
    Dynamic Trust Federation in Grids

    Grids are becoming economically viable and productive tools. Grids provide a way of utilizing a vast array of linked resources such as computing systems, databases and services online within Virtual Organizations (VO). However, today's Grid architectures are not capable of supporting dynamic, agile federation across multiple administrative domains, and the main barrier that hinders dynamic federation over short time scales is security. Federating security and trust is one of the most significant architectural issues in Grids. Existing relevant standards and specifications can be used to federate security services, but they do not directly address the dynamic extension of business trust relationships into the digital domain. In this paper we describe an experiment in which we highlight those challenging architectural issues, and we further describe how an approach that combines dynamic trust federation with a dynamic authorization mechanism can address dynamic security trust federation in Grids. The experiment made with the prototype described in this paper is used in the NextGRID project for the definition of requirements for next generation Grid architectures adapted to business application needs.

    Managing Dynamic User Communities in a Grid of Autonomous Resources

    One of the fundamental concepts in Grid computing is the creation of Virtual Organizations (VO's): a set of resource consumers and providers that join forces to solve a common problem. Typical examples of Virtual Organizations include collaborations formed around the Large Hadron Collider (LHC) experiments. To date, Grid computing has been applied on a relatively small scale, linking dozens of users to a dozen resources, and management of these VO's was a largely manual operation. With the advance of large collaborations, linking more than 10000 users with 1000 sites in 150 countries, a comprehensive, automated management system is required. It should be simple enough not to deter users, while at the same time ensuring local site autonomy. The VO Management Service (VOMS), developed by the EU DataGrid and DataTAG projects [1, 2], is a secured system for managing authorization for users and resources in virtual organizations. It extends the existing Grid Security Infrastructure [3] architecture with embedded VO affiliation assertions that can be independently verified by all VO members and resource providers. Within the EU DataGrid project, Grid services for job submission, file- and database access are being equipped with fine-grained authorization systems that take VO membership into account. These also give resource owners the ability to ensure site security and enforce local access policies. This paper will describe the EU DataGrid security architecture, the VO membership service and the local site enforcement mechanisms: the Local Centre Authorization Service (LCAS), the Local Credential Mapping Service (LCMAPS) and the Java Trust and Authorization Manager. Comment: Talk from the 2003 Computing in High Energy and Nuclear Physics (CHEP03), La Jolla, CA, USA, March 2003, 7 pages, LaTeX, 5 eps figures. PSN TUBT00

    Toward an on-demand restricted delegation mechanism for Grids

    Grids are intended to enable cross-organizational interactions, which makes Grid security a challenging and non-trivial issue. In Grids, delegation is a key facility that can be used to authenticate and authorize requests on behalf of disconnected users. In current Grid systems there is a trade-off between flexibility and security in the context of delegation. Applications must choose between limited or full delegation: on one hand, delegating a restricted set of rights reduces exposure to attack but also limits the flexibility/dynamism of the application; on the other hand, delegating all rights provides maximum flexibility but increases exposure. In this paper, we propose an on-demand restricted delegation mechanism, aimed at addressing the shortcomings of current delegation mechanisms by providing restricted delegation in a flexible fashion as needed for Grid applications. This mechanism provides an ontology-based solution for tackling one of the most challenging issues in security systems, which is the principle of least privilege. It utilizes a callback mechanism, which allows on-demand provisioning of delegated credentials in addition to observing, screening, and auditing delegated rights at runtime. This mechanism provides support for generating delegation credentials with a very limited and well-defined range of capabilities or policies, where a delegator is able to grant a delegatee a set of restricted and limited rights, implicitly or explicitly. © 2006 IEEE

    Dynamic security context management in Grid-based applications

    This paper summarises ongoing research and recent results on the development of a flexible access control infrastructure for complex resource provisioning in Grid-based collaborative applications and on-demand network services provisioning. The paper analyses the general access control model for Grid-based applications and discusses what mechanisms can be used for expressing and handling dynamic domain or process/workflow-related security context. Suggestions are given on what specific functionality should be added to Grid-oriented authorization frameworks to handle such dynamic security context. As an example, the paper explains how such functionality can be achieved in the GAAA Authorization framework (GAAA-AuthZ) and the GAAA toolkit. Additionally, the paper describes the AuthZ ticket format for extended AuthZ session management. The paper is based on experiences gained from major Grid-based and Grid-oriented projects such as EGEE, Phosphorus, NextGRID, and GigaPort Research on Network

    Programming the Grid with gLite

    The past few years have seen the creation of the first production-level Grid infrastructures that offer their users a dependable service at an unprecedented scale. Depending on the flavor of middleware services these infrastructures deploy (for instance Condor, gLite, Globus, UNICORE, to name only a few), different interfaces to program the Grid infrastructures are provided. Despite ongoing efforts to standardize Grid service interfaces, there are still significant differences in how applications can interface to a Grid infrastructure. In this paper we describe the middleware (gLite) and services deployed on the EGEE Grid infrastructure and explain how applications can interface to them.

    Middleware for the next generation Grid infrastructure

    The aim of the EGEE (Enabling Grids for E-Science in Europe) project is to create a reliable and dependable European Grid infrastructure for e-Science. The objective of the EGEE Middleware Re-engineering and Integration Research Activity is to provide robust middleware components, deployable on several platforms and operating systems, corresponding to the core Grid services for resource access, data management, information collection, authentication & authorization, resource matchmaking and brokering, and monitoring and accounting. To achieve this objective, we developed an architecture and design of the next generation Grid middleware leveraging experiences and existing components essentially from AliEn, EDG, and VDT. The architecture follows the service breakdown developed by the LCG ARDA group. Our strategy is to do as little original development as possible and rather re-engineer and harden existing Grid services. The evolution of these middleware components towards a Service Oriented Architecture (SOA) adopting existing standards (and following emerging ones) as much as possible is another major goal of our activity.

    Programming the Grid with gLite

    Advances in networking and distributed computing allowed the establishment of production Grid infrastructures during the past few years. Today, large-scale production Grid infrastructures such as EGEE in Europe