10 research outputs found

    From gridmap-file to VOMS: managing authorization in a Grid environment

    Grids are potentially composed of several thousands of users from different institutions sharing their computing resources (or using resources provided by third parties). Controlling access to these resources is a difficult problem, as it depends on the policies of the organizations the users belong to and of the resource owners. Moreover, a simple authorization implementation, based on a direct user registration on the resources, is not applicable to a large scale environment. In this paper, we describe the solution to this problem developed in the framework of the European DataGrid [M. Draoli, G. Mascari, R. Piccinelli, Project Presentation, DataGrid-11-NOT-0103-_1] and DataTAG [http://www.datatag.org/] projects: the Virtual Organization Membership Service (VOMS) [R. Alfieri, et al., Managing Dynamic User Communities in a Grid of Autonomous Resources, TUBT005, in: Proceedings of the CHEP 2003, 2003]. VOMS allows a fine grained control of the use of the resources both to the users' organizations and to the resource owners

    Bridging clinical information systems and grid middleware: a Medical Data Manager

    This paper describes the effort to deploy a Medical Data Management service on top of the EGEE grid infrastructure. The most widely accepted medical image standard, DICOM, was developed for fulfilling clinical practice. It is implemented in most medical image acquisition and analysis devices. The EGEE middleware is using the SRM standard for handling grid files. Our prototype is exposing an SRM compliant interface to the grid middleware, transforming on the fly SRM requests into DICOM transactions. The prototype ensures user identification, strict file access control and data protection through the use of relevant grid services. This Medical Data Manager is easing the access to medical databases needed for many medical data analysis applications deployed today. It offers a high level data management service, compatible with clinical practices, which encourages the migration of medical applications towards grid infrastructures. A limited scale testbed has been deployed as a proof of concept of this new service. The service is expected to be put into production with the next EGEE middleware generation

    VOMS, an Authorization System for Virtual Organizations

    We briefly describe the authorization requirements, focusing on the framework of the DataGrid and DataTAG Projects and illustrate the architecture of a new service we have developed, the Virtual Organization Membership Service (VOMS), to manage authorization information in Virtual Organization scope

    Next-Generation EU DataGrid Data Management Services

    We describe the architecture and initial implementation of the next-generation of Grid Data Management Middleware in the EU DataGrid (EDG) project. The new architecture stems out of our experience and the users' requirements gathered during the two years of running our initial set of Grid Data Management Services. All of our new services are based on the Web Service technology paradigm, very much in line with the emerging Open Grid Services Architecture (OGSA). We have modularized our components and invested a great amount of effort towards a secure, extensible and robust service, starting from the design but also using a streamlined build and testing framework. Our service components are: Replica Location Service, Replica Metadata Service, Replica Optimization Service, Replica Subscription and high-level replica management. The service security infrastructure is fully GSI-enabled, hence compatible with the existing Globus Toolkit 2-based services; moreover, it allows for fine-grained authorization mechanisms that can be adjusted depending on the service semantics. Comment: Talk from the 2003 Computing in High Energy and Nuclear Physics (CHEP03), La Jolla, Ca, USA, March 2003, 8 pages, LaTeX, the file contains all LaTeX sources - figures are in the directory "figures"

    A Secure Grid Medical Data Manager Interfaced to the gLite Middleware

    The medical community is producing and manipulating a tremendous volume of digital data for which computerized archiving, processing and analysis is needed. Grid infrastructures are promising for dealing with challenges arising in computerized medicine but the manipulation of medical data on such infrastructures faces both the problem of interconnecting medical information systems to Grid middlewares and of preserving patients' privacy in a wide and distributed multi-user system. These constraints are often limiting the use of Grids for manipulating sensitive medical data. This paper describes our design of a medical data management system taking advantage of the advanced gLite data management services, developed in the context of the EGEE project, to fulfill the stringent needs of the medical community. It ensures medical data protection through strict data access control, anonymization and encryption. The multi-level access control provides the flexibility needed for implementing complex medical use-cases. Data anonymization prevents the exposure of most sensitive data to unauthorized users, and data encryption guarantees data protection even when it is stored at remote sites. Moreover, the developed prototype provides a Grid storage resource manager (SRM) interface to standard medical DICOM servers thereby enabling transparent access to medical data without interfering with medical practice

    Medical Data Manager: an Interface between PACS and the gLite Data Management System

    The medical imaging community uses the DICOM image format and protocol to store and exchange data. The Medical Data Manager (MDM) is an interface between DICOM compliant systems such as PACS and the EGEE Data Management System. It opens hospital imaging networks to the world scale Grid while protecting sensitive medical data. It can be accessed transparently from any gLite service. It is an important milestone towards adoption of Grid technologies in the medical imaging community. Hospitals continuously produce tremendous amounts of image data that is managed by local PACS (Picture Archiving and Communication Systems). These systems are often limited to a local network access although the community experiences a growing interest for data sharing and remote processing. Indeed, patient data is often spread out over different medical data acquisition centers. Furthermore, researchers in the area often need to analyze large populations whose data can be gathered through federations of PACS. Opening PACS to the outer Internet is challenging though, due to the stringent security requirements applying to medical data manipulation. The gLite Data Management System provides the distribution, user identification, data access control and secured transportation core services needed to envisage wide scale deployment of the medical imaging applications. The MDM provides an upper layer to interface to PACS and manipulate medical data with the required level of security. The MDM core is a DICOM-SRM interface that converts file access queries into DICOM GET operations. An internal database is used to register medical images and to map Grid file identifiers into DICOM identifiers. Image files are therefore visible from the gLite file catalog for future use by services invoking the data management system. Patient privacy is preserved through data anonymization and encryption. DICOM image headers are wiped out prior to image transfer. All data is encrypted prior to exposure to the Grid network in order to avoid any data leakage. The encryption / decryption phases are transparently handled by the data management system through calls to the Hydra service. Data access is controlled through user DN-based ACLs. An AMGA metadata server is used to store the medical records of the patient independently from the image. It ensures secured and controlled access to the metadata that is isolated from the images. The MDM was originally designed using gLite 1.5 components and was recently ported to the production data management system. It is packaged with an installation script and freely available for download. The next step will be the deployment of a significant number of MDM services interfaced to pre-clinical PACS in order to demonstrate a wide area medical imaging network supported by the Grid infrastructure. Future plans also include distribution of the medical metadata collected
