
Research On Access Control In Secure Grid Interoperation

Posted on: 2008-01-18
Degree: Master
Type: Thesis
Country: China
Candidate: M Li
GTID: 2178360272969717
Subject: Computer software and theory
Abstract/Summary:
With the development of grid technology, universities, companies and research institutions around the world have developed many grid platforms. However, grid standards are still far from complete, which makes interoperation among the various grid platforms difficult to achieve. In addition, as grids have gradually expanded into business areas, more and more attention has been paid to their security. How to ensure security during grid interoperation is becoming one of the most important issues. The problems that secure grid interoperation must solve include access control, authentication and secure message transport. Of these, access control is much less mature than authentication and secure message transport.

Traditional access control mechanisms, e.g., user-based access control and role-based access control, can be applied to secure grid interoperation. However, these two mechanisms increase the burden on the policy manager and on the system itself. To solve this problem, a role mapping-based access control mechanism has been proposed. According to this mechanism, a role which has a higher level in the mapping site should get a higher level in the mapped site. This mechanism is more flexible and extensible than the traditional mechanisms.

Portal-based secure interoperation and direct secure interoperation have been implemented using the role mapping-based access control mechanism for secure grid interoperation between CGSP (ChinaGrid Support Platform) and VEGA. The portal-based secure interoperation access control system includes attaining user roles, role mapping, proxy user binding, etc. The direct secure interoperation access control system includes attaining user roles, role mapping, attaining the access control list, service address changing, access control enforcement, etc.

In the portal-based implementation, grid users with different roles can visit CGSP and VEGA by being mapped to different proxy users. In the direct interoperation solution, different roles of CGSP users have different authorizations to VEGA services according to the access control policies managed in VEGA. Operations by the VEGA policy manager, such as adding, deleting and updating authorization policies for specific VEGA services, can be mapped to the corresponding roles in CGSP.

The test results also show that, as the number of roles and services in the systems increases, the role mapping-based access control mechanism lightens the burden on the policy manager and on the system itself considerably more than the traditional mechanisms do, and that it implements secure interoperation between CGSP and VEGA.
Keywords/Search Tags:Secure Grid Interoperation, Access Control, Role Mapping Model, Role Mapping-based Access Control