Authorization Strategies for Virtualized Environments in Grid Computing Systems

The development of adequate security solutions, and in particular of authentication and authorization techniques, for grid computing systems is a challenging task. Recent trends of service oriented architectures (SOA), where users access grids through a science gateway — a web service that serves as a portal between users of a virtual organizations (VO) and the various computation resources, further complicate the authorization problem. Currently, the security component developed as part of the Globus Toolkit, the de facto standard for grid infrastructures, is not fully equiped with the capabilities to meet those challenges. The main drawback of the current approach is that it relies on a low level identity-based authorization scheme. A low-level access control policy maps a user’s identity (distinguished name) to a local account. This approach does not scale and is hard to manage in a distributed environment. The goal of this paper is to make a first step towards new authorization solutions that better fit novel grid infrastructures characterized by virtual organizations and science gateways. We review and analyze several solutions proposed, in particular GridShib and the VO Privilege Project, as they represent the most innovative techniques currently under development to achieve attribute-based authorization. We then propose several solutions for grid authorization through science gateways, and discuss how those existing projects can be leveraged to implement the solutions we propose.