In this paper, we propose a fine-grained access control system for data resources in the Storage Resource Broker (SRB). The SRB is a Data Grid management system that integrates the heterogeneous data resources of virtual organizations (VOs). The SRB stores the access control information of individual users in its Metadata Catalog (MCAT) database; because this information is tied to the MCAT schema, only SRB applications can use it. When a VO also runs many non-SRB applications, each with its own storage format for user access control information, the result is an administrative scalability problem: every user has to be provisioned and maintained separately in every system. To solve this problem, we use Shibboleth, an attribute authorization service. With Shibboleth, the user's authentication and access control attributes are obtained from the user's home institution, so the administration overhead is reduced: each user's access control information is managed by the home institution alone, not by MCAT or by each application. Shibboleth also allows access control decisions to be based on user attributes such as role memberships and institutional affiliation rather than on the user's identity. Our system therefore provides scalable, fine-grained access control while allowing privacy protection. Performance analysis shows that it adds only a small overhead to the existing security infrastructure of the SRB.
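The attribute-based decision described above, as an added example (written here, not code from the paper, the SRB, or Shibboleth): a small policy engine that grants or denies an action on an SRB-style collection path from the attributes a Shibboleth attribute authority would release, without consulting any user identifier. The issuer URL, collection paths, entitlement URNs and the policy schema are assumptions made for illustration; eduPersonAffiliation and eduPersonEntitlement are the standard eduPerson attribute names. The example also shows two checks the abstract implies but does not spell out: an assertion from an issuer outside the trusted federation list is rejected before any attribute is examined, and dropping an entitlement at the home institution revokes access without any change to MCAT.

```python
from dataclasses import dataclass

# Home-institution attribute authorities whose assertions we accept.
# Constructed list; in a deployment this comes from federation metadata
# whose signing keys were verified out of band.
TRUSTED_ISSUERS = frozenset({"https://idp.example-university.edu/shibboleth"})


@dataclass(frozen=True)
class AttributeAssertion:
    """Attributes released by the user's home institution.

    Deliberately carries no user identifier: the decision below is made on
    attributes alone, which is what gives the scheme its privacy property.
    Signature verification of the assertion is assumed to have happened
    before this object is built (hypothetical trust boundary).
    """
    issuer: str
    attributes: dict  # attribute name -> frozenset of asserted values


@dataclass(frozen=True)
class Rule:
    """Grant `actions` on every resource under `resource_prefix` when, for
    each required attribute, at least one asserted value is acceptable."""
    resource_prefix: str
    actions: frozenset
    required: dict  # attribute name -> frozenset of acceptable values


# Hypothetical policy for one VO's collections. Paths and entitlement URNs
# are made up; the attribute names are standard eduPerson attributes.
POLICY = (
    Rule("/vo/climate/public/", frozenset({"read"}),
         {"eduPersonAffiliation": frozenset({"member", "faculty", "staff", "student"})}),
    Rule("/vo/climate/raw/", frozenset({"read"}),
         {"eduPersonEntitlement": frozenset({"urn:example:vo:climate:analyst",
                                             "urn:example:vo:climate:curator"})}),
    Rule("/vo/climate/raw/", frozenset({"read", "write"}),
         {"eduPersonEntitlement": frozenset({"urn:example:vo:climate:curator"})}),
)


def rule_matches(rule, assertion):
    """True when every required attribute has an acceptable asserted value."""
    for name, acceptable in rule.required.items():
        asserted = assertion.attributes.get(name, frozenset())
        if not (asserted & acceptable):
            return False
    return True


def decide(assertion, resource, action, policy=POLICY):
    """Return (permit, reason). Default deny: if no rule matches, access is refused.

    The issuer check runs first so that attributes from an untrusted
    authority are never evaluated against the policy at all.
    """
    if assertion.issuer not in TRUSTED_ISSUERS:
        return False, f"untrusted issuer {assertion.issuer}"
    for rule in policy:
        if not resource.startswith(rule.resource_prefix):
            continue
        if action not in rule.actions:
            continue
        if rule_matches(rule, assertion):
            return True, f"{action} on {rule.resource_prefix} granted via {sorted(rule.required)}"
    return False, f"no rule grants {action} on {resource}"


def faculty_analyst():
    """Constructed assertion: a faculty member holding the analyst entitlement."""
    return AttributeAssertion(
        issuer="https://idp.example-university.edu/shibboleth",
        attributes={
            "eduPersonAffiliation": frozenset({"member", "faculty"}),
            "eduPersonEntitlement": frozenset({"urn:example:vo:climate:analyst"}),
        },
    )


if __name__ == "__main__":
    user = faculty_analyst()
    for res, act in [("/vo/climate/public/readme.txt", "read"),
                     ("/vo/climate/raw/run42.nc", "read"),
                     ("/vo/climate/raw/run42.nc", "write")]:
        print(res, act, decide(user, res, act))
```

Because the decision is recomputed from the attributes presented in each session, deprovisioning a user at the home institution takes effect at the next login with no MCAT update. `decide` returns the rule that fired as a reason string so an audit log can record why access was granted without recording who the user was.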