【作者】 刘海；

【导师】 张卫民；

【作者基本信息】 国防科学技术大学 ， 计算机科学与技术， 2006， 硕士

【摘要】 随着网格技术的迅猛发展,网格安全成为影响网格技术的关键问题。特别当网格门户引入后,如何提供网格门户层资源的安全管理、如何通过门户管理用户证书,如何对网格底层资源进行授权等问题,成为当前应用网格安全领域中的研究热点。本文的研究工作以网格门户安全需求为背景,在“中国气象应用网格门户”与“国防科大校园高性能计算网格门户”的基础上展开。这两个门户在安全需求中忽视了下列问题:网格门户层资源和证书的安全、有效管理,网格底层资源的细粒度授权,为用户提供单一登录功能等。并且,目前业界对门户层上资源的安全访问控制还没有一套很好的解决方案,在网格授权方面也存在粒度较粗的问题。针对上述问题,本文首先研究了网格门户的基本特征和具体门户框架Gridsphere、GSI安全机制、PKI机制、x.509证书以及MyProxy代理技术。在此基础上,本文结合具体的网格环境,提出将整个安全控制分为门户层控制与网格底层授权的两层体系结构。在门户层控制中,本文围绕具体网格门户资源的安全需求,引入门户虚拟组的概念,并提出了基于全局角色与门户虚拟组管理相结合的访问控制方法,给不同角色集用户以不同的门户资源视图,解决了一般门户资源安全访问控制的问题。在网格底层授权方面,分析了现有网格授权机制,如GSI的Gridmap、CAS、VOMS的授权原理,指出其存在粒度控制不够等缺陷,针对这些缺陷,提出虚拟组织与任务角色相结合的动态授权(VOTRDA)机制,该机制将网格底层资源的权限与具体任务关联起来,并给任务加入状态特性,实现更细粒度动态授权。在前面的理论研究工作基础上,本文提出了基于门户的网格安全管理系统总体框架,该系统包括三大模块:门户下的用户安全控制、集成证书管理的用户注册、网格底层资源细粒度授权。本文给出了这三个模块的详细设计与实现,并将该系统与其它国外相关系统作了比较,最后将该系统应用到前面提到的两个网格门户中,这两个应用的实际运行证明了本文研究工作具有一定的理论意义与实践价值。更多还原

【Abstract】 With the developing of Grid Computing, the grid security issue is becoming more and more important. It’s one of the vital factors in Grid Computing. In the grid security, some problems, such as the management of portal resources, the management of user certificates based on the portal and the authority of grid resources, have become very hot topics.The work of this thesis is based on the requirements of two grid portal applications which are China Meteorology Application Grid Portal and NUDT Campus High Performance Computing Grid Portal. These two portals have the same requirements in the aspect of the grid security, including the proper and effective management of resources in the portal level, the convenient and secure management of certificates, the implemetation of the single login for users, fine-grain authorization for grid resources and so on. At present, it’s difficult to solve the problem of the access control for securing resources in the portal level, and there is also a problem that the authorization for grid resources is rather coarse.For solving the problems above, this thesis firstly studies the correlative knowledge such as the essential of the grid portal, the specific portal framework—Gridsphere, GSI security mechanism, PKI mechanism, x.509 Certificate and MyProxy technique. Then according to the factual grid environment, it proposes an architecture with two layers for the grid portal’s security control. In the upper layer, with introducing the portal VO and considering the factual requirement, it proposes a method of access control which combines global RBAC and portal VO to solve the common problems of access control for securing portal resources and present different views of portal resources for different users. In the lower layer, after analyzing authorization principles of present mechanisms such as authorization of Gridmap in GSI, CAS authorization, VOMS authorization and pointing out their limitation of the coarse-grain, it proposes a dynamic authorization mechanism which combines the VO and the access control based on the task role. This mechanism implements the combination between the authorization for grid resources and the task with its own states to support the dynamic fine-grain authorization.Based on the study above, this thesis proposes a system framework of the grid security management which consists of three main modules—the access control for the portal, the user register integrating the certificate management and the fine-grain authorization for grid resources. After describing the design and implementation of the three modules, it makes a performance comparison between this system and other corresponding systems abroad. In the end, this thesis introduces the application of the system in the two grid portals mentioned above, which demonstrates that the work of this thesis is significant not only in theory but also in practice.更多还原