Start date: 1 May 2004
End date: 30 April 2006
Funding programme: Core Middleware: Technology Development programme
JISC theme(s): Access management, e-Research
DyVOSE (Dynamic Virtual Organisations in e-Science Education)
Introduction
Current experiences with public key certificates and public key
infrastructures (PKIs) for user authentication have not been successful.
Consequently the UK academic community now wants to experiment with using
local (existing) methods of authentication for remote login, using
the Shibboleth protocol as the
transport mechanism. It is too early to say if large scale use of attribute
certificates (ACs) for user authorisation, based on infrastructures such
as PERMIS, will be
successful or not. However, few other alternatives currently exist, so
practical experience is required.
In order for large scale use to be facilitated, dynamic (rather than
static) delegation of authority is required. This requires enhancements to
security authorisation infrastructures. In the current PERMIS infrastructure,
static delegation of authority means that a central authority has to be
contacted, and register local managers in its policy, before managers are
entitled to assign privileges to subordinates. With dynamic delegation of
authority, local managers do not need to be registered, but are given the
privilege to delegate when they are first given privileges to use the
system. Managers can then allocate privileges to staff and students as
required, without having to contact the central authority first to get
permission. Through this, a federated and scalable model of security
authorisation can be realised. In developing this federated Privilege
Management Infrastructure (PMI) model, key challenges have to be
overcome which are common to most, if not all, uses of Grid technology –
the dynamic establishment of Virtual Organisations (VO).
VOs allow shared use of computational and data resources by collaborating
institutions. Establishing a VO will require that efficient mechanisms for
controlling access to the shared resources by known individuals are in place.
However, currently in the Grid community access control is usually done by
comparing the authenticated name of an entity to a name in an Access
Control List. This approach lacks scalability and manageability. Dynamic
delegation of privileges offers a more realistic approach that could shape
future Grid security, especially when it is rolled-out to the masses, e.g.
Grid students and industry.
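
The difference between static and dynamic delegation described above can be shown with a small model. This is an added example, not PERMIS code: the AC fields, the names and the depth rule are simplifying assumptions, and signature verification is omitted.

```python
from dataclasses import dataclass

SOA = "cn=central-authority"  # constructed name for the source of authority

@dataclass(frozen=True)
class AC:
    """Simplified attribute certificate (hypothetical fields, no signature)."""
    issuer: str
    holder: str
    role: str
    delegate_depth: int = 0  # further delegation steps the holder may make

def static_valid(ac, registered_issuers):
    """Static model: the issuer must already be named in the central policy."""
    return ac.issuer == SOA or ac.issuer in registered_issuers

def dynamic_valid(ac, store, seen=()):
    """Dynamic model: walk the issuing chain back to the SOA. Every issuer
    must hold the same role with delegation rights still remaining."""
    if ac.delegate_depth < 0:
        return False
    if ac.issuer == SOA:
        return True
    if ac.issuer in seen:  # reject circular chains
        return False
    return any(
        parent.holder == ac.issuer
        and parent.role == ac.role                    # cannot delegate a role not held
        and parent.delegate_depth > ac.delegate_depth  # depth shrinks at each step
        and dynamic_valid(parent, store, seen + (ac.issuer,))
        for parent in store
    )

# Constructed sample: the central authority gives a manager the role plus
# the right to delegate it one step; the manager then issues ACs locally.
MANAGER = AC(SOA, "cn=manager", "grid-user", delegate_depth=1)
STUDENT = AC("cn=manager", "cn=student", "grid-user")
FRIEND = AC("cn=student", "cn=friend", "grid-user")    # student has no delegation right
ADMIN = AC("cn=manager", "cn=student2", "grid-admin")  # manager never held this role
STORE = [MANAGER, STUDENT, FRIEND, ADMIN]

def summary():
    """Decision for each sample AC under the dynamic model."""
    return {ac.holder: dynamic_valid(ac, STORE) for ac in STORE}
```

Under the static model the student's AC is accepted only once `cn=manager` has been added to the central policy; under the dynamic model it is accepted as issued, while the two over-reaching ACs are rejected.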
Aims and Objectives
The overall aim of the project is to demonstrate dynamic delegation of
trust through an extended version of PERMIS as part of a case study
based upon the issuance of local attribute certificates at the University of Glasgow and e-Science Institute (e-SI) in
Edinburgh. These attribute certificates will be issued to graduate students
at Glasgow by members of
staff, as part of the advanced MSc programme currently under development –
specifically for usage in the Grid Computing modules to be taught therein,
and to e-Science investigators by the e-Science training team at e-SI. These ACs will be used to grant
the users access to, and use of, computational and data resources across the UK
e-Science Grid as well as local e-Science infrastructures such as ScotGrid. The e-Science training team
located at e-SI will
provide training on a range of Grid technologies as part of the Enabling Grids for E-Science in Europe
(EGEE) project. The expected starting date of the advanced MSc
at Glasgow is September 2004,
hence this proposal is timely and will serve as a valuable barometer in
assessing delegation based AC infrastructures and their roll-out to the
wider UK e-Science community.
The specific objectives are to:
- Design educational case studies initially using static and subsequently
  using dynamic delegation based PMI;
- Report on practical experiences and best practices in static delegation
  based PMI;
- Develop software supporting dynamic delegation and authority recognition
  in PERMIS;
- Produce user manuals and administrator guides on using, setting up and
  managing dynamic delegation infrastructures;
- Report on practical experiences in using dynamic delegation
  infrastructures as part of e-Science education;
- Provide an NMI release of PERMIS that supports dynamic
  recognition of authority.
Project Methodology
The primary focus of the project will be to extend the PERMIS authorisation
infrastructure to support dynamic recognition of authority, and to explore
this in a realistic educational setting to establish academic VOs. As such,
the roles of the partners and associated activities are clearly defined
with the University of Salford providing PERMIS and its
enhancements; University of
Glasgow and e-Science
Institute in Edinburgh exploring these enhancements through
training and educational courses making use of e-Science computational
resources in a secure (authorised) manner, and EDINA ensuring that the experiences
gained are disseminated out to the JISC Information
Environment.
Implications / Deliverables / Stakeholders
This project may well have a major impact upon UK e-Science and the already
identified limitations of the existing security software being used there.
It is clear that if e-Science is to expand in the UK and elsewhere,
different user communities need to be assured that the open collaborative
nature that Grids provide is supported by well engineered, scalable
security infrastructures. This is especially the case in dealing with the
medical communities and potentially with industrial partners. This proposal
offers a chance to prototype and trial, in a realistic setting, a solution
to dynamic authorisation of VO collaborators. This will impact upon UK
e-Science, international Grid standards, UK academic institutions and
potentially UK industry as a whole. We will attempt to maximise the impact
of this work through dissemination by EDINA throughout the JISC Information
Environment. Deliverables are targeted to meet the overall
objectives outlined above.