for extended AuthZ session management. The paper is based on experiences gained from major Grid-based and Grid-oriented projects such as EGEE, Phosphorus, NextGRID, and GigaPort Research on Network.
|
|
| 7. |
- Demchenko, Y., et al.
(author)
-
Using workflow for dynamic security context management in Grid-based applications
- 2006
-
In: Proc. IEEE ACM Int. Workshop Grid Comput.. - 1424403448 - 9781424403448 ; , s. 72-79
-
Conference paper (peer-reviewed)abstract
- This paper presents ongoing research and current results on the development of flexible access control infrastructures for complex resource provisioning in Grid-based collaborative applications and on-demand network services provisioning. We investigate the use of workflow concepts for the required orchestration of multiple Grid resources and/or services across multiple administrative and security domains. In particular, workflow execution and management tools can be used to track security context changes that are dependent on the application domain, execution stage defined policies, or user and/or service attributes. The paper discusses what specific functionality should be added to Grid-oriented authorization frameworks to handle such dynamic service-related security contexts. As an example, the paper explains how such functionality can be achieved in the GAAA Authorization framework and GAAA toolkit. Suggestions are given about integration with the Globus Toolkit's Authorization Framework. Additionally, the paper analyses what possibilities of expressing and handling dynamic security contexts are available in XACML and SAML, and how the VO concept can be used for managing dynamic security associations of users and resources. The paper is based on experiences gained from major Grid based and Grid oriented projects such as EGEE, NextGrid, Collaboratory.nl and GigaPort Research on Network.
|
|
| 8. |
|
|
| 9. |
- Elmroth, Erik, 1964-, et al.
(author)
-
An OGSA-based Bank Service for Grid Accounting Systems
- 2006
-
In: State-of-the-art in Scientific Computing. - Berlin, Heidelberg : Springer-Verlag. ; , s. 1051-1060, s. 1051-1060
-
Conference paper (peer-reviewed)abstract
- This contribution presents the design and implementation of a bank service, constituting a key component in a recently developed Grid accounting system. The Grid accounting system maintains a Grid-wide view of the resources consumed by members of a virtual organization (VO). The bank is designed as an online service, managing the accounts of VO projects. Each service request is transparently intercepted by the accounting system, which acquires a reservation on a portion of the project’s bank account prior to servicing the request. Upon service completion, the account is charged for the consumed resources. We present the overall bank design and technical details of its major components, as well as some illustrative examples of relevant service interactions. The system, which has been implemented using the Globus Toolkit, is based on state-of-the-art Web and Grid services technology and complies with the Open Grid Services Architecture (OGSA).
|
|
| 10. |
|
|
