DOI: 10.1109/GRID.2008.4662787

Authorisation infrastructure for on-demand network resource provisioning

Published: 29 September 2008

Abstract

High performance Grid applications require a high speed network infrastructure that is capable of providing network connectivity services on demand. This paper presents results of the development of the Authorisation (AuthZ) infrastructure for on-demand multidomain network resource provisioning (NRP). We propose a general Complex Resource Provisioning (CRP) model that can be used as a basis for AuthZ infrastructure development, providing a common abstraction for provisioning both network and Grid resources. This model allows common policy expressions, using single user sign-on credentials when requesting and accessing complex Grid-Network resources. The implementation described is based on the generic AAA Authorisation Framework (GAAA-AuthZ) and suggests a number of security mechanisms and components that extend GAAA-AuthZ to achieve consistent policy enforcement and security context management: a Token Validation Service (TVS), an AuthZ ticket used for AuthZ session management, a special XACML profile for NRP, and a reference model for policy obligations handling (OHRM). The proposed infrastructure and solutions are being implemented in the framework of the EU project Phosphorus and draw on the authors' experience gained from major Grid-based and Grid-oriented projects.


Cited By

  • (2009) XACML policy profile for multidomain network resource provisioning and supporting authorisation infrastructure. Proceedings of the 10th IEEE International Conference on Policies for Distributed Systems and Networks, pp. 98-101. DOI: 10.5555/1812664.1812687. Online publication date: 20-Jul-2009.
  • (2009) Supporting communities in programmable grid networks. Proceedings of the 11th IFIP/IEEE International Symposium on Integrated Network Management, pp. 406-413. DOI: 10.5555/1688933.1688996. Online publication date: 1-Jun-2009.
  • (2009) Multi-domain lightpath authorization, using tokens. Future Generation Computer Systems 25(2), pp. 153-160. DOI: 10.1016/j.future.2008.07.013. Online publication date: 1-Feb-2009.

Published In

Guide Proceedings
GRID '08: Proceedings of the 2008 9th IEEE/ACM International Conference on Grid Computing
September 2008
416 pages
ISBN:9781424425785

Publisher

IEEE Computer Society

United States

Qualifiers

  • Article
