KR100673329B1 - User Role / Permission Setting System using Certificate in Grid Environment and Its Method - Google Patents

Abstract

The present invention relates to a method for setting access rights for roles and resources to a user authenticated through a certificate in a grid computing environment.

In the present invention, the certificate-based role and resource authority setting system, in a method for allocating a resource required to perform a task requested by a user in a grid computing environment and granting access to a corresponding resource, adds a user policy level. An authentication server system for issuing a certificate; A system for associating a rights policy database with a resource system through a field of a user certificate; A role / policy database for utilizing resources (hardware or software installed on the local system) according to the classification of user roles for the local system; It consists of a module that converts data between the linkage system and the role / policy database, and consists of a user interface that links the system.

User, Grid, Resource System, Gatekeeper, Policy Rating Module, Policy Search / Conversion Module

Description

User Role / Permission Setting System using Certificate in Grid Environment {.}

1 is a simplified service configuration diagram of a user ID based authorization system using a conventional certificate

Figure 2 shows a simplified user ID field of the prior art

3 is a block diagram of a system applied in the present invention

3A illustrates a user ID field according to the present invention.

4 is a flow chart according to the present invention

FIG. 5 illustrates a correlation between the order of role / permission acquisition described in FIG. 2 and each module.

** Description of symbols for the main parts of the drawing **

The present invention relates to a method for setting access rights to roles and resources to a user authenticated through a certificate in a grid computing environment. In detail, the present invention is directed to a user who wants to utilize resources in a grid computing environment. Configure a separate field to set the role and access authority in the extended field of the certificate, and resources (process, memory, file system, etc.) that can be allocated through interworking with the role and policy-based server based on the above fields Hardware resources and execution software and data) and the range of operations (calculation, data utilization, telecommunications, etc.) that can be performed.

A grid computing environment is a combination of unused parts of computing resources owned by different institutions or regions to form a virtual machine. If the user's restrictions are not set in the grid computing environment as described above, there is a weak point in system protection in the monopoly of resources and data protection. That is, indiscriminate use and data protection of the user, there is a problem that must be limited to the user.

A method of authenticating and authorizing a user in a conventional grid computing environment is as follows.

Currently, the middleware that is most used to build grid computing environment at home and abroad is Globus. The middleware is a middle layer that connects users and hardware resources, and provides software and services such as management, search, and allocation of users and resources.

Globus extracts the Subject Distinguished Name (subject DN) uniquely assigned to the user certificate and maps it to the user ID assigned to the local system to authorize access.

In order to perform a job in a grid computing environment, a user sends a job file and a certificate describing the content and scope of the job to be performed to the system to which the resource is allocated. The subjectDN is retrieved from the grid-map file installed on the local system to extract the matching ID, and the privileges set on the local system ID (directory access authority, file manipulation authority, process execution authority, execution environment). , Etc.) to approve access to resources. The above method can be applied to a task management program such as operating system of the local system, LSF, PBS, LoadLeveler, etc., and the number of available CPUs, memory capacity, and execution time based on the user ID in the task program. Etc. may be limited.

However, in such a mechanism, when the subjectDN of the user certificate and the local system ID are mapped 1: 1, the following problem occurs.

First, all local systems that make up the grid computing environment have the same user ID scheme, which can waste account resources.

Second, when the number of users who want to use the grid computing environment increases, the user ID of the local system increases in proportion to this, which may cause problems with account management.

Third, the system administrator may be burdened with setting and managing policies related to user ID granting.

In order to solve the above problem to some extent, the existing system has proposed a method of sharing the subjectDN of multiple user certificates with one local system user ID, but this method has all the requirements of users using the grid computing environment. There is an unreasonable problem in accepting the problem.

In order to solve the above problems, in the present invention, a method using a certificate-based role and access authority setting system adds a field for granting policy equalization to the certificate, and establishes a role and policy database in the field. After defining the data, the object of the present invention is to provide a system that can authorize access and utilization of necessary resources to perform the role and user's requested file by using the constructed database.

