
Grid Security

Introduction


Currently, one of the main security problems in grid environments is the lack of mechanisms for defining and implementing grid security policies. This results mainly from the general complexity of securing open network environments. It also matters that grid technologies are relatively new and solutions to many core problems have not yet been found. Because the field of grid security lacks sufficient standards, and often even specifications, any security service must be able to cooperate with various solutions in order to be applicable in practice. It should also be possible to use this service with solutions and standards that are not available today. To solve this problem, an appropriate authorization service has to be introduced. The main research effort in the Security Workpackage is focused on developing a flexible, manageable and robust authorization service, the Grid(Lab) Authorization Service (GAS), and introducing it to the GridLab technologies and testbed.

The placement of GAS in the GridLab architecture is shown below:

[Figure: gridlab_gas.jpg]


GAS overview


The main goal of GAS is to provide functionality able to fulfill most authorization requirements of grid computing environments. GAS is designed as a trusted single logical point for defining the security policy of complex grid infrastructures. As flexibility is a key requirement, it is meant to be able to implement various security scenarios, based on push or pull models, simultaneously.

Secondly, GAS is designed to be independent of the specific technologies used at lower layers, and it should be fully usable in environments based on Globus (supporting a compatibility scenario with CAS) as well as other toolkits. The high level of flexibility is achieved mainly through the modular design of GAS. It is divided into five logical components; the main GAS core module (Core Functionality) is responsible for making authorization decisions based on the defined security policy, which is maintained as a set of permissions for specific subjects (e.g. a user) and objects (e.g. a resource).

The general GAS architecture:



The remaining components are responsible for: managing the security policy (Management Components), communication between users/applications/services and GAS (Communication Components), integration with a database system where policy information is stored (Database with Policy Security), and interaction with other security solutions such as authentication services (Integration with Security Solutions).
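To illustrate the push and pull models (in the usual sense of those terms) and the subject/object permission policy described above, here is an added sketch, not GAS code and not its API: one policy answers direct queries from a resource (pull) and also issues signed assertions that a resource verifies locally (push). All names, the sample policy and the shared HMAC key are assumptions made for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed sample policy: roles grant (object, action) pairs, subjects hold roles.
ROLE_PERMS = {
    "operator": {("cluster-a", "submit"), ("cluster-a", "status")},
    "auditor": {("cluster-a", "status")},
}
SUBJECT_ROLES = {"alice": {"operator"}, "bob": {"auditor"}}
# Assumption: the authorization service and the resource share this key.
# A grid deployment would use public-key signatures instead.
SERVICE_KEY = b"constructed-demo-key"


def permitted(subject):
    """All (object, action) pairs the policy grants to a subject."""
    roles = SUBJECT_ROLES.get(subject, set())
    return set().union(*(ROLE_PERMS.get(r, set()) for r in roles))


def decide(subject, obj, action):
    """Pull model: the resource asks the service for each decision."""
    return (obj, action) in permitted(subject)


def issue_assertion(subject, obj, ttl=300, now=None):
    """Push model: the service signs the subject's rights on one object."""
    now = time.time() if now is None else now
    actions = sorted(a for o, a in permitted(subject) if o == obj)
    claims = {"sub": subject, "obj": obj, "act": actions, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def check_assertion(body, tag, obj, action, now=None):
    """Resource side of the push model: verify locally, deny by default."""
    now = time.time() if now is None else now
    expected = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # altered or unsigned assertion
    claims = json.loads(body)
    return claims["obj"] == obj and action in claims["act"] and now < claims["exp"]
```

In the pull path a policy change takes effect on the next query, while in the push path an issued assertion stays valid until it expires, so the lifetime bounds how long a revoked permission can still be used.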

GAS key features

  • Designed to fulfill the specific requirements of grid-based computing environments,
  • Trusted single logical point for managing the security policy of a virtual organization,
  • Independent of the specific technologies applied to build a grid infrastructure,
  • Support for different scenarios of using GAS, with the possibility of applying them simultaneously within a single virtual organization,
  • Modular structure that allows new modules to be introduced for communication, database support, service management and integration with external security solutions (e.g. GSI-enabled Web Service, SAML, XACML, and many others).

Main functionality of GAS ver. 1.0b

Core functionality:
  • Built-in RAD (Resource Access Decision) authorization security model,
  • Initial support for the RBAC (Role Based Access Control) authorization security model,
  • Ability to receive authorization decisions from GAS,
  • Ability to generate a logical part of the security policy from GAS.

Management Components:
  • Support for GAS server administration,
  • Example user-friendly clients, including a GridSphere-based portlet, a GTK-based client and a command-line client.

Integration with Security Solutions:
  • Access over a GSI-enabled Web Service interface is available (e.g. C clients over gSOAP and Java clients over Axis/GT3 libraries to get access to GAS),
  • Access over our own protocol, based on the GSI protocol.

Database with Policy Security:
  • MySQL is used to store the security policy, accessed through unixODBC drivers.

GAS is an open source product!


History of GAS


  • The first specification of GAS was presented in July 2002.
  • Development of GAS was started in October 2002.
  • The first prototype was delivered in April 2003.
  • The functionality of the first release was finished in January 2004.




GridLab: Grid Application Toolkit and Testbed is co-funded by the European Commission under the Fifth Framework Programme (IST-2001-32133).
Web admin: Petr Holub, web design: Radoslaw Strugalski

Last update on Tuesday, 05-Apr-2005 13:39:52 CEST.