Enabling Fine-grained Access Control requires Security-aware Resource Broker

Pietro Mazzoleni, Bruno Crispo, Swaminathan Sivasubramanian, Elisa Bertino

Pietro Mazzoleni: Department of Computer Science, University of Milan, Italy. Email: [email protected]
Bruno Crispo, Swaminathan Sivasubramanian: Department of Computer Science, Vrije Universiteit. Email: {crispo,swami}@cs.vu.nl
Elisa Bertino: CS Department and CERIAS, Purdue University, USA. Email: [email protected]
Abstract— The heterogeneous nature and independent administration of geographically dispersed resources in Grids demand access control based on fine-grained policies. In this paper, we investigate the problem of fine-grained access control in the context of resource allocation in Grids, as we believe it is the first and key step in developing access control methods specifically tailored to Grid systems. In particular, we argue that for efficient support of access control policies, the problem of resource brokering must be integrated with the problem of access control. We propose the design of one such system, which integrates a security component into the resource broker. The proposed resource broker allocates only those resources that the user is authorized to access. Enabling fine-grained policy-based access control would help the adoption of Grids to a greater extent in new avenues such as Desktop Grids, as resource owners are given more flexibility in controlling access to their resources. Similarly, Grid users get more flexibility in choosing the resources on which their jobs must execute.
I. INTRODUCTION

A. Motivation

Grid infrastructures have the potential to enable seamless access to and integration of resources on a world-wide scale by providing abstractions for resource sharing. This allows users to focus on application development without having to worry about which machine the application code will run on. Ideally, Grid systems must enable users to run their computational jobs on a remote set of resources, owned by somebody else, as if they were run locally. To realize this vision, issues such as trust, authorization and access control need to be solved. Traditionally, Grid systems assume that all users participating in a Grid project form a trust community called a virtual organization (VO). Consequently, all users and resources participating in the community are assumed to be equally trustworthy, and any user who belongs to the community can access any other resource. We believe that this assumption of being able to trust every other user (or resource) is limiting and will not work well for large communities such as desktop Grids [1]. These large-scale infrastructures call for access control mechanisms in which resource owners can restrict the usage of their resources to only the users they trust. Similarly, Grid users should be able to specify the resources they trust to run their jobs. Such an infrastructure is essential for Grid users to gain confidence in their results and for resource owners to prevent security attacks by unknown users.

B. Underlying Idea

The underlying idea behind our work is to let each user and resource owner specify their security-related access control policies in a fine-grained manner. In our system, Grid users will be able to express their security constraints regarding where to run their jobs using fine-grained access control (FGAC) policies. Similarly, resource owners can control the access to their resources using FGAC policies. This lets users and resource owners join community projects without having to trust everyone in the community. Grid in its current form treats security and access control as a separate subsystem [2], and job scheduling is performed oblivious to security policies. Such an allocation process can lead to allocation of resources which the user is not authorized to access in the first place. This introduces the problem of re-submitting the request until the resource broker finds a set of resources that will authorize the user's request. Some solutions address this problem by abstracting the notion of trust and security issues into quantitative numbers [3]. Even though such an approach is appealing and simple, we argue that in the real world trust can hardly be expressed by a simple number.

C. Proposed Solution

To avoid such inefficient scheduling repetitions and to capture security constraints better, we argue that the problem of resource brokering should be integrated with the problem of access control. In this paper, we propose a system that integrates fine-grained access control into the process of resource brokering so that the resource broker allocates only those resources that the user is authorized to access. To accomplish this, we integrate the security component, which is responsible for finding the set of resources that meet the user's security constraints (and vice versa), into the resource broker (RB).
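The security component just described, as an added Python illustration that is not the authors' code: plain predicates stand in for XACML rules, an organisation-wide global policy (GP) is refined by per-node local policies (LPs) under the assumption that both must permit (an LP can restrict but never widen the GP), the user's own constraint is modelled as a set of trusted node owners, and a best-fit routine stands in for the black-box scheduler. Node names, owners, policies and requests are constructed sample data; `naive_broker` shows the policy-oblivious allocation the paper argues against.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:            # what a user presents to the RB
    org: str              # organisation asserted by the user's certificate
    hour: int             # submission hour, 0-23
    cpus: int             # job's resource requirement

@dataclass(frozen=True)
class Node:
    name: str
    owner: str
    cpus: int
    lp: Callable[[Request], bool] = lambda r: True   # default LP: just defer to the GP

# Constructed sample policies mirroring the paper's example (predicates stand in for XACML).
def gp_milan_only(r: Request) -> bool:          # GP set by the hosting organisation
    return r.org == "University of Milan"

def lp_night_only(r: Request) -> bool:          # one owner's refinement of the GP
    return r.hour >= 20 or r.hour < 8

def authorized_nodes(req, gp, nodes, trusted_owners):
    """Stage (i): a node qualifies only if the GP and its LP both permit the request
    (assumed deny-overrides, so an LP can restrict but never widen the GP) and the
    user trusts the node's owner (the 'vice versa' direction of the matching)."""
    if not gp(req):
        return []                    # GP denies: nothing to evaluate per node
    return [n for n in nodes if n.lp(req) and n.owner in trusted_owners]

def best_fit(req, candidates):
    """Stage (ii), standing in for the black-box scheduler: smallest node that fits."""
    fits = [n for n in candidates if n.cpus >= req.cpus]
    return min(fits, key=lambda n: n.cpus, default=None)

def broker(req, gp, nodes, trusted_owners):
    """Security-aware RB: schedule only among nodes that will accept the job."""
    return best_fit(req, authorized_nodes(req, gp, nodes, trusted_owners))

def naive_broker(req, nodes):
    """Policy-oblivious RB: best fit first; the chosen node may then refuse the job
    at submission time, forcing the re-submission loop the paper wants to avoid."""
    return best_fit(req, nodes)

# Constructed sample Grid: three nodes under one organisation's GP.
NODES = [Node("n1", "alice", 4, lp_night_only), Node("n2", "bob", 8), Node("n3", "carol", 4)]
TRUSTED_OWNERS = {"alice", "bob"}   # the user's own policy: carol's machine is not trusted
```

For a Milan user submitting a 4-CPU job at noon, `naive_broker` returns n1, whose LP then rejects the job, while `broker` returns n2 directly; a user from another organisation gets an empty authorized set up front instead of a string of refusals.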
In our system, the resource owners specify the access control policy for resources using a well-defined access control language, XACML [4]. Similarly, Grid users specify their identity and constraints in the same language. The system supports two levels of policies. At the top level, there is a global policy (GP) set by the parent organization of the users and the resources. Examples of an organization include a company, a university or even an ISP. At the next level, each Grid user and resource owner that belongs to the organization can refine the GP using their local policies (LPs). For example, the GP of Vrije Universiteit can be "Allow users only from University of Milan to access our resources." In such a setup, a resource owner in Vrije Universiteit can refine it using an LP stating "Univ. of Milan can access my resource only between 8pm and 8am." Subsequently, we view resource brokering as a two-stage process: (i) matching the access control policy of resources with the user's request (and vice versa) and (ii) resource scheduling, i.e., finding the best set of resources among the authorized resources for the given user request. In our system, we treat the resource scheduler as a black box and study in detail the process of finding the set of nodes that authorize the user's request.

D. Resource Broker functionalities

In our system, the RB of each organization is responsible for collecting node LPs, scheduling job requests and identifying the list of nodes whose LPs authorize a given request in addition to meeting the resource requirements of the job. We omit the discussion of interaction among RBs of different organizations due to lack of space and assume that there is only a single RB for the rest of the discussion. The activities of the RB can be organized into four main phases (illustrated in Figure 1) and are described as follows:
• Node registration: This phase happens when a node registers to share its resources in the Grid. In this phase, the node's LP is collected and stored in its policy database.
• User registration: In this phase, a user registers with the Grid by performing an enrollment procedure and obtains a digital authentication certificate (e.g., X.509 [5]). This certificate is used later by the user for identification purposes.
• Job submission: Here, the RB analyzes a user request submitted to the Grid. It determines the list of resources/nodes whose LPs authorize the request and among these nodes selects the subset of nodes that meets the resource requirements of the job.
• Job request and execution: In this phase, the user finally submits the job to the node selected by the RB. The user and the node mutually authenticate and establish an authenticated channel [2].

Fig. 1. Different phases: User registration, Job submission and execution. [Figure: three panels, (a) User Registration Phase, (b) Job Submission Phase, (c) Job Running Phase, showing the exchanges among the User, the RB and a node: signed user profile and job constraints, node registration with its LP, the signed list of nodes authorized and suitable for the job, and job submission with certificate validation and accept/deny.]

E. Policy Evaluation

In our system, since policies are expressed in a fine-grained manner and the number of nodes can be high, policy evaluation can be a potential performance bottleneck. This calls for mechanisms that cluster similar policies (or even policy rules) to reduce the number of evaluations performed for each user request. To study this, we built a prototype policy evaluation engine using SUNXACML and analyzed different strategies for evaluating policies. Our initial results suggest that clustering-based evaluation strategies perform an order of magnitude better than a traditional XACML evaluation engine.

F. Conclusion: Current Status and Future Work
In this abstract, we presented the design of a Grid system that lets its users and resources define their security constraints using FGAC policies. Our system supports FGAC policies by integrating the access control mechanisms with the resource broker. Such an integration avoids inefficient scheduling repetitions, and each user is allocated a resource only if it is authorized to access that resource. Currently, we are working on integrating our prototype policy evaluation engine into existing Grid resource brokers. As a starting point, we are integrating our policy evaluator with the resource broker of an open source desktop Grid engine [1]. In the future, we plan to investigate the applicability of FGAC policies to P2P systems, such as [6], and transactional Grid environments [7].

REFERENCES

[1] "Berkeley Open Infrastructure for Network Computing," http://setiathome.ssl.berkeley.edu/.
[2] I. T. Foster, C. Kesselman, G. Tsudik, and S. Tuecke, "A security architecture for computational grids," in ACM Conference on Computer and Communications Security, 1998, pp. 83–92. [Online]. Available: citeseer.nj.nec.com/foster98security.html
[3] F. Azzedin and M. Maheswaran, "Integrating trust into grid resource management systems," in International Conference on Parallel Processing (ICPP'02), Vancouver, B.C., Canada, August 2002.
[4] OASIS XACML Technical Committee, "eXtensible Access Control Markup Language (XACML) committee specification 1.0," Feb. 2003.
[5] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet X.509 public key infrastructure certificate and CRL profile," RFC 3280, 2002. [Online]. Available: www.ietf.org/rfc/rfc3280.txt
[6] P. Druschel and A. Rowstron, "Storage management and caching in PAST, a large-scale, persistent peer-to-peer storage utility," in Symposium on Operating Systems Principles (SOSP), October 2001.
[7] V. Naik, S. Sivasubramanian, and S. Krishnan, "Adaptive resource sharing in a web services environment," in Middleware 2004 conference, October 2004.