An efficient method for fine-grained access authorization in distributed
Main author: | |
---|---|
Language: | eng |
Published: | 2006 |
Subjects: | |
Online access: | http://cds.cern.ch/record/1120624 |
_version_ | 1780914562741043200 |
---|---|
author | Peters, Andreas |
collection | CERN |
description | The ARDA group has developed an efficient method for fine-grained access authorization in distributed (Grid) storage systems. Client applications obtain "access tokens" from an organization's file catalogue upon execution of a file name resolution request. Whenever a client application tries to access the requested files, the token is transparently passed to the target storage system. Thus the storage service can decide on the authorization of a request without itself having to contact the authorization service. The token is protected from access and modification by external parties using public key infrastructure. We use GSI authentication for identification to the catalogue service and to storage I/O daemons. The authorization system is as secure as GSI authentication and public key infrastructure can be. To improve the performance of the catalogue interaction, we use GSI authenticated sessions between client and server: after an initial full GSI authentication we encrypt every interaction between client and server with a dynamic symmetric key and achieve 20 times faster performance. The main information inside an authorization envelope is the TURL to be used by I/O daemons, the permissions on that TURL, which are 'read', 'write', 'write-once' and 'delete', the lifetime of that token, the certificate subject and the storage system name for which this token was issued. One token can contain the authorization for a group of files. Traditional approaches use proxy->uid mapping services to apply local filesystem permissions. In a direct comparison, an access token is equivalent to a VOMS proxy certificate whose proxy extensions authorize access to only one file or a group of files. However, VOMS is not the appropriate system to perform authorization at file level, since the issue time for such an envelope is very critical (in our implementation only a few ms per access) and, for the VOMS integration, a VOMS server would need to be directly connected to the used file ca |
id | cern-1120624 |
institution | European Organization for Nuclear Research |
language | eng |
publishDate | 2006 |
record_format | invenio |
title | An efficient method for fine-grained access authorization in distributed |
topic | Computing and Computers |
url | http://cds.cern.ch/record/1120624 |