Components for Grid Security

Sections

  1. Basic Security Mechanisms
  2. Components for Credential Generation
  3. Components for Credential Management
  4. Components for Access Control and Authorization

Managing the certificates used by Grid applications is simple in principle, but can be challenging in practice. The Grid community has developed certificate management tools for generating credentials for users and services, for getting users "signed up" to use a Grid, and for getting users' Grid credentials to wherever they're needed in a system.

Beyond verifying the identities of users and services, basic Grid security mechanisms leave access control decisions to services. The Grid community has developed authorization and access control tools for storing and providing access to system-wide authorization information and for creating a central data store for supporting decentralized control mechanisms.

Related Solutions: The Grid Solutions section of this website provides examples of these components being used in scientific projects. See especially the Registering Users for the Earth System Grid solution.

Basic Security Mechanisms

The Globus Toolkit's Authentication and Authorization components provide the de facto standard for the "core" security software in Grid systems and applications. These software development kits (SDKs) provide programming libraries, Java classes, and essential tools for a PKI certificate-based authentication system with single sign-on and delegation features, in either Web Services or non-Web Services frameworks. ("Delegation" means that once users access a remote system, they can give the remote system permission to use their credentials to access other systems on their behalf.)
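Delegation in GSI works by having the user issue a short-lived proxy certificate: the proxy's subject is the user's distinguished name plus one extra CN component, it carries its own key pair, and it is signed by the user's own key rather than by the CA. A relying service must therefore verify a chain CA -> user -> proxy before honouring the delegated credential. The following Python script is an added example written for this page, not Globus Toolkit or GSI code; it uses the third-party cryptography library, builds a constructed demo PKI ("Example Grid CA", user "Alice Researcher"), and omits the RFC 3820 ProxyCertInfo extension and policy language, which a production verifier would also check.

```python
"""Added example (not Globus Toolkit code): GSI-style delegation modelled with
X.509 proxy certificates.  Only the RFC 3820 naming rule, the signature chain and
the lifetime rule are checked; the ProxyCertInfo extension is left out."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _issue(subject, issuer, issuer_key, public_key, hours, ca):
    """Sign a certificate for `public_key` with `issuer_key`; validity is in hours."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(hours=hours))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def issue_proxy(user_cert, signing_key, hours=12, cn="proxy"):
    """Issue a proxy: subject = user DN + one CN, issued and signed by the user.
    The proxy has its own key pair, so the user's long-lived key never leaves home."""
    proxy_key = make_key()
    subject = x509.Name(list(user_cert.subject) + [x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = _issue(subject, user_cert.subject, signing_key, proxy_key.public_key(), hours, ca=False)
    return cert, proxy_key


def _not_after(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older builds return naive UTC.
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_after_utc
    return cert.not_valid_after.replace(tzinfo=timezone.utc)


def _signed_by(cert, issuer_cert):
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def verify_delegation_chain(ca_cert, user_cert, proxy_cert):
    """Return (ok, reason): the checks a relying service makes on CA -> user -> proxy."""
    if user_cert.issuer != ca_cert.subject or not _signed_by(user_cert, ca_cert):
        return False, "user certificate not issued by the trusted CA"
    if proxy_cert.issuer != user_cert.subject or not _signed_by(proxy_cert, user_cert):
        return False, "proxy not signed by the user certificate"
    rdns = list(proxy_cert.subject)
    if rdns[:-1] != list(user_cert.subject) or rdns[-1].oid != NameOID.COMMON_NAME:
        return False, "proxy subject must be the user DN plus one CN component"
    if _not_after(proxy_cert) > _not_after(user_cert):
        return False, "proxy outlives the user certificate"
    return True, "ok"


def build_demo_chain():
    """Constructed demo PKI (hypothetical names): a CA, a user it certifies, and a proxy."""
    ca_key, user_key = make_key(), make_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Grid"),
                         x509.NameAttribute(NameOID.COMMON_NAME, "Example Grid CA")])
    user_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Grid"),
                           x509.NameAttribute(NameOID.COMMON_NAME, "Alice Researcher")])
    ca_cert = _issue(ca_name, ca_name, ca_key, ca_key.public_key(), hours=24 * 365, ca=True)
    user_cert = _issue(user_name, ca_name, ca_key, user_key.public_key(), hours=24 * 30, ca=False)
    proxy_cert, _proxy_key = issue_proxy(user_cert, user_key)
    return ca_cert, user_cert, user_key, proxy_cert


if __name__ == "__main__":
    ca, user, user_key, proxy = build_demo_chain()
    print("genuine proxy:", verify_delegation_chain(ca, user, proxy))
    rogue, _ = issue_proxy(user, make_key())  # signed by a key that is not the user's
    print("forged proxy:", verify_delegation_chain(ca, user, rogue))
```

The two failure cases in the `__main__` block are the ones a service most needs to reject: a proxy signed by some key other than the user's, and (via the lifetime rule) a proxy that would remain usable after the user's own certificate expires. Proxy lifetime is the main knob that limits the damage if a delegated credential is stolen from a remote host, which is why GSI proxies default to hours rather than days.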

Components for Credential Generation

When Grid security methods are used in a system or application, users and services must provide credentials to prove their identities. Grid credentials contain data generated by cryptographic methods, so they must be produced by software programs. The following tools and services provide several ways to generate certificates for use in Grid systems and applications.

  • Globus Certificate Service - An online service that issues low-quality GSI certificates to users who want to experiment with Grid software but don't have any other means to acquire certificates
  • Simple CA - A convenient method of issuing certificates for users and services that work with GSI and WS-Security

Components for Credential Management

Experience in many early Grid projects has demonstrated that it is difficult for users of Grid applications and systems to manage their own credentials. Overcoming this difficulty is a requirement for successful application deployment. The following components provide ways to avoid (or simplify) the need for users to manage their own credentials.

  • MyProxy - A network service that stores user credentials so they can be accessed from other systems on the network
  • KX.509 and KCA - A system for providing Kerberos users with Grid credentials without operating a conventional Certificate Authority
  • PKINIT - A mechanism that allows a Kerberos ticket to be obtained using a Grid credential rather than a Kerberos passphrase

Components for Access Control and Authorization

Beyond verifying the identities of users and services, basic Grid security mechanisms leave access control decisions to services. The Grid community has developed authorization and access control tools for storing and providing access to system-wide authorization information and for creating a central data store for supporting decentralized control mechanisms.

  • Shibboleth - A set of services that leverage existing user authentication and authorization systems at "home institutions" to give remote services the information they need to make authorization decisions
  • Community Authorization Service (CAS) - A service that allows resource providers to specify coarse-grained access control policies in terms of communities as a whole, delegating fine-grained access control policy management to the community itself
  • VOMS - A database-driven mechanism for central management of user role and capability data