Research and Implementation of a Portal-Based Grid Security Management System
Abstract
With the rapid development of grid technology, grid security has become a key issue affecting the technology. In particular, since grid portals were introduced, questions such as how to provide secure management of portal-layer resources, how to manage user certificates through the portal, and how to authorize access to the underlying grid resources have become research hotspots in applied grid security.
     The research in this thesis is set against the security requirements of grid portals and is carried out on the basis of the China Meteorology Application Grid Portal and the NUDT Campus High-Performance Computing Grid Portal. The security requirements of these two portals neglected the following issues: secure and effective management of portal-layer resources and certificates, fine-grained authorization for the underlying grid resources, and single sign-on for users. Moreover, industry currently has no good solution for secure access control of portal-layer resources, and grid authorization suffers from coarse granularity. To address these problems, this thesis first studies the basic characteristics of grid portals and the specific portal framework GridSphere, the GSI security mechanism, PKI, X.509 certificates, and the MyProxy delegation technique.
     On this basis, and for a concrete grid environment, this thesis proposes a two-layer architecture that divides security control into portal-layer control and underlying grid authorization. For portal-layer control, it addresses the security requirements of concrete portal resources by introducing the concept of the portal virtual group and proposes an access control method that combines global roles with portal virtual group management, giving users with different role sets different views of portal resources and thereby solving the general problem of secure access control to portal resources. For underlying grid authorization, it analyzes the authorization principles of existing grid mechanisms such as GSI's gridmap, CAS and VOMS, points out their shortcomings such as insufficient granularity control, and, to address these, proposes a dynamic authorization mechanism combining virtual organizations with task roles (VOTRDA). This mechanism associates permissions on underlying grid resources with concrete tasks and gives each task a state attribute, achieving finer-grained dynamic authorization.
     Building on the theoretical work above, this thesis proposes an overall framework for a portal-based grid security management system consisting of three modules: user security control under the portal, user registration with integrated certificate management, and fine-grained authorization for underlying grid resources. The thesis gives the detailed design and implementation of these three modules, compares the system with related systems abroad, and finally applies it to the two grid portals mentioned above; the actual operation of these two applications demonstrates that the work has both theoretical significance and practical value.
With the development of Grid Computing, the grid security issue is becoming more and more important; it is one of the vital factors in Grid Computing. In grid security, some problems, such as the management of portal resources, the management of user certificates based on the portal and the authorization of grid resources, have become very hot topics.
     The work of this thesis is based on the requirements of two grid portal applications, the China Meteorology Application Grid Portal and the NUDT Campus High Performance Computing Grid Portal. These two portals have the same requirements in the aspect of grid security, including the proper and effective management of resources at the portal level, the convenient and secure management of certificates, the implementation of single sign-on for users, fine-grained authorization for grid resources and so on. At present, it is difficult to solve the problem of access control for securing resources at the portal level, and there is also the problem that authorization for grid resources is rather coarse.
     To solve the problems above, this thesis first studies the relevant background: the essentials of the grid portal, the specific portal framework (GridSphere), the GSI security mechanism, the PKI mechanism, X.509 certificates and the MyProxy technique. Then, according to the actual grid environment, it proposes a two-layer architecture for the grid portal's security control. In the upper layer, by introducing the portal VO and considering the actual requirements, it proposes an access control method that combines global RBAC with the portal VO, to solve the common problems of access control for securing portal resources and to present different views of portal resources to different users. In the lower layer, after analyzing the authorization principles of present mechanisms such as Gridmap authorization in GSI, CAS authorization and VOMS authorization, and pointing out their limitation of coarse granularity, it proposes a dynamic authorization mechanism that combines the VO with access control based on the task role. This mechanism binds the authorization for grid resources to a task that has its own states, to support dynamic fine-grained authorization.
     Based on the study above, this thesis proposes a system framework for grid security management which consists of three main modules: access control for the portal, user registration integrating certificate management, and fine-grained authorization for grid resources. After describing the design and implementation of the three modules, it makes a performance comparison between this system and other corresponding systems abroad. In the end, this thesis introduces the application of the system in the two grid portals mentioned above, which demonstrates that the work of this thesis is significant not only in theory but also in practice.
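The abstracts describe the two-layer scheme only in outline, so the following Python sketch is an added illustration of that structure and is not code from the thesis or from either portal. The upper layer derives a user's portal view from the intersection of what their global roles permit and what the portal virtual groups they belong to expose; the lower layer binds grants on grid resources to a task that has a state, so that a grant is exercisable only by a member holding the task's role, only while the task is active, and is revoked when the task finishes. Every role, portlet, virtual group, resource path, task state and lifecycle transition below is an assumption chosen for the example; the thesis's VOTRDA rules may differ.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

# Upper layer: portal-level access control (global roles x portal virtual groups).
# Role, portlet and VO names are assumptions for illustration, not the thesis's own.
ROLE_PORTLETS = {
    "portal_admin": {"user_mgmt", "cert_mgmt", "job_submit", "job_monitor",
                     "data_browse", "forecast_view"},
    "grid_user": {"cert_mgmt", "job_submit", "job_monitor", "data_browse",
                  "forecast_view"},
    "guest": {"data_browse"},
}
VO_PORTLETS = {
    "meteo": {"job_submit", "job_monitor", "data_browse", "forecast_view"},
    "campus_hpc": {"job_submit", "job_monitor", "data_browse"},
}
VO_SCOPED = set().union(*VO_PORTLETS.values())   # portlets that only exist inside a VO


@dataclass
class PortalUser:
    name: str
    global_roles: set
    portal_vos: set


def portal_view(user):
    """Return the set of (scope, portlet) pairs the portal should render for this user."""
    by_role = set().union(*(ROLE_PORTLETS.get(r, set()) for r in user.global_roles))
    view = set()
    for vo in user.portal_vos:
        # A VO-scoped portlet is shown only if both the role and the VO allow it.
        for portlet in VO_PORTLETS.get(vo, set()) & by_role:
            view.add((vo, portlet))
    # Portal-wide portlets (e.g. certificate management) are not tied to any VO.
    for portlet in by_role - VO_SCOPED:
        view.add(("portal", portlet))
    return view


# Lower layer: task-bound dynamic authorization for grid resources.
class TaskState(Enum):
    CREATED = auto()
    RUNNING = auto()
    SUSPENDED = auto()
    FINISHED = auto()


# Assumed lifecycle: FINISHED is terminal, so a task's grants die with it.
TRANSITIONS = {
    TaskState.CREATED: {TaskState.RUNNING},
    TaskState.RUNNING: {TaskState.SUSPENDED, TaskState.FINISHED},
    TaskState.SUSPENDED: {TaskState.RUNNING, TaskState.FINISHED},
    TaskState.FINISHED: set(),
}
ACTIVE_STATES = {TaskState.RUNNING}


@dataclass
class Task:
    task_id: str
    vo: str                      # virtual organization the task belongs to
    task_role: str               # role a member must hold to use the task's grants
    grants: dict                 # resource -> set of permitted actions
    state: TaskState = TaskState.CREATED
    members: dict = field(default_factory=dict)   # user name -> role within the task


def transition(task, new_state):
    """Move the task along its lifecycle; illegal moves are rejected."""
    if new_state not in TRANSITIONS[task.state]:
        raise ValueError(f"{task.task_id}: cannot go from {task.state.name} to {new_state.name}")
    task.state = new_state
    return task.state


def authorize(user, task, resource, action):
    """Lower-layer decision: VO membership, task role, task state and grant must all agree."""
    if task.vo not in user.portal_vos:                   # user is outside the task's VO
        return False
    if task.state not in ACTIVE_STATES:                  # grants are live only while running
        return False
    if task.members.get(user.name) != task.task_role:    # wrong (or no) role in this task
        return False
    return action in task.grants.get(resource, set())


def demo():
    """Walk one constructed task through its lifecycle; returns the decisions taken."""
    alice = PortalUser("alice", {"grid_user"}, {"meteo"})
    bob = PortalUser("bob", {"grid_user"}, {"meteo"})
    carol = PortalUser("carol", {"grid_user"}, {"campus_hpc"})
    task = Task("run-42", vo="meteo", task_role="analyst",
                grants={"cluster/meteo/queue": {"submit"}, "storage/meteo/obs": {"read"}},
                members={"alice": "analyst", "bob": "observer", "carol": "analyst"})
    q = "cluster/meteo/queue"
    before = authorize(alice, task, q, "submit")         # task not yet running
    transition(task, TaskState.RUNNING)
    during = authorize(alice, task, q, "submit")         # every condition satisfied
    wrong_role = authorize(bob, task, q, "submit")       # observer, not analyst
    wrong_vo = authorize(carol, task, q, "submit")       # analyst, but not in meteo
    no_grant = authorize(alice, task, "storage/meteo/obs", "write")
    transition(task, TaskState.FINISHED)
    after = authorize(alice, task, q, "submit")          # grant revoked with the task
    return before, during, wrong_role, wrong_vo, no_grant, after


if __name__ == "__main__":
    print(sorted(portal_view(PortalUser("alice", {"grid_user"}, {"meteo"}))))
    print(demo())
```

The point of the split is that the upper layer answers "what may this person see in the portal" from static role and group membership, while the lower layer answers "may this person do this to this grid resource right now", which additionally depends on the task's current state; a gridmap-style static mapping cannot express the second question.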