S. Piger, C. Kunz, C. Grimm, and R. Groeper (Germany)
Grid Computing, security, delegation, proxy certificate, GSI
The delegation of user rights is an essential functionality of GSI-based Grid environments. This mechanism facili tates proxy certificates that are derived from the users’ end entity certificates and enables Grid services to act in the issuing user’s name. Currently, the implementation of the GSI forces users to delegate their complete scope of rights. Compromised proxy credentials can thus be used to per form every action users are entitled to. While this is no major issue for traditional Grid communities, it effectively prevents security sensitive communities like medical users from using the Grid. This paper presents a user-based approach to restrict the scope of rights that are delegated by the user. Thus, the risk imposed by compromised proxy credentials is signif icantly reduced. We define a policy extension for proxy certificates that contains fine-grained authorization poli cies. These are used to limit delegated privileges for the access of storage and compute resources. The mechanism shown in this paper enables the user to restrict the delegated rights to the execution of specific compute jobs. The re spective policy enforcement takes place on the gLite Com puting Element. Compatibility to the existing proxy certifi cate renewal mechanism is preserved by an extension to the MyProxy service.
Important Links:
Go Back