Authorization for metacomputing applications

One of the most difficult problems to be solved by metacomputing systems is to ensure strong authentication and authorization. The problem is complicated since the hosts involved in a metacomputing environment often span multiple administrative domains, each with its own security policy. This paper presents a distributed authorization model used by our resource allocation system, the Prospero resource manager. The main components of our design are extended access control lists (EACLs) and a general authorization and access application programming interface (GAA API). EACLs extend conventional ACLs to allow conditional restrictions on access rights. In the case of the Prospero resource manager, specific restrictions include limits on the computational resources to be consumed and on the characteristics of the applications to be executed by the system, such as name, version or endorser. The GAA API provides a general framework for applications to access the EACLs. We have built a prototype of the system