Toward an On-Demand Restricted Delegation Mechanism for Grids

  • Authors:
  • Mehran Ahsant
  • Jim Basney
  • Olle Mulmo
  • Adam Lee
  • Lennart Johnsson

  • Affiliations:
  • Mehran Ahsant: Center for Parallel Computers, Royal Institute of Technology, Valhallavägen 79, 10044 Stockholm, Sweden. mehrana@pdc.kth.se
  • Jim Basney: National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign, 1205 W. Clark St., Urbana, IL 61801 USA. jbasney@ncsa.uiuc.edu
  • Olle Mulmo: Center for Parallel Computers, Royal Institute of Technology, Valhallavägen 79, 10044 Stockholm, Sweden. mulmo@pdc.kth.se
  • Adam Lee: Department of Computer Science, University of Illinois at Urbana-Champaign, 201 N. Goodwin Ave., Urbana, IL 61801 USA. adamlee@cs.uiuc.edu
  • Lennart Johnsson: Center for Parallel Computers, Royal Institute of Technology, Valhallavägen 79, 10044 Stockholm, Sweden. johnsson@pdc.kth.se

  • Venue:
  • GRID '06 Proceedings of the 7th IEEE/ACM International Conference on Grid Computing
  • Year:
  • 2006

Abstract

Grids are intended to enable cross-organizational interactions, which makes Grid security a challenging and non-trivial issue. In Grids, delegation is a key facility that can be used to authenticate and authorize requests on behalf of disconnected users. In current Grid systems there is a trade-off between flexibility and security in the context of delegation. Applications must choose between limited or full delegation: on one hand, delegating a restricted set of rights reduces exposure to attack but also limits the flexibility/dynamism of the application; on the other hand, delegating all rights provides maximum flexibility but increases exposure. In this paper, we propose an on-demand restricted delegation mechanism, aimed at addressing the shortcomings of current delegation mechanisms by providing restricted delegation in a flexible fashion as needed for Grid applications. This mechanism provides an ontology-based solution for tackling one of the most challenging issues in security systems, which is the principle of least privilege. It utilizes a callback mechanism, which allows on-demand provisioning of delegated credentials in addition to observing, screening, and auditing delegated rights at runtime. This mechanism provides support for generating delegation credentials with a very limited and well-defined range of capabilities or policies, where a delegator is able to grant a delegatee a set of restricted and limited rights, implicitly or explicitly.
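The callback-driven, on-demand pattern the abstract describes, as an added illustration that is not the authors' implementation: the delegatee asks for one specific right only when it needs it, the delegator screens the request against a policy, issues a narrowly scoped and short-lived credential, and records an audit entry. The policy table, the signing key and HMAC signing are constructed stand-ins for the paper's ontology and for proxy-certificate signing.

```python
import hashlib
import hmac
import json
import time

DELEGATOR_KEY = b"constructed-demo-key"  # placeholder; a real delegator signs with its proxy key
# Constructed policy: which resources each right may be delegated for.
POLICY = {"job-submit": {"cluster-a"}, "file-read": {"/scratch/user1"}}


def sign(body: dict) -> str:
    """HMAC over a canonical JSON body; stands in for a certificate signature."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DELEGATOR_KEY, msg, hashlib.sha256).hexdigest()


class Delegator:
    def __init__(self, policy, clock=time.time):
        self.policy, self.clock, self.audit = policy, clock, []

    def callback(self, delegatee, right, resource, ttl=300):
        """Invoked by the delegatee at runtime; returns a restricted credential or None."""
        allowed = resource in self.policy.get(right, set())
        self.audit.append({"delegatee": delegatee, "right": right,
                           "resource": resource, "granted": allowed, "at": self.clock()})
        if not allowed:
            return None
        body = {"sub": delegatee, "right": right, "resource": resource, "exp": self.clock() + ttl}
        return {"body": body, "sig": sign(body)}


def verify(cred, right, resource, now):
    """Resource-side check: signature, scope and lifetime must all hold."""
    if cred is None:
        return False
    body = cred["body"]
    if not hmac.compare_digest(sign(body), cred["sig"]):
        return False
    return body["right"] == right and body["resource"] == resource and now < body["exp"]


def demo():
    d = Delegator(POLICY, clock=lambda: 1000.0)  # fixed clock for a deterministic run
    ok = d.callback("user1", "job-submit", "cluster-a")      # within policy: granted
    denied = d.callback("user1", "job-submit", "cluster-b")  # outside policy: refused
    return {
        "granted": verify(ok, "job-submit", "cluster-a", 1100.0),
        "denied": denied is None,
        "wrong_scope": verify(ok, "job-submit", "cluster-b", 1100.0),  # scope enforced
        "expired": verify(ok, "job-submit", "cluster-a", 2000.0),      # lifetime enforced
        "audit_entries": len(d.audit),                                 # both requests logged
    }
```

Compared with delegating a full proxy up front, the credential that leaves the delegator here is useless at any other resource and lapses after its lifetime, and every grant or refusal is visible in the audit log.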