Alumni Project

Security and Policy for Group Collaboration

Steve Tuecke, Argonne National Laboratory

Summary

Today, scientific advances are rarely the result of an individual toiling in isolation, but are typically the result of a collaborative, team effort. While considerable work has been done on collaboration tools to assist in performing the work of a collaboration, little has been done on mechanisms for establishing and maintaining the structure of the collaboration. Our work focuses on tools to structure collaboration by developing scalable, secure, and usable methods and tools for defining and maintaining membership, rights, and roles in group collaborations.

There are many examples of collaborative teams in areas of science of interest to the Department of Energy, including particle physics experiments (e.g. BABAR, CMS, ATLAS), global climate change, and fusion science. Such examples exhibit four essential properties of collaborative work:
While considerable work has been done on collaboration tools to assist in performing the work of a collaboration (e.g. electronic notebooks, mechanisms for annotating and cataloging information, interfaces to computing resources), work is only commencing on mechanisms for establishing and maintaining the structure of the collaboration. This structure includes means for identifying who is a member of the collaboration, what role they play, what types of activities they are entitled to perform, what community resources are available to members of the collaboration, and what the policies of those resources' owners are.

At the center of this problem of structure is determining the identity of both participants and resources in a collaboration and, based on this identity, determining the rights of the participant and the policy of the resource. These operations fall under the general heading of security technologies: identity and role are implemented via authentication mechanisms, and rights via authorization mechanisms. While many basic mechanisms for authentication and authorization have been defined, the issues of distribution, dynamics and scale discussed above complicate their application to collaborative environments, posing major research challenges that must be addressed. Additionally, sites providing the resources for a collaboration often have overruling security mechanisms and policies in place, which the collaboration must interoperate with rather than replace. Collaboration infrastructure must allow for integration across different sites to provide a consistent experience to the collaborating users.

Our focus is on this fundamental question of how to structure collaborations. Our goal is to develop scalable, secure, and usable methods, standards and tools for defining and maintaining membership, rights, and roles in group collaborations. Our concern is not with any specific collaboration or collaboratory but rather with:
We have instantiated our initial research results into the Globus Toolkit®'s widely used Grid Security Infrastructure. Since the Globus Toolkit is already adopted by many science projects (the Particle Physics Data Grid, Earth Systems Grid, DOE Science Grid, as well as many other non-DOE Grid activities like NSF TeraGrid, NASA IPG and the European Data Grid), our results can be easily used by these scientists.

Current accomplishments include draft standards for our security protocols and APIs in the Global Grid Forum (GGF) and IETF, work to integrate Grid security with local site security mechanisms, and the development of the Community Authorization Service (CAS). CAS is a flexible tool to allow for collaboration management of group membership and rights in distributed, multi-organization environments. It allows the collaboration to flexibly and consistently express fine-grained policy across all the resources participating in the collaboration while allowing those resources' local policy to remain in effect. CAS has been demonstrated in conjunction with the Earth Systems Grid SciDAC collaboratory, while the infrastructure underlying CAS has been used to allow for integration with site authorization systems in PPDG and collaboratory policy mechanisms in NFC.
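The layering described above, where a request must be permitted by both the collaboration's fine-grained policy and the resource's own local policy, can be modelled as follows. This is an added example, not code from CAS or the Globus Toolkit; the users, groups, paths and rule format are constructed for illustration.

```python
# Simplified model of two-layer authorization: a community policy service
# plus each resource's own local policy. All names and rules are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    subject: str   # group name (community rule) or community name (local rule)
    action: str    # "read" or "write"
    prefix: str    # resource path prefix the rule covers

def matches(rule, subject, action, path):
    # Match on a path-segment boundary so "/a/out" does not cover "/a/out-private".
    prefix = rule.prefix.rstrip("/")
    return (rule.subject == subject and rule.action == action
            and (path == prefix or path.startswith(prefix + "/")))

# Community side: group membership and what each group may do.
MEMBERSHIP = {"alice": {"analysts"}, "bob": {"analysts", "curators"},
              "mallory": {"analysts"}}
COMMUNITY_RULES = [
    Rule("analysts", "read", "/climate/model-output"),
    Rule("curators", "write", "/climate/model-output/staging"),
    Rule("curators", "write", "/climate/raw"),  # more than the site grants
]

# Resource side: what the site grants the community as a whole, plus local bans.
LOCAL_RULES = [
    Rule("climate-community", "read", "/climate"),
    Rule("climate-community", "write", "/climate/model-output/staging"),
]
LOCAL_DENY_USERS = {"mallory"}

def community_allows(user, action, path):
    groups = MEMBERSHIP.get(user, set())
    return any(matches(r, g, action, path)
               for r in COMMUNITY_RULES for g in groups)

def local_allows(user, community, action, path):
    if user in LOCAL_DENY_USERS:   # site policy overrules community membership
        return False
    return any(matches(r, community, action, path) for r in LOCAL_RULES)

def authorize(user, action, path, community="climate-community"):
    """Grant only when the local policy AND the community policy both allow."""
    if not local_allows(user, community, action, path):
        return (False, "denied by local resource policy")
    if not community_allows(user, action, path):
        return (False, "denied by community policy")
    return (True, "granted")
```

The community can narrow access within what the site grants it (per group, per path), but it cannot widen it: the write rule for `/climate/raw` has no effect because the site never granted the community write access there.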
Our current work includes leveraging the emerging Web Services security specifications to enhance existing Grid Security standards and software. This includes creating standards for using Web Services in Grid Security and developing software to take advantage of these standards. One goal of this work is to make integration of multiple security mechanisms and advanced security services such as CAS with Grid applications as seamless and automated as possible. These results, like our current work, are being integrated into Globus Toolkit releases to facilitate their adoption in the DOE SciDAC collaboratories and other Grid deployments.

For more information please visit: http://www-fp.mcs.anl.gov/dsl/scidac/security/

Or contact: