A Grid is an integration infrastructure for the sharing and coordinated use of diverse
resources in dynamic, distributed virtual organizations (VOs). A Data Grid is an
architecture for the access, exchange, and sharing of data in the Grid environment.
Distributed data resources can be diverse in their formats, schema, quality, access
mechanisms, ownership, access policies, and capabilities. In recent years, several
organizations have started utilizing Grid technologies to deploy data-intensive and/or
computation-intensive applications. As more and more organizations share data
resources and participate in Data Grids, the complexity and heterogeneity of these
systems grow constantly, while their management techniques do not evolve with them;
the systems become more complicated and error-prone, which shows a clear need for
standardized mechanisms to manage access control for the shared data resources.
The Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)
and the Storage Resource Broker (SRB) are widely used frameworks for the integration
of heterogeneous data resources in Data Grid systems. In these systems, however,
access control imposes substantial administration overhead on the resource providers
because authorization information has to be maintained for every individual Grid user.
In addition, access control policies need to be specified and managed across multiple
organizations, and each organization in a Data Grid may use its own terminology to
describe a resource, which makes coordination between the organizations difficult.
This dissertation addresses these problems and provides access control systems
that are based on existing standards. We developed a role-based access control
(RBAC) system with Shibboleth, an attribute-based authorization service that is
currently used in many Grid applications. We used the Core and Hierarchical RBAC
profile of the eXtensible Access Control Markup Language (XACML) standard to specify
access control policies uniformly across different organizations. For distributed
administration of those policies, we used the Object, Metadata and Artifacts Registry
(OMAR), which is based on the e-business eXtensible Markup Language (ebXML) registry
specifications developed to achieve interoperable registries and repositories.
We developed a semantic-based access control method that uses an ontology to
resolve semantic differences in terminology. Understanding the semantics of the data
being protected often helps in determining which users can access the data and what
access level they may have. The Web Ontology Language (OWL) is used to represent the
ontology of the data resources and users. Using the ontology, VOs can resolve the
differences in their terminologies and specify access control policies in terms of
concepts and user roles instead of individual data resources and user identities.
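The concept-level policy decision described above, shown as an added worked example (illustrative code written for this page, not the dissertation's own implementation). The shared ontology, the two VOs and their local resource names, the roles and the policy are all constructed; the ontology is a plain subClassOf graph rather than OWL syntax, and the alignment table stands in for the OWL typing that would link a VO's local term to a shared concept.

```python
"""Semantic access control: permissions on shared ontology concepts, with each
VO's local resource vocabulary aligned to those concepts."""

# Constructed shared ontology (hypothetical, not the dissertation's):
# class -> its direct superclasses, i.e. the OWL subClassOf relation.
SUBCLASS_OF = {
    "Dataset": set(),
    "ClimateData": {"Dataset"},
    "ObservationalData": {"ClimateData"},
    "ModelOutput": {"ClimateData"},
    "StationTemperature": {"ObservationalData"},
}
# Each VO describes its resources in its own terms; the alignment types a local
# resource name with a shared concept (what OWL individual typing would record).
LOCAL_TYPES = {
    "VO-A": {"obs_temp_2019": "StationTemperature", "gcm_run_42": "ModelOutput"},
    "VO-B": {"TemperatureReadings": "StationTemperature", "ClimateProjections": "ModelOutput"},
}
# Concept-level RBAC policy: role -> permitted (concept, action) pairs.
# Permit only; anything not covered is denied.
CONCEPT_POLICY = {
    "analyst": {("ObservationalData", "read")},
    "modeller": {("ClimateData", "read"), ("ModelOutput", "write")},
}


def subsumers(concept, subclass_of=SUBCLASS_OF):
    """Reflexive-transitive closure of subClassOf: the concept and every class above it."""
    seen, stack = set(), [concept]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(subclass_of.get(c, ()))
    return seen


def permitted(roles, vo, local_name, action, local_types=LOCAL_TYPES, policy=CONCEPT_POLICY):
    """Permit if some role holds the action on the resource's concept or a superclass of it."""
    concept = local_types.get(vo, {}).get(local_name)
    if concept is None:  # term not aligned to the shared ontology: fail closed
        return False
    covered = subsumers(concept)
    return any((c, action) in policy.get(role, ()) for role in roles for c in covered)
```

The same "analyst" permission on ObservationalData covers VO-A's obs_temp_2019 and VO-B's TemperatureReadings without either VO learning the other's naming, and a resource whose name has no alignment entry is denied rather than guessed at.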
Administering XACML policies is a difficult task because each XACML policy has
several components, and the number of XACML policies in a Data Grid environment may be
very large; yet no efficient tool is available for creating and updating XACML
policies. We therefore developed an XACML administration tool with a GUI in Java. The
tool creates XACML policies from existing RBAC policies and also supports creating new
RBAC policies or updating existing ones. With it, the policy administrator can create
new users, roles, data resources, and actions, and can change user-role assignments
and the permissions granted to a role.
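The Core and Hierarchical RBAC profile of XACML used for the policies, and the tool's conversion of an RBAC model into XACML policy sets, in the shape of an added worked example (illustrative code written for this page, not the dissertation's Java tool or its policies). The VO, its roles, resources, permissions and user-role assignments are constructed; the element names, attribute identifiers and combining algorithms are those of XACML 2.0 and its RBAC profile, but the PolicySet identifiers and the in-memory "repository" are this example's own choices. The evaluator is a deliberately small PDP that understands only string-equal matches and permit-overrides, which is all the generated policies use.

```python
"""Core and Hierarchical RBAC laid out as XACML 2.0 RBAC-profile Role PolicySets
(RPS) and Permission PolicySets (PPS), plus a small evaluator over the XML."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STR = "http://www.w3.org/2001/XMLSchema#string"
STR_EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
PS_PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
RULE_PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
RES_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ATTR = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def q(tag):  # namespace-qualify a XACML element name for ElementTree
    return f"{{{NS}}}{tag}"


# Constructed RBAC model for a hypothetical VO (not from the dissertation):
# role -> (resource, action) permissions and the junior roles it inherits from.
ROLES = {
    "curator": {"perms": {("/climate/obs", "write")}, "juniors": {"analyst"}},
    "analyst": {"perms": {("/climate/obs", "read"), ("/climate/model", "read")}, "juniors": {"guest"}},
    "guest": {"perms": {("/climate/public", "read")}, "juniors": set()},
}
# Constructed user-role assignment, standing in for the role attribute that an
# attribute authority such as Shibboleth would release to the PDP.
USER_ROLES = {"alice": {"curator"}, "bob": {"analyst"}, "carol": {"guest"}}


def _match(parent, kind, attr_id, value):
    """Append <kindMatch string-equal>: attribute attr_id must equal the literal value."""
    m = ET.SubElement(parent, q(f"{kind}Match"), MatchId=STR_EQ)
    ET.SubElement(m, q("AttributeValue"), DataType=STR).text = value
    ET.SubElement(m, q(f"{kind}AttributeDesignator"), AttributeId=attr_id, DataType=STR)


def _policy_set(parent, ps_id):
    return ET.SubElement(parent, q("PolicySet"), PolicySetId=ps_id, PolicyCombiningAlgId=PS_PERMIT_OVERRIDES)


def build_policy_sets(roles):
    """Return a container element holding the PPS and RPS of every role."""
    repo = ET.Element("PolicyRepository")  # stand-in for the PAP's policy store
    for role, spec in roles.items():
        pps = _policy_set(repo, f"PPS:{role}")
        ET.SubElement(pps, q("Target"))  # empty Target: the PPS itself does not restrict
        pol = ET.SubElement(pps, q("Policy"), PolicyId=f"Perm:{role}", RuleCombiningAlgId=RULE_PERMIT_OVERRIDES)
        ET.SubElement(pol, q("Target"))
        for i, (res, act) in enumerate(sorted(spec["perms"])):
            rule = ET.SubElement(pol, q("Rule"), RuleId=f"{role}:{i}", Effect="Permit")
            tgt = ET.SubElement(rule, q("Target"))
            _match(ET.SubElement(ET.SubElement(tgt, q("Resources")), q("Resource")), "Resource", RES_ATTR, res)
            _match(ET.SubElement(ET.SubElement(tgt, q("Actions")), q("Action")), "Action", ACT_ATTR, act)
        for junior in sorted(spec["juniors"]):  # hierarchical RBAC: inherit the junior's PPS
            ET.SubElement(pps, q("PolicySetIdReference")).text = f"PPS:{junior}"
        # The RPS is the only entry point: it matches subjects holding the role
        # and delegates to the PPS, so a PPS is never reached without the role.
        rps = _policy_set(repo, f"RPS:{role}")
        subj = ET.SubElement(ET.SubElement(ET.SubElement(rps, q("Target")), q("Subjects")), q("Subject"))
        _match(subj, "Subject", ROLE_ATTR, role)
        ET.SubElement(rps, q("PolicySetIdReference")).text = f"PPS:{role}"
    return repo


def target_matches(elem, request):
    """True if every <...Match> in elem's own <Target> is satisfied by the request attributes."""
    tgt = elem.find(q("Target"))
    if tgt is None:
        return True
    for m in (e for e in tgt.iter() if e.tag.endswith("Match")):
        designator = next(c for c in m if c.tag.endswith("AttributeDesignator"))
        if m.find(q("AttributeValue")).text not in request.get(designator.get("AttributeId"), set()):
            return False
    return True


def evaluate(repo, request):
    """Mini PDP: Permit if some RPS -> PPS chain holds an applicable Permit rule, else Deny."""
    by_id = {ps.get("PolicySetId"): ps for ps in repo.iter(q("PolicySet"))}
    seen = set()  # a PolicySet evaluates the same way every time; this also breaks cycles

    def eval_ps(ps):
        if ps.get("PolicySetId") in seen or not target_matches(ps, request):
            return False
        seen.add(ps.get("PolicySetId"))
        for child in ps:
            if child.tag == q("PolicySetIdReference") and eval_ps(by_id[child.text]):
                return True
            if child.tag == q("Policy") and target_matches(child, request) and any(
                    r.get("Effect") == "Permit" and target_matches(r, request)
                    for r in child.iter(q("Rule"))):
                return True
        return False

    return "Permit" if any(eval_ps(ps) for ps in repo if ps.get("PolicySetId").startswith("RPS:")) else "Deny"


def decide(user, resource, action, repo=None):
    """Build the request context from the user's released roles and evaluate it; deny by default."""
    repo = build_policy_sets(ROLES) if repo is None else repo
    request = {ROLE_ATTR: set(USER_ROLES.get(user, ())), RES_ATTR: {resource}, ACT_ATTR: {action}}
    return evaluate(repo, request)
```

Two properties of the profile are visible here: the resource provider's policy never names a user, only a role carried in the request, and inheritance lives in the PPS references, so adding a junior role's permission to every senior role is one edit to one PolicySet rather than a change to every role that inherits it. A user with no released role matches no RPS and is denied before any PPS is consulted.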
Our proposed access control systems allow quick and easy deployment and protect
user privacy. The systems are scalable and support interoperability and fine-grained
access control. Administration overhead for the resource providers is reduced because
they do not need to maintain individual user information. Moreover, our systems deny
unauthorized requests before a connection to the resource is established, which reduces
connection overhead and keeps the data resources available to authorized users.
Performance analysis shows that our systems add very little overhead to the existing
security infrastructures of SRB and OGSA-DAI.