Similar documents (20 found)
1.
The Grid paradigm for accessing heterogeneous distributed resources has proved extremely effective, and many organizations rely on Grid middleware for their computational needs. Many different middlewares exist, and the result is a proliferation of self-contained, non-interoperable "Grid islands": different Grids, based on different middlewares, cannot share resources, e.g. jobs submitted on one Grid cannot be forwarded for execution on another. To address this problem, standard interfaces are being proposed for some of the important functionalities provided by most Grids, namely job submission and management, authorization and authentication, resource modeling, and others. In this paper we review some recent standards which address interoperability for three types of services: the BES/JSDL specifications for job submission and management, the SAML notation for authorization and authentication, and the GLUE specification for resource modeling. We describe how standards-enhanced Grid components can be used to create interoperable building blocks for a Grid architecture. Furthermore, we describe how existing components from the gLite middleware have been re-engineered to support BES/JSDL, GLUE and SAML. From this experience we draw some conclusions on the strengths and weaknesses of these specifications, and how they can be improved.

2.
This paper describes the design and implementation of GridCertLib, a Java library leveraging a Shibboleth-based authentication infrastructure and the SLCS online certificate signing service to provide short-lived X.509 certificates and Grid proxies. The main use case envisioned for GridCertLib is to provide seamless and secure access to Grid X.509 certificates and proxies in web applications and portals: when a user logs in to the portal using SAML-based Shibboleth authentication, GridCertLib uses the SAML assertion to obtain a Grid X.509 certificate from the SLCS service and generates a VOMS proxy from it. We give an overview of the architecture of GridCertLib and briefly describe its programming model. Its application to some deployment scenarios is outlined, as well as a report on practical experience integrating GridCertLib into portals for Bioinformatics and Computational Chemistry applications, based on the popular P-GRADE and Django software.

3.
周密, 《计算机时代》 2009(10):21-23
The distributed and heterogeneous nature of Web services complicates the authentication and authorization of service requesters. To address these problems, an identity authentication and access control model based on SAML, XACML and RBAC is proposed. The model uses SAML assertions to implement single sign-on for Web services; it implements the RBAC model with XACML, which simplifies authorization management while achieving fine-grained access control over resources; and it uses an extended SAML syntax to ensure the secure and reliable transport of XACML information.

4.
Grids provide uniform access to aggregations of heterogeneous resources and services such as computers, networks and storage owned by multiple organizations. However, such a dynamic environment poses many challenges for application composition and deployment. In this paper, we present the design of the Gridbus Grid resource broker, which allows users to create applications and specify different objectives through different interfaces without having to deal with the complexity of Grid infrastructure. We present the unique requirements that motivated our design and discuss how these provide flexibility in extending the functionality of the broker to support different low-level middlewares and user interfaces. We evaluate the broker with different job profiles and Grid middleware and conclude with the lessons learnt from our development experience. Copyright © 2007 John Wiley & Sons, Ltd.

5.
Research on an identity authentication and access control model for Web services
The distributed, heterogeneous nature of Web services makes authenticating and authorizing service requesters complex. To address these problems, an identity authentication and access control model based on SAML, XACML and RBAC is proposed. The model uses SAML assertions to implement single sign-on for Web services; it implements the RBAC model with XACML, which simplifies authorization management while achieving fine-grained access control over resources; and it uses an extended SAML syntax to support the secure and reliable transport of XACML information.

6.
Structural bioinformatics applies computational methods to analyze and model three-dimensional molecular structures. A huge number of applications are available for working with structural data at large scale. Using these tools on distributed computing infrastructures (DCIs), however, is often complicated by a lack of suitable interfaces. The MoSGrid (Molecular Simulation Grid) science gateway provides an intuitive user interface to several widely used applications for structural bioinformatics, molecular modeling, and quantum chemistry. It ensures the confidentiality, integrity, and availability of data via a granular security concept that covers all layers of the infrastructure. The security concept applies SAML (Security Assertion Markup Language) and allows trust delegation from the user interface layer across the high-level middleware layer and the Grid middleware layer down to the HPC facilities. SAML assertions had to be integrated into the MoSGrid infrastructure in several places: the workflow-enabled Grid portal WS-PGRADE (Web Services Parallel Grid Runtime and Developer Environment), the gUSE (Grid User Support Environment) DCI services, and the cloud file system XtreemFS. The presented security infrastructure allows a single sign-on process to all involved DCI components and therefore lowers the hurdle for users to utilize large HPC infrastructures for structural bioinformatics.

7.
The Resource Oriented Authorization Manager (ROAM) was created to provide a simple but flexible authorization system for the FusionGrid computational Grid. ROAM builds on and extends previous community efforts both by responding to access authorization requests and by providing a Web interface for resource management. ROAM works with the Globus Resource Allocation Manager (GRAM), and is general enough to be used by other virtual organizations that use Globus middleware or X.509/TLS authentication schemes to secure a Grid of distributed resources. In addition to describing ROAM, this paper discusses the basic design parameters of a Grid authorization system and the reasons for the choices made in the ROAM design.

8.
A SAML-based federated identity access control mechanism for library resources
To address the shortcomings of the traditional access control mechanisms currently used for electronic library resources, this paper proposes a federated identity access control mechanism based on the SAML specification. The mechanism provides single sign-on, guarantees the strength of identity authentication and protects user privacy, and can therefore satisfy the requirements of users, administrators, distributed resources and service providers.

9.
As enterprise informatization advances, the number of enterprise business systems keeps growing. Systems added over time often use different implementation technologies and security policies, and each maintains its own authentication and authorization scheme, which easily produces "information islands". To eliminate this isolation of system access control, single sign-on (SSO) systems based on unified authentication have emerged. However, existing SSO models have many shortcomings in security, scalability and maintainability. Based on the Security Assertion Markup Language (SAML), this paper designs a loosely coupled unified-authentication SSO framework with high security and good interoperability. Its main parts are the identity provider filter and service provider filter modules, the SSO interaction protocol, and the security assurance mechanism.

10.
This article explores the advantages and disadvantages of end-user/client digital certificates as a means of online authentication in a higher or further education information environment. We conclude that the use of client certificates is feasible and scalable. Nevertheless, it is valid to question whether there is a future in such a technology. Certificates could be useful to some users as the front-end authentication tokens for single sign-on systems, and we believe that it is not critical that most users will never fully understand how they work. With feedback from over eighty users with a broad spectrum of technical abilities, the Digital Certificate Operation in a Complex Environment (DCOCE) project looked deeply into the usability of such credentials. Whatever access management technology an institution uses, there is much to learn from the human methodologies of public key infrastructure (PKI) and how these can be made to scale. The use of local user registration individuals to issue user credentials is to be encouraged. Library services are good examples of resources that may be authorized centrally, but other services are not suited to central authorization control. We consider these issues and indicate where digital certificates could be used in the future access management protocols within the UK.

11.
A SAML- and XACML-based access control model for Web services
Web services use general-purpose protocols and technologies that make them easy for users to access, and they have become a research focus in distributed computing; this convenience, however, brings security risks. This paper proposes a Web service access control model based on SAML and XACML: the SAML protocol is used to implement single sign-on, and the XACML policy language is used to control users' access. By extending the SAML protocol, the model brings XACML into Web services so that protected resources on the service side can be controlled more effectively, thereby achieving secure access control for Web services.

12.
In this paper, we present a role-based access control method for accessing databases through the Open Grid Services Architecture – Data Access and Integration (OGSA-DAI) framework. OGSA-DAI is an efficient Grid-enabled middleware implementation of interfaces and services to access and control data sources and sinks. However, in OGSA-DAI, access control causes substantial administration overhead for resource providers in virtual organizations (VOs) because each of them has to manage a role-map file containing authorization information for individual Grid users. To solve this problem, we used the Community Authorization Service (CAS) provided by the Globus Toolkit to support role-based access control (RBAC) within OGSA-DAI. CAS uses the Security Assertion Markup Language (SAML). Our method shows that CAS can support a wide range of security policies using role privileges, role hierarchies, and constraints. The resource providers need to maintain only the mapping from VO roles to local database roles and the local policies in the role-map files, so the number of entries in the role-map file is reduced dramatically. Unnecessary authentication, mapping and connections are also avoided by denying invalid requests at the VO level. Thus, our access control method provides increased manageability for a large number of users and reduces the day-to-day administration tasks of the resource providers, while they retain ultimate authority over their resources. Performance analysis shows that our method adds very little overhead to the existing security infrastructure of OGSA-DAI.

13.
Implementing single sign-on for Web services with SAML
The Security Assertion Markup Language (SAML) describes the security information needed for authentication and authorization, and its interoperability provides a sharing mechanism between different systems. This paper introduces SAML assertions, protocols and bindings, proposes a SAML-based single sign-on model for Web services, and uses the WS-Security specification to protect SAML itself.

14.
Applying single sign-on to Web service security
王茜, 吴黎明, 《计算机工程》 2008, 34(8):179-181
To address the problems that arise when single sign-on is applied to Web service security, this paper combines the WS-Security and SAML specifications to propose a single sign-on model for Web service authentication and authorization, describes the model's single sign-on process and its implementation, analyses its security and gives the corresponding security policies. The model is compatible, easy to deploy and readily extensible.

15.
Grid users routinely face obstacles when employing Grid resources, such as the need for a customized computing environment and for QoS support. In this paper, we propose a new methodology for Grid computing: use virtual machines as computing resources and provide Virtual Distributed Environments (VDE) for Grid users. Employing virtual environments for Grid computing brings several advantages, for instance customization of the computing environment, QoS guarantees and easy management. A lightweight Grid middleware, the Grid Virtualization Engine, is developed accordingly to build virtual environments for Grids. We also present a typical use case, building a virtual e-Science infrastructure on demand, to justify the methodology.

16.
Many organizations have adopted SAML-based identity federation as a standard component of their enterprise architecture. A service provider in a federation may be viewed as a combination of an assertion consumer service (ACS) responsible for interactions with other federation participants (such as identity providers, or IDPs) and an application that provides useful functionality to end users. More often than not, assertion consumer services are shared among multiple applications, but current usage only exposes the ACS's name to other parties in the federation, not the names of the applications. Identity providers in higher-assurance federations frequently provide authentication, authorization, and accounting (AAA) services with application-level granularity, and this usage pattern prevents them from knowing the applications on whose behalf federation requests are made. In this article we propose a solution that enables an ACS to generate, and an IDP to consume, this missing information. Our approach is to extend the existing SAML 2.0 proxying capability by allowing references to applications that participate in the SAML ecosystem but do not support SAML themselves. We conclude that simple changes in information technology practices (supported by the necessary enhancements in vendor products) can significantly improve application-level AAA in environments with shared assertion consumer services.

17.
Production Grids are becoming widely utilized by the e-Science community to run computation- and data-intensive experiments more efficiently. Unfortunately, different production Grid infrastructures are based on different middleware technologies, both for computation and for data access. Although there is significant effort from the Grid community to standardize the underlying middleware, solutions that allow existing non-standard tools to interoperate are one of the major concerns of Grid users today. This paper describes the generic requirements for the interoperation of Grid data resources within computational workflows, and suggests integration techniques that allow workflow engines to access various heterogeneous data resources during workflow execution. Reference implementations of these techniques are presented and recommendations on their applicability and suitability are made.

18.
With the rapid development of network technology, network-based application systems are entering every industry. Along with large benefits they bring higher security requirements, in particular the need to ensure that users accessing their resources hold legitimate permissions. To meet the demands of multi-system platforms and to authenticate and manage the users who log in to those platforms in a unified way, this paper designs a cross-domain single sign-on system (CD-SSO). It uses SAML assertions as the standardized format for defining security information, carries the security elements in SOAP messages, and uses WS-Security to protect message integrity and confidentiality. While making access convenient for users, it provides a complete security service mechanism that guarantees the confidentiality, integrity and validity of messages and services.

19.
This paper describes our experiences building and working with the reference implementation of myVocs (my Virtual Organization Collaboration System). myVocs provides a flexible environment for exploring new approaches to security, application development, and access control built from Internet services without a central identity repository. The myVocs framework enables virtual organization (VO) self-management across unrelated security domains for multiple, unrelated VOs. By leveraging the emerging distributed identity management infrastructure, myVocs provides an accessible, secure collaborative environment using standards for federated identity management and open-source software developed through the National Science Foundation Middleware Initiative. The Shibboleth software, an early implementation of the Organization for the Advancement of Structured Information Standards Security Assertion Markup Language standard for browser single sign-on, provides the middleware needed to assert identity and attributes across domains so that access control decisions can be determined at each resource based on local policy. The eduPerson object class for the lightweight directory access protocol (LDAP) provides standardized naming, format, and semantics for a global identifier. We have found that a Shibboleth deployment supporting VOs requires the addition of a new VO service component allowing VOs to manage their own membership and control access to their distributed resources. The myVocs system can be integrated with Grid authentication and authorization using GridShib. Copyright © 2008 John Wiley & Sons, Ltd.

20.
This paper implements a SAML-based federated single sign-on system that meets the requirements of Web services, and uses the WS-Security specification to protect SAML itself. The system is cross-platform, and it reduces the number of client registrations and authentications as well as the overhead for the medical insurance centre of managing client information.
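Several of the entries above (items 9, 13, 14, 18 and 20) build single sign-on on SAML assertions consumed by a service-provider filter or assertion consumer service, with WS-Security or XML signatures protecting the assertion in transit. The checks such a consumer must perform after the signature is verified are what make the assertion safe to act on, and the abstracts do not spell them out. The following Python is an added example, not code from any of the listed papers: it validates a SAML 2.0 bearer assertion against a configured issuer, audience and ACS endpoint, enforces the validity window and bearer-confirmation expiry with a small clock-skew allowance, and rejects replays by remembering consumed assertion IDs. Signature verification is assumed to have already succeeded (with a real XML-DSig library) and is not repeated; the assertion, entity IDs and URLs are constructed for the example.

```python
"""Service-provider-side validation of a SAML 2.0 bearer assertion.

Added example, not code from any of the papers listed above. Signature
verification (XML-DSig, or WS-Security protection of the SOAP message) is
assumed to have succeeded before validate() runs. Entity IDs, the ACS URL and
the assertion itself are constructed for the example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion (hypothetical IdP, SP and ACS identifiers).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_9f1c2e7a" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC xs:dateTime form SAML mandates (trailing 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionConsumer:
    """Minimal ACS state: whom we trust, who we are, and which assertion IDs we consumed."""

    def __init__(self, trusted_issuer, audience, acs_url, clock_skew=timedelta(seconds=30)):
        self.trusted_issuer = trusted_issuer
        self.audience = audience
        self.acs_url = acs_url
        self.skew = clock_skew
        self.seen_ids = {}  # assertion ID -> time after which it can be forgotten

    def validate(self, xml_text, now):
        """Return the subject NameID if the assertion is acceptable, else raise ValueError."""
        root = ET.fromstring(xml_text)
        if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
            raise ValueError("not a SAML 2.0 Assertion")
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        if issuer != self.trusted_issuer:
            raise ValueError("untrusted issuer %r" % issuer)

        cond = root.find("saml:Conditions", namespaces=NS)
        if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
            raise ValueError("Conditions must bound the validity window")
        not_after = _ts(cond.get("NotOnOrAfter"))
        if now + self.skew < _ts(cond.get("NotBefore")) or now - self.skew >= not_after:
            raise ValueError("assertion outside validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in audiences:
            raise ValueError("assertion not addressed to this audience")

        # Bearer confirmation: issued for *our* ACS endpoint and still live.
        data = None
        for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
            if sc.get("Method") == BEARER:
                data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != self.acs_url:
            raise ValueError("no bearer confirmation for this recipient")
        if data.get("NotOnOrAfter") is None or now - self.skew >= _ts(data.get("NotOnOrAfter")):
            raise ValueError("bearer confirmation expired")

        # Replay protection: a bearer assertion is consumed once; keep its ID until it cannot be valid.
        aid = root.get("ID")
        if not aid:
            raise ValueError("assertion has no ID")
        self.seen_ids = {k: v for k, v in self.seen_ids.items() if v > now}
        if aid in self.seen_ids:
            raise ValueError("assertion replayed")
        self.seen_ids[aid] = not_after + self.skew
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def validation_error(consumer, xml_text, now):
    """Return '' if the assertion is accepted, otherwise the rejection reason."""
    try:
        consumer.validate(xml_text, now)
        return ""
    except ValueError as exc:
        return str(exc)


def demo():
    """Run the sample assertion through an ACS at different times and configurations."""
    idp, sp, acs_url = "https://idp.example.org/idp", "https://sp.example.org", "https://sp.example.org/acs"
    t_ok = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    acs = AssertionConsumer(idp, sp, acs_url)
    return {
        "accepted": acs.validate(SAMPLE_ASSERTION, t_ok),
        "replay": validation_error(acs, SAMPLE_ASSERTION, t_ok),
        "expired": validation_error(AssertionConsumer(idp, sp, acs_url), SAMPLE_ASSERTION, t_ok + timedelta(minutes=10)),
        "wrong_audience": validation_error(AssertionConsumer(idp, "https://other.example.org", acs_url), SAMPLE_ASSERTION, t_ok),
        "wrong_recipient": validation_error(AssertionConsumer(idp, sp, "https://sp.example.org/other-acs"), SAMPLE_ASSERTION, t_ok),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "accepted")
```

The order of the checks matters less than their completeness: an assertion with a valid signature from the right IdP is still unusable if it was minted for another service provider (audience), for another endpoint (recipient), or has already been presented once (replay), and each of those is a distinct class of token-forwarding attack against an SP filter that only checks the signature.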
