A Mediated Definite Delegation Model allowing for Certified Grid Job Submission

Grid computing infrastructures need to provide traceability and accounting of their users" activity and protection against misuse and privilege escalation. A central aspect of multi-user Grid job environments is the necessary delegation of privileges in the course of a job submission. With respect to these generic requirements this document describes an improved handling of multi-user Grid jobs in the ALICE ("A Large Ion Collider Experiment") Grid Services. A security analysis of the ALICE Grid job model is presented with derived security objectives, followed by a discussion of existing approaches of unrestricted delegation based on X.509 proxy certificates and the Grid middleware gLExec. Unrestricted delegation has severe security consequences and limitations, most importantly allowing for identity theft and forgery of delegated assignments. These limitations are discussed and formulated, both in general and with respect to an adoption in line with multi-user Grid jobs. Based on the architecture of the ALICE Grid Services, a new general model of mediated definite delegation is developed and formulated, allowing a broker to assign context-sensitive user privileges to agents. The model provides strong accountability and long- term traceability. A prototype implementation allowing for certified Grid jobs is presented including a potential interaction with gLExec. The achieved improvements regarding system security, malicious job exploitation, identity protection, and accountability are emphasized, followed by a discussion of non- repudiation in the face of malicious Grid jobs

Proxy dynamic delegation in grid gateway

Nowadays one of the main obstacles the research comes up against is the difficulty in accessing the required computational resources. Grid is able to offer the user a wide set of resources, even if they are often too hard to exploit for non expert end user. Use simplification has today become a common practice in the access and utilization of Cloud, Grid, and data center resources. With the launch of L-GRID gateway, we introduced a new way to deal with Grid portals. L-GRID is an extremely light portal developed in order to access the EGI Grid infrastructure via Web, allowing users to submit their jobs from whatever Web browser in a few minutes, without any knowledge about the underlying Grid infrastructure.Comment: 6 page

GridCertLib: a Single Sign-on Solution for Grid Web Applications and Portals

This paper describes the design and implementation of GridCertLib, a Java library leveraging a Shibboleth-based authentication infrastructure and the SLCS online certificate signing service, to provide short-lived X.509 certificates and Grid proxies. The main use case envisioned for GridCertLib, is to provide seamless and secure access to Grid/X.509 certificates and proxies in web applications and portals: when a user logs in to the portal using Shibboleth authentication, GridCertLib can automatically obtain a Grid/X.509 certificate from the SLCS service and generate a VOMS proxy from it. We give an overview of the architecture of GridCertLib and briefly describe its programming model. Its application to some deployment scenarios is outlined, as well as a report on practical experience integrating GridCertLib into portals for Bioinformatics and Computational Chemistry applications, based on the popular P-GRADE and Django softwares.Comment: 18 pages, 1 figure; final manuscript accepted for publication by the "Journal of Grid Computing

EMI Security Architecture

This document describes the various architectures of the three middlewares that comprise the EMI software stack. It also outlines the common efforts in the security area that allow interoperability between these middlewares. The assessment of the EMI Security presented in this document was performed internally by members of the Security Area of the EMI project

A Credential Store for Multi-tenant Science Gateways

Science Gateways bridge multiple computational grids and clouds, acting as overlay cyberinfrastructure. Gateways have three logical tiers: a user interfacing tier, a resource tier and a bridging middleware tier. Different groups may operate these tiers. This introduces three security challenges. First, the gateway middleware must manage multiple types of credentials associated with different resource providers. Second, the separation of the user interface and middleware layers means that security credentials must be securely delegated from the user interface to the middleware. Third, the same middleware may serve multiple gateways, so the middleware must correctly isolate user credentials associated with different gateways. We examine each of these three scenarios, concentrating on the requirements and implementation of the middleware layer. We propose and investigate the use of a Credential Store to solve the three security challenges

