Study Of The Role-based Authorization Mechanism Of The Grid And Its Application In Manufacturing Grid

Posted on: 2008-06-13
Degree: Master
Type: Thesis
Country: China
Candidate: G L Lv
GTID: 2178360212996831
Subject: Computer system architecture

Abstract/Summary:
Grid computing is a new infrastructure model for distributed computing, and it differs from the traditional network system. In the Grid environment, all users and resources are dynamic. Trust between entities must be created and destroyed dynamically and must not depend on where the entities are located, which breaks the restrictions of traditional sharing and cooperation. In the Grid environment, the security schema of each dependent domain places restrictions on the computing resources. Breaking through these restrictions yields a new resource-sharing model that is freer and more convenient, and that resolves problems the traditional network cannot resolve. Meanwhile, the features of the resources and services, such as heterogeneity, dynamism and multiple domains, determine the importance of the security schema.

There is currently a lot of research on Grid authorization problems, and several authorization model frameworks have been proposed. For example, Chadwick and Otenko proposed a policy-driven RBAC Privilege Management Infrastructure (Permis) in 2002, Thompson et al. proposed an access control architecture (Akenti) in 1999, Pearlman et al. proposed the Community Authorisation Service (CAS) in 2002, and Alfieri et al. proposed the Virtual Organisation Membership Service (VOMS) in 2003. Some of these models suffer from centralized management problems or from interoperability problems between virtual organizations.

Authorization and access control mechanisms in the Grid environment have deficiencies. Based on an analysis of the RBAC and IRBAC models, this paper improves the RBAC model and proposes the CRBAC and ICRBAC models. The ICRBAC model, which is built from the CRBAC model, is better suited to distributed multi-domain interoperability issues. Taking the characteristics of the Grid environment into account, this paper proposes the G-ICRBAC framework.
Through the combination of Globus Toolkit 4 and the framework, it realizes a grid authentication and authorization system and applies the system to the resource management system in the manufacturing grid.

The work done in this paper is as follows:

1. The CRBAC model is proposed.
RBAC is a role-based access control model. The IRBAC model improves RBAC and is mostly used to resolve interoperability issues. When the IRBAC model transforms roles between domains, the following problems may arise. First, it violates the principle of separation of duties. Second, there are circular transformations between the domains' roles. Third, the fact that roles can be freely transformed between domains may bring potential security problems. These problems undermine the security strategy within a domain and affect the security of the transformation between the domains' roles.
Therefore, a classed role-based access control model, CRBAC, is proposed. The model introduces administrative roles, interoperability administrative roles, in-roles, out-roles and common roles. Administrative roles are responsible for management within the domain. Interoperability administrative roles are responsible for the proxying of roles between domains. Roles outside these categories are known as common roles. The model targets the problems that exist in the transformation between domains' roles. This paper proposes the concept of the interface role, which covers the in-role and the out-role; their duties are strictly limited. ICRBAC is a good model for solving the above problems. It makes the transformation between domains' roles simple, flexible and secure.

2. G-ICRBAC is proposed.
A virtual organization needs its security strategy to be localized, and it is difficult to implement uniform access control from a center. If distributed control can be implemented, each virtual organization forms its own trust domain.
Before inter-domain access can be implemented, trust authorization between the domains must be implemented. There must be a mechanism that can grant an out-of-domain user access privileges inside the domain.
The ICRBAC model meets the demands of distributed management and of cross-domain trust authorization. Therefore, following the ICRBAC model, this paper designs and implements the grid environment based on the PKI ICRBAC model. The framework includes the authentication center, the certification database, the domain security strategy management module, the local access control, the remote access control and the audit management components. The extension of this model discusses the environmental information collection process, the variable attribute values of the certificates that confer privileges, and the access verification algorithm, and gives examples of access. This model can meet the demands of distributed management in grid access control. It implements cross-domain authorization and role management inside the system. The model can also grant different privileges according to the user's login environment.

3. The paper implements the G-ICRBAC system.
For the implementation, this paper adopts a Linux-based development platform, using key PKI technologies, an LDAP server to store certificates, and the C++ language with the OpenSSL library. Following the modules of the G-ICRBAC framework, this paper implements the main modules of the system. Among these, it mainly designs and implements the certificate center, the certificate database, security strategy management, and the LAC and RAC modules. The certificate center realizes domain certificates, identity certificates, role proxy certificates, role authentication certificates, authority granting certificates, access certificates and so on. It also provides authentication and certificate issuance and removal. It is a firm foundation for realizing the overall system.
Certificates of different types are classified for storage, which improves the speed of retrieval. The local access control deals with requests for local resources. In the implementation, this paper designs two request queues that process requests from the local domain and from outside domains respectively, which ensures the availability and reliability of the system and serves local user requests first. It compares and analyzes two authorization algorithms and caches the user role set generated from the user's role during verification, which improves the speed of the second access. The remote access control processes requests from outside domains.

4. An application in the manufacturing grid based on G-ICRBAC.
On the Globus Toolkit 4 platform integrated with the G-ICRBAC model, this paper introduces a grid application development model based on the G-ICRBAC system and the Web Service development process of GT4. Taking advantage of developing Grid Services in Java, it implements a resource management system application in the manufacturing grid.
The design and implementation of the resource management system includes the register module, the security strategy management module and the resource management module. Each module is deployed as a Grid Web Service.
The application of the G-ICRBAC system in the manufacturing grid resource management system demonstrates the reliability, stability and high availability of the system.
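
As an added illustration (not code from the thesis), the Python example below checks a set of inter-domain role mappings for the problems the abstract attributes to unrestricted role transformation: circular transformations, separation-of-duties violations, and mappings that bypass the interface roles. The role names, the mapping representation and the rule that a mapping must run from an out-role to an in-role of another domain are assumptions, since the abstract does not define them.

```python
from collections import defaultdict

# Constructed sample data (assumed names); a role is a (domain, role_name) pair.
OUT_ROLES = {("A", "a_out"), ("B", "b_out")}   # interface roles leaving a domain
IN_ROLES = {("A", "a_in"), ("B", "b_in")}      # interface roles entering a domain
SOD_PAIRS = [frozenset({("B", "auditor"), ("B", "cashier")})]  # mutually exclusive
FREE_MAPPING = [  # unrestricted role-to-role transformation
    (("A", "engineer"), ("B", "auditor")),
    (("A", "engineer"), ("B", "cashier")),
    (("B", "auditor"), ("A", "engineer")),
]
INTERFACE_MAPPING = [  # only out-role -> in-role of another domain
    (("A", "a_out"), ("B", "b_in")),
    (("B", "b_out"), ("A", "a_in")),
]

def find_cycle(mappings):
    """Return one circular chain of role transformations, or None."""
    graph = defaultdict(list)
    for src, dst in mappings:
        graph[src].append(dst)
    state = {}  # 1 = on the current DFS path, 2 = fully explored
    def dfs(node, path):
        state[node] = 1
        path.append(node)
        for nxt in graph.get(node, []):
            if state.get(nxt) == 1:
                return path[path.index(nxt):] + [nxt]
            if nxt not in state and (found := dfs(nxt, path)):
                return found
        path.pop()
        state[node] = 2
    for start in list(graph):
        if start not in state and (found := dfs(start, [])):
            return found
    return None

def sod_violations(mappings, sod_pairs):
    """Source roles that are transformed into both roles of an exclusive pair."""
    targets = defaultdict(set)
    for src, dst in mappings:
        targets[src].add(dst)
    return [(src, sorted(pair)) for src, got in targets.items()
            for pair in sod_pairs if pair <= got]

def non_interface(mappings, out_roles=OUT_ROLES, in_roles=IN_ROLES):
    """Mappings that bypass the interface roles or stay inside one domain."""
    return [(s, d) for s, d in mappings
            if s not in out_roles or d not in in_roles or s[0] == d[0]]
```

Run against `FREE_MAPPING`, all three checks report findings; against `INTERFACE_MAPPING`, none do.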
Keywords/Search Tags: Grid Authorization, RBAC, PKI, Manufacturing Grid