Role-Based Access Control for Grid Database Services Using the Community Authorization Service
April-June 2006 (vol. 3 no. 2)
pp. 156-166
In this paper, we propose a role-based access control (RBAC) method for Grid database services in the Open Grid Services Architecture-Data Access and Integration (OGSA-DAI) framework. OGSA-DAI is an efficient Grid-enabled middleware implementation of interfaces and services for accessing and controlling data sources and sinks. In OGSA-DAI, however, access control imposes substantial administration overhead on resource providers in virtual organizations (VOs), because each provider has to manage a role-map file containing authorization information for every individual Grid user. To solve this problem, we use the Community Authorization Service (CAS) provided by the Globus Toolkit to support RBAC within the OGSA-DAI framework. CAS grants users membership in VO roles. Resource providers then need to maintain only the mapping from VO roles to local database roles in their role-map files, so the number of entries in a role-map file is reduced dramatically. Furthermore, the resource providers retain control over which access privileges are granted to the local roles. Our access control method thus provides increased manageability for a large number of users and reduces the day-to-day administration tasks of resource providers, while they keep ultimate authority over their resources. Performance analysis shows that our method adds very little overhead to the existing security infrastructure of OGSA-DAI.
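The two-level mapping the abstract describes (CAS assigns a user to VO roles; the resource provider's role-map turns a VO role into a local database role, and the provider alone decides what that local role may do) can be illustrated with a small authorization resolver. The following Python is an added example written for this page, not the authors' implementation and not OGSA-DAI's real role-map file format or CAS's SAML assertion format: the `CasAssertion` class, the `ROLE_MAP` and `LOCAL_PRIVILEGES` tables, and all VO, role and user names are constructed stand-ins. It assumes the assertion has already been cryptographically verified upstream (in the real system, by the Grid Security Infrastructure when the CAS proxy credential is validated).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class CasAssertion:
    """Constructed stand-in for what CAS asserts about a user after verification:
    the user's identity (DN), the issuing VO, and the VO roles granted to the user."""
    user_dn: str
    vo: str
    vo_roles: FrozenSet[str]


RoleMap = Dict[Tuple[str, str], str]   # (vo, vo_role) -> local database role
Privileges = Dict[str, Set[str]]       # local database role -> allowed SQL actions

# Constructed role-map kept by one resource provider (hypothetical VO and role names).
# Note the scaling property from the paper: one entry per VO role, not one per user.
ROLE_MAP: RoleMap = {
    ("bio-vo", "analyst"): "db_reader",
    ("bio-vo", "curator"): "db_writer",
}

# Privileges the provider grants each local role. Only the provider edits this table,
# so the VO can add or remove members without gaining any new privilege on the database.
LOCAL_PRIVILEGES: Privileges = {
    "db_reader": {"SELECT"},
    "db_writer": {"SELECT", "INSERT", "UPDATE"},
}


def resolve_local_roles(assertion: CasAssertion, role_map: RoleMap) -> Set[str]:
    """Translate the VO roles in an assertion into the provider's local roles.

    Deny-by-default: a VO role with no role-map entry confers nothing, and a role
    asserted by a different VO never matches because the map is keyed on (vo, role)."""
    local: Set[str] = set()
    for vo_role in assertion.vo_roles:
        key = (assertion.vo, vo_role)
        if key in role_map:
            local.add(role_map[key])
    return local


def authorize(assertion: CasAssertion, action: str,
              role_map: RoleMap = ROLE_MAP,
              privileges: Privileges = LOCAL_PRIVILEGES) -> bool:
    """Allow `action` if any local role the user resolves to carries that privilege."""
    wanted = action.upper()
    return any(wanted in privileges.get(local_role, set())
               for local_role in resolve_local_roles(assertion, role_map))


def per_user_role_map(assertions: Iterable[CasAssertion],
                      role_map: RoleMap = ROLE_MAP) -> Dict[str, FrozenSet[str]]:
    """What the provider would have to maintain without CAS: one role-map entry per
    authorized user DN. Compare its size with len(role_map), which grows with the
    number of VO roles instead."""
    entries: Dict[str, FrozenSet[str]] = {}
    for a in assertions:
        local = resolve_local_roles(a, role_map)
        if local:
            entries[a.user_dn] = frozenset(local)
    return entries


if __name__ == "__main__":
    # Constructed sample users; in practice these attributes come from CAS.
    alice = CasAssertion("/O=Grid/CN=alice", "bio-vo", frozenset({"analyst"}))
    bob = CasAssertion("/O=Grid/CN=bob", "bio-vo", frozenset({"curator"}))
    carol = CasAssertion("/O=Grid/CN=carol", "chem-vo", frozenset({"analyst"}))
    for who, action in [(alice, "SELECT"), (alice, "INSERT"), (bob, "INSERT"), (carol, "SELECT")]:
        print(f"{who.user_dn} {action}: {'allow' if authorize(who, action) else 'deny'}")
    crowd = [CasAssertion(f"/O=Grid/CN=user{i}", "bio-vo", frozenset({"analyst"})) for i in range(50)]
    print(f"per-user entries: {len(per_user_role_map(crowd + [bob]))}, role-map entries: {len(ROLE_MAP)}")
```

Revocation needs no change on the provider side: once CAS stops asserting the `curator` role for a user, `resolve_local_roles` yields nothing for that user and every request is denied. The real security boundary, and the part this sketch leaves out, is the verification of the CAS assertion itself; if an attacker can forge VO role claims, the role-map cannot help.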

References:
[1] R. Alfieri et al., “Managing Dynamic User Communities in a Grid of Autonomous Resources,” Proc. Int'l Conf. Computing in High Energy and Nuclear Physics, 2003.
[2] A. Anjomshoaa et al., “The Design and Implementation of Grid Database Services in OGSA-DAI,” Proc. UK e-Science All Hands Meeting, 2003.
[3] A.E. Arenas et al., “Toward Web Services Profiles for Trust and Security in Virtual Organizations,” Proc. Sixth IFIP Working Conf. Virtual Enterprises, pp. 26-28, 2005.
[4] W.H. Bell, D. Bosio, W. Hoschek, P. Kunszt, G. McCance, and M. Silander, “Project Spitfire—Towards Grid Web Service Databases,” informational document, Global Grid Forum, 2002.
[5] R. Butler, V. Welch, D. Engert, I. Foster, S. Tuecke, J. Volmer, and C. Kesselman, “A National-Scale Authentication Infrastructure,” Computer, vol. 33, no. 12, pp. 60-66, Dec. 2000.
[6] L.M. Camarinha-Matos and H. Afsarmanesh, “A Roadmap for Strategic Research on Virtual Organizations,” Proc. Fourth IFIP Working Conf. Virtual Enterprises, pp. 33-46, 2003.
[7] S. Cannon, S. Chan, D. Olson, C. Tull, V. Welch, and L. Pearlman, “Using CAS to Manage Role-Based VO Sub-Groups,” Proc. Int'l Conf. Computing in High Energy and Nuclear Physics, 2003.
[8] S. Carmody, “Shibboleth Overview and Requirements,” Shibboleth Working Group Document, http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html, 2001.
[9] D. Ferraiolo and R. Kuhn, “Role-Based Access Control,” Proc. 15th Nat'l Computer Security Conf., 1992.
[10] D.F. Ferraiolo, J.F. Barkley, and D.R. Kuhn, “A Role-Based Access Control Model and Reference Implementation within a Corporate Intranet,” ACM Trans. Information and System Security, vol. 2, no. 1, pp. 34-64, 1999.
[11] I. Foster and C. Kesselman, “The Globus Toolkit,” The Grid: Blueprint for a New Computing Infrastructure, I. Foster, C. Kesselman, eds., pp. 259-278, Morgan Kaufmann, 1999.
[12] I. Foster and C. Kesselman, “Security, Accounting, and Assurance,” The Grid: Blueprint for a New Computing Infrastructure, I. Foster and C. Kesselman, eds., pp. 395-420, Morgan Kaufmann, 1999.
[13] I. Foster, C. Kesselman, and S. Tuecke, “The Anatomy of the Grid: Enabling Scalable Virtual Organizations,” Int'l J. Supercomputer Applications and High-Performance Computing, vol. 15, no. 3, pp. 200-222, 2001.
[14] I. Foster, C. Kesselman, J.M. Nick, and S. Tuecke, “Grid Services for Distributed System Integration,” Computer, vol. 35, no. 6, pp. 37-46, June 2002.
[15] I. Foster, C. Kesselman, J.M. Nick, and S. Tuecke, “The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration,” Open Grid Service Infrastructure Working Group, Global Grid Forum, 2002.
[16] I. Foster and R.L. Grossman, “Data Integration in a Bandwidth-Rich World,” Comm. ACM, vol. 46, no. 11, pp. 50-57, 2003.
[17] M. Humphrey, M.R. Thompson, and K.R. Jackson, “Security for Grids,” Proc. IEEE, vol. 93, no. 3, pp. 644-652, 2005.
[18] M. Jackson, M. Antonioletti, N.C. Hong, A. Hume, A. Krause, T. Sugden, and M. Westhead, “Performance Analysis of the OGSA-DAI Software,” Proc. UK e-Science All Hands Meeting, 2004.
[19] J.B.D. Joshi, R. Bhatti, E. Bertino, and A. Ghafoor, “Access-Control Language for Multidomain Environments,” IEEE Internet Computing, vol. 8, no. 6, pp. 40-50, Nov.-Dec. 2004.
[20] S. Malaika, A. Eisenberg, and J. Melton, “Standards for Databases on the Grid,” ACM SIGMOD Record, vol. 32, no. 3, pp. 92-100, 2003.
[21] T. Mayfield, J.E. Roskos, S.R. Welke, and J.M. Boone, “Integrity in Automated Information Systems,” technical report, Nat'l Computer Security Center, 1991.
[22] N. Nagaratnam, P. Janson, J. Dayka, A. Nadalin, F. Siebenlist, V. Welch, I. Foster, and S. Tuecke, “The Security Architecture for Open Grid Services,” Open Grid Service Architecture Security Working Group, Global Grid Forum, 2002.
[23] Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) Version 1.1, Organization for the Advancement of Structured Information Standards (OASIS), http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security, 2003.
[24] Extensible Access Control Markup Language (XACML) Version 1.0, Organization for the Advancement of Structured Information Standards (OASIS), http://www.oasis-open.org/committees/xacml, 2003.
[25] Web Services Security: SOAP Message Security Version 1.0, Organization for the Advancement of Structured Information Standards (OASIS), http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss, 2004.
[26] S. Otenko and D. Chadwick, “A Comparison of the Akenti and PERMIS Authorization Infrastructures,” http://sec.isi.salford.ac.uk/download/AkentiPERMISDeskComparison2-1.pdf, 2003.
[27] L. Pearlman, V. Welch, I. Foster, C. Kesselman, and S. Tuecke, “A Community Authorization Service for Group Collaboration,” Proc. Third IEEE Int'l Workshop Policies for Distributed Systems and Networks, 2002.
[28] L. Pearlman, C. Kesselman, V. Welch, I. Foster, and S. Tuecke, “The Community Authorization Service: Status and Future,” Proc. Int'l Conf. Computing in High Energy and Nuclear Physics, 2003.
[29] C. Ramaswamy and R.S. Sandhu, “Role-Based Access Control Features in Commercial Database Management Systems,” Proc. 21st Nat'l Information Systems Security Conf., 1998.
[30] R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman, “Role-Based Access Control Models,” Computer, vol. 29, no. 2, pp. 38-47, Feb. 1996.
[31] J. Smith et al., “Distributed Query Processing on the Grid,” Int'l J. High Performance Computing Applications, vol. 17, no. 4, pp. 353-367, 2003.
[32] H. Stockinger, “Distributed Database Management Systems and the Data Grid,” Proc. 18th IEEE Symp. Mass Storage Systems and the Ninth NASA Goddard Conf. Mass Storage Systems and Technologies, 2001.
[33] Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective, The Globus Security Team, http://www.globus.org/toolkit/docs/4.0/security/GT4-GSI-Overview.pdf, 2005.
[34] M.R. Thompson, A. Essiari, K. Keahey, V. Welch, S. Lang, and B. Liu, “Fine-Grained Authorization for Job and Resource Management Using Akenti and the Globus Toolkit,” Proc. Int'l Conf. Computing in High Energy and Nuclear Physics, 2003.
[35] S. Tuecke, K. Czajkowski, I. Foster, J. Frey, S. Graham, C. Kesselman, and P. Vanderbilt, Grid Service Specification, Draft 4, Open Grid Service Infrastructure Working Group, Global Grid Forum, 2002.
[36] G. Wasson and M. Humphrey, “Policy and Enforcement in Virtual Organizations,” Proc. Fourth Int'l Workshop Grid Computing, pp. 125-132, 2003.
[37] G. Wasson and M. Humphrey, “Towards Explicit Policy Management for Virtual Organizations,” Proc. Fourth IEEE Int'l Workshop Policies for Distributed Systems and Networks, pp. 173-182, 2003.
[38] V. Welch, F. Siebenlist, I. Foster, J. Bresnahan, K. Czajkowski, J. Gawor, C. Kesselman, S. Meder, L. Pearlman, and S. Tuecke, “Security for Grid Services,” Proc. 12th Int'l Symp. High-Performance Distributed Computing, pp. 48-57, 2003.
[39] V. Welch, T. Barton, K. Keahey, and F. Siebenlist, “Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration,” Proc. Fourth Ann. Public Key Infrastructure R&D Workshop, 2005.
[40] G. Zhang and M. Parashar, “Dynamic Context-Aware Access Control for Grid Applications,” Proc. Fourth Int'l Workshop Grid Computing, pp. 101-108, 2003.

Index Terms:
Open Grid Services Architecture-Data Access and Integration (OGSA-DAI), Grid database services, fine-grain authorization, Community Authorization Service (CAS), role-based access control (RBAC).
Citation:
Anil L. Pereira, Vineela Muppavarapu, Soon M. Chung, "Role-Based Access Control for Grid Database Services Using the Community Authorization Service," IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 2, pp. 156-166, April-June 2006, doi:10.1109/TDSC.2006.26