
Fine-Grain Access Control Using Shibboleth for the Storage Resource Broker

Abstract

In this paper, we propose a fine-grain access control system for data resources in the Storage Resource Broker (SRB). The SRB is a Data Grid management system that integrates heterogeneous data resources of virtual organizations (VOs). The SRB stores the access control information of individual users in the Metadata Catalog (MCAT) database. However, because of the specific MCAT schema, this information can only be used by SRB applications. If VOs also run many non-SRB applications, each with its own storage format for user access control information, administration becomes a scalability problem. To solve this problem, we use Shibboleth, an attribute authorization service. With Shibboleth, a user's authentication and access control information is obtained from the user's home institution. The administration overhead is therefore reduced, because the access control information of individual users is now managed by the user's home institution alone, not by MCAT or by the applications. Shibboleth also allows access control decisions to be made on user attributes such as role memberships and institutional affiliation rather than on identity. Thus, our system provides scalable, fine-grain access control and allows privacy protection. Performance analysis shows that our system adds only a small overhead to the existing security infrastructure of the SRB.
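The abstract describes attribute-based rather than identity-based decisions: a Shibboleth Service Provider delivers attributes asserted by the user's home institution, and the data application decides on those. The following is an added illustration, not the paper's system or the SRB/MCAT code: a deny-by-default policy evaluator over constructed SRB-style collection paths. The eduPerson and SCHAC attribute names are real federation attributes; the collection paths, entitlement URNs, organisation names and the policy structure itself are assumptions made for this example.

```python
"""Attribute-based access decision for SRB-style collections.

Constructed example: the policy, collection paths, entitlement URNs and
organisation names are invented for illustration; they are not the paper's
policy language nor anything the SRB or Shibboleth ships.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    collection: str      # collection path prefix this rule covers
    actions: frozenset   # actions the rule grants, e.g. {"read", "write"}
    required: dict       # attribute name -> acceptable values (any one suffices)


# Constructed policy. Every required attribute must be satisfied. No rule
# mentions a user identity (eduPersonPrincipalName), so decisions rest on
# role, entitlement and home organisation only, which is the privacy property
# the abstract points at.
POLICY = (
    Rule("/vo/climate/public", frozenset({"read"}),
         {"eduPersonAffiliation": {"member"}}),
    Rule("/vo/climate/raw", frozenset({"read"}),
         {"eduPersonAffiliation": {"faculty", "staff"},
          "eduPersonEntitlement": {"urn:example:climate:analyst"}}),
    Rule("/vo/climate/raw", frozenset({"read", "write"}),
         {"eduPersonEntitlement": {"urn:example:climate:curator"},
          "schacHomeOrganization": {"uni-a.example"}}),
)


def parse_attributes(raw_lines):
    """Parse 'name=value1;value2' lines into {name: set(values)}.

    Multi-valued attributes are joined with ';', the convention the Shibboleth
    SP uses when exporting attributes. Blank lines, lines without '=' and
    attributes with no non-empty value are dropped.
    """
    attrs = {}
    for line in raw_lines:
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, _, values = line.partition("=")
        value_set = {v.strip() for v in values.split(";") if v.strip()}
        if value_set:
            attrs.setdefault(name.strip(), set()).update(value_set)
    return attrs


def _in_collection(path, prefix):
    # Exact match or a proper sub-path; "/vo/climate/rawdata" does not match
    # "/vo/climate/raw".
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def decide(attrs, path, action):
    """Return (allowed, reason). Deny by default.

    A rule grants only if the path is under its collection, the rule lists the
    action, and every required attribute has at least one acceptable value in
    the user's attribute set.
    """
    for rule in POLICY:
        if not _in_collection(path, rule.collection) or action not in rule.actions:
            continue
        missing = [name for name, ok in rule.required.items()
                   if not (attrs.get(name, set()) & ok)]
        if not missing:
            return True, f"granted by rule for {rule.collection}"
    return False, f"no rule grants {action} on {path}"


if __name__ == "__main__":
    # Constructed attribute set as a Shibboleth SP might export it.
    user = parse_attributes([
        "eduPersonAffiliation=faculty;member",
        "eduPersonEntitlement=urn:example:climate:analyst",
        "eduPersonPrincipalName=alice@uni-b.example",
    ])
    for action in ("read", "write"):
        print(action, decide(user, "/vo/climate/raw/2024/obs.nc", action))
```

The evaluator must only ever be fed attributes that the Shibboleth SP has validated from the home institution's assertion; if an application reads the same attribute names from client-supplied request headers, any user can claim any affiliation, and the whole point of delegating authorization data to the home institution is lost.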