{"title":"网格中用于授权的策略驱动协商","authors":"I. Constandache, D. Olmedilla, F. Siebenlist","doi":"10.1109/POLICY.2007.36","DOIUrl":null,"url":null,"abstract":"In many grid services deployments, the clients and servers reside in different administrative domains. Hence, there is a requirement both to discover each other's authorization policy, in order to be able to present the right assertions that allow access, and to reveal as little as possible of the access policy details to unauthorized parties. This paper describes a mechanism where the client and servers are semantically annotated with policies that protect their resources. These annotations specify both constraints and capabilities that are used during a negotiation to reason about and communicate the need to see certain credentials from the other party and to determine whether requested credentials can be obtained and revealed. The result of the negotiation is a state where both parties have satisfied their policy constraints for a subsequent interaction or where such interaction is disallowed by either or both. Furthermore, we present an implementation of a prototype, based on the PEERTRUST policy language, and a reasoning engine that is integrated in the Web services runtime component of the globus toolkit. The negotiation process is facilitated through the implementation of WSRF-compliant service interfaces for protocol message exchanges.","PeriodicalId":240693,"journal":{"name":"Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)","volume":"26 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-06-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":"{\"title\":\"Policy-Driven Negotiation for Authorization in the Grid\",\"authors\":\"I. Constandache, D. Olmedilla, F. Siebenlist\",\"doi\":\"10.1109/POLICY.2007.36\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In many grid services deployments, the clients and servers reside in different administrative domains. Hence, there is a requirement both to discover each other's authorization policy, in order to be able to present the right assertions that allow access, and to reveal as little as possible of the access policy details to unauthorized parties. This paper describes a mechanism where the client and servers are semantically annotated with policies that protect their resources. These annotations specify both constraints and capabilities that are used during a negotiation to reason about and communicate the need to see certain credentials from the other party and to determine whether requested credentials can be obtained and revealed. The result of the negotiation is a state where both parties have satisfied their policy constraints for a subsequent interaction or where such interaction is disallowed by either or both. Furthermore, we present an implementation of a prototype, based on the PEERTRUST policy language, and a reasoning engine that is integrated in the Web services runtime component of the globus toolkit. The negotiation process is facilitated through the implementation of WSRF-compliant service interfaces for protocol message exchanges.\",\"PeriodicalId\":240693,\"journal\":{\"name\":\"Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)\",\"volume\":\"26 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2007-06-13\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/POLICY.2007.36\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/POLICY.2007.36","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Policy-Driven Negotiation for Authorization in the Grid
In many grid services deployments, the clients and servers reside in different administrative domains. Hence, there is a requirement both to discover each other's authorization policy, in order to be able to present the right assertions that allow access, and to reveal as little as possible of the access policy details to unauthorized parties. This paper describes a mechanism where the client and servers are semantically annotated with policies that protect their resources. These annotations specify both constraints and capabilities that are used during a negotiation to reason about and communicate the need to see certain credentials from the other party and to determine whether requested credentials can be obtained and revealed. The result of the negotiation is a state where both parties have satisfied their policy constraints for a subsequent interaction or where such interaction is disallowed by either or both. Furthermore, we present an implementation of a prototype, based on the PEERTRUST policy language, and a reasoning engine that is integrated in the Web services runtime component of the globus toolkit. The negotiation process is facilitated through the implementation of WSRF-compliant service interfaces for protocol message exchanges.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
