encrypted data are described in (Montagnat et al., 2007; Xu, 2005).

Access Control Lists

Access control in our system is enforced on the basis of ACLs. ACLs can be associated with individual data items or with a grouping (set) of data items. In the case of files, grouping may be facilitated by, e.g., associating ACLs with directory names. Unauthorized users should not even be able to find out whether a given data item exists.

The User ACL contains a list of principals (job owners) that are allowed to access a (set of) data item(s), together with these principals' access rights on that data. The Host ACL specifies from which hosts or domains authorized jobs may access particular data, and with which access rights. Access rights from the User and Host ACLs are combined such that only the minimum set of rights for this data is granted to a job of a given user running on a given host.

The trusted domains or hosts in the Host ACL are determined by the data owner, e.g., based on whether he or she trusts the administrator of a particular administrative domain. Host ACLs are expressed as GSI host/domain name patterns, which are matched against the common name field of the x509 GSI host certificate, e.g., *.sara.nl or host1.amc.nl. Specific patterns override wildcarded patterns. Also associated with data items or sets of data is a Remote Host Property List (RHPL). Before a remote host's HPL is evaluated, it is checked that this host is in the Host ACL; only then is the HPL information considered trusted.

We chose to store an RHPL separately with each (set of) data items, in addition to the basic User and Host ACLs, because of the dynamic nature of Grid systems. Different domains may contain many machines or clusters, each with a different configuration and different job or data handling properties, which may even change over time. Connection-time RHPL/HPL matching allows the system to evaluate these properties at runtime, without relying on a (trusted) central repository of these properties.

Naming and Metadata Services

The TSRB can offer metadata services for managing and querying metadata about the stored data. Metadata is useful for searching for data items of interest in large data collections. File names can be seen as metadata specific to file systems.

Naming or metadata services must be integrated into the TSRB, since access to file names and other sensitive metadata should be carefully protected. For example, careless encoding of file names could enable attackers to identify patient or hospital information from a file name and re-identify a patient. Naming or metadata services may be private to a VO, or part of some hierarchical naming service. In either case, file name lookup requests are subject to data-owner specified access control policies as outlined in this paper.

Job Submission Procedure

At job submission time, a host must be selected from which the job's input data is accessible. Since CRBs are generally not trusted¹, client-side software should be used which contacts the TSRB before job submission. A file naming convention combined with a naming service (e.g., DNS) allows the client job submission program to locate the TSRB where the data is stored.

Client-side software can authenticate directly to the TSRB using the job owner's identity key. If authorized, it can fetch the relevant access control and HPL information, from which a job description is created. To allow the CRB to select suitable hosts, HPLs could be published in a (global) information system. Note that because of run-time (R)HPL evaluation, the information system does not need to be completely consistent or trusted. This is important for scalability, as keeping a possibly global information system fully up-to-date may be infeasible.
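As an added example (not code from the paper or the TSRB itself), the following Python evaluates one job's rights the way the Access Control Lists and Job Submission sections describe: Host ACL patterns are matched against the host certificate common name with specific patterns overriding wildcards, the host's HPL is consulted only after it passed the Host ACL, and User and Host rights are combined as their minimum (intersection). The user DNs, host names, rights and RHPL property names are constructed.

```python
# Added example: evaluator for the User ACL / Host ACL / RHPL model above.
# All names, rights and properties in DATA_POLICY are constructed samples.
from fnmatch import fnmatchcase


def match_host_acl(host_acl, host_cn):
    """Return the rights the Host ACL grants to a host, or None if absent.

    host_acl maps GSI host/domain name patterns (e.g. "*.sara.nl") to a set
    of rights; host_cn is the CN field of the host's x509 GSI certificate.
    Specific patterns override wildcarded ones, so among all matching
    patterns the one with the fewest wildcards (then the longest) wins.
    """
    matches = [p for p in host_acl if fnmatchcase(host_cn, p)]
    if not matches:
        return None  # host not in the ACL: it learns nothing, not even existence
    best = min(matches, key=lambda p: (p.count("*"), -len(p)))
    return set(host_acl[best])


def grant(policy, user_dn, host_cn, host_hpl):
    """Rights for a job of user_dn running on host_cn against one data set.

    The User ACL and Host ACL must both list the principal/host; the HPL the
    host presents is trusted only after the Host ACL check and must satisfy
    every property the data owner's RHPL requires. The result is the minimum
    of the user's and the host's rights.
    """
    user_rights = policy["user_acl"].get(user_dn)
    host_rights = match_host_acl(policy["host_acl"], host_cn)
    if user_rights is None or host_rights is None:
        return set()
    for prop, required in policy["rhpl"].items():
        if host_hpl.get(prop) != required:
            return set()  # RHPL/HPL mismatch evaluated at connection time
    return set(user_rights) & host_rights


# Constructed policy for one (set of) data items.
DATA_POLICY = {
    "user_acl": {"/O=example-grid/CN=alice": {"read", "write"},
                 "/O=example-grid/CN=bob": {"read"}},
    "host_acl": {"*.sara.nl": {"read"},          # whole domain, read only
                 "batch7.sara.nl": set(),        # specific pattern overrides
                 "host1.amc.nl": {"read", "write"}},
    "rhpl": {"encrypted_scratch": True, "network_isolated": True},
}
```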