Article Preview
Top1. Introduction
Grid is an integration infrastructure for sharing and coordinated use of diverse resources in dynamic, distributed virtual organizations (VOs) (Foster et al., 2001). A Data Grid is an architecture for the access, exchange, and sharing of data in the Grid environment. It facilitates the coordination and sharing of a large number of geographically distributed heterogeneous data sets across different domains in a controlled and secure manner (Foster & Grossman, 2003). Distributed data resources can be diverse in their formats, schema, quality, access mechanisms, ownership, access policies, and capabilities. As more and more organizations are participating in the Data Grids and sharing their resources, the complexity and heterogeneity of the systems is increasing constantly, and there is a clear need for standardized mechanisms to manage access control for the shared resources (Clemente et al., 2006).
The Database Access and Integration Services-Working Group (DAIS-WG) of the Global Grid Forum (renamed to Open Grid Forum (OGF)) is developing the standards for Grid interface to data resources (Malaika et al., 2003). The Open Grid Services Architecture - Data Access and Integration (OGSA-DAI) (Atkinson et al., 2005) provides the first implementation for these emerging standards, and supports query/transaction processing.
Currently, OGSA-DAI supports role-based access control (RBAC) (Ferraiolo & Kuhn, 1992; Sandhu et al., 1996) via a role-map file that maps individual Grid users to database roles. In this case, each resource provider has to maintain a role-map file to authorize access to its resources. This method of access control is not suitable for VOs, because both users and resources are dynamic in VOs. Managing up-to-date access control information of the users by each and every resource provider is a difficult task. Multiple entries in multiple role-map files may need to be updated if new users are allowed to access multiple data resources or if the access privileges of current users change. This puts an unnecessary burden on the resource providers when both the users and resource providers belong to multiple VOs. Furthermore, there are unnecessary overheads on the server side whenever users make invalid requests. This is because users are mapped to local roles and connected to the resource without first verifying their requests against their access privileges.
Several improvements to the current OGSA-DAI’s access control method have been proposed (Pereira et al., 2006, 2007; Muppavarapu et al., 2010). In Pereira et al. (2006, 2007), we described how the Community Authorization Service (CAS) (Pearlman et al., 2002) can be used to RBAC in the OGSA-DAI framework. In Muppavarapu et al. (2010), we described how Shibboleth (Welch et al., 2005) and eXtensible Access Control Markup Language (XACML) (OASIS XACML, 2005) can be used for specifying the RBAC policies for distributed administration. Shibboleth is an attribute authorization service and is designed to provide user attributes to the resources for access control, and it mainly targets the Internet-based resources (Welch et al., 2005). XACML is a standard of the Organization for the Advancement of Structured Information Standards (OASIS) for describing the access control policies uniformly across different security domains (OASIS XACML, 2005). We used the Core and Hierarchical RBAC profile of XACML (OASIS, 2005) to specify the access control policies for multiple VOs.