The Study Of The Attribute Certificate-Based Authorization Schema In Grid And Its Application In The Distance Education

Posted on: 2007-03-23
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Wen
GTID: 2178360182996242
Subject: Computer system architecture

Abstract/Summary:
Grid Computing is a new infrastructure model for distributed computing. It differs from traditional network systems. In a Grid environment, all users and resources are dynamic. Trust between them should be created and destroyed dynamically, and it should be independent of the location of the entity. It has broken the restrictions of traditional sharing and cooperation. In a Grid environment, the security schema in each dependent domain imposes restrictions on the computing resources. With it, a new resource-sharing model, freer and more convenient, has appeared. It has also resolved problems that the traditional network could not resolve. Meanwhile, features such as the heterogeneity of resources and services, dynamism, and multiple domains make the security schema very important. Authorization and access control are two important parts of the security field, but there are currently not many methods for resolving these problems in the Grid.

In GT2, the global user is mapped to a local account, and authorization is done with an access control list based on the grid-mapfile. GT3 adopts the same method. But this method cannot meet users' demands in virtual domains. For example, authorization for job management is coarse-grained and static. Whether a local program can be executed depends on the rights of the local account, and the privilege cannot be changed according to the user's request. In addition, every Grid user must have a local account, which increases the burden on both the system administrator and the user. In GT4, the user's authorization information can be conveyed to the required service using a SAML decision statement. It also supports custom authorization modules through the SAML callout, so that researchers and developers can develop their own authorization schemas.

Based on RBAC and the attribute certificate, a new attribute certificate-based authorization schema has been proposed to address the shortcomings of the existing authorization schemas. To some degree it meets the security demands. The authorization schema has been implemented using the interface and the existing authentication technique. Roles are used in the schema, and a role can be conveyed to the accessed object without being broken. To improve the efficiency of authorization, a Cache has been designed between the online certificate lib and the authorization model, and it...
Keywords/Search Tags: Grid Authorization, RBAC, Attribute Certificate, Cache, Distance Education