A PKI-based Scalable Security Infrastructure for Scalable Grid

Lican Huang and Zhaohui Wu
College of Computer Science and Technology, Zhejiang University, Hangzhou, PRC
{lchuang,wzh}@cs.zju.edu.cn

Abstract. Scalable security is a vitally important issue for a scalable Grid. Several problems must be solved for scalable Grid security, such as mapping global subjects to local subjects, the centralized certificate authority center, the large number of users, and the many heterogeneous security policies. In this paper, we present a scalable Grid security infrastructure (SGSI) to solve the above problems. We describe the models and related protocols for scalable Grid authentication and authorization.

1 Introduction

Security is a very important issue for a large-scale wide-area system, especially a Grid [1]. Because the core issues of Grid security are very hard, they are far from solved. When a Grid system becomes large scale and has many heterogeneous security policies, these issues become even harder. The security policies of Grid nodes may be role-based access control (RBAC), Bell-LaPadula, and so on; how to integrate different security policies is also a big issue. When a Grid system is large, how to map huge numbers of global subjects to local subjects is another problem. A centralized certificate authority center is not suitable for a scalable Grid system. When a Grid system has a huge number of users, access control for Grid services becomes a very hard issue. We have proposed a scalable Grid architecture, VDHA (virtual and dynamic hierarchical architecture) [2]. Here, we present a Scalable Grid Security Infrastructure (SGSI) to solve the above problems, which is suitable for scalable Grids, especially for our scalable VDHA-based Grid prototype system, VDHA Grid.

2 Scalable Grid Security Infrastructure

We mainly deal here with authentication and authorization. In our SGSI [2], there is no global-to-local mapping table; each Grid node acts as the CA for itself and for the users it owns, so certification is managed entirely locally. Authorization, auditing and so on are also managed autonomously and locally, and we adopt some methods to avoid the problem of a large number of user accounts.


2.1 Formal Definitions

Grid node (denoted p), entrance node (denoted ent), owner node (denoted ow), user (denoted user) and client host (denoted cli) are defined in the paper [2].

Definition 1. Grid service (denoted s). The service provided for consumers. s_ij is owned by p_i; S_i = {s_ij | s_ij owned by p_i}; S = {s_ij | s_ij owned by p_i, p_i ∈ P}.

Definition 2. Security policy (denoted sp). The security policy for a Grid service; sp_ij is the policy for s_ij.

Definition 3. Grid user account (denoted gacc). gacc_ij is the j-th user owned by p_i.

Definition 4. Service lifetime management service (SLMS). It manages the lifetime of service instances, checks authorization, and so on. One Grid node has only one SLMS; SLMS_i belongs to p_i.

Definition 5. Administrator (denoted Admin). It manages the security policies, the authorization base, and so on. Admin_i belongs to p_i.

Definition 6. Accounting policy (denoted Accountp). The accounting policy for a Grid service; Accountp_ij is the policy for s_ij.

Definition 7. Auditing policy (denoted Auditp). The auditing policy for a Grid service; Auditp_ij is the policy for s_ij.

Definition 8. SGSI = {USER, CLI, P, S, GACC, SLMSSET, SP, ACCONTP, AUDITP, ADMIN, FP}, where USER is the set of users; CLI is the set of client hosts; P is the set of Grid nodes; S is the set of services; GACC is the set of Grid user accounts; SLMSSET is the set of service lifetime management services; SP is the set of security policies; ACCONTP is the set of accounting policies; AUDITP is the set of audit policies; ADMIN is the set of administrators; and FP is the set of functions, protocols and core services related to Grid security. The elements of FP are described as follows.

Definition 9. LP: USER × CLI × P(ent) × P(own) → USERCERT. LP is the Login Protocol, used by users to log in to the Grid system. Here P(ent) is the entrance node, P(own) is the owner node, and USERCERT is a user with a certificate ticket.

Definition 10. SCDP: USERCERT × SLMS → S. SCDP is the Service Creation and Destroy Protocol, which creates and destroys service instances.

Definition 11. SCDSIP-I: S × SLMS → S. Service Creation and Destroy from Service Instance Protocol Type I (SCDSIP-I) creates and destroys a service instance when the created service instance is on the same node as the SLMS.


Definition 12. SCDSIP-II: S × SLMS × SLMS → S. Service Creation and Destroy from Service Instance Protocol Type II (SCDSIP-II) creates and destroys a service instance when the created service instance is on a different node from the requesting SLMS.

Definition 13. SAAP: USER × SLMS → GACC. The Service Account Application Protocol (SAAP) is used by users to apply for access authorization to a certain service.

Definition 14. ACP: SLMS × GACC × SP → {RIGHT, FAIL}. The Access Control Protocol (ACP) controls users' access rights to services.

Definition 15. MANAGE: ADMIN × SP × ACCONTP × AUDITP → SP × ACCONTP × AUDITP. MANAGE is the service that manages the security policies, accounting policies, auditing policies, and so on.

2.2 Login protocol (LP)

The login protocol is based on public key infrastructure. In VDHA Grid, the owner node acts as the CA for its users and for itself. The owner node keeps its users' public keys, and also some information about those users such as passwords, which are used to identify users in the ordinary way. A node's public key is authenticated by the node itself. We use a user credential to solve problems such as single sign-on. Meanwhile, because the client host's IP address is generally a LAN address rather than an Internet address, we use the entrance nodes as proxy stations that help the client connect to the Grid system. The details of the protocol are given in paper [2].

2.3 Authentication for Service Creation and Destroy Protocols

When a user requests a service, the SLMS checks the authorization and creates the service instance. In some cases the created service (the requesting service) needs other services (the requested services) to cooperate with it. The requesting and requested services may be on the same node or on different nodes, so there are three cases. When a user requests a service, the Service Creation and Destroy Protocol (SCDP) is used to create the requested service instance. When a service instance wants another service to cooperate with it and the requested service is located on the same node as the requesting service, Service Creation and Destroy from Service Instance Protocol Type I (SCDSIP-I) is used to create the service instance. When the requested service and the requesting service instance are on different nodes, Service Creation and Destroy from Service Instance Protocol Type II (SCDSIP-II) is used to create the requested service. Here we describe SCDSIP-II in detail (s_ij needs the service s_kl):

Step 1: s_ij.send(request-creation-instance, SLMS_i)
Step 2: SLMS_i authenticates with SLMS_k
Step 3: if the user pays for the requested service s_kl then
            right = ACP(SLMS_k, user, sp_kl)
        else
            right = ACP(SLMS_k, s_ij, sp_kl)
Step 4: if right ≠ FAIL then
            SLMS_k creates an instance of s_kl;
            SLMS_k.send(success-create-service-instance, SLMS_i);
            SLMS_i.send(success-create-instance, s_ij);
        else
            SLMS_k.send(Fail-access-service, SLMS_i);
            SLMS_i.send(Fail-access-service, s_ij);

2.4 Access control protocol (ACP)

One possible access control protocol is the following:

Step 1: Check whether there is an entry for the global user ID. If there is, get the access right and exit; else go to step 2.
Step 2: Check whether there is an entry for any global group ID that the global user belongs to. If there is, get the access right and exit; else go to step 3.
Step 3: Check whether there is a guest account. If there is, get the access right and exit; else go to step 4.
Step 4: Refuse the access.
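The ACP decision chain above, together with steps 3 and 4 of SCDSIP-II from Section 2.3 that call it, modelled in Python as an added example that is not code from the paper or from VDHA Grid. The layout of the policy tables, the Subject representation, the function names and the sample IDs are assumptions; the paper does not fix a policy format.

```python
from dataclasses import dataclass, field
from typing import Optional

RIGHT, FAIL = "RIGHT", "FAIL"   # the two ACP outcomes of Definition 14

@dataclass
class SecurityPolicy:
    """Policy sp_kl of one service s_kl, held by its owner node's SLMS_k. The three
    tables are an assumed layout; the paper does not fix a policy format."""
    user_rights: dict = field(default_factory=dict)   # global user ID -> right
    group_rights: dict = field(default_factory=dict)  # global group ID -> right
    guest_right: Optional[str] = None                 # right of the guest account, if any

@dataclass
class Subject:
    """Global subject shown to ACP: a logged-in user holding a USERCERT ticket,
    or a requesting service instance s_ij (assumed representation)."""
    global_id: str
    groups: tuple = ()

def acp(subject: Subject, sp: SecurityPolicy) -> str:
    """Section 2.4: user ID, then group ID, then guest account, then refuse.
    Each step that finds an entry is terminal, so a user listed with FAIL is
    denied even when one of its groups is allowed."""
    if subject.global_id in sp.user_rights:          # step 1
        return sp.user_rights[subject.global_id]
    for group in subject.groups:                     # step 2
        if group in sp.group_rights:
            return sp.group_rights[group]
    if sp.guest_right is not None:                   # step 3
        return sp.guest_right
    return FAIL                                      # step 4

def scdsip2_steps_3_4(s_ij: Subject, user: Subject, user_pays: bool,
                      sp_kl: SecurityPolicy, log: list) -> str:
    """Steps 3 and 4 of SCDSIP-II at SLMS_k: authorise the paying user, otherwise
    the requesting instance s_ij, then relay the result SLMS_k -> SLMS_i -> s_ij.
    Returns the message s_ij finally receives; log records both hops."""
    ok = acp(user if user_pays else s_ij, sp_kl) != FAIL
    log.append("SLMS_k -> SLMS_i: " + ("success-create-service-instance" if ok
                                       else "Fail-access-service"))
    final = "success-create-instance" if ok else "Fail-access-service"
    log.append("SLMS_i -> s_ij: " + final)
    return final

# Constructed sample policy for s_kl: one named user, one group, no guest account.
SP_KL = SecurityPolicy(user_rights={"alice@p1": RIGHT},
                       group_rights={"chem-group": RIGHT})
```

Note that with SP_KL the same request succeeds when the user pays (alice is authorised) and fails when the requesting instance s_ij must be authorised itself and has no entry, which is exactly the distinction step 3 makes.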

3 Conclusion

We have proposed a scalable Grid security infrastructure (SGSI) to solve the issues of scalability and heterogeneous security policies. SGSI solves the problem of mapping global entity names to local entity names and gives methods for account management that cope with huge numbers of Grid users. Authorization and auditing are also managed locally by the service owner node. The user is managed locally by the owner node, but becomes a global user by logging in to the Grid system via an entrance node from anywhere and obtaining a certificate ticket. All of the above make the security scalable without losing the fulfillment of the Grid requirements.

References

1. I. Foster, C. Kesselman, G. Tsudik, S. Tuecke, "A Security Architecture for Computational Grids", 5th ACM Conference on Computer and Communications Security, ftp://ftp.globus.org/pub/globus/papers/security.pdf
2. L. Huang, Z. Wu and Y. Pan, "Virtual and Dynamic Hierarchical Architecture for e-Science Grid", International Journal of High Performance Computing Applications, 2003, 17(3):329-347