Title: Authorisation and identity mapping services for the Open Science Grid
Authors: Markus Lorch, Dennis Kafura, Ian Fisk, Kate Keahey, Tim Freeman, Abhishek Singh Rana, Frank Würthwein
Addresses: IBM Deutschland Entwicklung GmbH, 71032 Boeblingen, Germany; Formerly Department of Computer Science, Virginia Tech, 24061 VA, USA. ' Department of Computer Science, Virginia Tech, 24061 VA, USA. ' Computing Division, Fermi National Accelerator Laboratory, Batavia, 60510 IL, USA. ' Mathematics and Computer Science Division, Argonne National Laboratory, Chicago, IL 60439, USA. ' Department of Computer Science, University of Chicago, Chicago, 60637 IL, USA.' Department of Physics, University of California, San Diego, CA 92093, USA.' Department of Physics, University of California, San Diego, CA 92093, USA
Abstract: An attribute-based authorisation infrastructure developed for the Open Science Grid (OSG) is presented. The infrastructure integrates existing identity-mapping and group-membership services using concepts prototyped in the PRIMA system. Authorisation scenarios for requests to compute and data resources are detailed. A new SAML obligated authorisation decision statement is introduced that attaches an XACML obligation to the authorisation decision. The use of obligations enables site-centralised, service-independent policy management. Authorisation decisions are enforced via a Workspace Service that creates constrained execution environments configured in accordance with the obligations and other attribute-based information. Finally, an experimental PRIMA authorisation service that extends and simplifies the infrastructure is described.
Keywords: authorisation; grid security; attribute-based security; grid computing; identity mapping; open science grid; OSG; group membership services.
DOI: 10.1504/IJHPCN.2008.020859
International Journal of High Performance Computing and Networking, 2008 Vol.5 No.3, pp.144 - 155
Published online: 19 Oct 2008 *
Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article