Results 1 - 10 of 51
Sharp: An architecture for secure resource peering
- In Proceedings of the 19th ACM Symposium on Operating System Principles, 2003
Cited by 136 (26 self)
This paper presents Sharp, a framework for secure distributed resource management in an Internet-scale computing infrastructure. The cornerstone of Sharp is a construct to represent cryptographically protected resource claims—promises or rights to control resources for designated time intervals—together with secure mechanisms to subdivide and delegate claims across a network of resource managers. These mechanisms enable flexible resource peering: sites may trade their resources with peering partners or contribute them to a federation according to local policies. A separation of claims into tickets and leases allows coordinated resource management across the system while preserving site autonomy and local control over resources. Sharp also introduces mechanisms for controlled, accountable oversubscription of resource claims as a fundamental tool for dependable, efficient resource management. We present experimental results from a Sharp prototype for PlanetLab, and illustrate its use with a decentralized barter economy for global PlanetLab resources. The results demonstrate the power and practicality of the architecture, and the effectiveness of oversubscription for protecting resource availability in the presence of failures.
The MyProxy online credential repository
- Software: Practice and Experience, 2005
Cited by 41 (4 self)
The MyProxy online credential repository has been used by the grid computing community for over four years for managing security credentials in the grid public key infrastructure. MyProxy improves usability by giving users access to their credentials over the network using password authentication, allowing users to delegate their credentials via web browser interfaces to the grid, and supporting credential renewal for long-running jobs. MyProxy helps administrators secure users' private keys by providing an online service from which users retrieve short-lived credentials without distributing long-lived keys to potentially vulnerable end-systems. This paper describes the MyProxy system and its use. Key words: grid computing, credential management, public key infrastructure, virtual smart card
The Community Authorization Service: Status and Future
- In Proceedings of Computing in High Energy Physics 03 (CHEP '03), 2003
Cited by 38 (6 self)
In this paper we describe CAS and our past and current implementations of CAS, and we discuss our plans for CAS-related research.
The Earth System Grid: Supporting the Next Generation of Climate Modeling Research
- Proceedings of the IEEE, 2005
Cited by 30 (14 self)
Understanding the Earth’s climate system and how it might be changing is a preeminent scientific challenge. Global climate models are used to simulate past, present, and future climates, and experiments are executed continuously on an array of distributed supercomputers. The resulting data archive, spread over several sites, currently contains upwards of one hundred terabytes of simulation data and is growing rapidly. Looking towards mid-decade and beyond, we must anticipate and prepare for distributed climate research data holdings of many petabytes. The Earth System Grid (ESG) is a collaborative interdisciplinary project aimed at addressing the challenge of enabling management, discovery, access, and analysis of these critically important datasets in a distributed and heterogeneous computational environment. The problem is fundamentally a Grid problem. Building upon
Dynamic Context Aware Access Control for Grid Applications
- 2003
Cited by 27 (4 self)
While the primary objective of Grid Computing is to facilitate the sharing of resources and services spanning largely distributed and heterogeneous systems, the successful deployment of Grid infrastructure will make many applications possible. The applications range from pure scientific computing to commercial utilization. It will enhance human creativity by increasing computing capability and performance, and allow geographically distributed people and computers to collaborate. The Grid infrastructure presents many challenges due to its inherent heterogeneity, multidomain characteristic, and highly dynamic nature. One critical challenge is providing authentication, authorization and access control guarantees. Although much research has been done on different aspects of security issues for Grid computing, these efforts focus on relatively static scenarios where access depends on the identity of the subject. They do not address access control issues for pervasive Grid applications where the access privileges of a subject depend not only on its identity but also on its current context (i.e. current time, location, system resources, network state, etc.) and state. In this thesis, we present the SESAME dynamic context-aware access control mechanism for pervasive Grid applications. SESAME complements current authorization mechanisms to dynamically grant and adapt permissions to users based on their current context. The underlying dynamic role based access control (DRBAC) model extends the classic role based access control (RBAC). We also present a prototype implementation of SESAME and DRBAC with the Discover computational collabo...
Decentralized user authentication in a global file system
- In Proceedings of the 19th ACM Symposium on Operating Systems Principles, 2003
Cited by 25 (1 self)
The challenge for user authentication in a global file system is allowing people to grant access to specific users and groups in remote administrative domains, without assuming any kind of pre-existing administrative relationship. The traditional approach to user authentication across administrative domains is for users to prove their identities through a chain of certificates. Certificates allow for general forms of delegation, but they often require more infrastructure than is necessary to support a network file system.
Distributed Hybrid Earthquake Engineering Experiments: Experiences with a Ground-Shaking Grid Application
- In Proceedings of the 13th IEEE Symposium on High Performance Distributed Computing (HPDC-13), 2004
Cited by 21 (3 self)
Experiences with a Ground-Shaking Grid Application
Security for Grids
- Proceedings of the IEEE, 2005
Cited by 20 (1 self)
Securing a Grid environment presents a distinctive set of challenges. This paper groups the activities that need to be secured into four categories: naming and authentication; secure communication; trust, policy, and authorization; and enforcement of access control. It examines the current state of the art in securing these activities and introduces new technologies that promise to meet the security requirements of Grids more completely. Keywords—Authentication, authorization, computational Grid security, secure communication, security policy, trust management.
A Unified Peer-to-Peer Database Framework for Xqueries over Dynamic Distributed Content and Its Application for Scalable Service Discovery
- 2002
Cited by 13 (10 self)
In a large distributed system spanning administrative domains such as a Grid, it is desirable to maintain and query dynamic and timely information about active participants such as services, resources and user communities. The web services vision promises that programs are made more flexible and powerful by querying Internet databases (registries) at runtime in order to discover information and network attached third-party building blocks. Services can advertise themselves and related metadata via such databases, enabling the assembly of distributed higher-level components. In support of this vision, this thesis shows how to support expressive general-purpose queries over a view that integrates autonomous dynamic database nodes from a wide range of distributed system topologies.
Trust Management for Widely Distributed Systems
- Ph.D. thesis, 2003
Cited by 10 (0 self)
In recent years, we have witnessed the evolutionary development of a new breed of distributed systems. Systems of this type share a number of characteristics. They are highly decentralized, of Internet-grade scalability, and autonomous within their administrative domains. Most importantly, they are designed to operate collaboratively, regardless of whether they know each other or not. Among many applications, the prime examples of this type of distributed systems include peer-to-peer systems and web services. Traditionally, authorization...