The Dropout Crisis: Promising Approaches in Prevention and Recovery

The number of high school age students who do not complete high school is receiving increased attention as a serious challenge facing the educational system. This is happening for several reasons. New research estimates that about 30 percent of high school students fail to earn a diploma in the standard number of years, a higher figure than state and local education officials typically cite. In many states, barely half of African-Americans and Latinos graduate from high school. The magnitude of the challenge is becoming clear at the same time that a consensus is emerging that education beyond high school is critical to economic self-sufficiency and success in today's knowledge-intensive economy. The U.S. Bureau of Labor Statistics projects that 60 percent of jobs created between now and 2010 will require at least some postsecondary education. In the emerging economy, a high school dropout or a young person who earns a GED, but no further postsecondary credential, has extremely few opportunities for a family-supporting career. Addressing the dropout crisis will require responding to a dual challenge: state education systems must promote and support both dropout prevention strategies and dropout recovery efforts. This brief describes current practice in both prevention and recovery, highlighting promising approaches in each area that can help reduce stubbornly high dropout rates. It concludes with several suggestions for how state policymakers can help promote a more systemic approach to the dropout crisis

Investigation of Driver License Issuance Alternatives

This study develops an alternative model for issuing driver licenses and personal identifications in Kentucky. Under the current model, most licenses are distributed by circuit court clerks at 142 offices across the state while the Kentucky Transportation Cabinet (KYTC) provides central and regional support for specific license types. Given the cumbersome administrative structure and impending REAL ID requirements, both circuit clerks and KYTC administrators would like to explore an alternative distribution model. Researchers at the Kentucky Transportation Center (KTC) projected the costs of transitioning from the current issuance model to a centralized DMV model where licenses are distributed at 18 to 24 regional field offices. In FY 2020, the cost for having circuit clerks distribute licenses was roughly $18.5 million. A regional model will have initial costs between$10.4 and $16.4 million depending on the number of offices and employee compensation levels. If switching from a 4-year to 8-year license renewal cycle, the ensuing revenues would more than cover costs, although the License Fund allocation from each license sale should be adjusted so that all costs are covered and do not require additional Road Fund supplements. Optimizing the centralized issuance model will depend on transitioning from 4-year to 8-year license renewal intervals, completely transitioning issuance to KYTC and avoiding a hybrid distribution system and duplication of infrastructure, increasing allocations to the License Fund, implementing an online driver license renewal system in the near future, and transitioning away from the dated mainframe driver licensing database to a newer, more dynamic system

The credentialed workforce: Examining success rates across short-term noncredit training programs aligned with industry credentials

A new grant program implemented to provide subsidized training costs for students enrolling in short-term noncredit programs aligned with high-demand industry credentials leading to middle-skill jobs was implemented in July 2016. The grant program follows a pay-for-performance model where students are given a two-thirds discount on tuition but required to pay back an additional one-third if they do not successfully complete their short-term noncredit training. An exploratory study was conducted to provide training program completion and credential attainment rates for the overall program and by student demographic groups (age, race, and gender). Results showed little variation among training program completion rates among groups but showed considerable differences among programs and demographic groups for credential attainment rates indicating possible barriers to credential attainment. Supplemental information was collected via a survey sent to career coaches at the community colleges implementing the grant program. Responses indicated a need for additional resources (e.g. transportation vouchers) and support for students during program implementation (e.g. additional classroom resources). Overall, findings indicate a need for further research once additional enrollment data is available and additional collection of qualitative data from the colleges implementing the program to support programmatic improvement aligned with the grant outcomes

The Economic Development and Workforce Development Systems

Provides an overview of current U.S. strategies for and challenges in ensuring economic growth with adequate employment opportunities and preparing disadvantaged people for careers. Also summarizes goals, key stakeholders, and the policy environment

Spartan Daily, February 20, 2007

Volume 128, Issue 15https://scholarworks.sjsu.edu/spartandaily/10329/thumbnail.jp