
Nephele: Scalable Access Control for Federated File Services

Journal of Grid Computing

Abstract

The integration of storage resources across different administrative domains can serve as a building block for the development of efficient collaboration environments. In order to improve application portability across such environments, we target data sharing facilities that securely span multiple domains at the filesystem rather than the application level. We introduce the hypergroup as a heterogeneous two-layer construct, where the upper layer consists of administrative domains and the lower layer of users from each participating domain. We use public keys to uniquely identify users and domains, but rely on credentials to securely bind users and domains with hypergroups. Each domain is responsible for authenticating its local users across the federation, and employs access control lists to specify the rights of individual users and hypergroups over local storage resources. In comparison to existing systems, we show, both analytically and experimentally, reduced transfer cost of remote authorizations and improved scalability properties.



Author information

Corresponding author

Correspondence to Stergios V. Anastasiadis.

Cite this article

Margaritis, G., Hatzieleftheriou, A. & Anastasiadis, S.V. Nephele: Scalable Access Control for Federated File Services. J Grid Computing 11, 83–102 (2013). https://doi.org/10.1007/s10723-012-9217-4

  • DOI: https://doi.org/10.1007/s10723-012-9217-4