In addition, it aims to clarify the roles and privileges of each user as well as to enable efficient management of them, and to increase accounts and increase resource management according to the increase of users compared to conventional systems based on IDs. The purpose is to help reduce the burden of the.

The present invention relates to a method for setting access rights for roles and resources to a user authenticated through a certificate in a grid computing environment.

In the present invention, the certificate-based role and resource authority setting system, in a method for allocating a resource required to perform a task requested by a user in a grid computing environment and granting access to a corresponding resource, adds a user policy level. An authentication server for issuing a certificate; A module for associating a rights policy database with a resource system through a field of a user certificate; A role / policy database for utilizing resources (hardware or software installed on the local system) according to the classification of user roles for the local system; It consists of a module for converting data between the linkage module and the role / policy database, and consists of a user interface for interworking the system.

 The configuration and modules of the role / policy database that play the most important functions in the present invention are based on Role Based Access Control (RBAC). In terms of functionality, the central concept of RBAC is the organization of roles, users who are members of roles, and permissions that represent associated behaviors, and each member can have a many-to-many relationship. This means that a user can be associated with one or more roles and a role can have one or more user members. The same is true of roles and privileges. As users are assigned to roles rather than permissions, users can easily add or remove users, and permissions are also associated with roles, so that operations can be easily modified without modifying user information when a role's functionality changes or is deleted. .

The above function is possible because the role is composed of a unique hierarchical structure. Roles can have responsibilities and privileges that overlap each other. That is, a user who is associated with other roles may need to perform common operations, and administratively need to repeatedly specify common operations for each role created between the many common operations that all employees in the organization must perform. Role hierarchies were introduced to address the inconveniences of the aspects. A role hierarchy means that one role can contain other roles with unique properties, that is, one role can implicitly contain operations, constraints, and objects associated with other roles.

This concept can provide an effective role and authorization in a grid computing environment where users with various requirements exist.

The system proposed by the present invention relates to a method for granting an efficient role and authority to a user in a grid computing environment by combining the features of the RBAC with the authority of various resources of the local system. Differences between the present invention will be described with reference to the accompanying drawings.

1 is a simplified service configuration diagram of a user ID based authorization system using a conventional certificate. A user who wants to work in a grid computing environment accesses the system through a certificate assigned by a certification authority. In the middle of connecting the user with the grid computing environment, a proxy certificate, which is a temporary data copy of the user certificate, is generated, and the subjectDN value representing the owner is extracted from the proxy certificate generated by the user certificate.

The extracted data retrieves a grid-map file containing ID information of the local system through a gatekeeper. As shown in FIG. 2, the grid map file is composed of a subjectDN and a user ID mapped thereto. The gatekeeper finds the user ID assigned to the subjectDN of the proxy certificate, and logs in to the resource system to perform the task.

In one user ID field, a list for accessing a resource system is set. The list includes a resource access system and a role of a user that can be utilized in the access system.

In FIG. 1, a grid map file file referred to by a gatekeeper in order to give a user authority to access a system and use resources is configured as shown in FIG. 2.

The grid map file resides in / etc / grid-security / grid-map on the local system. It consists of a subjectDN field that identifies the user and the local system ID.

subjectDN is one of the fields in the certificate owned by the user, with a unique value for each user.

The granting of user authority according to FIG. 2 is performed in the following order.

The user sends the proxy certificate generated through his certificate with the RSL to request an action from the gatekeeper.

The gatekeeper extracts the subjectDN value from the transmitted proxy certificate and searches whether the value exists in the grid map file.

If the subjectDN exists in the above, the local system ID assigned to it is retrieved.

Access the system resources in the grid environment through the assigned local system ID and perform the tasks described in the RSL file.

Through the above process, the user is assigned access rights and usage rights to the resource system.

The advantage of such a system is that it is simple to implement and no separate authorization information is required. However, in order to reflect the needs of various users, corresponding user IDs must be added, which is very difficult to manage. The problem is that the same user ID is mapped to multiple subjectDNs, as shown in the grid map file configuration.

Hereinafter, the configuration according to the present invention will be described with reference to the drawings.

3 is a block diagram of a system applied in the present invention.

