Accountability and Control of Process Creation in Metasystems

摘要

The distinguishing feature of a metasystem is middleware that facilitates viewing a collection of large, distributed, heterogeneous resources as a single virtual machine, where each user of the metasystem is identified by a unique metasystem-level identity. The physical resources of the metasystem can exist in multiple administrative domains, each with different local security requirements and authentication mechanisms (e.g., Kerberos, public- key). The problem this paper addresses is how to map the metasystems-level identity to an appropriate account on each local physical machine for the purposes of process creation, such that the access control and authentication policies of each local machine are not violated. This mapping must ensure the integrity of the local machines, must ensure the integrity of the metasystem user's data, and must not unnecessarily burden either the metasystem users, the metasystem system administrator, or the local machine system administrators. Specific examples are drawn from experiences gained during the deployment of the Legion metasystem. For example, Legion configurations for local sites with different access control mechanisms such as standard UNIX mechanisms and Kerberos are compared. Through analysis of these configurations, the inherent security trade-offs in each design are derived. These results have practical importance to current and future metasystem users and to sites considering any future inclusion of local resources in a global virtual computer.