Fine-Grain Access Control Using Shibboleth for the Storage Resource Broker

  • Vineela Muppavarapu
  • Soon M. Chung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5576)


In this paper, we propose a fine-grain access control system for data resources in the Storage Resource Broker (SRB). The SRB is a Data Grid management system, which can integrate heterogeneous data resources of virtual organizations (VOs). The SRB stores the access control information of individual users in the Metadata Catalog (MCAT) database. However, because of the specific MCAT schema, this information can only be used by the SRB applications. If VOs also have many non-SRB applications, each with its own storage format for user access control information, it creates a scalability problem with regard to administration. To solve this problem, we use Shibboleth, which is an attribute authorization service. By using Shibboleth, the authentication and access control information of the user can be obtained from the user’s home institution. Thus, the administration overhead is reduced because the access control information of individual users is now managed by the user’s home institution alone, not by MCAT or applications. The use of Shibboleth allows access control decisions to be made based on the user attributes such as role memberships and institutional affiliation, instead of the identity. Thus, our system provides scalable and fine-grain access control and allows privacy protection. Performance analysis shows that our system adds only a small overhead to the existing security infrastructure of the SRB.


Storage Resource Broker (SRB) Data Grid virtual organization (VO) Shibboleth fine-grain access control 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Baker, M., Apon, A., Ferner, C., Brown, J.: Emerging Grid Standards. IEEE Computer 38(4), 43–50 (2005)CrossRefGoogle Scholar
  2. 2.
    Baru, C., Moore, R., Rajasekar, A., Wan, M.: The SDSC Storage Resource Broker. In: Proc. of Conference of the Centre for Advanced Studies on Collaborative Research (1998)Google Scholar
  3. 3.
    Butler, R., Welch, V., Engert, D., Foster, I., Tuecke, S., Volmer, J., Kesselman, C.: A National-Scale Authentication Infrastructure. IEEE Computer 33(12), 60–66 (2000)CrossRefGoogle Scholar
  4. 4.
    Carmody, S.: Shibboleth Overview and Requirements. Shibboleth Working Group Document (2001),
  5. 5.
    Foster, I., Grossman, R.L.: Data Integration in a Bandwidth-Rich World. Communications of the ACM 46(11), 50–57 (2003)CrossRefGoogle Scholar
  6. 6.
    Humphrey, M., Thompson, M.R., Jackson, K.R.: Security for Grids. Proceedings of the IEEE 93(3), 644–652 (2005)CrossRefGoogle Scholar
  7. 7.
    Lorch, M., Proctor, S., Lepro, R., Kafura, D., Shah, S.: First Experiences Using XACML for Access Control in Distributed Systems. In: Proc. of the ACM Workshop on XML Security, pp. 25–37 (2003)Google Scholar
  8. 8.
    Organization for the Advancement of Structured Information Standards (OASIS), Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) v1.1,
  9. 9.
    OASIS: Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML v2.0,
  10. 10.
    OASIS: eXtensible Access Control Markup Language (XACML) v2.0,
  11. 11.
  12. 12.
    Rajasekar, A., Wan, M., Moore, R., et al.: Storage Resource Broker – Managing Distributed Data in a Grid. Computer Society of India Journal 33(4) (2003)Google Scholar
  13. 13.
    Rajasekar, A., Wan, M., Moore, R.: MySRB & SRB: Components of a Data Grid. In: Proc. of the 11th IEEE Int’l Symposium on High Performance Distributed Computing, pp. 301–310 (2002)Google Scholar
  14. 14.
    Scavo, T., Welch, V.: A Grid Authorization Model for Science Gateways. In: Int’l Workshop on Grid Computing Environments (2007)Google Scholar
  15. 15.
    Secretariat of Information Technology Industry Council (ITI): American National Standard for Information Technology — Role Based Access Control (2003),
  16. 16.
    Welch, V., Barton, T., Keahey, K., Siebenlist, F.: Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration. In: Proc. of the 4th Annual PKI R&D Workshop (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Vineela Muppavarapu
    • 1
  • Soon M. Chung
    • 1
  1. 1.Department of Computer Science and EngineeringWright State UniversityDayton, OhioU.S.A.

Personalised recommendations