The system of the present invention is a certificate-based user role and authorization system applying RBAC as shown in FIG. Instead of the subjectDN and user ID mapping system described above, the user policy class field is added through the extension field in the certificate, and the resource configured in the grid computing environment based on the granted policy class and the role / policy database defined by RBAC. It is configured to access and perform work on the system.

A user who accesses the grid computing environment requests to perform a task and writes it to an RSL file. The RSL file contains information related to the user's level. In the execution of the RSL file, the permission for the resource is obtained after passing through the RBAC module. The configuration of the module is as follows.

Component  Explanation Degree Management Module This module manages user level. Degree Rule Define DB Repository that stores information about policy rules associated with user levels. Passing module Converts by mapping user level and RBAC Rule. RBAC Policy DB It is a repository that stores contents necessary to operate RBAC system such as user's role, operation, inheritance, task separation, and constraint.

An overview of the system configuration and service flow in FIG. 3 can be summarized as follows. The system of the present invention largely includes a new user certificate, a gatekeeper, a resource system, a policy rating module, a rating definition database, a translation module, and a policy database.

In the present invention, the user certificate is configured by adding a field specifying the policy level of the user in the extension field. In order to issue such a certificate, a new field of a certificate issued by an existing certification authority must be newly configured and the policy accordingly must be reconfigured.

The gatekeeper analyzes the work file requested by the user and extracts the value in the policy level field in the included certificate field. In addition, the extracted policy level is transferred to the processing module to acquire a role and an access right according to a user, and accordingly, performs a role of allowing access to a resource system.

The policy rating module searches the rating definition database to determine rating information corresponding to each rating.

Class definition database is divided into system administrator, general administrator, user, and guest.

For example, system administrators can be defined as 1st level, general administrators as 2nd level and general users as 3rd level.

The policy lookup / transformation module and policy database perform key functions in the system of the present invention. The policy search / conversion module is a module that searches a policy database according to the obtained policy level and determines the actual authority range according to the corresponding information. The policy database is defined with information corresponding to the scope of work that each user can have, the size and type of resources (files) that can be changed, permissions, and the execution environment. These modules can replace the authority information of the user ID in the existing system.

The resource system is a system in which actual work is performed. The resource system is composed of a set of resources configured by a resource broker of a grid computing environment, and can perform a user's work request according to role and authority information.

In FIG. 3, a value transmitted to a module for allocating authority to a user includes a data field of the form shown in FIG. 3A. 3A shows an example of a subjectDN included in a certificate of various users and a corresponding user policy class. subjectDN is one of the fields in the certificate owned by the user, and each user has a unique value.

The policy level shows the authority of each user, separated by "." For each field. The policy class level shown in FIG. 3A has the following configuration.

First field: Indicates the group to which the user belongs (subdivided into top-level administrator, limited-privileged administrator, general user, guest, etc.).

Second field: Represents the role played by the user's group. Role here refers to the area in which each user is responsible or the software and additional systems available.

Third field: Represents a user's assigned authority. Types of authority include general read, write, and execute types, and also include resource information such as the type and total amount of available resources.

Fourth field: Represents a security policy assigned to a user. The security policy follows a system-specific security policy such as whether or not to delegate authority, creating a process, and transmitting data.

In FIG. 3A, a user policy level according to each subjectDN (for example, 1.200.555.500) may be allocated a corresponding authority by a value composed of each field separator in a module for granting user authority to utilize resources and perform operations. have.

4 shows a flowchart in accordance with the present invention.

In general, a process of searching for an ID and detecting a password to search whether the user is accessible to the user (S_1) is omitted.

The user transmits (S_2) a job file to the gatekeeper, which is a certificate including the content of the job to be performed and the policy level. Work files consist of specific specifications and data of tasks that users will perform in a grid computing environment.

The gatekeeper receiving the work file searches for the policy level in the certificate (S_3) and transmits it to the policy level module (S_4).

The module, which has received the policy grade, searches the grade definition database to determine the range of the corresponding grade (S_5). The class definition database is divided into system administrators, general administrators, users, and guests, and is specifically divided according to each role.

