Abstract
The integration of storage resources across different administrative domains can serve as a building block for the development of efficient collaboration environments. In order to improve application portability across such environments, we target data sharing facilities that securely span multiple domains at the filesystem rather than the application level. We introduce the hypergroup as a heterogeneous two-layer construct, where the upper layer consists of administrative domains and the lower layer of users from each participating domain. We use public keys to uniquely identify users and domains, but rely on credentials to securely bind users and domains with hypergroups. Each domain is responsible for authenticating its local users across the federation, and employs access control lists to specify the rights of individual users and hypergroups over local storage resources. In comparison to existing systems, we show, both analytically and experimentally, a reduced transfer cost of remote authorizations and improved scalability properties.
Cite this article
Margaritis, G., Hatzieleftheriou, A. & Anastasiadis, S.V. Nephele: Scalable Access Control for Federated File Services. J Grid Computing 11, 83–102 (2013). https://doi.org/10.1007/s10723-012-9217-4