Currently, one of the main security problems within grid environments is the lack of mechanisms for defining
and implementing grid security policies. This results mainly from the general complexity of securing
open network environments. It is also significant that grid technologies are relatively new and
solutions to many core problems have not been found yet. Therefore, as the general field of grid security lacks
sufficient standards, and often even specifications, any security service must be able to cooperate with
various solutions in order to be applicable in practice. Additionally, it should be possible to use this service
with solutions and standards that are not available today. To solve this problem, an appropriate authorization
service has to be introduced. The main research effort in the Security Workpackage is focused on developing a flexible,
manageable and robust authorization service, called the Grid(Lab) Authorization Service
(GAS), and introducing it to the GridLab technologies and testbed.
See GAS placement on the GridLab architecture below:
The main goal of GAS is to provide functionality that can fulfill most authorization requirements
of grid computing environments. GAS is designed as a trusted single logical point for defining security
policy for complex grid infrastructures. As flexibility is a key requirement, it must be able to implement
various security scenarios, based on push or pull models, simultaneously.
Secondly, GAS is intended to be independent of the specific technologies used at lower layers,
and it should be fully usable in environments based on Globus (supporting a compatibility scenario with CAS)
as well as other toolkits. The high level of flexibility is achieved mainly through the modular design of GAS.
It is divided into five logical components, with the main GAS core module (Core Functionality) responsible for making
authorization decisions based on the defined security policy, which is maintained as a set of permissions
for specific subjects (e.g. user) and objects (e.g. resource).
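An added sketch (not GAS code, and not from the GridLab project) of how one policy store can serve the pull and push models at the same time. All names, the sample policy and the HMAC-signed assertion format are assumptions made for illustration; the page does not describe GAS's actual interfaces or token format.

```python
import hashlib
import hmac
import json
import time

# Constructed sample policy: (subject, object, permission) triples plus role membership.
PERMISSIONS = {("role:physicist", "cluster-a", "submit_job"),
               ("alice", "storage-1", "read")}
ROLES = {"alice": {"role:physicist"}, "bob": set()}
SIGNING_KEY = b"constructed-demo-key"  # assumption: key shared by the service and resources


def decide(subject, obj, action):
    """Core decision: deny unless the subject or one of its roles holds the permission."""
    principals = {subject} | ROLES.get(subject, set())
    return any((p, obj, action) in PERMISSIONS for p in principals)


def pull_access(subject, obj, action):
    """Pull model: the resource asks the authorization service at access time."""
    return decide(subject, obj, action)


def issue_assertion(subject, obj, action, ttl=300, now=None):
    """Push model, step 1: the user obtains a signed, short-lived assertion."""
    if not decide(subject, obj, action):
        return None
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "obj": obj, "act": action,
                       "exp": now + ttl}, sort_keys=True)
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def push_access(assertion, subject, obj, action, now=None):
    """Push model, step 2: the resource verifies the presented assertion locally."""
    if assertion is None:
        return False
    body, tag = assertion
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    claims = json.loads(body)
    now = time.time() if now is None else now
    return (claims["exp"] > now and
            (claims["sub"], claims["obj"], claims["act"]) == (subject, obj, action))
```

In the push path a policy change only takes effect once outstanding assertions expire, which is why the lifetime is kept short; the pull path sees changes immediately.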
The general GAS architecture:
The remaining components are responsible for: managing security policy (Management Components), communication between
users/applications/services and GAS (Communication Components), integration with a database system where policy
information is stored (Database with Policy Security), and interaction with other security solutions such as authentication services
(Integration with Security Solutions).
GAS key features
- Designed to fulfill the specific requirements of grid-based computing environments,
- Trusted single logical point for managing security policy for a virtual organization,
- Independent of the specific technologies applied to build a grid infrastructure,
- Support for different scenarios of using GAS, with the possibility of applying them simultaneously within a single virtual organization,
- Modular structure that allows new modules to be introduced for communication, database support, service management, and integration with external security solutions (e.g. GSI-enabled Web Service, SAML, XACML, and many others).
Main functionality of GAS ver. 1.0b
- Built-in RAD (Resource Access Decision) authorization security model,
- Initial support for RBAC (Role Based Access Control) authorization security model,
- Ability to receive authorization decisions from GAS,
- Ability to generate a logical part of security policy from GAS,
- Support for GAS server administration,
- Example user-friendly clients, including a GridSphere-based portlet, a GTK-based client and a command-line client.
Integration with Security Solutions:
- Access over a GSI-enabled Web Service interface is available (e.g. C clients over gSOAP and Java clients over Axis/GT3 libraries to get access to GAS),
- Access over our own protocol based on the GSI protocol.
Database with Policy Security:
- MySQL is used for storing the security policy, accessed over unixODBC drivers.
- GAS is an open source product!
History of GAS
- The first specification of GAS was presented in July 2002.
- Development of GAS was started in October 2002.
- The first prototype was delivered in April 2003.
- The functionality of the first release was finished in January 2004.
GridLab: Grid Application Toolkit and Testbed
is co-funded by the European Commission under the Fifth Framework Programme
Web admin: Petr Holub, web design: Radoslaw Strugalski
Last update on Tuesday, 05-Apr-2005 13:39:52 CEST.