The Research Of The Grid Authorization Service Based On Resource States And RBAC

As a special distributed computing infrastructure, Grid is dynamic, heterogeneous and multi-domain. Because of those specialities, grid security becomes one of the most important parts of the grid computing. Authentication and authorization are the critical concerns in the researches of the grid security technology. GSI (Grid Security Infrastructure) of the Globus project focus on the authentication and message protection. But there is still not a perfect mechanism to support the authorization.Most of the existing authorization methods are restricted by the scope of the grid system, so it lacks the expansibility. They also can't decide the access right policies dynamically based on the states of the resources requested, therefore it lacks the agility. RSRBA (Resource States & Role Based Authorization) combines role-based access control technology and Grid Information Services. The scheme provides fine-grained authorization, and decides the access right policies according to the states of the resources requested dynamically. In the RSRBA model, the grid environment is divided into several domains, so it enables the system administrator to manage the domain and carry out the authorization conveniently.The RSRBA authorization system covers three ends: User end, Server end and Resource end, and the Server end is the kernel. Every independent domain has a server end. The server end is composed of the three components: Domain Management module is used to manage all the entities and roles in the domain; Information Service Module provides the state information of all the resources in the domain; Authorization Service Module queries the domain policy database and decides the access control policies according to the best resource's states provided by the Information Service Module. Authorization Enforcement Module is set in the resource end. It recognizes the access control policies embedded in the certificate generated by the Authorization Service Module, and make the final decision whether the resource accessing is allowed through combining resource's local policies with the ones embedded in the certificate.