Figure 2. The TSRB framework: files, file names and metadata are managed by a Trusted SRB. Dotted
lines depict microcontract establishment and auditing, solid lines depict data flow and job transfers
or hosts, who are trusted by the data owner both
for confidentiality (of the administrators) and for
providing correct information in their HPL.
The main actions are illustrated in Figure 2. A
user uploads data to the TSRB, e.g., using gridFTP
(step 1). The data is stored in a storage system
maintained in the TSRB domain. Metadata can
be stored in a separate service managed by the
TSRB, e.g., a File Catalog in case of storing files
(step 2). A job is submitted through a CRB (step
3), about which the data owner has no information.
Eventually, the CRB submits the job to a cluster
(step 4) that must be trusted by the data owner
before the job can access data.
As part of the protocol before data access is
authorized, user (job) and host authentication
takes place, and the data's RHPL and the remote
host's HPL are compared (details are given
later). If RHPL and HPL match, a microcontract
is established, which is a statement containing
agreed-upon host properties and signed by both
the TSRB and the remote host. Microcontracts are
established for all authorization decisions, including,
e.g., resolving file names in a File Catalog
(step 5), and accessing the data item itself (step 6).
Only after the TSRB receives a microcontract
are the data shipped to the job or middleware acting
on the job's behalf. In step 7, a job returns to
its CRB where it can be collected by its owner.
Subject to agreement in the microcontract, Cluster
A ensures that no data from the job's execution
remains on the host.
Auditing is important to allow data owners to
track which jobs applied which operations on their
data, on behalf of which users, and from which
hosts. All established microcontracts are shipped
to an auditor process (see Figure 2), which can
be used by data owners to trace the transactions.
Auditing can help establish trust (e.g., using
reputation-based mechanisms), and enables tracking
of potential sources of information leakage.
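
The matching, microcontract and auditing steps described above, sketched as an added example (not code from the TSRB authors). Assumptions: the RHPL and HPL are flat property-to-value maps and a match means every required value is offered, since the text defers the matching details; HMAC tags with constructed keys stand in for the two parties' digital signatures so the block runs on the standard library alone; all function and property names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed keys: HMAC tags stand in for the parties' digital signatures.
KEYS = {"tsrb": b"tsrb-demo-key", "cluster-a": b"cluster-a-demo-key"}
AUDIT_LOG = []  # stands in for the auditor process
# Constructed sample lists: the data owner's requirements and one host's claims.
RHPL = {"disk_encryption": True, "scrub_after_job": True}
HPL_A = {"disk_encryption": True, "scrub_after_job": True, "os": "linux"}


def sign(party, statement):
    """Tag a canonical JSON encoding so both parties sign identical bytes."""
    body = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEYS[party], body, hashlib.sha256).hexdigest()


def match(rhpl, hpl):
    """Return the agreed properties, or None if any requirement is unmet."""
    if any(hpl.get(name) != value for name, value in rhpl.items()):
        return None
    return dict(rhpl)


def establish(action, item, rhpl, host, hpl):
    """Build a microcontract tagged by TSRB and host, and ship it to the auditor."""
    agreed = match(rhpl, hpl)
    if agreed is None:
        return None  # no match, no microcontract, no access
    statement = {"action": action, "item": item, "host": host, "properties": agreed}
    # In a deployment each party would compute its own signature; here both
    # tags are produced locally to keep the example self-contained.
    contract = {"statement": statement,
                "signatures": {p: sign(p, statement) for p in ("tsrb", host)}}
    AUDIT_LOG.append(contract)
    return contract


def release(contract, action, item, host, data):
    """Ship data only for the contracted request and only if both tags verify."""
    want = {"action": action, "item": item, "host": host}
    if contract is None or any(contract["statement"].get(k) != v for k, v in want.items()):
        return None
    for party in ("tsrb", host):
        expected = sign(party, contract["statement"])
        if not hmac.compare_digest(expected, contract["signatures"].get(party, "")):
            return None
    return data
```

Because each authorization decision gets its own statement, a contract issued for resolving a file name cannot be replayed to fetch the data item itself.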
CONCEPTS AND INTERACTIONS
Job Authentication
A solution to provide a secure binding between jobs
and Proxy certificates is to combine job integrity
verification with a trust-based mechanism. Only
if a data owner trusts a remote system to verify
the integrity of incoming jobs properly, can he or
she assume the job-Proxy certificate binding
to be valid, and can Proxy certificate-based au-