Chadwick, David W.; Su, L.; Laborde, Romain (2006)
Publisher: John Wiley and Sons
Languages: English
Types: Unknown
Subjects: QA75
We describe how to control the cumulative use of distributed grid resources by using coordination-aware policy decision points (coordinated PDPs) and an SQL database to hold 'coordination' data. When access to a resource is granted, obligations in the security policy ensure that the coordination database is updated. The coordination database is a normal grid service providing distributed access to the coordinated PDPs. Access to the databases is secured by the grid security infrastructure (GSI) and its own PDP, so that only authorized users (the coordinated PDPs) can access it. A coordinated PDP is embedded into the Globus Toolkit v4 authorization chain as a custom PDP so that any grid service can be protected by a security policy that provides a coordination capability. Each coordinated PDP uses the services of an uncoordinated PDP to make its access control decisions, so that any existing stateless PDP can be supplemented with a coordination capability. We provide performance results for the coordinated PDPs and compare these with two stateless PDPs. Virtually the entire performance penalty of using coordinated PDPs is accounted for by the heavy costs of using GSI to secure communications between the coordinated PDPs and the coordination database.