Sven van den Berghe

Key aspects of the UNICORE 6 security model

This paper presents the security architecture of the sixth version of the UNICORE grid middleware. The sixth iteration of UNICORE introduced a number of new, security-related solutions which make UNICORE distinguishable from the other grid middleware as Globus, gLite or NorduGrid ARC, and these are presented in this paper. The paper discusses the low level security: users authentication, non-repudiation control and trust delegation. The UNICORE unique approach to the challenge of trust delegation is called explicit trust delegation (ETD); discussion of this constitutes the most significant and extensive part of this paper. ETD is compared with the popular grid security infrastructure (GSI). High level security services (such as authorization services) are not described in this paper.

Using SAML-based VOMS for authorization within web services-based UNICORE grids

In recent years, the Virtual Organization Membership Service (VOMS) emerged within Grid infrastructures providing dynamic, fine-grained, access control needed to enable resource sharing across Virtual Organization (VOs). VOMS allows to manage authorization information in a VO scope to enforce agreements established between VOs and resource owners. VOMS is used for authorization in the EGEE and OSG infrastructures and is a core component of the respective middleware stacks gLite and VDT. While a module for supporting VOMS is also available as part of the authorization service of the Globus Toolkit, there is currently no support for VO-level authorization within the new Web services-based UNICORE 6. This paper describes the evolution of VOMS towards an open standard compliant service based on the Security Assertion Markup Language (SAML), which in turn provides mechanisms to fill the VO-level authorization service gap within Web service-based UNICORE Grids. In addition, the SAML-based VOMS allows for cross middleware VO management through open standards.