
Using SAML-Based VOMS for Authorization within Web Services-Based UNICORE Grids


Abstract

In recent years, the Virtual Organization Membership Service (VOMS) emerged within Grid infrastructures, providing the dynamic, fine-grained access control needed to enable resource sharing across Virtual Organizations (VOs). VOMS makes it possible to manage authorization information in a VO scope in order to enforce agreements established between VOs and resource owners. VOMS is used for authorization in the EGEE and OSG infrastructures and is a core component of the respective middleware stacks gLite and VDT. While a module for supporting VOMS is also available as part of the authorization service of the Globus Toolkit, there is currently no support for VO-level authorization within the new Web services-based UNICORE 6. This paper describes the evolution of VOMS towards an open-standard-compliant service based on the Security Assertion Markup Language (SAML), which in turn provides the mechanisms to fill the VO-level authorization gap within Web service-based UNICORE Grids. In addition, the SAML-based VOMS allows for cross-middleware VO management through open standards.
Using SAML-based VOMS for Authorization
within Web Services-based UNICORE Grids
Valerio Venturi, Morris Riedel, Shiraz Memon, Shahbaz Memon, Frederico Stagni,
Bernd Schuller, Daniel Mallmann, Bastian Tweddell, Alberto Gianolli,
Sven van de Berghe, David Snelling, Achim Streit
3rd UNICORE Summit, Rennes, 28.08.2007
EU project: RIO31844-OMII-EUROPE
3rd UNICORE Summit 2007, Rennes, 28.08.2007
Outline
Virtual Organizations and their management
The VOMS Technology
VOMS Functionality, Admin Tool, Attribute Authority
Authorization standards in the Grid
OGF OGSA-AuthZ, SAML, XACML
VOMS SAML Service
Deployment, SAML assertions & attributes
Integration of VOMS in UNICORE 6
SAML VOMS AA
Roadmap and Use cases in context of UNICORE
Related Work and Conclusion
Virtual Organizations
The 'Grid problem': coordinated resource sharing across dynamic collections of individuals, institutions and resources
Grids do this in flexible Virtual Organizations (VOs)
Resource owners (ROs) share their resources within the VO
Resources are exposed/accessed by different Grid middleware systems
Users may use any Grid middleware they prefer
Users may or may not have relationships to resource owners
[2] Foster et al.
Virtual Organization Management
Resource owners share their resources, but only because they keep control over how the sharing is done (e.g. WHO is allowed to access)
Resource owners make sharing agreements within the VO
Enabling VO management means...
Providing tools that deal with highly dynamic VO administration
Providing the instruments to facilitate the enforcement of such sharing agreements
Today: shared resources are exposed/accessed by different Grid middleware systems (in different e-Infrastructures)
Common open standards are the key enabler of cross-Grid VO management and Grid/e-Infrastructure interoperability
The VOMS Technology
VOMS = Virtual Organization Membership Service
A tool for doing VO management
Originally developed during the European DataGrid and DataTAG collaborations
Production version maintained in the EGEE project
New open standards integration within OMII-Europe
Core component for authorization in the middleware stacks gLite (EGEE) and VDT (OSG)
Module available for using it with the Globus Toolkit authorization framework
Production version used in Grid infrastructures worldwide: EGEE, OSG, D-Grid, NAREGI, ...
[3] Alfieri et al.
VOMS Functionality
VOMS allows assigning users in a VO attributes regarding their 'position' in the VO
Position (attributes) means...
Groups of a user (e.g. LHC, DECI)
Project membership (e.g. OMII-Europe)
Roles of a user (e.g. administrator)
Any other attributes (e.g. funding_agency_x)
These attributes are used for access control by the Grid services that expose resources
Allows enforcement of agreements between ROs and the VO
Resource owners share resources for dedicated groups/projects/roles or any other type of defined attribute
VOMS Admin Tool
The tool allows VO managers to perform administrative operations
A Web service interface is available exposing such operations for easy development of custom admin applications
A ready-to-use Web application enabling...
Users to register
VO managers to manage subscriptions
VO managers to create and manage groups and assign roles/group membership
VOMS Attribute Authority
VOMS is an Attribute Authority (AA) that releases signed assertions containing user attributes (groups/roles, etc.)
'AC VOMS' uses Attribute Certificates (ACs) (RFC 3281)
No use of Web services; use of proprietary XML messages
Uses GSI for securing communications
Mostly, the ACs retrieved from the VOMS AA are inserted into the proxy certificates of the user
After authentication with a Grid service, the AC is thus available for the service to use for authorization
[1] Farrell et al.
Authorization Standards in the Grid
OGF OGSA - Authorization (AuthZ) working group
Goal: leverage existing standardization efforts in the Web Service community and adapt them to Grid Services
Currently focussing on three technologies:
Attribute Authority, based on the OASIS Security Assertion Markup Language (SAML)
Authorization Service, based on OASIS SAML and the OASIS eXtensible Access Control Markup Language (XACML), SAML profile for XACML
Credential Validation Service, based on OASIS SAML
New 'SAML VOMS' implements the SAML-based AA
Working on finalizing the profile, but the agreements are settled
Link to talk: Kenneth Klingenstein
Takeaways, open standards: SAML & XACML
[6] OASIS Security TC
Overview: Services in Context
[Figure: SAML VOMS positioned between the OGF OGSA Authorization Framework, the UNICORE Grid Middleware and the UNICORE Clients]
SAML (in short)
XML-based framework for exchanging security information: user authentication, entitlement, and attribute information
Assertions: supply statements made by a SAML authority
An attribute assertion asserts that a specified subject is associated with the supplied attributes
Authorization and authentication assertions
Protocols: allow requesting assertions from SAML authorities
Bindings: mapping of SAML request/response messages onto standard messaging or communication protocols (e.g. SOAP)
[Figure: a SAML Assertion as an XML document]
[4] OASIS Security TC
VOMS SAML Service (aka SAML VOMS)
VOMS has been extended to support authorization standards emerging from the Grid community
The VOMS SAML Service retains the same functionality as the production AC VOMS
Exposes a Web service interface according to SAML
Uses SAML assertions instead of ACs
Can be deployed to any J2EE service container (Apache Tomcat, JBoss, etc.)
Goal of standards integration: Grid middleware independence
Enforces the idea that VO management is a task that is inherently Grid middleware independent
Allows for cross-Grid VO management
VOMS AC and VOMS SAML Comparison
The new standardized SAML request looks like this:
<wsdl:portType name="AttributeAuthorityPortType">
  <wsdl:operation name="AttributeQuery">
    <wsdl:input message="tns:AttributeQueryRequest"/>
    <wsdl:output message="tns:AttributeQueryResponse"/>
  </wsdl:operation>
</wsdl:portType>
versus the proprietary AC VOMS request protocol
According to the "SAML Profile for X.509" specification, [5] Randall et al.
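The AttributeQuery/Response exchange that the portType above describes, with both the client's query and the attribute authority's answer, as an added example; this is not code from the slides, from VOMS or from UNICORE. It uses only the Python standard library. The issuer URL, the membership table and the DNs are constructed for the example, and the XML signature that the real VOMS SAML service applies to its assertions is omitted.

```python
"""SAML 2.0 AttributeQuery exchange between a Grid client and a VOMS-style
attribute authority (AA). Added illustration, not code from VOMS or UNICORE.
Constructed: the issuer URL, the membership table and the DNs. The real
VOMS SAML service signs the assertion; the signature step is omitted here."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
AA_ISSUER = "https://voms.example.org/omiieurope"  # constructed issuer name
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed VO membership table: subject DN -> VOMS group attributes
MEMBERSHIP = {
    "CN=Alice Example,O=ExampleGrid,C=XX": ["/omiieurope", "/omiieurope/admins"],
    "CN=Bob Example,O=ExampleGrid,C=XX": ["/astro"],
}


def _now():
    return datetime.now(timezone.utc).replace(microsecond=0)


def build_attribute_query(subject_dn, attr_name="group-membership-id"):
    """Client side: a samlp:AttributeQuery naming the subject by its X.509 DN."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now().isoformat()})
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": X509_SUBJECT})
    name_id.text = subject_dn
    ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": attr_name})
    return ET.tostring(query, encoding="unicode")


def handle_attribute_query(query_xml, authenticated_dn, lifetime=timedelta(hours=12)):
    """AA side: answer the query, but release attributes only about the identity
    that authenticated the transport (GSI/TLS client certificate), so that one
    member cannot read another member's VO position."""
    query = ET.fromstring(query_xml)
    subject_dn = (query.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") or "").strip()
    wanted = [a.get("Name") for a in query.findall(f"{{{SAML}}}Attribute")]

    response = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now().isoformat(), "InResponseTo": query.get("ID", "")})
    ET.SubElement(response, f"{{{SAML}}}Issuer").text = AA_ISSUER
    status = ET.SubElement(response, f"{{{SAMLP}}}Status")

    if subject_dn != authenticated_dn or subject_dn not in MEMBERSHIP:
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_REQUESTER})
        return ET.tostring(response, encoding="unicode")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_SUCCESS})

    now = _now()
    assertion = ET.SubElement(response, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now.isoformat()})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = AA_ISSUER
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": X509_SUBJECT}).text = subject_dn
    ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": now.isoformat(), "NotOnOrAfter": (now + lifetime).isoformat()})
    statement = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name in wanted:
        if name != "group-membership-id":
            continue  # the only attribute this toy AA can vouch for
        attribute = ET.SubElement(statement, f"{{{SAML}}}Attribute", {"Name": name})
        for value in MEMBERSHIP[subject_dn]:
            ET.SubElement(attribute, f"{{{SAML}}}AttributeValue").text = value
    # A real AA applies an XML-Signature over saml:Assertion here (omitted).
    return ET.tostring(response, encoding="unicode")


def read_attribute_response(response_xml):
    """Client side: return (status code, {attribute name: [values]})."""
    response = ET.fromstring(response_xml)
    code = response.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
    attributes = {}
    for attribute in response.iter(f"{{{SAML}}}Attribute"):
        attributes[attribute.get("Name")] = [
            v.text for v in attribute.findall(f"{{{SAML}}}AttributeValue")]
    return code, attributes


if __name__ == "__main__":
    alice = "CN=Alice Example,O=ExampleGrid,C=XX"
    print(read_attribute_response(handle_attribute_query(build_attribute_query(alice), alice)))
```

The check in handle_attribute_query that the queried subject equals the DN authenticated on the connection is the point a practitioner should take away: the AA binds the released attributes to the caller's X.509 identity, which is what makes the later x509SubjectName subject in the assertion meaningful to a relying service.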
SAML Assertions
Example SAML assertion released by the VOMS SAML Service (some parts are omitted for brevity)
The SAML assertion indicates for "WHO/WHAT" the assertion is valid (saml:Subject)
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ... >
  <saml:Issuer> ... </saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">
      CN=Morris Riedel,OU=ZAM,OU=Forschungszentrum Juelich GmbH,O=GridGermany,C=DE
    </saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="..." NotOnOrAfter="..." />
  <saml:AttributeStatement>
    ... shown on the next slide ...
  </saml:AttributeStatement>
</saml:Assertion>
SAML ASSERTION: subject Morris Riedel (confirmed per X.509 certificate)
SAML Attributes
We have 'Morris Riedel' as subject (user)
So which attributes does he have...?!
Example VOMS attributes expressed as SAML attributes...
<saml:AttributeStatement>
  <saml:Attribute Name="group-membership-id" NameFormat="urn...">
    <saml:AttributeValue xsi:type="xs:string">
      /omiieurope
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
Hence: the user is in the omiieurope project
The format of the attributes is going to change...
A VOMS SAML profile is being finalized
SAML ASSERTION: subject Morris Riedel (confirmed per X.509 certificate), attribute /omiieurope (confirmed by VOMS server)
SAML VOMS using WS-Security extensions
The coupling of ACs and proxy certificates has proved a very efficient way of making attributes available to services
E.g. used in the proxy-based gLite and Globus Toolkit
Requirement from the UNICORE community: support Grid middleware that does not (natively) use proxy certificates
SAML assertions carried in WS-Security extensions (SOAP headers)
SAML VOMS AA for UNICORE 6
UNICORE 6 client-side (GridSphere portal or GPE clients):
Get a SAML assertion from the VOMS SAML service
The SAML assertion is signed by the VOMS SAML service
When contacting UNICORE 6, the client puts the SAML assertion into the header of the SOAP message (using WS-Security extensions)
UNICORE 6 server-side:
Grant/deny access based on the SAML assertions of users
Prototype on UNICORE@SourceForge: "VOMS-enabled OGSA-BES"
Example of Messages to UNICORE 6
SAML-based SOAP message to UNICORE 6:
<soap:Envelope xmlns:soap="...">
  <soap:Header>
    <wsse:Security xmlns:wsse="...">
      <saml:Assertion xmlns:saml="...">
        ....
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    ...
  </soap:Body>
</soap:Envelope>
Prototype on UNICORE@SourceForge: "VOMS-enabled OGSA-BES"
Attribute-Based AuthZ in UNICORE 6
UNICORE 6 incorporates a Policy Decision Point (PDP) that uses XACML policies to make authorization decisions
The relevant UNICORE 6 service extracts the VOMS attributes from the SAML assertion in the SOAP header
The SAML assertion is used for a request to the PDP along with the action and resource description
The PDP checks against its set of policies to decide whether the user is allowed to perform the requested action or not
Prototype on UNICORE@SourceForge: "VOMS-enabled OGSA-BES"
XACML Policy Example
<Rule Effect="Permit" RuleId="allow-omiieurope-members"
      xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Description>Allow users in the omiieurope VO access to any service</Description>
  <Target>
    <Subjects>...</Subjects>
    <Resources>...</Resources>
    <Actions>...</Actions>
  </Target>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                  AttributeId="group-membership-id" />
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/omiieurope</AttributeValue>
  </Condition>
</Rule>
XACML POLICY: subjects with attribute /omiieurope are permitted
SAML ASSERTION: subject Morris Riedel (confirmed per X.509 certificate), /omiieurope attribute (confirmed by VOMS server)
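The server-side steps of the last three slides (take the assertion out of the WS-Security header, check it, hand the VOMS attributes to the PDP, evaluate the rule above) as an added Python example; this is not UNICORE 6 code. The trusted issuer name, the sample SOAP message and the DNs are constructed, signature verification is a stand-in function that a real deployment replaces with XML-Signature checking against the VOMS server certificate, and untrusted SOAP should be parsed with defusedxml rather than the standard-library parser used here for self-containment.

```python
"""Relying-service side: SOAP/WS-Security -> SAML assertion -> VOMS attributes
-> XACML rule. Added illustration, not UNICORE 6 code. Constructed: the
trusted issuer, the sample message and the DNs. signature_is_valid() is a
stand-in for XML-Signature verification."""
import xml.etree.ElementTree as ET
from datetime import datetime

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRUSTED_ISSUERS = {"https://voms.example.org/omiieurope"}  # constructed

# Constructed sample message in the shape shown on the "Example of Messages" slide.
SAMPLE_MESSAGE = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0" IssueInstant="2007-08-28T09:00:00Z">
        <saml:Issuer>https://voms.example.org/omiieurope</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">CN=Alice Example,O=ExampleGrid,C=XX</saml:NameID>
        </saml:Subject>
        <saml:Conditions NotBefore="2007-08-28T09:00:00Z" NotOnOrAfter="2007-08-28T21:00:00Z"/>
        <saml:AttributeStatement>
          <saml:Attribute Name="group-membership-id">
            <saml:AttributeValue>/omiieurope</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body><ex:SubmitJob xmlns:ex="urn:example:jobs"/></soap:Body>
</soap:Envelope>"""


def parse_timestamp(value):
    """SAML dateTime (UTC, 'Z' suffix) to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_assertion(soap_xml):
    """Locate the SAML assertion carried in the WS-Security SOAP header."""
    envelope = ET.fromstring(soap_xml)  # production: defusedxml for untrusted input
    return envelope.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{SAML}}}Assertion")


def signature_is_valid(assertion):
    # Stand-in: a real PEP verifies the XML-Signature with the VOMS server's certificate.
    return True


def check_assertion(assertion, authenticated_dn, now):
    """Return None if the assertion may be used for this caller, else the reason."""
    if assertion is None:
        return "no SAML assertion in WS-Security header"
    if not signature_is_valid(assertion):
        return "signature check failed"
    if assertion.findtext(f"{{{SAML}}}Issuer") not in TRUSTED_ISSUERS:
        return "issuer is not a trusted VOMS server"
    subject = (assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") or "").strip()
    if subject != authenticated_dn:  # bind the assertion to the X.509-authenticated caller
        return "assertion subject differs from the X.509-authenticated caller"
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None or not (parse_timestamp(cond.get("NotBefore")) <= now
                            < parse_timestamp(cond.get("NotOnOrAfter"))):
        return "assertion outside its validity window"
    return None


def subject_attributes(assertion):
    """VOMS attributes as a bag per attribute name, as the PDP request needs them."""
    attrs = {}
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        attrs.setdefault(attr.get("Name"), []).extend(
            (v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue"))
    return attrs


def evaluate_rule(attrs, attribute_id="group-membership-id", expected="/omiieurope"):
    """The slide's rule: string-one-and-only over the subject attribute bag, then
    string-equal. A bag whose size is not exactly 1 makes the rule Indeterminate."""
    bag = attrs.get(attribute_id, [])
    if len(bag) != 1:
        return "Indeterminate"
    return "Permit" if bag[0] == expected else "NotApplicable"


def authorize(soap_xml, authenticated_dn, now):
    """(decision, reason); anything but an explicit Permit is a Deny."""
    assertion = extract_assertion(soap_xml)
    reason = check_assertion(assertion, authenticated_dn, now)
    if reason:
        return "Deny", reason
    result = evaluate_rule(subject_attributes(assertion))
    if result == "Permit":
        return "Permit", "rule allow-omiieurope-members"
    return "Deny", f"rule result {result}"


if __name__ == "__main__":
    print(authorize(SAMPLE_MESSAGE, "CN=Alice Example,O=ExampleGrid,C=XX",
                    parse_timestamp("2007-08-28T12:00:00Z")))
```

Two details matter beyond the happy path: the assertion subject is compared with the DN that authenticated the SOAP call, so an assertion lifted from another user's message is rejected before any policy runs, and string-one-and-only turns a multi-valued group attribute into an Indeterminate result, which a deny-by-default PDP treats as Deny rather than as a match.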
Roadmap and Use Case OGSA-BES
Production SAML VOMS support is planned for the end of 2007
Aligned with UNICORE 6.1, starting with delegation scenarios now
Production client integration: GridSphere, but also the UNICORE Rich Client Platform client
GPE support is still a matter of ongoing discussion
Use case: OGF OGSA - Basic Execution Service (OGSA-BES)
Interface for job submission and management
Implemented on top of the UNICORE 6 backend (XNJS)
Job submission requests to the UNICORE OGSA-BES were allowed or denied depending on possession of group membership in a VO
Using the VOMS SAML service as AA
Prototype of the VOMS integration demonstrated at OGF 20
OMII-Europe multi-platform Grid infrastructure (proves open standards actually work!)
[Figure: OMII-Europe multi-platform Grid infrastructure; next steps shown in red/orange]
Towards technical e-Infrastructure interoperability
Achieving interoperability through usage of common open standards: OGSA-BES, SAML, XACML, ...
Use Case: RBAC for COVS (planned)
UNICORE 6 allows the development of higher-level application services that work on top of UASs
The Collaborative Online Visualization and Steering (COVS) service allows participants to share the same visualization session
COVS sessions require roles for users to be authorized for the different actions in a visualization session
E.g. add/remove participants of a collaborative session
VOMS provides fine-grained access control based on group membership and Role-Based Access Control (RBAC)
Participants are divided into groups (within the D-Grid Astro VO)
Assigned roles within groups imply different allowed actions: start/stop session, steer session, add/remove participants, etc.
[7] Riedel et al.
Related Work
Shibboleth: attribute-based authorization framework (among others)
Widely used, especially in the education community
Also based on SAML
IVOM: Interoperability and Integration of VO Management Technologies in D-Grid
Providing VO management solutions for UNICORE 5
Focus on the problem of aggregating attributes coming from different sources (e.g. Shibboleth and VOMS as AAs)
Using both AC VOMS and soon also SAML VOMS
Ongoing collaboration between the OMII-Europe VOMS activity and the German IVOM project
Link to talk from Wolfgang Ziegler (Attributes and VOs: Extending the UNICORE Authorisation Capabilities)
Link to talk from Kenneth Klingenstein (Internet-Scale Identity and Collaboration)
Conclusion
Different versions of VOMS are available soon:
AC VOMS (Attribute Certificate-based VOMS)
Releases RFC 3281 compliant attribute certificates
AC VOMS is used in production and will still be supported
SAML VOMS (SAML-based VOMS)
Developed in OMII-Europe
Releases signed SAML assertions
Intended to become the successor of AC VOMS in production soon
Grid middleware independent
UNICORE integration with VOMS:
Production release at the end of 2007 (with UNICORE 6.1)
Usable by many clients: GridSphere portals, UNICORE RCP, ...
References
[1] S. Farrell, R. Housley. An Internet Attribute Certificate Profile for Authorization. IETF RFC 3281, April 2002. http://www.ietf.org/rfc/rfc3281.txt
[2] I. Foster, C. Kesselman, and S. Tuecke. The Anatomy of the Grid: Enabling Scalable Virtual Organizations. International J. Supercomputer Applications, 15(3):200-222, 2001.
[3] R. Alfieri, R. Cecchini, V. Ciaschini, L. dell'Agnello, Á. Frohner, K. Lőrentey, and F. Spataro. From gridmap-file to VOMS: Managing Authorization in a Grid Environment. Future Generation Comp. Syst., 21(4):549-558, 2005.
[4] OASIS. OASIS Security Assertion Markup Language (SAML) TC. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security, 2005.
[5] R. Randall, R. Philpott, R. Metz, T. Wisniewsky, S. Cantor, and P. Madsen. SAML Attribute Sharing Profile for X.509 Authentication-Based Systems. http://www.oasis-open.org/committees/download.php/18058/, 2006.
[6] OASIS. OASIS eXtensible Access Control Markup Language (XACML) TC. http://www.oasis-open.org/committees/xacml, 2005.
[7] M. Riedel et al. Requirements and Design of a Collaborative Online Visualization and Steering Framework for Grid and e-Science Infrastructures. In Proc. of German e-Science Conference, Baden-Baden, 2007.
Questions
Morris Riedel, m.riedel@fz-juelich.de
Valerio Venturi, valerio.venturi@cnaf.infn.it
... In security, full X.509 certificates are used as base line, while the access control is based on XACML policies. A support for SAML-based VOMS (virtual organisation management service) [6] is available as well as support for proxy certificates. Apart from standards in the area of security, standards play also a significant role in the area of information. ...
... This process leads to the decision whether the service access request is denied or granted. The UNICORE 6 authorisation and authentication framework is inherently based on pluggable mechanism byFigure 4.1: Architecture of bridging Shibboleth and UNICORE 6 using handlers, some of which provide capabilities of handling SAML2 assertions namely SAMLInHandler and SAMLOutHandler as described in [6] . Bridging Shibboleth and the UNICORE 6 security model enables authentication and authorisation interoperability with all other middlewares supporting Shibboleth and GridShib-CA. ...
Article
Full-text available
In the last three years activities in Grid computing have changed; in particular in Europe the focus moved from pure research-oriented work on concepts, architectures, interfaces, and protocols towards activities driven by the usage of Grid technologies in day-to-day operation of e-infrastructure and in applicationdriven use cases. This change is also reected in the UNICORE activities [1]. The basic components and services have been established, and now the focus is increasingly on enhancement with higher level services, integration of upcoming standards, deployment in e-infrastructures, setup of interoperability use cases and integration of applications. The development of UNICORE started back more than 10 years ago, when in 1996 users, supercomputer centres and vendors were discussing "what prevents the efficient use of distributed supercomputers?". The result of this discussion was a consensus which still guides UNICORE today: seamless, secure and intuitive access to distributed resources. Since the end of 2002 continuous development of UNICORE took place in several EU-funded projects, with the subsequent broadening of the UNICORE community to participants from across Europe. In 2004 the UNICORE software became open source and since then UNICORE is developed within the open source developer community. Publishing UNICORE as open source under BSD license has promoted a major uptake in the community with contributions from multiple organisations. Today the developer community includes developers from Germany, Poland, Italy, UK, Russia and other countries. The structure of the paper is as follows. In Section 2 the architecture of UNICORE 6 as well as implemented standards are described, while Section 3 focusses on its clients. Section 4 covers recent developments and advancements of UNICORE 6, while in section 5 an outlook on future planned developments is given. The paper closes with a conclusion.
... XUUDB based authorisation can accommodate all access control requirements within a single site. For resource access cross sites, file transfer from different sites for example, UNICORE6 supports proxy certificates and provides an 3BThe Grid XACML entity that can be triggered to delegate access decision to a VO management system, the UNICORE VO service (UVOS) [127]. ...
... Existing approaches fall into two categories: general approach and federation-based approach. Representative systems using general approach include CAS (Community Authorization Service) [20], VOMS (Virtual Organization Management Service) [31] and TrustCoM [5] which are mainly designed for grid computing scenarios. Examples of the federation-based approach includes GridShib [33], CROWN-CredFed [15,18], Liberty [28], WS-Federation [19] and some delegation approaches [14] . ...
Article
Nowadays, various promising paradigms of distributed computing over the Internet, such as Grids, P2P and Clouds, have emerged for resource sharing and collaboration. To enable resources sharing and collaboration across different domains in an open computing environment, virtual organizations (VOs) often need to be established dynamically. However, the dynamic and autonomous characteristics of participating domains pose great challenges to the security of virtual organizations. In this paper, we propose a secure collaboration service, called PEACE-VO, for dynamic virtual organizations management. The federation approach based on role mapping has extensively been used to build virtual organizations over multiple domains. However, there is a serious issue of potential policy conflicts with this approach, which brings a security threat to the participating domains. To address this issue, we first depict concepts of implicit conflicts and explicit conflicts that may exist in virtual organization collaboration policies. Then, we propose a fully distributed algorithm to detect potential policy conflicts. With this algorithm participating domains do not have to disclose their full local privacy policies, and is able to withhold malicious internal attacks. Finally, we present the system architecture of PEACE-VO and design two protocols for VO management and authorization. PEACE-VO services and protocols have successfully been implemented in the CROWN test bed. Comprehensive experimental study demonstrates that our approach is scalable and efficient.
... They define the membership of accessing entities to specific VOs, information which can be used to find out which VO's data an accessing entity is authorized to retrieve. Newer methods use a combination of VOMS services and SAML (Security Assertion Markup Language) [42] to get the credentials of an accessing entity. As soon as credentials of a querying entity are known, the query can be filtered and the corresponding data sets can be provided. ...
Article
Full-text available
In many Grid infrastructures different kinds of information services are in use, which utilize different incompatible data structures and interfaces to encode and provide their data. Homogeneous monitoring of these infrastructures with the monitoring data being accessible everywhere independently of the middleware which provided it, is the basis for a consistent status reporting on the Grids’ resources and services. Thus, interoperability or interoperation between the different information services in a heterogeneous Grid infrastructure is required. Monitoring data must contain the identity of the affected Virtual Organization (VO) so that it can be related to the resources and services the VO has allocated to enable VO-specific information provision. This paper describes a distributed architecture for an interoperable information service, which combines data unification and categorization with policies for VO membership, VO resource management and data transformations. This service builds the basis for an integrated and interoperating monitoring of Grids, which provide their data to more than one VO and utilize heterogeneous information services.
... We published a good portion of the work reported in this Chapter in [104] and [103]. ...
Article
Full-text available
This thesis reasons on usage control in Data Grids, by presenting models, architectures and specifications. This work is a step toward a continuous monitoring and control of the data access and usage in a Data Grid. First, the thesis presents a background on Grids, security, and security for Grids, by making an abstraction to the current Grid implementations. We argue that usage control in Data Grids should be considered as a process composed by two black boxes. We analysed the requirements for Grid security, and propose a distributed usage control model suitable for Grids and distributed systems alike. Then, we apply such model to a Data Grid abstraction, and present a usage control architecture for Data Grids that uses the functional components of the currents Grids. We also present an abstract specification for an enforcing mechanism for usage control policies. To do so, we use a formal requirement engineering methodology with a bottom-up approach, that proves that the specification is sound and complete. With the methodology, we show formally that such abstract specification can enforce all the different typologies of usage control policies. Finally, we consider how existing prototypes can fit in the proposed architecture, and the advantages derived from using Semantic Grid techologies for the specification of policies subjects and objects.
Article
An interceptor is a generic architecture pattern, and has been used to resolve specific issues in a number of application domains. Many standard platforms such as CORBA also provide interception interfaces so that an interceptor developed for a specific application can become portable across systems running on the same platform. SOAP frameworks are commonly used platforms to build Web Services. However, there is no standard way to build interceptors portable across current SOAP frameworks, although, some of them provide proprietary interceptor solution within individual framework, such as Axis, XFire, and etc. In this paper, we propose the portable interceptor mechanism (PIM) consisting of a set of application programming interfaces (API) on SOAP engine, a core component of a SOAP framework. An interceptor is able to receive messages passing through the SOAP framework from the SOAP engine via these APIs. Furthermore, the proposed PIM facilitates run-time lifecycle management of interceptors that is a crucial feature to many application domains but is not fully supported by CORBA standard. For concept proving, we implement the proposed PIM on two popular SOAP frameworks, namely, Axis and XFire. We also discuss a number of implementation issues including the performance and reliability of PIM.
Article
Security infrastructure is one of the most challenging tasks in the development, integration and deployment of Grid middlewares. Even though the Grid community addresses the security issue through public key infrastructures (PKI) to support mutual authentication using X.509 certificates, maintaining X.509 credentials is not that easy for non-IT-experts, and has proved to be an obstacle for a more wide deployment of Grid technologies. The identity federation is an increasingly popular technology that can facilitate cross-domain single sign-on without requiring the users to maintain any credentials additional to their own institutional accounts. We believe that utilizing identity federation for Grid middlewares is a promising path for the Grid technology to get more widely used. This paper describes a single sign-on infrastructure developed as a part of the NorduGrid ARC (Advanced Resource Connector) Grid middleware. It adopts the identity federation standard (SAML), as well as other Web Service standards. It focuses on a single sign-on solution at the middleware level for users to access Grids by only using their frequently used accounts, without being bothered to maintain X.509 credentials. Users can use their username/password only to access Grids developed in ARC middleware, as well as access Grids developed in other middlewares that requires users to provide X.509 certificates. Moreover, the single sign-on for workflow-like Grid applications (in which intermediate entities act on behalf of users) is also supported. As an important aspect of single sign-on, authorization is also considered by implementing an attribute-based authorization using SAML standard. In addition, the performance of single sign-on solution is measured. We identify performance limitations of security-related services inside this solution, and analyse the ways to avoid the limitations. 
To our knowledge, the work presented in this paper is the first evaluated implementation that utilizes identity federation for Grid usage on the middleware level.
Chapter
Full-text available
Recently, more and more e-science projects require resources in more than one production e-science infrastructure, especially when using HTC and HPC concepts together in one scientific workflow. But the interoperability of these infrastructures is still not seamlessly provided today and we argue that this is due to the absence of a realistically implementable reference model in Grids. Therefore, the fundamental goal of this paper is to identify requirements that allows for the definition of the core building blocks of an interoperability reference model that represents a trimmed down version of OGSA in terms of functionality, is less complex, more fine-granular and thus easier to implement. The identified requirements are underpinned with gained experiences from world-wide interoperability efforts.
Conference Paper
Grid has been proved to be a promising technology for integrating heterogeneous resources. However, with the emerging of various Grid middle wares, the heterogeneous problem also occurs for Grid middleware themselves, as well as for the Grid services developed on those middle wares, which is an obstacle for the interoperation. SOA(Service Oriented Architecture) has been introduced into the development of Grid middewares and services to solve this problem. One of the challenging tasks in the development, integration and deployment of Grid middle wares is to provide security framework. In this paper, the key issue of Grid security framework, i.e., authorization, is focused, and an attribute-based authorization framework is presented. Due to the adoption of SAML, XACML and the generic Web Service specifications, the proposed framework can achieve interoperability to other standard-based attribute authority services, as well as other standard-based policy evaluation services.
Conference Paper
The UNICORE grid system provides a seamless, secure and intuitive access to distributed grid resources. In recent years, UNICORE 5 is used as a well-tested grid middleware system in production grids (e.g. DEISA, D-Grid) and at many supercomputer centers world-wide. Beyond this production usage, UNICORE serves as a solid basis in many European and International research projects and business scenarios from T-Systems, Philips Research, Intel, Fujitsu and others. To foster ongoing developments in multiple projects, UNICORE is open source under BSD license at SourceForge. More recently, the new Web services-based UNICORE 6 has become available that is based on open standards such as the Web services addressing (WS-A) and the Web services resource framework (WS-RF) and thus conforms to the open grid services architecture (OGSA) of the open grid forum (OGF). In this paper we present the evolution from production UNICORE 5 to the open standards-based UNICORE 6 and its various Web services-based interfaces. It describes the interface integration of emerging open standards such as OGSA-BES and OGSA-RUS and thus provides an overview of UNICORE 6.
Article
This specification defines the syntax and semantics for XML-encoded assertions about authentication, attributes, and authorization, and for the protocols that convey this information. Status: This is a second Committee Draft approved by the Security Services Technical Committee on 21 September 2004.
Article
The UNICORE Grid system has been developed since the late 1990s to support distributed computing applications and emerging Grid infrastructures. Over the years, UNICORE has evolved to a full-grown and well-tested Grid middleware system, which today is used in daily production at many supercomputing centers worldwide. Also, the UNICORE technology serves as a solid basis in many European and International research projects. In this paper, we present issues surrounding the integration of standards into the UNICORE Grid system. We summarize here the principal characteristics of the latest Web services-based Unicore/GS release, which provides significant enhancements in the areas of interoperability, standards compliance and functionality.
Conference Paper
"Grid" computing has emerged as an important new field, distinguished from conventional distributed computing by its focus on large-scale resource sharing, innovative applications, and, in some cases, high-performance orientation. In this article, we define this new field. First, we review the "Grid problem," which we define as flexible, secure, coordinated resource sharing among dynamic collections of individuals, institutions, and resources, what we refer to as virtual organizations. In such settings, we encounter unique authentication, authorization, resource access, resource discovery, and other challenges. It is this class of problem that is addressed by Grid technologies. Next, we present an extensible and open Grid architecture, in which protocols, services, application programming interfaces, and software development kits are categorized according to their roles in enabling resource sharing. We describe requirements that we believe any such mechanisms must satisfy, and we discuss the central role played by the intergrid protocols that enable interoperability among different Grid systems. Finally, we discuss how Grid technologies relate to other contemporary technologies, including enterprise integration, application service provider, storage service provider, and peer-to-peer computing. We maintain that Grid concepts and technologies complement and have much to contribute to these other approaches.
Conference Paper
Today's large-scale scientific research often relies on the collaborative use of a Grid or e-Science infrastructure (e.g. DEISA, EGEE, TeraGrid, OSG) with computational, storage, or other types of physical resources. One of the goals of these emerging infrastructures is to support the work of scientists with advanced problem-solving tools. Many e-Science applications within these infrastructures aim at simulations of a scientific problem on powerful parallel computing resources. Typically, a researcher first performs a simulation for some fixed amount of time and then analyses results in a separate post-processing step, for instance, by viewing results in visualizations. In earlier work we have described early prototypes of a Collaborative Online Visualization and Steering (COVS) Framework in Grids that performs both, simulation and visualization, at the same time (online) to increase the efficiency of e-Scientists. This paper evaluates the evolved mature reference implementation of the COVS framework design that is ready for production usage within Web service-based Grid and e-Science infrastructures.
Article
"Grid" computing has emerged as an important new field, distinguished from conventional distributed computing by its focus on large-scale resource sharing, innovative applications, and, in some cases, high-performance orientation. In this article, we define this new field. First, we review the "Grid problem," which we define as flexible, secure, coordinated resource sharing among dynamic collections of individuals, institutions, and resources, what we refer to as virtual organizations. In such settings, we encounter unique authentication, authorization, resource access, resource discovery, and other challenges. It is this class of problem that is addressed by Grid technologies. Next, we present an extensible and open Grid architecture, in which protocols, services, application programming interfaces, and software development kits are categorized according to their roles in enabling resource sharing. We describe requirements that we believe any such mechanisms must satisfy, and we discuss the central role played by the intergrid protocols that enable interoperability among different Grid systems. Finally, we discuss how Grid technologies relate to other contemporary technologies, including enterprise integration, application service provider, storage service provider, and peer-to-peer computing. We maintain that Grid concepts and technologies complement and have much to contribute to these other approaches.
Article
The UNICORE Grid technology provides seamless, secure and intuitive access to distributed Grid resources. In this paper we present the recent evolution from project results to production Grids. At the beginning UNICORE was developed as prototype software in two projects funded by the German research ministry (BMBF). Over the following years, in various European-funded projects, UNICORE evolved to a full-grown and well-tested Grid middleware system, which today is used in daily production at many supercomputing centers worldwide. Beyond this production usage, the UNICORE technology serves as a solid basis in many European and International research projects, which use existing UNICORE components to implement advanced features, high level services, and support for applications from a growing range of domains. In order to foster these ongoing developments, UNICORE is available as open source under BSD licence at SourceForge, where new releases are published on a regular basis. This paper is a review of the UNICORE achievements so far and gives a glimpse of the UNICORE roadmap.
Article
Grids are potentially composed of several thousands of users from different institutions sharing their computing resources (or using resources provided by third parties). Controlling access to these resources is a difficult problem, as it depends on the policies of the organizations the users belong to and of the resource owners. Moreover, a simple authorization implementation, based on a direct user registration on the resources, is not applicable to a large scale environment. In this paper we describe the solution to this problem developed in the framework of the European DataGrid (1) and DataTAG (2) projects: the Virtual Organization Membership Service (VOMS) (3). VOMS allows a fine-grained control of the use of the resources both to the users' organizations and to the resource owners.