well in a large VO. A more sophisticated method of applying authorization controls is through the use of role-based access control (RBAC) mechanisms [8], which enable privilege management infrastructures (PMI). Several RBAC middleware solutions that support authorization have been explored within the grid community. We provide an overview of some of the more prominent of those here.
12.3.1 Globus Security Infrastructure
The Globus toolkit [6] supports Globus Security Infrastructure (GSI)-based authentication and authorization. This includes the following:
WS-Authentication, with support for both message-level and transport-level security. Message-level security is achieved through an implementation of the WS-Security standard that supports message protection at the simple object access protocol (SOAP) [9] message level. Transport-level security is achieved through the use of X.509 certificates to establish transport layer security (TLS) connections.
WS-Authorization, through an authorization framework based on the OASIS security assertion markup language (SAML) [10] authorization application programming interface (API). Through this SAML AuthZ API, a generic policy enforcement point (PEP) can be achieved, which can be associated with arbitrary services. Thus, rather than developers having to explicitly engineer a PEP on a per-application basis, the deployment information associated with the service is used. Authorization checks on users attempting to invoke “methods” associated with Globus services are then automatically raised and forwarded to the policy decision point (PDP), which in the simplest case will respond with an allow/deny. However, we note that in recent versions of the Globus infrastructure it is now possible to configure a chain of authorization mechanisms together. One issue that has been encountered with the SAML AuthZ profile is the lack of granularity in how users might invoke actions. For example, different actions may or may not be allowed, depending upon the data that they wish to access and potentially change. The SAML AuthZ profile does not currently allow actions to be distinguished based upon the parameters that might be associated with them. The grid standards community is working on addressing this deficiency.
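The PEP/PDP flow described above, as an added illustration that is not Globus toolkit code: a generic PEP that wraps any service method and forwards each invocation to a chain of PDPs combined with deny-overrides semantics. All class, function and policy names here are hypothetical, and the subjects, service and dataset paths are constructed sample data. The first PDP decides on (subject, service, action) only, which is the action-level granularity the SAML AuthZ profile offers; the second distinguishes the same write action by its dataset parameter, which is the granularity the text says the profile lacks. Running the two chains side by side shows a write to another user's dataset being permitted by the action-level chain and refused once the parameter-aware PDP is added.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List

# Hypothetical PEP/PDP model; names are invented for this example, not Globus APIs.


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not_applicable"   # this PDP expresses no opinion


@dataclass(frozen=True)
class Request:
    """What the PEP forwards to the PDP for one attempted method invocation."""
    subject: str                            # caller identity, e.g. the DN from an X.509 credential
    service: str
    action: str                             # the service "method" being invoked
    params: Dict[str, str] = field(default_factory=dict)


PDP = Callable[[Request], Decision]

# Constructed sample policy: permissions keyed on (subject, service, action) only.
ACTION_ACL = {
    ("/O=Grid/CN=alice", "DataService", "read"): Decision.PERMIT,
    ("/O=Grid/CN=alice", "DataService", "write"): Decision.PERMIT,
}


def action_level_pdp(req: Request) -> Decision:
    """Action-granular PDP: never looks at req.params (the limitation described in the text)."""
    return ACTION_ACL.get((req.subject, req.service, req.action), Decision.NOT_APPLICABLE)


def parameter_aware_pdp(req: Request) -> Decision:
    """Parameter-granular PDP: the same 'write' action is judged per dataset."""
    if req.service == "DataService" and req.action == "write":
        dataset = req.params.get("dataset", "")
        owner_prefix = "/home/" + req.subject.rsplit("CN=", 1)[-1] + "/"
        if dataset.startswith("/public/") or dataset.startswith(owner_prefix):
            return Decision.NOT_APPLICABLE  # nothing to object to; other PDPs decide
        return Decision.DENY                # writing into someone else's area
    return Decision.NOT_APPLICABLE


class ChainedPDP:
    """Combines several PDPs with deny-overrides semantics; default deny when none permits."""

    def __init__(self, pdps: List[PDP]):
        self.pdps = pdps

    def decide(self, req: Request) -> Decision:
        decisions = [pdp(req) for pdp in self.pdps]
        if Decision.DENY in decisions:
            return Decision.DENY
        if Decision.PERMIT in decisions:
            return Decision.PERMIT
        return Decision.DENY


class PolicyEnforcementPoint:
    """Generic PEP attached to a service by deployment rather than engineered per method."""

    def __init__(self, service: str, pdp: ChainedPDP):
        self.service = service
        self.pdp = pdp

    def guard(self, method):
        def wrapper(subject: str, **params):
            req = Request(subject, self.service, method.__name__, dict(params))
            if self.pdp.decide(req) is not Decision.PERMIT:
                raise PermissionError(f"{subject} may not {method.__name__} on {self.service}")
            return method(subject, **params)
        wrapper.__name__ = method.__name__
        return wrapper


def coarse_chain() -> ChainedPDP:
    return ChainedPDP([action_level_pdp])


def fine_chain() -> ChainedPDP:
    return ChainedPDP([action_level_pdp, parameter_aware_pdp])


def invoke_write(pdp: ChainedPDP, subject: str, dataset: str) -> str:
    """Invoke a guarded 'write' method through the PEP; returns 'ok' or 'denied'."""
    pep = PolicyEnforcementPoint("DataService", pdp)

    @pep.guard
    def write(subject, dataset):
        return "ok"

    try:
        return write(subject, dataset=dataset)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    alice = "/O=Grid/CN=alice"
    for label, chain in (("action-level only", coarse_chain()),
                         ("with parameter-aware PDP", fine_chain())):
        print(label, "->", invoke_write(chain, alice, "/home/bob/results"))
```

Deny-overrides is one of the standard combining rules; the point of the chain is that adding a narrower PDP can only remove permissions the coarser one would have granted, so a deployment can tighten an action-level policy without rewriting it.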
Credential management through MyProxy [11], which is a credential storage and management system that has widespread acceptance as the way in which credentials should be managed within a grid environment. Instead of users managing their own private keys and credentials, they can delegate them to a MyProxy