© University of Kent - Contact | Feedback | Legal | FOI | Cookies
GridShib and PERMIS Integration
D.W. Chadwick, A. Novikov, and A. Otenko
Campus-Wide Information Systems, 23(4):182-196, October 2006.Abstract
This paper describes the results of our recent GridShibPERMIS project to provide policy-driven role-based access control decision making to Grid jobs, in which the users attributes are provided by a Shibboleth Identity Provider (IdP). The goal of the project is to integrate the identity-federation and attribute-assignment functions of Shibboleth with the policy- based enforcement function of PERMIS, in order to provide a flexible fine-grained authorisation system for Grid jobs running under Globus Toolkit v4. This was done by taking the GT4-Shibboleth integration performed in the United States with the PERMIS infrastructure built in the United Kingdom, and developing a GridShibPERMIS Context Handler. This allows for interoperability between GridShib and PERMIS by providing the required attribute extraction, conversion and transfer functions. As a result, the GridShibPERMIS project integrates the advantages of both Shibboleth cross-organisation identity federation and PERMIS policy-driven role-based access control and represents a new avenue of policy-based authorisation for Grids. The paper provides a brief overview of the technologies involved: GT4, Shibboleth and PERMIS, and presents how the three are combined to provide an efficient and simple fine- grained authorisation mechanism, having low implementation costs. The paper concludes with the lessons learned and plans for the future.
Download publication 512 kbytes (PDF)Bibtex Record
@article{2530, author = {{D.W.} {C}hadwick and {A.} {N}ovikov and {A.} {O}tenko}, title = {{G}rid{S}hib and {PERMIS} {I}ntegration}, month = {October}, year = {2006}, pages = {182-196}, keywords = {determinacy analysis, Craig interpolants}, note = {}, doi = {}, url = {http://www.cs.kent.ac.uk/pubs/2006/2530}, publication_type = {article}, submission_id = {4570_1179406143}, ISSN = {1065-0741}, journal = {Campus-Wide Information Systems}, volume = {23}, number = {4}, }