Using Workflow for Dynamic Security Context Management in Grid-based Applications

Yuri Demchenko (1), Leon Gommans (2), Cees de Laat (3), Arie Taal (4), Alfred Wan (5), Olle Mulmo (6)

(1-5) System and Network Engineering Group, University of Amsterdam, Kruislaan 403, 1098SJ Amsterdam, The Netherlands
(1) demch@science.uva.nl, (2) lgommans@science.uva.nl, (3) delaat@science.uva.nl, (4) taal@science.uva.nl, (5) wan@science.uva.nl
(6) Center for Parallel Computers, Kungliga Tekniska högskola, SE-100 44 Stockholm, Sweden; mulmo@pdc.kth.se

Abstract— This paper presents ongoing research and current results on the development of flexible access control infrastructures for complex resource provisioning in Grid-based collaborative applications and on-demand network services provisioning. We investigate the use of workflow concepts for the required orchestration of multiple Grid resources and/or services across multiple administrative and security domains. In particular, workflow execution and management tools can be used to track security context changes that depend on the application domain, on policies defined per execution stage, or on user and/or service attributes. The paper discusses what specific functionality should be added to Grid-oriented authorization frameworks to handle such dynamic, service-related security contexts. As an example, the paper explains how such functionality can be achieved in the GAAA Authorization framework and GAAA toolkit. Suggestions are given about integration with the Globus Toolkit's Authorization Framework. Additionally, the paper analyses how dynamic security contexts can be expressed and handled in XACML and SAML, and how the VO concept can be used for managing dynamic security associations of users and resources. The paper is based on experiences gained from major Grid-based and Grid-oriented projects such as EGEE, NextGrid, Collaboratory.nl and GigaPort Research on Network.

I. INTRODUCTION

With the wider use and deployment of Grid and Web Services there is increasing industry demand for dynamic, customer-driven service and resource provisioning. To support this, the Grid security infrastructure should allow a dynamic binding between an invoked Grid service and its security policy, and in particular allow that binding to depend on the task execution context. While the Open Grid Services Architecture (OGSA) [1] shows great promise as an architectural framework for dynamic Grid services, a practical implementation requires a more detailed definition of the operational aspects.

Lately, Grid middleware has been developed in the framework of large international projects such as EGEE (http://public.eu-egee.org/), OSG (http://www.opensciencegrid.org) and the Globus Alliance (http://www.globus.org/). It has reached a production level of maturity, but it remains primarily focused on computational resource and task management. At the same time, many collaborative and business-oriented applications require more complex and interactive Grid service management scenarios [2].

Grid middleware provides a common communication/messaging infrastructure for all resources and services exposed as Grid services, and also allows for a uniform security configuration at the service container or messaging level. This significantly simplifies the development of Grid-based applications and allows developers to focus on application-level logic.

The topic of this paper is to develop principles and provide suggestions for how an access control infrastructure can be built to support a dynamically changing security context while still providing consistent security. Currently this issue is not addressed in existing security middleware implementations: all major components of the security context, such as trust relations, attribute semantics and access control policies, typically need to be statically configured before service deployment. Making them dynamically configurable and manageable during service operation is considered in this paper as an approach to designing context-aware access control services for dynamic Grid applications.

This work is based on two use cases that define the basic functionality of a flexible and dynamic access control infrastructure: Optical Light Path Provisioning (OLPP) [3] and Grid-based Collaborative Environments (GCE) [4]. The approaches and technical solutions proposed in this paper are based on an extended gap analysis undertaken in the framework of the SURFnet GigaPort Research on Network (GigaPort-RoN, http://ron.gigaport.nl/) project to identify general and specific requirements for an access control infrastructure for on-demand network services provisioning, in particular OLPP [5].
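As an added illustration of the distinction drawn above between deployment-time and session-bound security context, the following Python sketch is not code from the paper or from the GAAA toolkit. It models a hypothetical policy decision point for an OLPP-like lightpath service in which the applicable rule is selected by the session's current execution stage, and the trust relations (which attribute issuers are accepted) are bound when the session is opened rather than fixed in the container configuration. The service name, stage names, roles and issuer identifiers are all invented for the example.

```python
"""Illustrative context-aware PDP (added example, not the paper's GAAA toolkit).

Hypothetical names: service "olpp.lightpath", stages reserve/allocate/use/release,
roles planner/vo-admin/member, issuer identifiers such as "vo-ca".
"""
from dataclasses import dataclass, field


@dataclass
class SecurityContext:
    """Per-session security context: the execution stage plus the trust
    relations (attribute issuers accepted for this session) bound at creation."""
    session_id: str
    stage: str
    trusted_issuers: set = field(default_factory=set)


@dataclass
class Request:
    session_id: str
    service: str
    action: str
    roles: frozenset   # subject attributes, e.g. VO roles
    issuer: str        # who asserted the attributes (e.g. a VO attribute authority)


# Stage-indexed policy: the rule that applies depends on where the session is in
# the provisioning workflow, not only on which service is invoked.
STAGE_POLICY = {
    "olpp.lightpath": {
        "reserve":  {"actions": {"reserve"},        "roles": {"planner", "vo-admin"}},
        "allocate": {"actions": {"allocate"},       "roles": {"vo-admin"}},
        "use":      {"actions": {"send", "status"}, "roles": {"member", "vo-admin"}},
        "release":  {"actions": {"release"},        "roles": {"vo-admin"}},
    }
}
STAGE_ORDER = ["reserve", "allocate", "use", "release"]


class ContextAwarePDP:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}

    def open_session(self, session_id, trusted_issuers):
        """Bind trust relations and the initial stage to a new session."""
        self.sessions[session_id] = SecurityContext(
            session_id, STAGE_ORDER[0], set(trusted_issuers))

    def advance(self, session_id):
        """Move the session to the next workflow stage; returns the new stage."""
        ctx = self.sessions[session_id]
        i = STAGE_ORDER.index(ctx.stage)
        if i + 1 < len(STAGE_ORDER):
            ctx.stage = STAGE_ORDER[i + 1]
        return ctx.stage

    def decide(self, req):
        """Return 'Permit' or a 'Deny:<reason>' string (reason codes are ours)."""
        ctx = self.sessions.get(req.session_id)
        if ctx is None:
            return "Deny:no-session"
        if req.issuer not in ctx.trusted_issuers:
            return "Deny:untrusted-issuer"
        rule = self.policy.get(req.service, {}).get(ctx.stage)
        if rule is None:
            return "Deny:no-rule-for-stage"
        if req.action not in rule["actions"]:
            return "Deny:action-not-allowed-in-stage"
        if not (req.roles & rule["roles"]):
            return "Deny:insufficient-role"
        return "Permit"


def demo():
    """Walk one constructed session through the workflow; returns the decisions."""
    pdp = ContextAwarePDP(STAGE_POLICY)
    pdp.open_session("s1", {"vo-ca"})
    planner = frozenset({"planner"})
    admin = frozenset({"vo-admin"})
    out = []
    out.append(pdp.decide(Request("s1", "olpp.lightpath", "reserve", planner, "vo-ca")))
    out.append(pdp.decide(Request("s1", "olpp.lightpath", "allocate", admin, "vo-ca")))   # wrong stage
    pdp.advance("s1")
    out.append(pdp.decide(Request("s1", "olpp.lightpath", "allocate", planner, "vo-ca"))) # wrong role
    out.append(pdp.decide(Request("s1", "olpp.lightpath", "allocate", admin, "vo-ca")))
    out.append(pdp.decide(Request("s1", "olpp.lightpath", "allocate", admin, "rogue-ca"))) # untrusted issuer
    out.append(pdp.decide(Request("s2", "olpp.lightpath", "status", admin, "vo-ca")))   # no session context
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

A deployment-time configuration of the same service would carry one rule per service regardless of stage, so an "allocate" request arriving while the session is still in the "reserve" stage, or attributes asserted by an issuer that was never trusted for this session, could not be distinguished from legitimate ones; the workflow stage and the per-session trust binding are exactly the context components the paper argues must become dynamic.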