Fine-grained access control for GridFTP using SecPAL

DOI: 10.1109/GRID.2007.4354136
Conference article (GRID '07), free access
Published: 19 September 2007

Abstract

Grid access control policy languages today are generally one of two extremes: either extremely simplistic, or overly complex and challenging for even security experts to use. In this paper, we explicitly identify requirements for an access control policy language for Grid data and then consider six specific data access use-cases that have been problematic in today’s Grids: attribute-based access, role-based access, “role-deny” access, impersonation-based access, delegation-based access, and capability-based access. We evaluate the Security Policy Assertion Language (SecPAL) against those requirements, specifically in the context of these six use-cases involving GridFTP.NET. We find that while some of these six use-cases are individually possible via existing Grid authorization systems, we believe that SecPAL uniquely offers a single approach that meets the requirements of a Grid access control policy language, thereby creating support for a wide range of expanded scenarios for Grid data access.


Cited By

  • AppPAL for Android. Proceedings of the 8th International Symposium on Engineering Secure Software and Systems, Volume 9639, pp. 216-232. DOI: 10.1007/978-3-319-30806-7_14. Online publication date: 6 April 2016.
  • SecPAL: Design and semantics of a decentralized authorization language. Journal of Computer Security, 18(4):619-665. DOI: 10.5555/1835408.1835411. Online publication date: 1 December 2010.


Published In

GRID '07: Proceedings of the 8th IEEE/ACM International Conference on Grid Computing, September 2007, 339 pages. ISBN: 9781424415595.

Publisher: IEEE Computer Society, United States.
