A Layered Grid User Expression Model in Grid User Management
Limin Liu, Zhiwei Xu, Wei Li
Institute of Computing Technology, Chinese Academy of Sciences, Beijing, 100080, China
{liulm, zxu, liwei}@ict.ac.cn
Abstract. As a main component of the grid user management infrastructure, grid user expression is essential to realizing a practical user management system. In this paper we present a layered user expression model, the RUS model, and describe the user set and the expression method of each layer. We then give an application of the model and, finally, analyse its advantages for system administration and for users.
1 Introduction
Among the many research areas of grid systems, neither the GGF nor the Globus[6] research groups currently provide a grid user expression model. To manage users effectively and to support authentication, authorization and auditing of users, we present the RUS (Role-User-Session) user expression model, based on considerations of how a grid system is constructed and of its characteristics. The model solves the problems of expressing and managing grid subjects.
2 The Grid User Expression RUS Model
The RUS model divides user expression into three layers: the role layer, the user layer and the session layer.
2.1 Role layer
While a grid system is running, the grid users (subjects) can be divided into many roles: grid administrator, community or VO administrator, node administrator, service owner, user group administrator and common user. The user expression of the role layer should provide a semantic expression method. The role layer is the highest of the user expression layers, and its expression is a semantic one. For example, let a grid be a set of communities 1 to n, that is
$$G=\{C_1, C_2, \dots, C_K, \dots, C_n\}$$
Then the administrator of community $C_K$ is expressed as "Community CK Admin". Suppose the set of all user entities in grid G is U; all users of grid G are distributed over roles 1 to n:
$$R_G=\{R_1, R_2, \dots, R_K, \dots, R_n\}$$
where $R_i \subseteq U$, $R_i \neq \emptyset$ $(i=1,2,\dots,n)$ and
$$\bigcup_{i=1}^{n} R_i = U$$
Take role $R_k$ as an example; the number of users in it is $|R_k|$. As far as user entities are concerned (a user entity is a real user in the grid, identified by the globally unique ID of the session layer described below), we may have $R_i \cap R_j \neq \emptyset$ for $i \neq j$; that is, the user sets of different roles can intersect. $R_1, \dots, R_n$ is therefore a cover of the user entities of grid G, not a partition of them. Users in different role sets are the same user iff they have the same global ID.
2.2 User layer
The user layer is the middle layer of the RUS expression model. Its expression is similar to the character string typed when logging in to a system, but no two users within one administrative domain may have the same string name. The basic unit of user management is the community, or administrative domain. The user set of community $C_i$, expressed at the user layer, is
$$UC_i=\{U_1, \dots, U_k, \dots, U_m\}$$
For the whole user set U of grid G we have $UC_i \subseteq U$, $UC_i \neq \emptyset$ $(i=1,2,\dots,n)$ and
$$\bigcup_{i=1}^{n} UC_i = U, \qquad UC_i \cap UC_j = \emptyset \quad (i \neq j)$$
The user sets $UC_1, UC_2, \dots, UC_k, \dots, UC_n$ thus form a partition of all user entities in the grid. At the same time, a user entity should be allowed to register in different communities; a federation method can be used to merge the information about the user entity across those communities. There is a mapping between the role layer and the user layer, and it is many-to-many: many users can be mapped to one role, and one user can be mapped to many roles. The expression methods of the role layer and the user layer are user-oriented; the user name of the user layer corresponds to the external name of a grid user.
2.3 Session layer
The session-layer name identifies a user uniquely when the user requests a service or carries out other session activities. Considering the relation of user expression to user management, accounting and auditing, the session-layer expression of a user must include the following information:
the user's home community (communities may themselves be hierarchical), the user's home node and the user's identity information. For instance, the DN of a user's X.509 certificate is expressed as
Subject: O=Grid, O=Globus, OU=linux.ict.ac.cn, CN=lk252
This name gives the hierarchical name of the user's home community or VO together with the user's identity, "lk252". The session-layer expression name of a user is unique. (A certificate DN is only guaranteed unique within the namespace of the CA that issued it, so grid-wide uniqueness depends on the CAs trusted by the grid not issuing overlapping names.) Similarly, there is a mapping between the user sets of the user layer and the session layer, and this mapping is one-to-one.
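To make the set constraints of the three layers concrete, the following is an added example (not code from the paper) that models the role, user and session layers as a small data structure and checks the invariants stated above: logins unique within a community, the user-to-session mapping one-to-one, communities partitioning the entity set, and roles forming an overlapping cover of it. The community names, logins and DNs are constructed sample data, and the reading of the DN (O= components as the community hierarchy, OU= as the home node, CN= as the identity) is an assumption about the paper's example.

```python
# The RUS (Role-User-Session) layers of Section 2 as a checkable data structure.
# Added example, not code from the paper. Community names ("ict", "pku"),
# logins and DNs are constructed sample data; reading the DN with O= as the
# community hierarchy, OU= as the home node and CN= as the identity is an
# assumption about the paper's example.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SessionName:
    """Session-layer name: globally unique, carries home community and node."""
    dn: str
    community_path: Tuple[str, ...]  # O= components, outermost first
    home_node: str                   # OU= component
    user_id: str                     # CN= component


def parse_dn(dn: str) -> SessionName:
    """Split a subject DN of the paper's form into session-layer fields.
    Only O, OU and CN are read; escaped commas are assumed absent."""
    if dn.startswith("Subject:"):
        dn = dn[len("Subject:"):]
    parts: Dict[str, List[str]] = {"O": [], "OU": [], "CN": []}
    for rdn in dn.split(","):
        typ, _, val = rdn.strip().partition("=")
        if typ.upper() in parts:
            parts[typ.upper()].append(val.strip())
    if not parts["O"] or len(parts["OU"]) != 1 or len(parts["CN"]) != 1:
        raise ValueError(f"DN lacks community, home node or identity: {dn!r}")
    return SessionName(dn.strip(), tuple(parts["O"]), parts["OU"][0], parts["CN"][0])


@dataclass
class RUSModel:
    # user layer: community -> (login -> global ID); logins unique per community
    communities: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # role layer: role name -> set of global IDs; role sets may overlap
    roles: Dict[str, Set[str]] = field(default_factory=dict)

    def register(self, community: str, login: str, dn: str, *roles: str) -> SessionName:
        """Admit an entity to a community under a login and give it roles."""
        session = parse_dn(dn)  # rejects names that cannot serve as a global ID
        users = self.communities.setdefault(community, {})
        if login in users and users[login] != session.dn:
            raise ValueError(f"login {login!r} already taken in {community!r}")
        users[login] = session.dn
        for role in roles:
            self.roles.setdefault(role, set()).add(session.dn)
        return session

    def entities(self) -> Set[str]:
        """U: every global ID known to some community."""
        return {dn for users in self.communities.values() for dn in users.values()}

    def roles_of(self, dn: str) -> Set[str]:
        """Role layer <-> user layer is many-to-many: one entity, many roles."""
        return {role for role, members in self.roles.items() if dn in members}

    def check_invariants(self) -> List[str]:
        """List the Section 2 set constraints that the current data violates."""
        problems: List[str] = []
        home: Dict[str, str] = {}
        for community, users in self.communities.items():
            if not users:
                problems.append(f"community {community!r} is empty")
            # user layer -> session layer is one-to-one inside a community
            if len(set(users.values())) != len(users):
                problems.append(f"two logins in {community!r} share one global ID")
            # the communities partition U: one home community per entity
            for dn in users.values():
                if home.setdefault(dn, community) != community:
                    problems.append(f"{dn} is in both {home[dn]!r} and {community!r}")
        u, covered = self.entities(), set()
        for role, members in self.roles.items():
            if not members:
                problems.append(f"role {role!r} is empty")
            covered |= members
        # the roles cover U but need not partition it; overlap is allowed
        if u - covered:
            problems.append(f"entities with no role: {sorted(u - covered)}")
        if covered - u:
            problems.append(f"role members in no community: {sorted(covered - u)}")
        return problems


def build_example() -> RUSModel:
    """Constructed sample grid: two communities, the login lk252 reused in both."""
    m = RUSModel()
    m.register("ict", "lk252", "O=Grid, O=Globus, OU=linux.ict.ac.cn, CN=lk252",
               "Community ict Admin", "Common user")
    m.register("ict", "wang", "O=Grid, O=Globus, OU=node2.ict.ac.cn, CN=wang",
               "Common user")
    # same login string in another domain but a different DN: a different entity
    m.register("pku", "lk252", "O=Grid, O=Globus, OU=grid.pku.edu.cn, CN=lk252",
               "Common user")
    return m
```

Running `build_example().check_invariants()` on the constructed data returns an empty list; registering an entity without any role, or copying one DN into a second community, makes the corresponding violation appear, which is the check an administrator would run after a federation merge.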
3 The Application and Advantages of the RUS Model
The three layers described above represent the grid user space. At the service level there is also a local user space of the service or resource. Limited by current native operating systems and runtime environments, when a grid user requests a service or resource there must be a local account to which the user is mapped at the service or resource level. This mapping can be one-to-one or many-to-one, and it is governed by the policy of the service or resource. To support various mapping policies, the user expression names of all three layers of the grid user space can be mapped to the local account at the service level simultaneously; that is, a lower layer does not strictly hide the upper layers. The mapping is illustrated in Fig. 1.
Fig. 1. The mapping relationship between a grid user and a service local account: the role-layer, user-layer and session-layer names of the grid user space each map to the local account of the service-layer user space.
The RUS model defines the user space at the different layers. To support a user entity's session, the data structure representing an active user entity must include the information of all three layers. From the discussion above, the RUS model has the following advantages:
1) Supports multi-granularity user access control. The RUS model gives great flexibility to user access control: fine-grained access control can be applied to a single user entity, as in Globus, and various coarse-grained access controls can be maintained as well. For example, access control can be based on a role-layer user name: {"Project X users", R, W, E}.
2) Presents a friendly means for user interaction. Grid users sometimes need to interact with other user entities, for example to request a privilege from a resource owner or to pass messages among coordinating users. With the RUS model such interaction is realized conveniently: a user interacting with other users need not remember and supply their session-layer names but can use their role-layer or user-layer names instead.
3) Supports Single Sign-On (SSO) and the 3A (Anywhere, Anytime, Any device) mode of use. Because every user entity has a unique ID name and the user's information gives its home community and node, when the user logs on to an arbitrary community's user management service or roams among communities, the user management service can parse the user's home node out of the user's data structure. SSO can thus be realized within a community and across communities. The user need not be concerned about his location; he only needs to present his unique ID and can then use the grid. The unique ID can be held on a very portable device, such as a key, which is easy to integrate into any grid access device.
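The service-level mapping of Fig. 1 and the multi-granularity access control of advantage 1) can be shown together. The following is an added example, not the paper's code: an active-user record carrying all three layer names, a mapping table in which each rule keys on one layer (so a DN maps one-to-one while a role or community maps many-to-one), and an allow-only ACL whose entries may be as fine as a session name or as coarse as a role such as {"Project X users", R, W, E}. The record layout, the precedence order (session, then user, then role layer), the account names and the sample users are assumptions made for the example.

```python
# Service-level mapping of a grid user to a local account, and access control
# at several granularities (Section 3). Added example; not the paper's code.
# The ActiveUser record, the rule and ACL tables, the local account names and
# the precedence order (session, then user, then role layer) are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ActiveUser:
    """Data structure of an active entity: carries all three layer names."""
    roles: FrozenSet[str]   # role layer, e.g. "Project X users"
    community: str          # user layer: administrative domain
    login: str              # user layer: name, unique within the community
    session_id: str         # session layer: globally unique DN
    home_node: str          # home node carried in the session name (for SSO)

    def subjects(self) -> FrozenSet[Tuple[str, str]]:
        """Every (layer, name) under which this entity can be addressed."""
        return frozenset({("session", self.session_id),
                          ("user", f"{self.community}/{self.login}")}
                         | {("role", r) for r in self.roles})


# A mapping rule keys on one layer, so all three layers can map to local
# accounts at once: a DN one-to-one, a whole role or community many-to-one.
MappingRule = Tuple[str, str, str]            # (layer, name, local account)
AclEntry = Tuple[str, str, FrozenSet[str]]    # (layer, name, permissions)
LAYER_ORDER = ("session", "user", "role")     # most specific layer first


def map_to_local_account(user: ActiveUser, rules: List[MappingRule]) -> Optional[str]:
    """Pick the local account by the most specific matching rule, or None."""
    subjects = user.subjects()
    for layer in LAYER_ORDER:
        for rule_layer, name, account in rules:
            if rule_layer == layer and (layer, name) in subjects:
                return account
    return None


def permitted(user: ActiveUser, acl: List[AclEntry], op: str) -> bool:
    """Allow if any entry at any granularity grants op (allow-only ACL)."""
    subjects = user.subjects()
    return any((layer, name) in subjects and op in perms
               for layer, name, perms in acl)


def authorize_request(user: ActiveUser, rules: List[MappingRule],
                      acl: List[AclEntry], op: str) -> Optional[str]:
    """Authorize first, then map: a denied user never receives a local account."""
    if not permitted(user, acl, op):
        return None
    return map_to_local_account(user, rules)


# Constructed sample policy and users (not from the paper).
RULES: List[MappingRule] = [
    ("session", "O=Grid, O=Globus, OU=linux.ict.ac.cn, CN=lk252", "lk252"),  # one-to-one
    ("user", "ict/wang", "wang"),
    ("role", "Project X users", "projx"),                                  # many-to-one
]
ACL: List[AclEntry] = [
    ("role", "Project X users", frozenset("RWE")),   # {"Project X users", R, W, E}
    ("session", "O=Grid, O=Globus, OU=linux.ict.ac.cn, CN=lk252", frozenset("R")),
]
LK252 = ActiveUser(frozenset({"Community ict Admin", "Common user"}), "ict", "lk252",
                   "O=Grid, O=Globus, OU=linux.ict.ac.cn, CN=lk252", "linux.ict.ac.cn")
WANG = ActiveUser(frozenset({"Common user", "Project X users"}), "ict", "wang",
                  "O=Grid, O=Globus, OU=node2.ict.ac.cn, CN=wang", "node2.ict.ac.cn")
LIU = ActiveUser(frozenset({"Project X users"}), "pku", "liu",
                 "O=Grid, O=Globus, OU=grid.pku.edu.cn, CN=liu", "grid.pku.edu.cn")
ZHAO = ActiveUser(frozenset({"Common user"}), "pku", "zhao",
                  "O=Grid, O=Globus, OU=grid.pku.edu.cn, CN=zhao", "grid.pku.edu.cn")

if __name__ == "__main__":
    for u in (LK252, WANG, LIU, ZHAO):
        print(u.community, u.login, "->", authorize_request(u, RULES, ACL, "W"))
```

With the constructed tables, wang is mapped to the account "wang" by the user-layer rule even though the role rule would also match, liu falls through to the shared "projx" account, and zhao, who matches no rule and no ACL entry, is refused. Authorization is evaluated before the account lookup so that the many-to-one role mapping never hands out a local account to an entity the ACL does not cover.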
4 Conclusions and Future Work
As discussed above, the RUS model can support the concept of a grid process, because a user entity has a unique, scalable data structure, and it can also solve the scalability problem of user management. We are now implementing a practical user management system using the RUS model. As a next step we will consider the policy and context factors of a community and integrate the RUS model into policy decision and context generation.
References
1. Foster, I., Kesselman, C., Tuecke, S.: The Anatomy of the Grid: Enabling Scalable Virtual Organizations. International Journal of High Performance Computing Applications 15(3), 200-222 (2001)
2. Pearlman, L., Welch, V., Foster, I., Kesselman, C.: A Community Authorization Service for Group Collaboration. IEEE Workshop on Policies for Distributed Systems and Networks (2002)
3. Privilege and Role Management Infrastructure Standards Validation: http://www.permis.org
4. Alfieri, R., Cecchini, R., Ciaschini, V., dell'Agnello, L., Gianoli, A., Spataro, F.: Managing Dynamic User Communities in a Grid of Autonomous Resources: http://wwwconf.slac.stanford.edu/chep03/register/administrator/papers/papers/TUBT005.PDF
5. Xu, Z.: A Model of Grid Address Space with Applications (in Chinese). Journal of Computer Research and Development, Vol. 6 (2003)
6. http://www.globus.org
7. http://www.globalgridforum.org