kth.se Publications
1 - 12 of 12
  • 1.
    Ahsant, Mehran
    et al.
    KTH, Superseded Departments (pre-2005), Numerical Analysis and Computer Science, NADA.
    Mulmo, Olle
    KTH, Superseded Departments (pre-2005), Numerical Analysis and Computer Science, NADA.
    Basney, Jim
    University of Illinois.
    Grid Delegation Protocol. 2004. In: Workshop on Grid Security Practice and Experience, 2004, p. 81-91. Conference paper (Refereed)
    Abstract [en]

    We propose a delegation protocol based on the WS-Trust specification, which is applicable for a wide range of Grid applications. The protocol is independent of underlying security mechanisms and is therefore applicable to all security mechanisms of common use in Grid environments, such as X.509 proxy certificates, Kerberos based delegation, and SAML assertions. We emphasize that this is work in progress. In this paper, we document our thoughts and current strategy, and we solicit comments and feedback on our approach.

  • 2.
    Ahsant, Mehran
    et al.
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Mulmo, Olle
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Johnsson, Lennart
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Basney, Jim
    Lee, Adam J.
    Toward An On-demand Restricted Delegation Mechanism for Grids. 2006. In: 2006 7TH IEEE/ACM INTERNATIONAL CONFERENCE ON GRID COMPUTING, New York: IEEE, 2006, p. 152-159. Conference paper (Refereed)
    Abstract [en]

    Grids are intended to enable cross-organizational interactions, which makes Grid security a challenging and nontrivial issue. In Grids, delegation is a key facility that can be used to authenticate and authorize requests on behalf of disconnected users. In current Grid systems there is a tradeoff between flexibility and security in the context of delegation. Applications must choose between limited or full delegation: on one hand, delegating a restricted set of rights reduces exposure to attack but also limits the flexibility/dynamism of the application; on the other hand, delegating all rights provides maximum flexibility but increases exposure. In this paper, we propose an on-demand restricted delegation mechanism, aimed at addressing the shortcomings of current delegation mechanisms by providing restricted delegation in a flexible fashion as needed for Grid applications. This mechanism provides an ontology-based solution for tackling one of the most challenging issues in security systems, which is the principle of least privileges. It utilizes a callback mechanism, which allows on-demand provisioning of delegated credentials in addition to observing, screening, and auditing delegated rights at runtime. This mechanism provides support for generating delegation credentials with a very limited and well-defined range of capabilities or policies, where a delegator is able to grant a delegatee a set of restricted and limited rights, implicitly or explicitly.

  • 3.
    Ahsant, Mehran
    et al.
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Mulmo, Olle
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Nefedova, V.
    Ananthakrishnan, R.
    Liming, L.
    Madduri, R.
    Pearlman, L.
    Siebenlist, F.
    Streamlining Grid Operations: Definition and Deployment of a Portal-based User Registration Service. 2006. In: Journal of Grid Computing, ISSN 1572-9184, Vol. 4, no 2, p. 135-144. Article in journal (Refereed)
    Abstract [en]

    Manual management of public key credentials can be a significant and often off-putting obstacle to Grid use, particularly for casual users. We describe the Portal-based User Registration Service (PURSE), a set of tools for automating user registration, credential creation, and credential management tasks. PURSE provides the system developer with a set of customizable components, suitable for integration with portals, that can be used to address the full lifecycle of Grid credential management. We describe the PURSE design and its use in portals for two systems, the Earth System Grid data access system and the Swegrid computational Grid. In both cases, the user is entirely freed from the need to create or manage public key credentials, thus simplifying the Grid experience and reducing opportunities for error. We argue that this capturing of common use cases in a reusable ‘solution’ can be a model for how Grid ease-of-use can be addressed in other domains as well.

  • 4.
    Ahsant, Mehran
    et al.
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Surridge, Mike
    Leonard, Thomas
    Krishna, Ananth
    Mulmo, Olle
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Dynamic Trust Federation in Grids. 2006. In: Trust Management, Proceedings / [ed] Stolen, K; Winsborough, WH; Martinelli, F; Massacci, F, 2006, Vol. 3986, p. 3-18. Conference paper (Refereed)
    Abstract [en]

    Grids are becoming economically viable and productive tools. They provide a way of utilizing a vast array of linked resources such as computing systems, databases and services online within Virtual Organizations (VO). However, today's Grid architectures are not capable of supporting dynamic, agile federation across multiple administrative domains, and the main barrier, which hinders dynamic federation over short time scales, is security. Federating security and trust is one of the most significant architectural issues in Grids. Existing relevant standards and specifications can be used to federate security services, but do not directly address the dynamic extension of business trust relationships into the digital domain. In this paper we describe an experiment which highlights those challenging architectural issues and forms the basis of an approach that combines a dynamic trust federation and a dynamic authorization mechanism for addressing dynamic security trust federation in Grids. The experiment made with the prototype described in this paper is used in the NextGRID project to define the requirements of next generation Grid architectures adapted to business application needs.

