Fine-grained authorization for job and resource management using Akenti and the Globus Toolkit(R)
This article is part of the collection entitled: Office of Scientific & Technical Information Technical Reports and was provided to UNT Digital Library by the UNT Libraries Government Documents Department.
CHEP 03, La Jolla, Mar 24-28, 2003
Fine-Grained Authorization for Job and Resource Management Using
Akenti and the Globus Toolkit
M. R. Thompson, A. Essiari
LBNL, Berkeley, CA 94705
K. Keahey, V. Welch, S. Lang
ANL, Argonne IL 60439
B. Liu
University of Houston, Houston, TX 77204
As the Grid paradigm is adopted as a standard way of sharing remote resources across organizational domains, the need for fine-grained
access control to these resources increases. This paper presents an authorization solution for job submission and control,
developed as part of the National Fusion Collaboratory, that uses the Globus Toolkit 2 and the Akenti authorization service in
order to perform fine-grained authorization of job and resource management requests in a Grid environment. At job startup, it
allows the system to evaluate a user's Resource Specification Language request against authorization policies on resource usage
(determining how many CPUs or how much memory a user can use on a given resource or which executables the user can run). Furthermore,
based on authorization policies, it allows other virtual organization members to manage the user's job.
1. INTRODUCTION
Users from different organizations who are
geographically dispersed but are working together to solve
a common problem, or related problems in a common
domain, typically organize themselves into virtual
organizations (VOs) [5]. The VO defines who its members
are and (possibly) assigns roles or attributes to the
members. The VO also arranges with the owners of
various resources for VO member access. The resources
may consist of compute platforms, storage elements,
scientific instruments, data or services.
The National Fusion Collaboratory (NFC) [8] is an
example of such a VO. The NFC is building a FusionGrid
to provide computational and data services to its members.
Because the Globus Toolkit (GT2) [6] is so widely used as
Grid middleware, the NFC has chosen to use GT2 for
remote job submission and secure access to its common
data servers.
While object-oriented distributed programming
frameworks such as Legion [4] and CORBA provide very
fine-grained access-control at the level of object methods,
GT2 provides a coarse-grained "admission control"
facility and leaves fine-grained access control up to the
resource provider. This simple approach is entirely
acceptable for the initial stages of a Grid, when there is a
limited set of potential users who negotiate access directly
with the resource providers, but it does not scale to large
numbers of resource hosts and users.
Hence, GT2 access control mechanisms must be
extended to meet the FusionGrid's security needs. The
solution we present here is to integrate the Akenti
authorization service [9] with the Globus Toolkit.
Section 2 of this paper describes typical usage scenarios
for VO Grid use. Section 3 is a brief overview of how
authorization is currently handled in GT2. Section 4
introduces the Akenti authorization service. Section 5
describes our integration of the Globus Toolkit job
manager and Akenti authorization and how this model can
be extended to other authorization decision functions.
Section 6 presents our conclusions and outlines future
work.
2. USAGE SCENARIOS AND
REQUIREMENTS
Many different resource-sharing scenarios exist in a
Grid environment. The shared resources may be basic
compute resources (e.g., compute cycles and storage
elements); sophisticated computer-controlled instruments;
data elements such as files and information in databases;
or services provided by specialized application programs.
Individual resource providers may want detailed control
over user access, or they may want to delegate most of the
control to the VO. Multiple independent entities, called
stakeholders, may be entitled to some control over a
resource. For example, application code may be provided
by one person or organization and run on a computer
provided by an independent organization.
The use case that we are addressing in the NFC is that
of an application service provider [12] where both the
code and the compute resources are owned by the same
entity. Selected hosts within the NFC allow remote users
to execute specific codes. The FusionGrid has several sites
that are providing access to a limited number of
application codes. Thus, the sites want to restrict which
executables may be run. Since these are computationally
intensive codes that may take a long time to complete, the
ability to query and control a job is important. Thus jobs
become dynamic resources that need access control. The
NFC wants to allow some of its users access to
development versions of the code and tools in addition to
the service codes. It may also want to allow some users a
higher quality of service.
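The checks this use case calls for (permitted executables, CPU and memory limits taken from the RSL request, and job control by other VO members), as an added Python example that is not from the paper, Akenti or the Globus Toolkit. The policy table layout, subject DNs, file paths and function names are constructed, and the RSL handled is a simplified conjunction of (attribute=value) pairs.

```python
import re

# Constructed policy table (hypothetical layout, not Akenti's policy format).
# Subjects are certificate DNs; whatever is not granted here is denied.
SVC, DEV = "/opt/nfc/bin/service_code", "/opt/nfc/bin/service_code-dev"
ALICE, OPERATOR = "/O=Grid/OU=NFC/CN=Alice", "/O=Grid/OU=NFC/CN=Operator"
POLICY = {
    ALICE: {"executables": {SVC}, "max_count": 4, "max_memory": 2048, "manage": set()},
    OPERATOR: {"executables": {SVC, DEV}, "max_count": 16, "max_memory": 8192, "manage": {ALICE}},
}
PAIR = re.compile(r"\(\s*(\w+)\s*=\s*([^()]+?)\s*\)")

def parse_rsl(rsl):
    """Parse a simplified RSL conjunction of the form &(attr=value)(attr=value)."""
    body = rsl.strip()
    if not body.startswith("&") or PAIR.sub("", body[1:]).strip():
        raise ValueError("not a simple RSL conjunction")
    attrs = {}
    for name, value in PAIR.findall(body[1:]):
        if name.lower() in attrs:  # a repeated attribute is ambiguous: reject
            raise ValueError("duplicate attribute " + name)
        attrs[name.lower()] = value
    return attrs

def authorize_start(subject, rsl):
    """Return (permitted, reason); every limited attribute must be stated."""
    rights = POLICY.get(subject)
    if rights is None:
        return False, "unknown subject"
    try:
        attrs = parse_rsl(rsl)
        exe = attrs.pop("executable")
        count, mem = int(attrs.pop("count")), int(attrs.pop("maxmemory"))
    except (KeyError, ValueError) as exc:
        return False, "malformed request: %s" % exc
    if attrs:  # attributes the policy does not cover are refused, not ignored
        return False, "unchecked attribute: " + ", ".join(sorted(attrs))
    if exe not in rights["executables"]:  # exact match, no path normalisation
        return False, "executable not permitted"
    if not (1 <= count <= rights["max_count"] and 1 <= mem <= rights["max_memory"]):
        return False, "count or memory outside limit"
    return True, "permit"

def authorize_manage(subject, job_owner, action):
    """Owners manage their own jobs (assumed); others need an explicit grant."""
    rights = POLICY.get(subject)
    if rights is None or action not in ("cancel", "status"):
        return False
    return subject == job_owner or job_owner in rights["manage"]
```
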
In order to support fine-grained access, the access
control decision function (ADF) must be able to base its
access decisions on policy written in a moderately
expressive policy language. Such a language must be easy
Thompson, Mary R.; Essiari, Abdelilah; Keahey, Kate; Welch, Von; Lang, S. & Liu, Bo. Fine-grained authorization for job and resource management using Akenti and the Globus Toolkit(R), article, July 1, 2003; Berkeley, California. (https://digital.library.unt.edu/ark:/67531/metadc873930/m1/1/: accessed March 18, 2024), University of North Texas Libraries, UNT Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.