Abstract
In this paper, we propose a role-based access control (RBAC) system for data resources in the Storage Resource Broker (SRB). The SRB is a Data Grid management system that can integrate heterogeneous data resources of virtual organizations (VOs). The SRB stores the access control information of individual users in the Metadata Catalog (MCAT) database. However, because of the specific MCAT schema structure, this information can only be used by SRB applications. If VOs also have many non-SRB applications, each with its own storage format for user access control information, administration does not scale. To solve this problem, we developed an RBAC system with Shibboleth, an attribute authorization service currently used in many Grid environments. The administration overhead is reduced because the role privileges of individual users are now managed by Shibboleth, not by MCAT or by the applications. In addition, access control policies need to be specified and managed across multiple VOs. For the specification of access control policies, we used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); for distributed administration of those policies, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications, which were developed to achieve interoperable registries and repositories. Our RBAC system provides scalable and fine-grained access control and allows privacy protection. Performance analysis shows that our system adds only a small overhead to the existing security infrastructure of the SRB.
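As an added illustration (not code from the paper, the SRB or OMAR) of the Core and Hierarchical RBAC profile structure the abstract relies on: a Role PolicySet (RPS) maps each role to a Permission PolicySet (PPS), and a senior role's PPS references its junior role's PPS, so permissions are inherited without being restated. The roles, resource paths, actions and the permit-overrides/deny-by-default combining behaviour are assumptions made for the example; the role attributes stand in for what a Shibboleth assertion would carry.

```python
# Added example: minimal evaluator for the RPS/PPS structure of the XACML
# Core and Hierarchical RBAC profile. Policy values are constructed.
from dataclasses import dataclass, field


@dataclass
class PermissionPolicySet:
    role: str
    permissions: set = field(default_factory=set)   # explicit (resource, action) pairs
    juniors: list = field(default_factory=list)     # PPSs of junior roles this PPS references

    def permits(self, resource, action, seen=None):
        """True if this PPS, or any junior PPS it references, permits the pair.
        `seen` guards against a mis-specified cyclic role hierarchy."""
        seen = set() if seen is None else seen
        if self.role in seen:
            return False
        seen.add(self.role)
        if (resource, action) in self.permissions:
            return True
        return any(j.permits(resource, action, seen) for j in self.juniors)


def evaluate(rps, subject_roles, resource, action):
    """RPS evaluation: each role attribute in the request selects its PPS.
    Assumes permit-overrides across roles and a deny-by-default PDP."""
    for role in subject_roles:
        pps = rps.get(role)
        if pps is not None and pps.permits(resource, action):
            return "Permit"
    return "Deny"


# Constructed hierarchy over one collection: reader < curator < admin.
READER = PermissionPolicySet("reader", {("/VO1/data", "read")})
CURATOR = PermissionPolicySet("curator", {("/VO1/data", "write")}, [READER])
ADMIN = PermissionPolicySet("admin", {("/VO1/data", "delete")}, [CURATOR])
RPS = {p.role: p for p in (READER, CURATOR, ADMIN)}

if __name__ == "__main__":
    # Role attributes as an attribute assertion would supply them (constructed);
    # the decision point needs only the roles, never the user's identity.
    print(evaluate(RPS, ["curator"], "/VO1/data", "read"))    # inherited from reader
    print(evaluate(RPS, ["curator"], "/VO1/data", "delete"))  # admin-only
```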
Cite this article
Muppavarapu, V., Chung, S.M. Role-Based Access Control in a Data Grid Using the Storage Resource Broker and Shibboleth. J Grid Computing 7, 265–283 (2009). https://doi.org/10.1007/s10723-009-9116-5