
Grid Security System and RBAC-Based Design and Realization

Posted on: 2007-01-25  Degree: Master  Type: Thesis
Country: China  Candidate: P Liu  Full Text: PDF
GTID: 2208360185456306  Subject: Computer software and theory
Abstract/Summary:
Grid computing has recently emerged as a new form of distributed computing infrastructure. Because the services and resources in wide-area networks are dynamic, heterogeneous and multi-domain, security is a critical concern in grid computing. Authorization and access control are very important aspects of security, but there is still no perfect method for handling them.

GT2 used an ACL file, known as the gridmap file, to map a Grid identity to a local identity associated with a Unix account. A GT3 installation uses the same file as a GT2 installation. This approach has a number of shortcomings when measured against the requirements of a Virtual Organization (VO). For example, authorization on the job manager is static. Local enforcement depends on the rights attached to the user's account, not the rights presented by the user with a specific request. A local account must exist for each user, which creates an undue burden on system administrators and users.

To solve the problems above, we propose an access control architecture, R-GSS, for grid computing. It is based on the RBAC96 model and uses the GSI environment provided by the Globus Toolkit as its platform. In the R-GSS model, we introduce some important concepts, such as Organization Unit, User Group and Object Group. These reduce the difficulty of implementing the RBAC model.

The R-GSS model is composed of three components: the Access Control Decision Server (ACDS), the LDAP Directory Service Server and the Access Control Execution Server (ACES). ACDS is the component that authenticates and authorizes the client that talks to it. Authentication is done using the standard token sharing protocol of GSS (Generic Security Service), while authorization is done by simply looking up the client's DN in the database and then returning a limited proxy certificate, which embeds the security policies relating to the requesting user in the virtual organization. LDAP stores information about the Certificate Authority, Object Policy, Locality Information and so on. ACES enhances the resource servers and enables them to recognize the access control policies embedded in the proxy certificates, and implements fine-grained access control by combining its own policies with...
Keywords/Search Tags:Grid, Security, Authorization, Group, RBAC
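
The contrast the abstract draws between the static gridmap-file mapping and a role-based, per-request decision, as an added Python example (not code from the thesis, Globus or R-GSS). The DNs, account names, roles, permissions and the object-group name are constructed, and the policy tables are a generic RBAC96-style sketch, not the R-GSS design.

```python
import shlex

ALICE = "/O=Grid/OU=example.org/CN=Alice Chen"  # constructed DNs
CAROL = "/O=Grid/OU=example.org/CN=Carol Li"

# Constructed sample gridmap file: quoted certificate DN, then a local Unix account.
GRIDMAP = '''
# constructed entries, not taken from the thesis
"/O=Grid/OU=example.org/CN=Alice Chen" alice
"/O=Grid/OU=example.org/CN=Bob Wu" bob
'''

def parse_gridmap(text):
    """Return {DN: local account}, skipping blank lines and # comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quotes around the DN
        if len(parts) != 2:
            raise ValueError(f"malformed gridmap line: {line!r}")
        mapping[parts[0]] = parts[1]
    return mapping

def gridmap_authorize(mapping, dn):
    # Static: a listed DN gets the account's full rights, whatever it asks for;
    # an unlisted DN (no local account) gets None, i.e. no access at all.
    return mapping.get(dn)

# Hypothetical RBAC96-style policy: UA (user -> roles), PA (role -> permissions),
# and a role hierarchy in which vo-admin inherits from vo-member.
USER_ROLES = {ALICE: {"vo-admin"}, CAROL: {"vo-member"}}
ROLE_PERMS = {"vo-member": {("submit", "batch-queue")},
              "vo-admin": {("cancel", "batch-queue")}}
SENIOR_TO_JUNIOR = {"vo-admin": {"vo-member"}}

def effective_roles(roles):
    """Close a role set over the hierarchy (senior roles inherit junior ones)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(SENIOR_TO_JUNIOR.get(role, ()))
    return seen

def rbac_authorize(dn, operation, obj):
    """Per-request decision: deny unless an effective role grants (operation, obj)."""
    roles = effective_roles(USER_ROLES.get(dn, ()))
    return any((operation, obj) in ROLE_PERMS.get(r, ()) for r in roles)
```

Carol has no gridmap entry, so the static check refuses her outright, while the role-based check allows her to submit but not to cancel without any local account being created for her.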