Authorization and account management in the Open Science Grid

Author

Lorch, Markus ; Kafura, Dennis ; Fisk, Ian ; Keahey, Kate ; Carcassi, Gabriele ; Freeman, Tim ; Peremutov, Timur ; Rana, Abhishek Singh

Author_Institution

Dept. of Comput. Sci., Virginia Tech, Blacksburg, VA, USA

fYear

2005

fDate

13-14 Nov. 2005

Abstract

An attribute-based authorization infrastructure developed for the Open Science Grid is presented. The infrastructure integrates existing identity-mapping and group-membership service using concepts prototyped in the PRIMA system. Authorization scenarios for requests to compute and data resources are detailed. A new SAML obligated authorization decision statement is introduced that attaches an XACML obligation to the authorization decision. The use of obligations enables site-centralized, service-independent policy management. Authorization decisions are enforced via a Workspace Service that creates constrained execution environments configured in accordance with the obligations and other attribute-based information. Finally, an experimental PRIMA authorization service that extends and simplifies the infrastructure is described.

Keywords

authorisation; grid computing; natural sciences computing; open systems; Open Science Grid; PRIMA authorization service; SAML obligated authorization decision statement; Workspace Service; XACML obligation; account management; attribute-based authorization infrastructure; data resources; group membership; identity mapping; service-independent policy management; site-centralized policy management; Authorization; Collaborative work; Computer science; Grid computing; Information security; Large-scale systems; National security; Prototypes; Resource management;

fLanguage

English

Publisher

ieee

Conference_Titel

Grid Computing, 2005. The 6th IEEE/ACM International Workshop on

Print_ISBN

0-7803-9492-5

Type

conf

DOI

10.1109/GRID.2005.1542719

Filename

1542719