FIGURE 12.1
VOTES portal showing cancer clinical data query.
The access to the portal is through Shibboleth following the interactions
described previously. Figure 12.1 (left) shows the interface to one study
where information on cancer patients is being returned (the names are for
demonstration purposes only and not real identities). The results of this
query are returned on the right of Figure 12.1. Key to this are the various
attributes that are returned (right-hand side of browser interfaces). These
are delivered via Shibboleth interactions and used to personalize the
access to different services through the portal; that is, the portlets that are
accessible are based upon having the roles to see them. This model
corresponds to security models along the lines of “what you can see is what
you can do.”

However, remote data providers are unlikely to simply allow access to
their datasets for someone who has authenticated and provided the right
roles to a remote portal. They will want to make their own authorization
decisions. To support this, the remote services providing access to data are
also protected with PERMIS and have their own local security policies on
access and usage. When a user issues a query that is federated to a remote
service provider, that provider's authorization infrastructure (PERMIS) is
configured to pull the X.509 attribute certificate associated with that user
request to make its own local authorization decision. In supporting this, the
attributes delivered via Shibboleth are kept in a VO-specific attribute authority
(LDAP server) associated with the portal. Thus all service providers know
where to go to obtain the attributes that they need and have agreed upon
when requests for secure access to their datasets are made. When pulled,
these attributes are checked for authenticity and validity, and if acceptable,
the query is run and resultant datasets are returned. We note that the
infrastructure does not allow arbitrary querying. Rather, the queries are
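
The pull-mode decision described above, sketched as an added example (not VOTES or PERMIS code): the data provider fetches the user's credential from the VO attribute authority, checks authenticity and validity, then applies its own local policy. The function names, the policy table, the dict standing in for the LDAP server, and the HMAC standing in for the X.509 attribute-certificate signature are all assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. A real attribute certificate carries an X.509
# signature from the attribute authority; HMAC is only a stand-in here.
AA_KEY = b"constructed-demo-key"
FIELDS = ("holder", "roles", "not_before", "not_after")

def _mac(body, key):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue(holder, roles, not_before, not_after, key=AA_KEY):
    """Attribute-authority side: bind roles to a holder for a validity period."""
    body = {"holder": holder, "roles": sorted(roles),
            "not_before": not_before, "not_after": not_after}
    return {**body, "mac": _mac(body, key)}

def verified_roles(cred, user, now):
    """Return the roles only if the credential is authentic, valid and the user's."""
    body = {k: cred[k] for k in FIELDS}
    if not hmac.compare_digest(_mac(body, AA_KEY), cred["mac"]):
        return set()                      # authenticity check failed
    start = datetime.fromisoformat(cred["not_before"])
    end = datetime.fromisoformat(cred["not_after"])
    if cred["holder"] != user or not (start <= now <= end):
        return set()                      # wrong holder or outside validity period
    return set(cred["roles"])

# Hypothetical local policy of one data provider: query name -> permitted roles.
LOCAL_POLICY = {"cancer_study_summary": {"clinical-researcher"}}

def authorize(user, query, directory, now):
    """Pull the user's credential from the directory and decide locally."""
    cred = directory.get(user)            # dict stands in for the LDAP lookup
    if cred is None:
        return False
    permitted = LOCAL_POLICY.get(query, set())   # unlisted queries are denied
    return bool(verified_roles(cred, user, now) & permitted)

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    cred = issue("alice", ["clinical-researcher"],
                 "2024-01-01T00:00:00+00:00", "2024-12-31T00:00:00+00:00")
    print(authorize("alice", "cancer_study_summary", {"alice": cred}, now))
```

The provider never trusts roles asserted by the portal in the request itself; it decides only on what it pulled and verified.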