Secure Data Grid
The Secure Data Grid project develops a secure system for accessing databases across the Grid. As part of it, a semantic Role-Based Access Control (RBAC) mechanism has been designed and implemented in OGSA-DAI.
Overview
A Role-Based Access Control mechanism has been developed for Grid Database Services in the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI). OGSA-DAI is a middleware implementation which provides interfaces and services to integrate data from separate data sources. In OGSA-DAI, access control causes substantial administration overhead for resource providers in Virtual Organizations (VOs), because each of them has to manage a role-map file containing authorization information for individual Grid users. A role-map file acts as an access control list holding the mapping from each Grid user to a local database user. Managing such access control lists becomes difficult in a grid application because it involves dynamic VOs, whose membership changes over time.
To solve this problem, we used the Community Authorization Service (CAS) provided by the Globus Toolkit to support Role-Based Access Control (RBAC) within the OGSA-DAI framework. The resource providers delegate the fine-grain authorization to the CAS, which authorizes users in VO roles. The resource providers then need to maintain only the mapping from VO roles to local database roles and the local policy information in the role-map files, so the number of entries in the role-map file is reduced dramatically. Also, unnecessary overheads for authentication, mapping and connection can be avoided by denying invalid requests at the VO level. Thus, our access control method provides increased manageability for a large number of users and reduces the day-to-day administration tasks of the resource providers, while they maintain ultimate authority over their resources. Performance analysis shows that our method adds very little overhead to the existing security infrastructure of OGSA-DAI.
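The following is an added illustration, not code from the Secure Data Grid project, OGSA-DAI or the Globus Toolkit. It models the two schemes the overview contrasts: a legacy role-map keyed by individual Grid user DN, and the CAS-based scheme in which the resource provider keeps only a VO-role-to-local-role map plus local policy and rejects requests that carry no applicable VO role before any mapping or database connection work is done. The CAS assertion structure, the role names, the DNs and the policy contents are all constructed for the example; the real OGSA-DAI role-map file format is not reproduced here.

```python
"""Added example (not OGSA-DAI, CAS or Globus code): per-user role-map entries
versus VO-role-based entries, with the VO-level check performed first."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CasAssertion:
    """Simplified stand-in for a CAS-issued credential (constructed shape):
    the Grid user's DN and the VO roles that CAS granted to that user."""
    dn: str
    vo_roles: frozenset


@dataclass
class LegacyRoleMap:
    """Legacy scheme: one entry per Grid user, DN -> local database user."""
    entries: dict = field(default_factory=dict)

    def authorize(self, dn):
        # Every Grid user must appear individually; VO membership changes
        # mean this list has to be edited by every resource provider.
        return self.entries.get(dn)


@dataclass
class RoleBasedProvider:
    """CAS-based scheme: the resource provider keeps only VO role -> local DB
    role and the local policy (operations each local role may perform)."""
    role_map: dict                 # vo_role -> local_db_role
    local_policy: dict             # local_db_role -> set of operations
    connections_opened: int = 0    # counts work done after authorization

    def authorize(self, assertion, operation):
        # Step 1: VO-level check. If none of the user's VO roles maps to
        # this resource, deny here, before mapping or opening a connection.
        applicable = [r for r in assertion.vo_roles if r in self.role_map]
        if not applicable:
            return ("denied_at_vo_level", None)
        # Step 2: map VO role(s) to local DB role(s) and apply local policy;
        # the provider keeps final say through its own policy.
        for vo_role in sorted(applicable):
            local_role = self.role_map[vo_role]
            if operation in self.local_policy.get(local_role, set()):
                self.connections_opened += 1  # connection needed only now
                return ("allowed", local_role)
        return ("denied_by_local_policy", None)


def build_sample():
    """Constructed sample data: five Grid users, two VO roles."""
    users = [f"/O=Grid/OU=VO-A/CN=user{i}" for i in range(5)]
    legacy = LegacyRoleMap({dn: "dbuser_" + dn.rsplit("=", 1)[1] for dn in users})
    provider = RoleBasedProvider(
        role_map={"vo:analyst": "db_reader", "vo:curator": "db_writer"},
        local_policy={"db_reader": {"select"},
                      "db_writer": {"select", "insert"}},
    )
    assertions = {
        "analyst": CasAssertion(users[0], frozenset({"vo:analyst"})),
        "curator": CasAssertion(users[1], frozenset({"vo:curator"})),
        # A VO member whose roles do not apply to this resource at all.
        "outsider": CasAssertion("/O=Grid/OU=VO-B/CN=guest", frozenset({"vo:other"})),
    }
    return legacy, provider, assertions


def entry_counts(num_users, num_vo_roles):
    """Entries each resource provider must maintain under each scheme."""
    return {"legacy": num_users, "role_based": num_vo_roles}


if __name__ == "__main__":
    legacy, provider, a = build_sample()
    print(provider.authorize(a["analyst"], "select"))   # allowed as db_reader
    print(provider.authorize(a["analyst"], "insert"))   # local policy denies
    print(provider.authorize(a["outsider"], "select"))  # denied at VO level
    print(entry_counts(10_000, 2))
```

The point of the `connections_opened` counter is the cost argument made above: a request that carries no applicable VO role is refused before any mapping or connection work, so the VO-level check saves the provider that overhead as well as the administrative burden of per-user entries.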
References:
2. V. Muppavarapu and S. M. Chung, “Role-Based Access Control in a Data Grid Using the Storage Resource Broker and Shibboleth,” Journal of Grid Computing, Vol. 7, No. 2, Springer, 2009, pp. 265–283.
3. A. L. Pereira, V. Muppavarapu, and S. M. Chung, “Managing Role-Based Access Control Policies for Grid Databases in OGSA-DAI Using CAS,” Journal of Grid Computing, Vol. 5, No. 1, Springer, 2007, pp. 65–81.
4. A. L. Pereira, V. Muppavarapu, and S. M. Chung, “Role-Based Access Control for Grid Database Services Using the Community Authorization Service,” IEEE Trans. on Dependable and Secure Computing, Vol. 3, No. 2, 2006, pp. 156–166.