
Research Of Role Based Fine-grained Authorization System In The Grid Environment

Posted on: 2005-04-04
Degree: Master
Type: Thesis
Country: China
Candidate: Q C Zhang
Full Text: PDF
GTID: 2168360152969139
Subject: Computer system architecture

Abstract/Summary:
Grid computing has recently emerged as a new form of distributed computing infrastructure. Because services and resources in wide-area networks are distributed dynamically across heterogeneous, multi-domain environments, security is a critical concern in grid computing. Authorization is a very important aspect of security, but there is still no perfect method for it. GT2 used an ACL file known as the gridmap file to map Grid identities to a local identity associated with a Unix account. A GT3 installation uses the same file as a GT2 installation. It has a number of shortcomings when matched against the requirements of a VO. For example, authorization on the job manager is coarse-grained and static. Local enforcement depends on the rights attached to the user's account, not the rights presented by the user with a specific request. A local account must exist for each user, which creates an undue burden on system administrators and users alike.

To solve the problems above, we propose a general authorization and access control architecture, RB-GACA, for grid computing. It is based on the RBAC96 model and uses the GSI environment provided by the Globus Toolkit as its platform. In the RB-GACA model, we introduce some important concepts, such as Organization Unit, Domain, Action Group and Object Group. With these, it can reduce the difficulty of implementing the RBAC model and enable the system manager to manage authorization from the point of view of the department organization, which reduces the occurrence of misoperations.

The RB-GACA model is composed of three components: the Role Authorization Management System (RAS), the Access Control Decision System (ACDS) and the Authorization Request Execution System (ARES). RAS is in charge of managing the authorization policies, making use of the SAML specifications and X.509 certificate extensions. ACDS is the component that performs authentication and authorization of the client that talks to it. Authentication is done using the standard GSS token-sharing protocol, while authorization is done by simply looking up the client's DN in the database and then returning a limited proxy certificate, which embeds the security policies relating to the requesting user in the virtual organization. ARES modifies the resource servers and enables them to recognize the access control policies embedded in the proxy certificates, implementing fine-grained access control by combining their own policies with the policies embedded in the proxy certificate.
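To make the contrast in the abstract concrete, the following added example (not code from the thesis or from Globus) puts the gridmap lookup that the abstract criticises next to a decision of the kind RB-GACA describes: the permissions a limited proxy would carry for the user's VO roles are intersected with the resource server's own policy, and a request is granted only when both agree. The gridmap line format is the real GT2/GT3 one; the DNs, role and policy tables, and the Action Group / Object Group encoding are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed gridmap lines in the GT2/GT3 format: "<DN>" <local account>
GRIDMAP = '''"/C=CN/O=Grid/OU=Lab/CN=Alice" gridalice
"/C=CN/O=Grid/OU=Lab/CN=Bob" gridbob
'''

def gridmap_lookup(gridmap: str, dn: str) -> Optional[str]:
    """Coarse-grained mapping: whatever rights the local account has apply to
    every request, and a user with no account cannot be authorized at all."""
    for line in gridmap.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        quoted, _, account = line.rpartition(" ")   # DN may contain spaces
        if quoted.strip('"') == dn:
            return account.strip()
    return None

@dataclass(frozen=True)
class Permission:
    action_group: str   # assumed grouping of actions, e.g. "read-ops"
    object_group: str   # assumed grouping of objects, e.g. "lab-data"

# Assumed VO policy that ACDS would embed in the limited proxy: role -> permissions
VO_POLICY = {
    "researcher": {Permission("read-ops", "lab-data")},
    "admin": {Permission("read-ops", "lab-data"), Permission("write-ops", "lab-data")},
}
# Assumed resource-local (ARES-side) policy: what each group expands to on this
# server, and which (action group, object group) pairs the server itself allows.
LOCAL_ACTIONS = {"read-ops": {"read", "list"}, "write-ops": {"write", "delete"}}
LOCAL_OBJECTS = {"lab-data": {"/data/run1", "/data/run2"}}
LOCAL_POLICY = {Permission("read-ops", "lab-data"), Permission("write-ops", "lab-data")}

def proxy_policy(roles) -> set:
    """Permissions carried in the proxy for the roles the VO assigned the user."""
    return set().union(*(VO_POLICY.get(r, set()) for r in roles))

def fine_grained_decision(proxy_perms: set, action: str, obj: str) -> bool:
    """Grant only if a permission is present in BOTH the proxy's VO policy and the
    resource's local policy, and it covers this specific action and object."""
    effective = proxy_perms & LOCAL_POLICY
    return any(action in LOCAL_ACTIONS.get(p.action_group, set())
               and obj in LOCAL_OBJECTS.get(p.object_group, set())
               for p in effective)
```

The decision is per request (action and object) and needs no local account for the requester, which is the property the abstract attributes to RB-GACA over the gridmap file.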
Keywords/Search Tags: Grid, Security, Authorization, VO, RBAC, SAML