DOI: 10.1109/ICGRID.2006.311008

Shibboleth-based Access to and Usage of Grid Resources

Published: 28 September 2006

Abstract

Security underpins Grids and e-Research. Without a robust, reliable and simple Grid security infrastructure combined with commonly accepted security practices, large portions of the research community and wider industry will not engage. The predominant way in which security is currently addressed in the Grid community is through Public Key Infrastructures (PKI) based upon X.509 certificates to support authentication. Whilst PKIs address user identity issues, authentication does not provide fine-grained control over what users are allowed to do on remote resources (authorization). In this paper we outline how we have successfully combined Shibboleth and advanced authorization technologies to provide simplified (from the user perspective) but fine-grained security for access to and usage of Grid resources. We demonstrate this approach through different security-focused e-Science projects being conducted at the National e-Science Centre (NeSC) at the University of Glasgow. We believe that this model will be more widely applicable and encourage the further uptake of e-Science by non-IT specialists in the research communities.



Published In

GRID '06: Proceedings of the 7th IEEE/ACM International Conference on Grid Computing
September 2006
382 pages
ISBN: 142440343X

Publisher

IEEE Computer Society, United States


Cited By

  • (2013) Robust and flexible tunnel management for secure private cloud. ACM SIGAPP Applied Computing Review 13:1 (41-50). DOI: 10.1145/2460136.2460140. Online publication date: 1-Mar-2013
  • (2012) A standards-based interoperable single sign-on framework in ARC Grid middleware. Journal of Network and Computer Applications 35:3 (892-904). DOI: 10.1016/j.jnca.2011.03.006. Online publication date: 1-May-2012
  • (2011) Shibboleth and community authorization services. Proceedings of the 11th international conference on Algorithms and architectures for parallel processing - Volume Part II (131-140). DOI: 10.5555/2075462.2075476. Online publication date: 24-Oct-2011
  • (2011) A review of grid authentication and authorization technologies and support for federated access control. ACM Computing Surveys 43:2 (1-26). DOI: 10.1145/1883612.1883619. Online publication date: 4-Feb-2011
  • (2010) A virtual laboratory for medical image analysis. IEEE Transactions on Information Technology in Biomedicine 14:4 (979-985). DOI: 10.1109/TITB.2010.2046742. Online publication date: 1-Jul-2010
  • (2009) Standardised job submission and control in cluster and grid environments. International Journal of Grid and Utility Computing 1:2 (134-145). DOI: 10.1504/IJGUC.2009.022029. Online publication date: 1-Dec-2009
  • (2008) Supporting Security-Oriented, Collaborative nanoCMOS Electronics Research. Proceedings of the 8th international conference on Computational Science, Part I (96-105). DOI: 10.1007/978-3-540-69384-0_15. Online publication date: 23-Jun-2008
