Background Science Applications Physics Climate Groundwater Fusion Energy Life Sciences Materials & Chemistry SciDAC Institutes Collaboratories Enabling Technologies Applied Mathematics Computer Science Visualization & Data Mgt. SciDAC Outreach Participating Orgs Grant Solicitations FY2007 FY2006 FY2005 FY2004 FY2001 Collateral Materials SciDAC Review magazine '06 Progress Report (pdf) Publications 2001-5 (pdf) Logos Search Collateral (from SciDAC 1) Browse by Affiliation Browse by Author Browse by Title DOE Office of Advanced Scientific Computing Research (ASCR) Program Managers only

Security and Policy for Group Collaboration

Steve Tuecke, Argonne National Laboratory Carl Kesselman, USC, Information Science Institute Miron Livny, U. Wisconsin, Madison

Summary

Today, scientific advances are rarely the result of an individual toiling in isolation, but are typically the result of a collaborative, team effort. While considerable work has been done on collaboration tools to assist in performing the work of a collaboration, little has been done on mechanisms for establishing and maintaining the structure of the collaboration. Our work focuses on tools to structure collaboration by developing scalable, secure, and usable methods and tools for defining and maintaining membership, rights, and roles in group collaborations.

There are many examples of collaborative teams in areas of science of interest to the Department of Energy, including particle physics experiments (e.g. BABAR, CMS, ATLAS), global climate change, and fusion science. Such examples exhibit four essential properties of collaborative work:

1. The participants, as well as the resources, are distributed both geographically and organizationally;
2. Collaborations can scale in size from a few individuals to thousands of participants, and membership may very dynamic;
3. Collaborations may span areas of expertise, with members filling different roles within the collaboration;
4. The work of the team is enabled by providing team members with access to a variety of community resources, including computers, storage systems, datasets, applications, and tools.

While considerable work has been done on collaboration tools to assist in performing the work of a collaboration (e.g. electronic notebooks, mechanisms for annotating and cataloging information, interfaces to computing resources), little has been done on mechanisms for establishing and maintaining the structure of the collaboration. This structure includes means for identifying who is a member of the collaboration, what role they play, what types of activities they are entitled to perform, and what community resources are available to members of the collaboration. Yet these issues must be addressed in a comprehensive manner before collaborative environments can be used to solve problems of real consequence.

At the center of this problem of structure is determining the identity of both participants and resources in a collaboration and, based on this identity, determining the rights of the participant and resource. These operations fall under the general heading of security technologies: identity and role being implemented via authentication mechanisms, and rights by authorization mechanisms. Yet while many basic mechanisms for authentication and authorization have been defined, the issues of distribution, dynamics and scale discussed above complicate their application to collaborative environments, posing major research challenges that must be addressed.

Our focus is on this fundamental question of how to structure collaborations. Our goal is to develop scalable, secure, and usable methods, standards and tools for defining and maintaining membership, rights, and roles in group collaborations. Our concern is not with any specific collaboration or collaboratory but rather with:

1. understanding the basic mechanisms required to structure a collaboration,
2. developing infrastructure elements in the form of middleware services and tools that implement the mechanisms, and
3. demonstrating the validity of these methods within the context of a number of demonstration collaboration environments.

Building off of the Globus Toolkit's® widely used Grid Security Infrastructure (GSI) we developing methods and tools to:

• Reduce greatly the cost of adding new members to a collaboration,
• Facilitate integration of new resources into the collaboration,
• Manage the roles and associated privileges of participants in a collaboration.

We will instantiate our research results into a framework that makes it useable to a wide range of collaborative tools. This will in turn be integrated into the Globus Toolkit. Since the Globus Toolkit is already adopted by many science projects - the Particle Physics Data Grid, Earth Systems Grid, DOE Science Grid, as well as many other non-DOE Grid activities like NSF TeraGrid, NASA IPG and the European Data Grid - this enables the results to be easily used by scientists in these projects.

Current accomplishments include draft standards for security in the Global Grid Forum (GGF) and IETF, work to integrate Grid security with local site security mechanisms, and the development of the Community Authorization Service (CAS).

CAS is a flexible tool for managing group membership and rights in distributed collaborative environments. It allows the collaboration to flexibly and consistently express fine grain policy across all the resources participating in the collaboration while allowing those resources' local policy to remain in effect. We have already demonstrated CAS in conjunction with the Earth Systems Grid SciDAC collaboratory. It is currently being evaluated by other SciDAC collaboratories such as DOE Science Grid, Particle Physics Data Grid, and the Fusion Collaboratory where we expect to see it used in the next year.

Figure 1: CAS Architecture

Our current work also includes leveraging the emerging Web Services security specifications to enhance existing Grid Security standards and software. Over the coming year we will create standards for using Web Services in Grid Security and develop software to take advantage of these standards. One goal of this work is to make integration of multiple security mechanisms and advanced security services such as CAS with Grid applications as seamless and automated as possible. These, like our current work, will be integrated into future Globus Toolkit releases to facilitate their adoption in the DOE SciDAC collaboratories and other Grid deployments.

back to project page