Toward an on-demand restricted delegation mechanism for Grids

Mehran Ahsant, Jim Basney, Olle Mulmo, Adam J. Lee, Lennart Johnsson

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Grids are intended to enable cross-organizational interactions which makes Grid security a challenging and non-trivial issue. In Grids, delegation is a key facility that can be used to authenticate and authorize requests on behalf of disconnected users. In current Grid systems there is a trade-off between flexibility and security in the context of delegation. Applications must choose between limited or full delegation: on one hand, delegating a restricted set of rights reduces exposure to attack but also limits the flexibility/dynamism of the application; on the other hand, delegating all rights provides maximum flexibility but increases exposure. In this paper, we propose an on-demand restricted delegation mechanism, aimed at addressing the shortcomings of current delegation mechanisms by providing restricted delegation in a flexible fashion as needed for Grid applications. This mechanism provides an ontology-based solution for tackling one the most challenging issues in security systems, which is the principle of least privileges. It utilizes a callback mechanism, which allows on-demand provisioning of delegated credentials in addition to observing, screening, and auditing delegated rights at runtime. This mechanism provides support for generating delegation credentials with a very limited and well-defined range of capabilities or policies, where a delegator is able to grant a delegatee a set of restricted and limited rights, implicitly or explicitly.

Original languageEnglish (US)
Title of host publicationProceedings of the 7th IEEE/ACM International Conference on Grid Computing, GRID 2006
Pages152-159
Number of pages8
DOIs
StatePublished - 2006
Event7th IEEE/ACM International Conference on Grid Computing, GRID 2006 - Barcelona, Spain
Duration: Sep 28 2006Sep 29 2006

Publication series

NameProceedings - IEEE/ACM International Workshop on Grid Computing
ISSN (Print)1550-5510

Other

Other7th IEEE/ACM International Conference on Grid Computing, GRID 2006
Country/TerritorySpain
CityBarcelona
Period9/28/069/29/06

ASJC Scopus subject areas

  • General Engineering

Fingerprint

Dive into the research topics of 'Toward an on-demand restricted delegation mechanism for Grids'. Together they form a unique fingerprint.

Cite this