网格计算中虚拟组织的授权机制

Journal of Systems Engineering and Electronics ›› 2009, Vol. 31 ›› Issue (1): 216-220.

网格计算中虚拟组织的授权机制

邵学军¹, 施化吉^1,2, 赵曦滨³

1. 江苏大学计算机科学与通信工程学院, 江苏, 镇江, 212013;
2. 南京航空航天大学计算机应用研究所, 江苏, 南京, 210016;
3. 清华大学软件学院, 北京, 100084

收稿日期:2007-08-28 修回日期:2008-02-25 出版日期:2009-01-20 发布日期:2010-01-03
作者简介:邵学军(1964- ),男,副研究员,主要研究方向为分布式应用与系统集成.E-mail:xjshao@ujs.edu.cn
基金资助:
国家“863”计划项目(2003AA414031);国家火炬计划项目(2004EB33006)资助课题

Authorization mechanisms for virtual organization in grid computing systems

SHAO Xue-jun¹, SHI Hua-ji^1,2, ZHAO Xi-bin³

1. School of Computer Science and Telecommunications Engineering, Jiangsu Univ., Zhenjiang 212013, China;
2. Inst. of Computer Application, Nanjing Univ. of Aeronautics and Astronautics, Nanjing 210016, China;
3. School of Software, Tsinghua Univ., Beijing 100084, China

Received:2007-08-28 Revised:2008-02-25 Online:2009-01-20 Published:2010-01-03

摘要/Abstract

摘要： 分析了网格计算系统中虚拟组织管理的授权需求,提出使用门限闭包作为网格计算系统中面向虚拟组织的授权服务机制。既分析了门限闭包的适用性,也指出了它在具体实施时所存在的局限性,在此基础上提出一种新的授权服务体系,设计了基于公钥基础设施PKI的访问控制工作协议,并结合现有网格计算系统的安全基础设施设计了相应的授权服务系统架构。该体系通过分离门限闭包策略和实现机制,既保证了对复杂授权策略的处理效率和处理能力,也充分利用了现有网格安全基础设施。

Abstract: This article analyzes authorized demand for management of virtual organization in the grid computing system and consequently proposes using threshold closure as authorized service mechanism for virtual organizations in the grid computing system.The study not only analyzes the applicability of the threshold closure but presents the limitations of the specific implementation and based on which,a new authorization service system is put forward and the access control protocol based on the public key infrastructure as well as the corresponding authorization service architecture combined with the existing security infrastructure in grid computing system are designed.The architecture guarantees the processing efficiency and capacity of the complex authorized strategy,and meanwhile it makes full use of the existing grid security infrastructure through the separation strategy of the threshold closure and implementation mechanism.

中图分类号:

TP393

邵学军, 施化吉, 赵曦滨. 网格计算中虚拟组织的授权机制[J]. Journal of Systems Engineering and Electronics, 2009, 31(1): 216-220.

SHAO Xue-jun, SHI Hua-ji, ZHAO Xi-bin. Authorization mechanisms for virtual organization in grid computing systems[J]. Journal of Systems Engineering and Electronics, 2009, 31(1): 216-220.

