Managing Dynamic User Communities in a Grid of Autonomous Resources

ROAM: An Authorization Manager for Grids

DRAFT COPY (to be published in Journal of Grid Computing), 2008

The Resource Oriented Authorization Manager (ROAM) was created to provide a simple but flexible authorization system for the FusionGrid computational grid. ROAM builds on and extends previous community efforts by both responding to access authorization requests and by providing a Web interface for resource management. ROAM works with the Globus Resource Allocation Manager (GRAM), and is general enough to be used by other virtual organizations that use Globus middleware or X.509/TLS authentication schemes to secure a grid of distributed resources. In addition to describing ROAM, this paper discusses the basic design parameters of a grid authorization system and the reasons for the choices made in the ROAM design.

Supporting Secure Ad-hoc User Collaboration in Grid Environments

Lecture Notes in Computer Science, 2002

We envision that many usage scenarios involving computational grids will be based on small, dynamic working groups for which the ability to establish transient collaboration with little or no intervention from resource administrators is a key requirement. Current grid security mechanisms support individual users who are members of well-defined virtual organizations. Recent research seeks to provide manageable grid security services for self-regulating, stable communities. Our prior work with component-based systems for grid computation demonstrated a need to support spontaneous, limited, short-lived collaborations. The mechanisms we are developing focus on two key issues: binding and enforcement. Standard attribute certificates bind rights to users (or their surrogates); such rights may be freely delegated, traded, and combined. Enforcement is provided by operating system extensions that regulate resource usage through access control lists. These extensions are available for common platforms and fully support legacy services. In combination, these mechanisms are compatible with and enable the usage of fine-grained rights, leverage other work in the grid computing and security communities, reduce administrative costs to resource providers, enable ad-hoc collaboration through incremental trust relationships, and can be used to provide improved security service to long-lived communities.

From gridmap-file to VOMS: managing authorization in a Grid environment

Future Generation Computer Systems, 2005

Grids are potentially composed of several thousands of users from different institutions sharing their computing resources (or using resources provided by third parties). Controlling access to these resources is a difficult problem, as it depends on the policies of the organizations the users belong to and of the resource owners. Moreover, a simple authorization implementation, based on a direct user registration on the resources, is not applicable to a large-scale environment. In this paper, we describe the solution to this problem developed in the framework of the European DataGrid [M. Draoli, G. Mascari, R. Piccinelli, Project Presentation, DataGrid-11-NOT-0103-_1] and DataTAG [http://www.datatag.org/] projects: the Virtual Organization Membership Service (VOMS) [R. Alfieri, et al., Managing Dynamic User Communities in a Grid of Autonomous Resources, TUBT005, in: Proceedings of the CHEP 2003, 2003]. VOMS allows fine-grained control of the use of the resources both to the users' organizations and to the resource owners.

Enabling scientific collaboration on the Grid

Future Generation Computer Systems, 2010

We examine the problem of supporting access by collaborations of scientists to Grid resources. Our aim is to support dynamic collaborations, by which we mean collaborations that can be easily formed and easily dissolved. We argue that current technology for creating Virtual Organisations has difficulty meeting this requirement. We propose an alternative structure, called an Alliance, based on a separation of the mechanisms for forming collaborations of people from the mechanisms for allocating and integrating resources in a Grid infrastructure. The key tools for achieving the Alliance are, firstly, a security architecture and, secondly, an ontological approach to the defining of roles and processes within an organisation. An example is presented to show how these tools can be implemented without needing to change current existing Grid middleware.

Embedding Community-Specific Resource Managers in General-Purpose Grid Infrastructure

An important mode of Grid operation is one in which a community or (as we call it here) a virtual organization (VO) negotiates an allocation from a resource provider and then disperses that allocation across its members according to VO policy. Implementing this model requires that a VO be able to deploy and operate its own resource management services within the Grid. We argue that a mechanism that allows for the creation, and subsequent monitoring and control, of managed computations provides a simple yet flexible solution to this requirement. We present an architectural framework that addresses the security, policy specification, and policy enforcement concerns that arise in this context. We also describe an implementation based on Globus Toolkit and Condor components, and present performance results.

VO-based Dynamic Security Associations in Collaborative Grid Environment

ACM Transactions on Multimedia Computing, Communications, and Applications, 2006

This paper discusses how the Virtual Organisation (VO) concept can be used for managing dynamic security associations in collaborative Grid applications and for complex resource provisioning. The paper contains both a research part and a discussion of further development of the popular VO management software, the VO Membership Service (VOMS). The paper provides an overview of current practices in VO management in major Grid projects, including operational procedures and supporting security middleware.

ROAM: An Authorization Manager for Grids

Journal of Grid Computing, 2006

The Resource Oriented Authorization Manager (ROAM) was created to provide a simple but flexible authorization system for the FusionGrid computational grid. ROAM builds on and extends previous community efforts by both responding to access authorization requests and by providing a Web interface for resource management. ROAM works with the Globus Resource Allocation Manager (GRAM), and is general enough to be used by other virtual organizations that use Globus middleware or X.509/TLS authentication schemes to secure a grid of distributed resources. In addition to describing ROAM, this paper discusses the basic design parameters of a grid authorization system and the reasons for the choices made in the ROAM design.

Access and Usage Control in Grid Systems

2010

This chapter describes some approaches that have been proposed for access and usage control in grid systems. The first part of the chapter addresses the security challenges in grid systems and describes the standard security infrastructure provided by the Globus Toolkit, the most widely used middleware for establishing grids. Since the standard Globus authorization system provides very basic mechanisms that do not completely fulfill the requirements of this environment, a short overview of well-known access control frameworks that have been integrated in Globus is also given: Community Authorization Service (CAS), PERMIS, Akenti, Shibboleth, Virtual Organization Membership Service (VOMS), Cardea, and PRIMA. Then, the chapter describes the usage control model UCON, a novel model for authorization, along with an implementation of UCON in grid systems. The last part of the chapter describes the authorization model for grid computational services designed by the Grid Trust project. This authorization model is also based on UCON.