Improvements to the Security Architecture of Grid Computing Systems
Abstract
Grid computing is an emerging technology that has developed in recent years and has become an increasingly important research field. Security is a core problem in grid computing, and research on and analysis of grid security is equally urgent. In a grid environment, any single-machine system or cluster system can act as a node that provides and consumes resources. Nodes are interconnected over the network to share resources and use them collaboratively. Grid resources change dynamically, are distributed over a wide area, and are enormous in number and type, which makes security problems in a grid environment more complex than those in an ordinary network environment. Many new security problems have also appeared in grid environments, and traditional network security techniques can no longer adequately meet grid security requirements. Grid security research is therefore important, complex and arduous work.

This thesis first introduces the fundamentals of grid technology and the security requirements and security policies of grids, then analyzes in depth the shortcomings of the Grid Security Infrastructure (GSI). To address GSI's problems of unauthorized access and proxy abuse, it improves GSI by introducing an intermediary module between the user proxy and the resource proxy. Within the improved GSI structure, taking the efficiency of resource requests into account, it proposes a tree topology for the grid and describes the process of requesting grid resources in this structure. It discusses grid access control policy and, in view of the shortcomings of GSI's access control policy, proposes an Agent-based access control policy model and analyzes the model's basic principles and process. It studies the open security technical specification in the "Information Security Business Infrastructure Platform", the Open Security Technical Framework (OpenSTF), describing its overall structure, security middleware and distributed core. It puts forward five requirements for the security architecture of a grid computing system and, according to these requirements, designs a five-layer security architecture, deploying the security middleware into it so that the architecture is more extensible. Finally, building on this architecture, it derives a layered security architecture model for grid computing systems and compares it with the original OGSA security architecture.

Through this discussion and research, the thesis offers, at a theoretical level, several solutions for the security architecture of grid computing systems, providing reference and guidance for future research and development of grid security technology.
