Research And Implementation Of Grid Security Management System Based On The Portal

Posted on: 2007-04-22
Degree: Master
Type: Thesis
Country: China
Candidate: H Liu
Full Text: PDF
GTID: 2178360215469961
Subject: Computer Science and Technology

Abstract/Summary:
With the development of Grid Computing, grid security is becoming more and more important; it is one of the vital factors in Grid Computing. Within grid security, problems such as the management of portal resources, the portal-based management of user certificates and the authorization of grid resources have become very active topics.

The work of this thesis is based on the requirements of two grid portal applications: the China Meteorology Application Grid Portal and the NUDT Campus High Performance Computing Grid Portal. The two portals have the same grid security requirements, including proper and effective management of resources at the portal level, convenient and secure management of certificates, single login for users, fine-grained authorization for grid resources and so on. At present, access control for securing resources at the portal level is difficult to solve, and authorization for grid resources is rather coarse.

To solve these problems, this thesis first studies the relevant background: the essentials of the grid portal, the specific portal framework GridSphere, the GSI security mechanism, the PKI mechanism, X.509 certificates and the MyProxy technique. Then, according to the actual grid environment, it proposes a two-layer architecture for the grid portal's security control.

In the upper layer, by introducing the portal VO and considering the actual requirements, it proposes an access control method that combines global RBAC with the portal VO, to solve the common problems of access control for securing portal resources and to present different views of portal resources to different users.

In the lower layer, after analyzing the authorization principles of present mechanisms such as Gridmap authorization in GSI, CAS authorization and VOMS authorization, and pointing out their limitation of coarse granularity, it proposes a dynamic authorization mechanism that combines the VO with access control based on the task role. This mechanism ties the authorization for grid resources to the task and its states, to support dynamic fine-grained authorization.

Based on the study above, this thesis proposes a system framework for grid security management that consists of three main modules: access control for the portal, user registration integrated with certificate management, and fine-grained authorization for grid resources. After describing the design and implementation of the three modules, it makes a performance comparison between this system and other corresponding systems abroad. Finally, the thesis introduces the application of the system in the two grid portals mentioned above, which demonstrates that the work of this thesis is significant not only in theory but also in practice.
Keywords/Search Tags: Grid Portal, Grid Security, GSI, MyProxy, RBAC, Task, VO, Authorization