Dynamic Virtual Organisations in e-Science Education

Dr Dave Berry, National e-Science Centre, University of Edinburgh, daveb_at_nesc.ac.uk
Dr Sandy Shaw, EDINA, University of Edinburgh, s.shaw_at_ed.ac.uk
Dr Richard Sinnott, National e-Science Centre, University of Glasgow, ros_at_dcs.gla.ac.uk
Professor David Chadwick, Systems Security IS Institute, University of Salford, D.W.Chadwick_at_salford.ac.uk

Overview

Current experiences with public key certificates and PKIs for user authentication have not been too successful. Consequently the UK academic community now wants to experiment with using local (existing) methods of authentication for remote login, using the Shibboleth protocol as the transport mechanism.

Large-scale use of attribute certificates (ACs) for user authorisation, based on infrastructures such as PERMIS, offers an alternative, but practical experience is needed. To facilitate this large-scale use, dynamic delegation of authority is required. This requires enhancements to security authorisation infrastructures such as PERMIS to support a federated and more scalable model of security authorisation.

In developing this federated PMI model, key challenges have to be overcome which are common to most, if not all, uses of Grid technology: the dynamic establishment of Virtual Organisations (VOs) to allow shared use of computational and data resources by collaborating institutions.

The DyVOSE project will demonstrate dynamic delegation of trust through an extended version of PERMIS, using a case study based upon the issuance of local ACs at the University of Glasgow to advanced MSc students involved in the Grid Computing module, and later to e-Science trainees at the e-Science Institute in Edinburgh. These ACs will be used to grant the users access to and use of computational and data resources across the UK e-Science Grid as well as local e-Science infrastructures such as ScotGrid.

PERMIS Overview

  • The PERMIS software realises a Role Based Access Control (RBAC) authorisation infrastructure. It offers a standards-based Java API that allows developers of resource gateways to enquire whether a particular access to a resource should be allowed.
  • PERMIS RBAC uses XML-based policies defining rules that specify which access control decisions are to be made for given VO resources. These rules include:
      • definitions of subjects that can be assigned roles
      • definitions of Sources of Authority (SOAs), which are trusted to assign roles to subjects
      • definitions of roles and their hierarchical relationships
      • definitions of what roles can be assigned to which subjects
      • definitions of targets that are governed by the policy
      • the conditions under which a subject can be granted access.
  • Roles are assigned to subjects by issuing them with an X.509 Attribute Certificate.
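
A minimal sketch of how the policy elements listed above combine into one access decision, added here as an illustration. It is not PERMIS code and the dictionary layout is not the PERMIS XML schema; all names, roles, targets and dates are constructed, and "conditions" are reduced to the credential's validity period.

```python
from datetime import date

# Constructed policy for illustration; this layout is NOT the PERMIS XML schema.
POLICY = {
    "soas": {"cn=lecturer,o=glasgow"},                          # trusted to assign roles
    "subject_domains": ["o=glasgow"],                           # subjects that may hold roles
    "role_hierarchy": {"course_director": ["teaching_staff"],   # superior -> inherited roles
                       "teaching_staff": ["student"]},
    "assignable": {"cn=lecturer,o=glasgow": {"student", "teaching_staff"}},
    "targets": {("scotgrid", "submit_job"): {"student"},        # (target, action) -> roles
                ("scotgrid", "manage_queue"): {"teaching_staff"}},
}

# Constructed sample credential (stands in for an X.509 attribute certificate).
STUDENT_AC = {"holder": "cn=alice,o=glasgow", "issuer": "cn=lecturer,o=glasgow",
              "role": "student", "not_before": date(2004, 10, 1), "not_after": date(2005, 6, 30)}

def expand(role, hierarchy):
    """Return the role plus every role it inherits through the hierarchy."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, []))
    return seen

def valid_roles(subject, credentials, today, policy=POLICY):
    """Keep only roles from credentials that the policy allows to be trusted."""
    if not any(subject.endswith("," + d) for d in policy["subject_domains"]):
        return set()                                   # subject outside the policy's domain
    roles = set()
    for c in credentials:
        if (c["holder"] == subject
                and c["issuer"] in policy["soas"]      # issued by a trusted SOA
                and c["role"] in policy["assignable"].get(c["issuer"], set())
                and c["not_before"] <= today <= c["not_after"]):
            roles |= expand(c["role"], policy["role_hierarchy"])
    return roles

def decide(subject, credentials, target, action, today, policy=POLICY):
    """Grant only if a validated role is permitted on (target, action)."""
    allowed = policy["targets"].get((target, action), set())
    return bool(valid_roles(subject, credentials, today, policy) & allowed)
```

The decision defaults to deny: a credential that fails any one check contributes no roles, and an unknown target or action has no permitted roles.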

Dynamic Establishment of Trust

The second phase of the DyVOSE work will investigate the challenging area of dynamic establishment and realisation of trust needed for scalable VOs.

In the current PERMIS infrastructure, static delegation of authority is supported. This means that a central authority has to be contacted, and has to register local managers in its policy, before managers are entitled to assign privileges to subordinates (as will be demonstrated in the first phase of the DyVOSE work).

A better and more scalable solution is to support dynamic delegation of authority, where local managers do not need to be registered, but instead are given the privilege to delegate when first given privileges to use the system. Managers can then allocate privileges to subordinates (staff or students) as required, without having to contact the central authority first to get permission. To support this, the PERMIS authorisation infrastructure will be extended with dynamic delegation of authority capabilities.
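
The difference between the two delegation models, as an added example that is not PERMIS code: under static delegation a credential is accepted only if its issuer is registered centrally, while under dynamic delegation the verifier walks the issuer chain back to the SOA. The field names, the DNs and the `delegate_depth` counter (how many further delegation hops the holder may authorise) are assumptions of this sketch.

```python
# Simplified model of attribute-certificate delegation; field names are hypothetical.
SOA = "cn=soa,o=nesc"            # central Source of Authority (constructed name)
REGISTERED = {SOA}               # issuers named in the central policy

# Constructed credentials: SOA -> manager (may delegate once) -> alice -> bob.
CREDS = [
    {"issuer": SOA, "holder": "cn=manager,o=glasgow",
     "role": "student", "delegate_depth": 1},
    {"issuer": "cn=manager,o=glasgow", "holder": "cn=alice,o=glasgow",
     "role": "student", "delegate_depth": 0},
    {"issuer": "cn=alice,o=glasgow", "holder": "cn=bob,o=glasgow",
     "role": "student", "delegate_depth": 0},
]

def static_valid(cred, registered=REGISTERED):
    """Static delegation: the issuer must itself be registered in the central policy."""
    return cred["issuer"] in registered

def dynamic_valid(cred, creds, soa=SOA, seen=None):
    """Dynamic delegation: follow issuer links back to the SOA. At every hop the
    issuer must hold the same role with more delegation depth than it hands on."""
    seen = seen or set()
    if cred["issuer"] == soa:
        return True
    if cred["issuer"] in seen:   # reject cyclic chains
        return False
    seen = seen | {cred["issuer"]}
    for parent in creds:
        if (parent["holder"] == cred["issuer"]
                and parent["role"] == cred["role"]                     # no role escalation
                and parent["delegate_depth"] > cred["delegate_depth"]  # depth must shrink
                and dynamic_valid(parent, creds, soa, seen)):
            return True
    return False
```

Alice's credential fails the static check until the manager is registered, yet passes the dynamic check unaided; Bob's fails both because Alice was never given the privilege to delegate.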

Establishing e-Science Education Virtual Organisations

  • The DyVOSE project will initially focus on establishing static e-Science education VOs.
  • Course developers (lecturers) at Glasgow University will issue ACs to students as part of the advanced MSc.
  • The course itself (student projects etc.) will be explicitly designed to investigate security issues associated with VOs.
  • These ACs will be associated with XML-based policies describing:
      • the different roles (students, teaching staff, course directors)
      • the subjects themselves (student, staff names)
      • which resources the students and staff are able to access and use, and under what conditions
      • the time period of validity for the ACs.
  • PERMIS will be used to enforce (authorise) these policies as shown in Figure 1.

[Figure 2: Phase 2 Dynamic VO Establishment]

Impact and Expectations
It is clear that if e-Science is to expand in the UK and elsewhere, different user communities need to be assured that the open collaborative nature that Grids provide is supported by well-engineered, scalable security infrastructures. This is especially the case in dealing with the medical communities and potentially with industrial partners.

DyVOSE offers a chance to prototype and trial, in a realistic setting, a solution to dynamic authorisation of VO collaborators. This will impact upon UK e-Science, international Grid standards, UK academia and potentially UK industry as a whole.

[Figure 1: Phase 1 VO Establishment]

Further Information
Further information on DyVOSE can be found at www.nesc.gla.ac.uk/projects/dyvose or by contacting Dr Richard Sinnott (ros_at_dcs.gla.ac.uk). Further information on PERMIS can be found at www.permis.org or by contacting Prof David Chadwick (D.W.Chadwick_at_salford.ac.uk).