By Topic

A Comprehensive Approach to Self-Restricted Delegation of Rights in Grids

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)
Stefan Piger ; Regional Comput. Center for Lower Saxony, Leibniz Univ. Hannover, Hannover ; Christian Grimm ; Ralf Groeper ; Christopher Kunz

The delegation of user rights is an essential functionality of GSI-based grid environments. This mechanism facilitates proxy certificates that are derived from the users' end- entity certificates and enables grid services to act in the issuing user's name. Currently, the implementation of the GSI forces users to delegate their complete scope of rights. Compromised proxy credentials can thus be used to perform every action users are entitled to. While this is no major issue for traditional Grid communities, it effectively prevents security sensitive communities like medical users from using the Grid. This paper presents a user-based approach to restrict the scope of rights that are delegated by the user. Thus, the risk imposed by compromised proxy credentials is significantly reduced. We define a policy extension for proxy certificates that contains fine-grained authorization policies expressed in XACML. These are used to limit delegated privileges for the access of storage and compute resources. The mechanisms shown in this paper enable users to restrict the delegated rights to the access of specific files on storage resources and to the execution of specific compute jobs. The respective policy enforcement takes place on the gLite IO-Service and the gLite computing element. Compatibility to the existing proxy certificate renewal mechanism is preserved by an extension to the MyProxy service. Finally, we present a GridSphere-based graphical front-end that simplifies the process of policy specification and submission of jobs to the grid.

Published in:

Cluster Computing and the Grid, 2008. CCGRID '08. 8th IEEE International Symposium on

Date of Conference:

19-22 May 2008