Publication Date

2009

Document Type

Dissertation

Committee Members

Nikolaos Bourbakis (Committee Member), Soon M. Chung (Advisor), Yong Pei (Committee Member), Michael Talbert (Committee Member), Xinhui Zhang (Committee Member)

Degree Name

Doctor of Philosophy (PhD)

Abstract

A Grid is an integration infrastructure for sharing and coordinated use of diverse resources in dynamic, distributed virtual organizations (VOs). A Data Grid is an architecture for the access, exchange, and sharing of data in the Grid environment. Distributed data resources can be diverse in their formats, schema, quality, access mechanisms, ownership, access policies, and capabilities. In recent years, several organizations have started utilizing Grid technologies to deploy data-intensive and/or computation-intensive applications. As more and more organizations share data resources and participate in Data Grids, the complexity and heterogeneity of the systems increase constantly, but their management techniques are not evolving, which makes the systems more complicated and error-prone and indicates a clear need for standardized mechanisms to manage access control for the shared data resources.

The Open Grid Services Architecture - Data Access and Integration (OGSA-DAI) and the Storage Resource Broker (SRB) are widely used frameworks for the integration of heterogeneous data resources in Data Grid systems. However, in these systems, access control causes substantial administration overhead for the resource providers because the authorization information has to be maintained for individual Grid users. In addition, access control policies need to be specified and managed across multiple organizations. Furthermore, each organization in a Data Grid may use its own terminology to describe a resource, which makes it difficult to coordinate between the organizations.

This dissertation focuses on solving these problems and provides access control systems that are based on existing standards. We developed a role-based access control (RBAC) system with Shibboleth, which is an attribute authorization service currently being used in many Grid applications. We used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML) standard for specifying access control policies uniformly across different organizations. For distributed administration of those policies, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications developed to achieve interoperable registries and repositories.

We developed a semantic-based access control method that uses an ontology to resolve the semantic differences in terminologies. Understanding the semantics of the data being protected is often helpful in determining which users can access the data and what access level the users can have. Web Ontology Language (OWL) is used to represent the ontology of the data resources and users. By using an ontology, VOs can resolve the differences in their terminologies and specify access control policies based on concepts and user roles, instead of individual data resources and user identities.

Administration of XACML policies is a difficult task because each XACML policy has several components, and the number of XACML policies may be very large in a Data Grid environment. However, no efficient tool is available for the creation and update of XACML policies. So, we developed an XACML administration tool and a GUI in Java. The tool allows the creation of XACML policies from existing RBAC policies. The tool also provides capabilities to update or create new RBAC policies. Using this tool, the policy administrator can create new users, roles, data resources, and actions. It allows the administrator to change the user-role assignment and the permissions on a role.
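As an added illustration of the RBAC-to-XACML mapping the abstract describes (example code written for this page, not the dissertation's administration tool), the block below generates the Role PolicySet / Permission PolicySet structure of the XACML 2.0 Core and Hierarchical RBAC profile from a small RBAC model and evaluates a request the way a PDP would; the roles, resources and actions are constructed sample data.

```python
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"      # RBAC profile role attribute
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
PCA = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
RCA = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
# Constructed RBAC model (sample data, not taken from the dissertation).
PERMS = {"employee": [("report.pdf", "read")], "manager": [("report.pdf", "write")]}
JUNIORS = {"manager": ["employee"], "employee": []}  # manager inherits from employee

def E(parent, tag, **attrs):
    return ET.SubElement(parent, f"{{{NS}}}{tag}", attrs)

def match(parent, kind, attr_id, value):
    """<Subjects>/<Resources>/<Actions> block holding one string-equal match."""
    m = E(E(E(parent, kind + "s"), kind), kind + "Match", MatchId=EQ)
    E(m, "AttributeValue", DataType=STRING).text = value
    E(m, kind + "AttributeDesignator", AttributeId=attr_id, DataType=STRING)

def permission_policy_set(role):
    """PPS: the role's own Permit rules plus references to junior-role PPSs (hierarchy)."""
    pps = ET.Element(f"{{{NS}}}PolicySet", PolicySetId=f"PPS:{role}", PolicyCombiningAlgId=PCA)
    E(pps, "Target")
    pol = E(pps, "Policy", PolicyId=f"P:{role}", RuleCombiningAlgId=RCA)
    E(pol, "Target")
    for i, (res, act) in enumerate(PERMS[role]):
        target = E(E(pol, "Rule", RuleId=f"R:{role}:{i}", Effect="Permit"), "Target")
        match(target, "Resource", RES_ID, res)
        match(target, "Action", ACT_ID, act)
    for junior in JUNIORS[role]:
        E(pps, "PolicySetIdReference").text = f"PPS:{junior}"
    return pps

def role_policy_set(role):
    """RPS: Target restricted to the role attribute, then one reference to the role's PPS."""
    rps = ET.Element(f"{{{NS}}}PolicySet", PolicySetId=f"RPS:{role}", PolicyCombiningAlgId=PCA)
    match(E(rps, "Target"), "Subject", ROLE, role)
    E(rps, "PolicySetIdReference").text = f"PPS:{role}"
    return rps

def permitted(role, resource, action, seen=None):
    """Mirror the PDP walk: follow junior references (cycle-guarded), permit-overrides, else Deny."""
    seen = set() if seen is None else seen
    if role in seen: return False          # guard against a malformed cyclic hierarchy
    seen.add(role)
    if (resource, action) in PERMS.get(role, []): return True
    return any(permitted(j, resource, action, seen) for j in JUNIORS.get(role, []))
```

Serialising `role_policy_set(r)` and `permission_policy_set(r)` for every role with `ET.tostring` yields the policy documents an administrator would load into a XACML PDP; keeping the PPS reachable only through its RPS is what prevents a user from being granted a role's permissions without holding that role.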

Our proposed access control systems allow quick and easy deployment, and privacy protection. The systems are scalable, and support interoperability and fine-grained access control. Administration overheads for the resource providers are reduced because they do not need to maintain the individual user information....

Page Count

124

Department or Program

Department of Computer Science and Engineering

Year Degree Awarded

2009
