To span administrative boundaries, metacomputing systems require the integration of strong authentication and authorization methods. The problem is complicated because different components of the system may have different security policies. This paper presents a distributed model for authorization that we have integrated with the Prospero Resource Manager, a metacomputing resource allocation system developed at USC. The integration of authorization with PRM was accomplished through the specification of a policy language and the use of a Generic Authorization and Access-control API (GAA API). The language supports the specification of diverse authorization policies including ACLs, capabilities and lattice-based access controls. The GAA API provides a uniform authorization service interface for facilitating access control decisions and requesting authorization information about a particular resource. We describe a prototype of our system.