assigned roles, source of authority (SoA) (e.g., local managers trusted to
assign roles to subjects), roles and their hierarchical relationships, what
roles can be assigned to which subjects by which SoAs, target resources
and the actions that can be applied to them, which roles are allowed to
perform which actions on which targets, and the conditions under which
access can be granted to roles.
Roles are assigned to subjects by issuing them with X.509 ACs. Once roles
are assigned and policies are developed, they are digitally signed by a
manager and stored in one or more Lightweight Directory Access Protocol
(LDAP) repositories. The process to set up and use PERMIS can be split into
two parts: Administration and Use. To set up and administer PERMIS requires
the use of an LDAP server to store the attribute certificates and reference the
SoA root certificate. A local CA is required to be set up, which designates
that the SoA and all user certificates created from this CA must have a DN
that matches the structure of the LDAP server. The DN of the user certificate
is used to identify the client making the call on the grid service.
From the user's perspective, once the administrator has set up the
infrastructure, the PERMIS service is relatively easy to use. Unique identifiers
are placed as parameters to services when they are deployed. These are
the object identification (OID) number of the policy in the repository, the
URI of the LDAP server where the policies are held, and the SoA associated
with the policy being implemented. Once these parameters are input
and the service is deployed, the user creates a proxy certificate with the
user certificate created by the local CA to perform strong authentication.
The client is run and the authorization process allows or disallows the
intended action.
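The policy elements listed at the top of this page (trusted SoAs, a role hierarchy, which SoA may assign which roles, and which roles may perform which actions on which targets under which conditions) and the credential check in the use process, as an added toy evaluator that is not PERMIS's own code; the DNs, role names, target and time condition are constructed for the example.

```python
# Added toy evaluator (not PERMIS code) for the policy elements listed above:
# trusted SoAs, role hierarchy, role-assignment rules and target-access rules.
from dataclasses import dataclass
@dataclass(frozen=True)
class AttributeCert:
    holder: str   # DN of the subject the role is assigned to
    role: str     # role attribute carried by the AC
    issuer: str   # DN of the SoA that signed the AC
@dataclass
class Policy:
    soas: set                 # trusted SoA DNs
    hierarchy: dict           # role -> roles it inherits
    assignment: dict          # SoA DN -> roles that SoA may assign
    target_access: list       # (role, action, target, condition(env) -> bool)
def implied_roles(policy: Policy, role: str) -> set:
    """Return `role` plus every role it inherits through the hierarchy."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(policy.hierarchy.get(r, []))
    return seen
def valid_roles(policy: Policy, subject: str, acs: list) -> set:
    """Keep only ACs held by the caller, signed by a trusted SoA that may assign the role."""
    roles = set()
    for ac in acs:
        if (ac.holder == subject and ac.issuer in policy.soas
                and ac.role in policy.assignment.get(ac.issuer, set())):
            roles |= implied_roles(policy, ac.role)
    return roles
def authorized(policy: Policy, subject: str, acs: list,
               action: str, target: str, env: dict) -> bool:
    """True when a valid role grants `action` on `target` and its condition holds."""
    roles = valid_roles(policy, subject, acs)
    return any(role in roles and act == action and tgt == target and cond(env)
               for role, act, tgt, cond in policy.target_access)

# Constructed sample: admins inherit researcher rights, only the department
# SoA may assign roles, and job submission is allowed only 08:00-18:00.
SOA = "cn=Dept SoA,o=Example Grid,c=UK"
ALICE = "cn=Alice,o=Example Grid,c=UK"
POLICY = Policy(
    soas={SOA},
    hierarchy={"admin": ["researcher"]},
    assignment={SOA: {"admin", "researcher"}},
    target_access=[("researcher", "submit", "grid:/jobs",
                    lambda env: 8 <= env["hour"] < 18)])
ACS = [AttributeCert(ALICE, "admin", SOA),                         # trusted
       AttributeCert(ALICE, "researcher", "cn=Rogue,o=Nowhere")]   # untrusted
```

The second AC is discarded because its issuer is not a trusted SoA, so Alice's rights come only from the admin role and the researcher role it inherits.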
The PERMIS infrastructure offers very fine-grained authorization
capabilities in terms of both policy expression and enforcement. The policy
editing tools allow for easy development of the XML-based policies. With
support for the SAML authorization API, PERMIS allows direct linkage
between grid services and authorization infrastructures.
PERMIS is perhaps the most advanced authorization infrastructure with
software that meets the needs of the wider e-Research communities. It
provides tools to support the definition and seamless enforcement of
authorization policy. Recent enhancements to PERMIS and associated grid
standards now allow PERMIS to work with a variety of grid middleware
and other authorization technologies including VOMS and XACML [17].
Such authorization technologies are essential for site administrators in
providing secure access to their resources. However, the purpose of such
authorization technologies is not solely to protect access to systems,
but to enable access to them. That is, the end users must be able to
access and use protected resources. Furthermore, the vast majority of
researchers are unaware of X.509 attribute certificates and their use in
supporting privilege management infrastructures. Rather, they are more
focused upon their research. Thus technologies are required that hide these