According to the determined level, the role / permission database is searched (S_7), and the corresponding information is extracted and transmitted to the gatekeeper (S_8). The role / permission database consists of the types of tasks that can be performed according to the class, the types and capacity of resources that can be allocated, permissions, and the execution environment.

The gatekeeper permits access to the resource system according to the acquired role / permission data (S_9).

A user who is granted access to a resource system accesses the resource system and performs a task requested by the user.

If the user runs out of resources while performing the requested task, the system accesses other systems with the same attributes and allocates the resources. This process is carried out by the running process, not by the user. In a grid computing environment, a process is not only the subject of performing a task but also has the authority of a user who requested to perform a task, and thus may be a requestor. Therefore, if the resource is insufficient after the system is initially assigned, the process performs a request for a resource, not a user, and is performed through the same process as described above.

FIG. 5 illustrates a correlation between each module and the order of role / authority acquisition described in FIG. 2.

That is, FIG. 5 is a process of acquiring usage rights for resources in a granular module relationship and order for RBAC modules.

The user transmits a certificate including a content of a task to be performed and a policy level to the gatekeeper 200, and the gatekeeper receiving the file acquires a policy level by searching for the policy level in the certificate and transmitting the policy level to the policy level module (S5_1). )do. In order to obtain a policy level, the policy level is composed of the four fields described above. By separating each field value, the grade defined in each field value is searched in the grade definition database 411 to set the grade and convert the authority (S5_2).

The obtained field obtains a policy (S5_3) for acquiring the user's (who) 's authority and the scope of use.

If the policy grade is obtained, roles are obtained for fields divided according to the policy grade (S5_4), and for each role, a role / permission database 421 is searched to obtain information by searching for information on each role (S5_5). . The role / permission database is composed of the types of tasks that can be performed according to the level, the types and capacity of resources that can be allocated, permissions, and the execution environment.

When the above process is completed, the certificate is sent back to the gatekeeper to grant access to the resource system (grid) for the user, and the user performs work on the resource system (grid).

The level defined in the user certificate goes through the role parsing module and obtains the defined role retrieved from the database. The acquired role goes through the process of object selection, and the acquisition of the use authority for the resource acquires the final authority through the query retrieved from the object / role / permission database. The authority obtained through such a process is expressed in the form of acquiring and managing the authority according to the defined role, in contrast to granting each user the authority to use the resource individually. You can solve administrative problems that arise from authorization and definition of user requirements.

According to the present invention, a user certificate-based role and authority setting system is established to perform efficient resource distribution and management to users using a grid computing environment, to accommodate various demands of users, and user ID of a local system. Management problem can be solved.

In addition, the present invention has developed a new role and authority setting system that does not depend on the user ID due to the configuration of the module linked to the role and authority policy database. It has the effect of providing advantages in resource allocation management and account resource management. In addition, there is an effect that provides a way to protect the system securely from various security attacks that may occur in the existing system security by the user ID.

In addition, the user certificate-based role and authority setting system according to the present invention is applicable to a distributed system environment similar to a grid computing environment because it complies with international standards that are used in the past.

Claims (2)

In a system for allocating resources required to perform a task requested by a user in a grid computing environment and granting access to the resources, An authentication server for issuing a certificate to which the user's policy level is added; Modules linking the authorization policy database to the resource system through fields in the user certificate. A role / policy database to utilize resources according to the classification of user roles on the local system; And a module for converting data between the linkage module and the role / policy database. And a user role / permission setting system using a certificate in a grid environment, wherein the user interface is configured to interwork with the system. In the grid computing environment, a method for allocating a resource required to perform a task requested by a user and granting access to the resource, Transmitting, to the gatekeeper, a work file which is a certificate including a content and a policy level of the work to be performed; The gatekeeper receiving the work file retrieves the policy level in the certificate and sends it to the policy level module; The module receiving the policy grade, searching the grade definition database to determine a range corresponding to the grade; Retrieving a role / authority database according to the determined rank; Searching for the role / authority database, extracting the corresponding information, and transmitting the extracted information to the gatekeeper; User role / authority setting method using a certificate in a grid environment, characterized in that consisting of.

Images