参考文献

[1] Foster I,Kesselman C,Tuecke S.The anatomy of the grid:enabling scalable virtual organizations[J].International Journal of Supercomputer Applications,2001,15(3):200-222.
[2] Lam K Y,Zhao X B,Chung S L,et al.Enhancing Grid security infrastructure to support mobile computing nodes[C]//Proc of the 4th International Workshop on Information Security Applications (WISA 2003),Berlin:Springer,2004:42-54.
[3] Raman R,Livny M,Solomon M.Matchmaking:distributed resource management for high throughput computing[C]//Proc of the 7th IEEE International Symposium on High Performance Distributed Computing,1998.
[4] Ryutov T,Neuman B C.Representation and evaluation of security policies for distributed system services[C]//Proc of the DARPA Information Survivability Conference and Exposition,2000.
[5] RyutOv T,Neuman B C,Kim D.Dynamic authorization and intrusion response in distributed systems[C]//Proc of the DARPA Information Survivability Conference and Exposition,2003.
[6] Litzkow M,Livny M,Mutka M.Condor-A hunter of idle workstations[C]//Proc of the 8th International Conference of Distributed Computing Systems.1988:104-111.
[7] Sundaram B,Chapman B M.Policy engine:a framework for authorization,accounting policy specification and evaluation in grids[C]//Second International Workshop on Grid Computing (Grid 2001).Denver,CO,USA o 2001:145-153.
[8] Bester J,Foster I,Kesselman C,et al.GASS:a data movement and access service for wide area computing systems[C]//Sixth Workshop on I/O in Parallel and Distributed Systems,1999.
[9] Duan H X,Wu J P,Li X.Policy based access control framework for large networks[C]//IEEE International Conference on Networks (ICON 2000),2000:267-272.
[10] Bertino E,Catania B,Ferrari E,et al.A system to specify and manage muhipolicy access control models[C]//Third International Workshop on Policies for Distributed Systems and Networks,2002:116-27.
[11] Jajodia S,Samarati P,Sapino M,et al.Flexible support for multiple access control policies[J].ACM Trans.on Database Systems,2001,26(2):214-260.
[12] Karjoth G,Sehunter M.A privacy policy model for enterprises[C]//15th IEEE Computer Security Foundations Workshop,2002:271-281.
[13] Shieh W G,Weems B,Kavi K M.An n-grid model for group authorization[C]//Proc of the 6th Annual Computer Security Applications Conference,1990:384-392.
[14] Reiter M,Birman K,Gong L.Integrating security in a group oriented distributed systemiC]//IEEE Computer Society Symposium on Research in Security and Privacy,1992:18-32.
[15] Petitcolas F A P,Zhang K."WebGroup:a secure group access control tool for the World-Wide Web[C]//7th IEEE International Workshops on Infrastructure for Collaborative Enterprises,1998:301-305.
[16] Oppliger R,Greulich A,Trachsel P.A distributed certificate management system (DCMS) supporting group-based access controls[C]//15th Annual Computer Security Applications Conference,1999:241-248.
[17] The Globus Alliance.Overview of the Grid Security Infrastructure[EB/OL],http://urarurfp.globus,org/security/overview.html,2002-10-17.
[18] Wu X,Yang G,'Shen J,et al.A novel security model based on virtual organization for grid[C]//Proc of the 6th International Conference on Parallel and Distributed Computing Applications and Technologies,2005:106-109.
[19] Pearlman L,Welch V,Foster l,et al.A community authorization service for group collaboration[C]//3th IEEE International Workshop on Policies for Distributed Systems and Networks,CA,USA,2002:50-59.
[20] Pearlman L,Welch V,Foster I.The community authorization service:status and future[C]//Proc of Computing in High Energy Physics,La J olla,USA,2003.
[21] Zhang C R,Lain K Y,Jajodia S.Scalable threshold closure[J].Theoretical Computer Science,1999,226:185-206.
[22] Shamir A.How to share a secret.Comun[J].ACM,1979,22 (11):612-613.
[23] Benaloh J C,Leichter J.Generalized secret sharing and monotone functions[C]//Advances in Cryptology-CRYPTO 88,Berlin:Springer,1989:27-35.
[24] Ito M,Saito A,Nishizeki T.Secret sharing scheme realizing general access structure[C]//Globecom' 87,Tokyo,Japan,1987.99-102.
[25] Nikov V,Nikova S.On proactive secret sharing schemes[C]//Proc of 11th International Workshop on SAC,2004.
[26] Ye Z J,Meng F Z.Special secret sharing scheme with the function of assignment[J].Journal of Systems Engineering and Electronics.2005.16(3):651-653.