Study On Reputation Evaluation And Trusted Authorization For Grid Virtual Organization

Posted on: 2009-03-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J S Gui
Full Text: PDF
GTID: 1118360278457312
Subject: Computer application technology
Abstract/Summary:
A virtual organization is defined as flexible, secure, coordinated resource sharing among dynamic collections of individuals, institutions, and resources. Constructing virtual organizations on demand in a dynamic and timely manner suits the diversity of grid applications and the dynamic character of grid resources. However, current reputation mechanisms for constructing dynamic virtual organizations and authorization mechanisms for running them are incomplete. For example, centralized reputation models scale poorly, and distributed reputation models mostly depend on distributed hash table technology to implement global reputation management; authorization systems for virtual organizations lack an authorization enforcement function, their authorization decision processes lack the capability of continuous decision, and their policy specifications do not express fine-grained authorization policies for resources. This paper studies these problems in depth. The main work and contributions are as follows:

(1) To suit the characteristics of dynamic virtual organizations, a new reputation mechanism is proposed. Existing distributed reputation mechanisms cannot efficiently solve the problems of the grid environment, and existing trust measurement methods cannot adequately describe the behavior of grid services. A fuzzy-set method of trust measurement is proposed, which adopts seven grades to evaluate a grid service according to its QoS attributes; the trust vector of the grid service is calculated from the evaluation values. The experimental results show this method is better than the existing methods. Based on the behavior of grid services, local reputation values of grid nodes are obtained and aggregated through the proposed Reputation Overlay Network (RON). Theoretical analysis and experimental results show that RON can efficiently restrain forgery and collusion attacks and better satisfy the demands of calculating global reputation.

(2) To control the authorization enforcement process in a fine-grained manner and satisfy the restricted delegation requirements of grid applications, a hierarchical-role-based delegation authorization enforcement model for virtual organizations is proposed. The dynamic character of granting and revoking delegation roles, and the associated constraints on granting delegation roles, are effectively supported. Fine-grained associated role dependency is implemented by adding trustworthiness. The partial delegation problem is solved by defining the role tree as the basic unit of delegation authorization and by pruning the role tree. A delegation spread tree with trustworthiness is defined to implement multi-step delegation in a fine-grained manner. The delegation certification is proposed to fully express temporary delegation, associated role delegation, partial delegation, and multi-step delegation. Based on the above work, a set of formal delegation authorization enforcement rules is proposed and proved, and the delegation authorization enforcement process is effectively controlled by it. The exhibited example shows that the model satisfies various restricted delegation requirements of grid applications.

(3) To overcome the weak expressive capabilities of the usage control models based on authorization predicate (UCON_A), on obligation action (UCON_B), and on condition predication decision (UCON_C), improved models and the corresponding policy specifications are proposed for each. The delegation certification is used to express the decision response in a fine-grained manner, and UCON_A, UCON_B, and UCON_C are improved as SG_UCON_A (UCON_A for service grid), SG_UCON_B (UCON_B for service grid), and SG_UCON_C (UCON_C for service grid), respectively. Delegation certification processing statuses are defined to replace the simple access status. The decision component can produce a reasonable delegation certification based on the system status when a request arrives, and can also decide to change the delegation certification processing status when the system status changes. To verify the expressive capabilities of the above models, the corresponding policy specifications are given, and their completeness and soundness are proved. The exhibited example shows that they can avoid repeatedly generating the delegation certification for the same access requests, express authorization policy in a fine-grained manner, and produce reasonable decision responses.

(4) To implement mutability of authorization attributes and continuity of authorization decisions in virtual organizations for the service grid, a fine-grained grid authorization decision service is proposed. This service maintains the processing status of a delegation certification when the system status changes, for example by changing its status according to the response of a continuous authorization decision. A delegation certification can be used by the authorization enforcement service only when its processing status is 'using_dc', which satisfies the requirement of enabling permissions on demand in grid applications. The authorization decision process is modeled in Petri nets, and its correctness is verified in this paper. The validation result shows that there is no deadlock, stop, or infinite loop in the authorization decision process, that the statuses of this process are limited, and that the various instances are all dealt with in it.

(5) To dynamically manage permissions through the tasks and task statuses of a workflow in a virtual organization, an authorization enforcement model for workflow is proposed. Delegation steps, delegation units, and their dependency relationships are defined to formally describe the inherent restriction relationships between flow tasks, which better describes an authorization workflow. A life-period model of the delegation step is defined, which better describes the status update process of an authorization workflow. The authorization enforcement process of a workflow can be controlled in a fine-grained manner by the proposed workflow authorization enforcement algorithm. The exhibited example shows that the model can satisfy the security requirements of workflow applications in virtual organizations.
Keywords/Search Tags: service grid, virtual organization, reputation evaluation, authorization decision, authorization enforcement, fine-grained control