DyVOSE Project: Experiences in Applying Privilege Management Infrastructures

Author

  • J. Watt
Abstract

Privilege Management Infrastructures (PMI) are emerging as a necessary alternative to authorization through Access Control Lists (ACL) as the need for finer grained security on the Grid increases in numerous domains. The 2-year JISC funded DyVOSE Project has investigated applying PMIs within an e-Science education context. This has involved establishing a Grid Computing module as part of Glasgow University’s Advanced MSc degree in Computing Science. A laboratory infrastructure was built for the students realising a PMI with the PERMIS software, to protect Grid Services they created. The first year of the course centered on building a static PMI at Glasgow. The second year extended this to allow dynamic attribute delegation between Glasgow and Edinburgh to support dynamic establishment of fine grained authorization based virtual organizations across multiple institutions. This dynamic delegation was implemented using the DIS (Delegation Issuing) Web Service supplied by the University of Kent. This paper describes the experiences and lessons learned from setting up and applying the advanced Grid authorization infrastructure within the Grid Computing course, focusing primarily on the second year and the dynamic virtual organisation setup between Glasgow and Edinburgh.

1. Project Background

The DyVOSE Project (Dynamic Virtual Organisations in e-Science Education) is a JISC funded two-year project investigating the establishment of a Privilege Management Infrastructure (PMI) that supports dynamic delegation of authority in the context of a Grid Computing Advanced MSc. module at the University of Glasgow. Specifically the project is investigating the application of the PERMIS software in creating an attribute management infrastructure that allows institutions to establish trust relationships that will assert and enforce the privileges presented by attributes issued by external institutions.
In the first year of the project a static PMI was implemented using the PERMIS authorization function. This allowed two teams of students to author their own GT3.3 services and restrict access to certain methods provided the student held the appropriate ‘team’ attribute. In this case, all privileges were issued by Glasgow so no cross-organisational infrastructure was necessary [1]. In the second year the students created a GT3.3 service which ran a BLAST [2] query against a set of data retrieved from a data store hosted at Edinburgh University. Students were again split into two teams, one running a query against nucleotide data and one against protein data. PERMIS was used to secure the services at both sides, denying access to students in the protein team who attempted to extract and match nucleotide data and vice versa. In this scenario, inter-institution interaction was required, so user attributes needed to be recognized at both institutions. This may be implemented statically in the same way as the first year assignment by completely sharing user information between sites, but this is highly undesirable if we wish to deploy this kind of setup using existing campus directories. A more scalable and realistic Grid model is one where local sites maintain information on their own users and define their own local security policies restricting access to local resources by both local users and trusted remote users/sites. The Delegation Issuing Service (DIS) aims to provide a safe, intuitive environment in which institutions may establish chains of trust without surrendering sensitive local user information. The fundamental benefit of the DIS with regard to Grids is to support fine grained authorization infrastructures whereby attributes needed for a given virtual organization can be dynamically created and recognized by remote “trusted” sources of authority. Through this model, virtual organizations can be created in principle “on-the-fly” without detailed agreements.
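The trust model described above (a resource site trusts only its own source of authority, delegates the right to issue a 'team' attribute to a remote institution's authority, and then accepts student attributes that chain back to its own root) can be made concrete with a small in-memory checker. The following is an added illustration written for this page, not PERMIS or DIS code, and it uses a simplified attribute-certificate record rather than the real X.509 attribute certificate and XML policy formats; the site names, distinguished names, user names and method names are constructed for the example. It also shows the delegation-depth limit a resource site would want to enforce so that a delegated issuing right cannot be re-delegated indefinitely.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttrCert:
    """One attribute assertion: `issuer` states that `holder` has `attribute`.
    can_delegate=True means the holder may issue this attribute to others."""
    holder: str
    attribute: str
    issuer: str
    can_delegate: bool = False


class Site:
    """A resource site that trusts exactly one root (its own Source of Authority)
    and validates every attribute by walking issuer links back to that root."""

    def __init__(self, name, soa, policy, max_depth=2):
        self.name = name
        self.soa = soa            # the only root this site trusts
        self.policy = policy      # service method -> attribute required to call it
        self.max_depth = max_depth  # longest accepted chain, root -> ... -> user
        self.store = []           # attribute certificates known to this site

    def issue(self, issuer, holder, attribute, can_delegate=False):
        self.store.append(AttrCert(holder, attribute, issuer, can_delegate))

    def _holds(self, holder, attribute, depth, need_delegatable, seen):
        """True if `holder` has `attribute` via a chain ending at this site's SOA.
        Every intermediate issuer must itself hold a delegatable certificate."""
        if depth > self.max_depth:
            return False
        for ac in self.store:
            if ac.holder != holder or ac.attribute != attribute:
                continue
            if need_delegatable and not ac.can_delegate:
                continue
            if ac.issuer == self.soa:
                return True
            if ac.issuer in seen:   # cycle guard (self-issued or looping chains)
                continue
            if self._holds(ac.issuer, attribute, depth + 1, True, seen | {ac.issuer}):
                return True
        return False

    def authorize(self, user, method):
        """Deny by default: unknown methods and unprovable attributes both fail."""
        required = self.policy.get(method)
        if required is None:
            return False
        return self._holds(user, required, 1, False, {user})


def build_edinburgh():
    """Constructed scenario: Edinburgh hosts the data store and delegates
    issuing of the two team attributes to Glasgow's SOA."""
    ed = Site(
        "Edinburgh",
        soa="cn=SOA,o=Edinburgh",
        policy={"fetch_nucleotide": "team=nucleotide",
                "fetch_protein": "team=protein"},
        max_depth=2,
    )
    gla = "cn=SOA,o=Glasgow"
    # DIS-style delegation: Edinburgh lets Glasgow issue both team attributes
    ed.issue(ed.soa, gla, "team=nucleotide", can_delegate=True)
    ed.issue(ed.soa, gla, "team=protein", can_delegate=True)
    # Glasgow issues team attributes to its own students (constructed users)
    ed.issue(gla, "alice", "team=nucleotide")
    ed.issue(gla, "bob", "team=protein")
    # Glasgow re-delegates protein issuing to a tutor, who issues to carol
    ed.issue(gla, "tutor", "team=protein", can_delegate=True)
    ed.issue("tutor", "carol", "team=protein")
    # an attribute from an issuer Edinburgh has never delegated to
    ed.issue("cn=SOA,o=Rogue", "mallory", "team=nucleotide")
    return ed


if __name__ == "__main__":
    ed = build_edinburgh()
    for user, method in [("alice", "fetch_nucleotide"), ("alice", "fetch_protein"),
                         ("bob", "fetch_protein"), ("carol", "fetch_protein"),
                         ("mallory", "fetch_nucleotide")]:
        print(f"{user:8} {method:17} -> {'permit' if ed.authorize(user, method) else 'deny'}")
```

With `max_depth=2`, carol is denied even though her chain is internally consistent, because Edinburgh only agreed to trust attributes one delegation step below its own SOA; raising the limit to 3 admits the tutor's issuing step. Mallory is denied regardless of what the rogue issuer asserts, since no chain from that issuer reaches Edinburgh's root, and alice is kept out of the protein data in the same way the paper's PERMIS policy separated the two teams.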


Publication date: 2006