
Research Of The Authentication And Authorization Mechanism And Implement In The Campus Computing Grid

Posted on: 2012-02-20
Degree: Master
Type: Thesis
Country: China
Candidate: Z Cheng
Full Text: PDF
GTID: 2218330338967941
Subject: Computer software and theory
Abstract/Summary:
With the development of Grid Computing, grid security has become increasingly important and is one of the vital factors in Grid Computing. Within grid security, problems such as the management of portal resources, the management of user certificates through the portal, and the authorization of grid resources have become hot topics.

The work of this thesis is based on the requirements of a campus grid application, the Campus Computing Grid (UCGrid3.0). In the area of grid security this platform requires proper and effective management of resources at the portal level, convenient and secure management of certificates, single sign-on for users, fine-grained authorization for grid resources, and so on. At present, access control for securing resources at the portal level is difficult to solve, and the authorization of grid resources is rather coarse.

To address these problems, this thesis first introduces the classic authentication and authorization systems: the Kerberos authentication system and four authorization systems, CAS, VOMS, Akenti and PERMIS. It analyzes the principles of each and finds that Kerberos offers poor support for single sign-on in this setting, and that the four authorization systems share defects such as insufficient granularity of authorization. It then studies the security component of Globus Toolkit 4, the Grid Security Infrastructure (GSI), together with its authentication and authorization mechanisms, and explains how custom authentication and authorization are introduced into GSI at the interface level through security descriptors. At the same time, the thesis studies the key technologies for designing an authentication and authorization component: the role-based access control (RBAC) framework, the Security Assertion Markup Language (SAML standard) and the eXtensible Access Control Markup Language (XACML standard).

RBAC introduces the concept of a "role" between users and privileges: concrete users are mapped to abstract roles, and permissions are associated with roles, so that access control is performed on the basis of roles. In a grid, each virtual organization (VO) may have its own authentication and authorization policy, which poses a great challenge when a user accesses different VOs. Because SAML and XACML are XML-based standards, authentication and authorization can be expressed in a uniform manner that hides the differences between policies, simplifies policy conversion, and makes authentication and authorization operations easier to perform. SAML carries the authentication time, IP address and authentication credentials in SAML assertions, so that a user can access different VOs on the strength of the assertion without re-verifying identity. XACML stores user permissions in XML policy documents; each request is compared against the policy and an authorization response is returned. Since permissions live in policy files, the permissions of each user can be set very flexibly, achieving dynamic authorization.

Based on the above research, this thesis combines SAML with GSI to propose a GSI- and SAML-based authentication method, and applies it to cross-domain access to realize "one authentication, multiple accesses". On the basis of GSI, it combines RBAC and XACML to realize role-based dynamic authorization and finer-grained access control over grid resources, and finally deploys this on the campus computing grid platform. The thesis also builds an external CA, integrated with the campus grid platform, to generate user certificates and to make certificate management easier for platform administrators, which effectively improves the security of the campus computing grid platform.
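The RBAC-plus-XACML authorization described above, as an added example in Python that is not code from the thesis or from the UCGrid platform: a small policy decision point (PDP) maps users to roles, reads an XML policy document, and returns Permit, Deny or NotApplicable for a request, while the policy enforcement point (PEP) grants access only on an explicit Permit. The XML schema, the user names, roles, resource and policy are constructed, hypothetical sample data; the element names are a deliberately simplified stand-in for real XACML markup, not the standard itself.

```python
"""Added example, not code from the thesis: a minimal policy decision point
(PDP) that combines an RBAC user-to-role mapping with an XACML-style policy
document. The XML schema below is a simplified, hypothetical stand-in for real
XACML markup; users, roles, resource and policy are constructed sample data."""
import xml.etree.ElementTree as ET

# RBAC layer (constructed): each user is mapped to abstract roles; permissions
# are attached to roles in the policy, never to users directly.
USER_ROLES = {
    "alice": {"student"},
    "bob": {"teacher", "student"},   # holds two roles, so two rules can match
    "carol": set(),                  # registered on the portal, no role yet
}

# Policy document (constructed, simplified XACML-like schema). A rule targets a
# role/resource/action triple; an optional Condition narrows it further.
POLICY_XML = """\
<Policy RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="teacher-submit" Effect="Permit">
    <Target role="teacher" resource="compute-cluster" action="submit"/>
  </Rule>
  <Rule RuleId="student-submit-small" Effect="Permit">
    <Target role="student" resource="compute-cluster" action="submit"/>
    <Condition attr="cpu-hours" op="le" value="8"/>
  </Rule>
  <Rule RuleId="student-no-admin" Effect="Deny">
    <Target role="student" resource="compute-cluster" action="admin"/>
  </Rule>
  <Rule RuleId="teacher-admin" Effect="Permit">
    <Target role="teacher" resource="compute-cluster" action="admin"/>
  </Rule>
</Policy>
"""

_OPS = {
    "le": lambda a, b: a <= b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def _condition_holds(cond, attrs):
    """Evaluate one <Condition>. A missing request attribute is 'Indeterminate'
    in XACML terms; it is folded into 'does not hold' so a rule can never fire
    on incomplete information."""
    name = cond.get("attr")
    if name not in attrs:
        return False
    return _OPS[cond.get("op")](float(attrs[name]), float(cond.get("value")))


def evaluate(policy_xml, roles, resource, action, attrs=None):
    """PDP: return 'Permit', 'Deny' or 'NotApplicable' for one request.
    Every rule whose target matches one of the subject's roles contributes its
    Effect; the policy's rule-combining algorithm resolves conflicts."""
    attrs = attrs or {}
    root = ET.fromstring(policy_xml)
    algorithm = root.get("RuleCombiningAlgId", "deny-overrides")
    effects = []
    for rule in root.findall("Rule"):
        target = rule.find("Target")
        if (target.get("role") not in roles
                or target.get("resource") != resource
                or target.get("action") != action):
            continue
        cond = rule.find("Condition")
        if cond is not None and not _condition_holds(cond, attrs):
            continue
        effects.append(rule.get("Effect"))
    if not effects:
        return "NotApplicable"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    # permit-overrides: any matching Permit wins
    return "Permit" if "Permit" in effects else "Deny"


def decide(user, resource, action, attrs=None):
    """Resolve the user's roles (RBAC step) and ask the PDP."""
    return evaluate(POLICY_XML, USER_ROLES.get(user, set()), resource, action, attrs)


def is_authorized(user, resource, action, attrs=None):
    """PEP: only an explicit Permit grants access. NotApplicable (no rule
    matched, or a condition failed) is closed by default, just like Deny."""
    return decide(user, resource, action, attrs) == "Permit"


if __name__ == "__main__":
    for args in [("alice", "compute-cluster", "submit", {"cpu-hours": 4}),
                 ("alice", "compute-cluster", "submit", {"cpu-hours": 16}),
                 ("bob", "compute-cluster", "admin", None),
                 ("carol", "compute-cluster", "submit", None)]:
        print(args[0], args[2], "->", decide(*args))
```

Two points the abstract's prose does not make explicit are visible here: changing a user's permissions means editing the policy file or the role mapping, not the code (the "dynamic authorization" the thesis aims for), and a user holding several roles can trigger conflicting rules, so the combining algorithm (deny-overrides in the sample) and a closed-by-default PEP are what keep the result safe.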
Keywords/Search Tags:Grid Security, GSI, Authentication, Access Control, CA