  • 5. Cornwall, L. A.
    et al.
    Jensen, J.
    Kelsey, D. P.
    Frohner, Á.
    Kouřil, D.
    Bonnassieux, F.
    Nicoud, S.
    Lorentey, K.
    Hahkala, J.
    Silander, M.
    Cecchini, R.
    Ciaschini, V.
    dell'Agnello, L.
    Spataro, F.
    O'Callaghan, D.
    Mulmo, Olle
    KTH, Superseded Departments (pre-2005), Numerical Analysis and Computer Science, NADA.
    Volpato, Gian Luca
    KTH, Superseded Departments (pre-2005), Numerical Analysis and Computer Science, NADA.
    Groep, D.
    Steenbakkers, M.
    Mcnab, A.
    Authentication and authorization mechanisms for multi-domain grid environments. 2004. In: Journal of Grid Computing, ISSN 1570-7873, E-ISSN 1572-9184, Vol. 2, no 4, p. 301-311. Article in journal (Refereed)
    Abstract [en]

    This article discusses the authentication and the authorization aspects of security in grid environments spanning multiple administrative domains. Achievements in these areas are presented using the EU DataGrid project as an example implementation. It also gives an outlook on future directions of development.

  • 6. Demchenko, Y.
    et al.
    Gommans, L.
    De Laat, C.
    Taal, A.
    Wan, A.
    Mulmo, Olle
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Using workflow for dynamic security context management in Grid-based applications. 2006. In: Proc. IEEE ACM Int. Workshop Grid Comput., 2006, p. 72-79. Conference paper (Refereed)
    Abstract [en]

    This paper presents ongoing research and current results on the development of flexible access control infrastructures for complex resource provisioning in Grid-based collaborative applications and on-demand network services provisioning. We investigate the use of workflow concepts for the required orchestration of multiple Grid resources and/or services across multiple administrative and security domains. In particular, workflow execution and management tools can be used to track security context changes that are dependent on the application domain, execution stage defined policies, or user and/or service attributes. The paper discusses what specific functionality should be added to Grid-oriented authorization frameworks to handle such dynamic service-related security contexts. As an example, the paper explains how such functionality can be achieved in the GAAA Authorization framework and GAAA toolkit. Suggestions are given about integration with the Globus Toolkit's Authorization Framework. Additionally, the paper analyses what possibilities of expressing and handling dynamic security contexts are available in XACML and SAML, and how the VO concept can be used for managing dynamic security associations of users and resources. The paper is based on experiences gained from major Grid based and Grid oriented projects such as EGEE, NextGrid, Collaboratory.nl and GigaPort Research on Network.

  • 7. Demchenko, Yuri
    et al.
    Mulmo, Olle
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Gommans, Leon
    de Laat, Cees
    Wan, Alfred
    Dynamic security context management in Grid-based applications. 2008. In: Future generations computer systems, ISSN 0167-739X, E-ISSN 1872-7115, Vol. 24, no 5, p. 434-441. Article in journal (Refereed)
    Abstract [en]

    This paper summarises ongoing research and recent results on the development of flexible access control infrastructure for complex resource provisioning in Grid-based collaborative applications and on-demand network services provisioning. The paper analyses the general access control model for Grid-based applications and discusses what mechanisms can be used for expressing and handling dynamic domain or process/workflow-related security context. Suggestions are given on what specific functionality should be added to the Grid-oriented authorization frameworks to handle such dynamic security context. As an example, the paper explains how such functionality can be achieved in the GAAA Authorization framework (GAAA-AuthZ) and GAAA toolkit. Additionally, the paper describes AuthZ ticket format for extended AuthZ session management. The paper is based on experiences gained from major Grid-based and Grid-oriented projects such as EGEE, Phosphorus, NextGRID, and GigaPort Research on Network.

  • 8. Elmroth, E
    et al.
    Gardfjall, P
    Mulmo, Olle
    KTH, School of Computer Science and Communication (CSC), Numerical Analysis and Computer Science, NADA.
    Sandholm, Thomas
    KTH, School of Computer Science and Communication (CSC), Numerical Analysis and Computer Science, NADA.
    An OGSA-based bank service for Grid accounting systems. 2006. In: APPLIED PARALLEL COMPUTING: STATE OF THE ART IN SCIENTIFIC COMPUTING / [ed] Dongarra, J; Madsen, K; Wasniewski, J, 2006, Vol. 3732, p. 1051-1060. Conference paper (Refereed)
    Abstract [en]

    This contribution presents the design and implementation of a bank service, constituting a key component in a recently developed Grid accounting system. The Grid accounting system maintains a Grid-wide view of the resources consumed by members of a virtual organization (VO). The bank is designed as an online service, managing the accounts of VO projects. Each service request is transparently intercepted by the accounting system, which acquires a reservation on a portion of the project's bank account prior to servicing the request. Upon service completion, the account is charged for the consumed resources. We present the overall bank design and technical details of its major components, as well as some illustrative examples of relevant service interactions. The system, which has been implemented using the Globus Toolkit, is based on state-of-the-art Web and Grid services technology and complies with the Open Grid Services Architecture (OGSA).

  • 9.
    Laure, Erwin
    et al.
    CERN, Geneva, Switzerland.
    Fisher, S-M
    Frohner, A.
    Grandi, C.
    Kunszt, P.
    Krenek, A.
    Mulmo, Olle
    KTH, School of Computer Science and Communication (CSC), Numerical Analysis and Computer Science, NADA.
    Pacini, F.
    Prelz, F.
    White, J.
    Barroso, M.
    Buncic, P.
    Hemmer, F.
    Di Meglio, A.
    Edlund, Åke
    KTH, School of Computer Science and Communication (CSC), Numerical Analysis and Computer Science, NADA.
    Programming the grid with glite. 2006. In: Computational Methods in Science and Technology, ISSN 1505-0602, Vol. 12, no 1, p. 33-45. Article in journal (Other academic)
    Abstract [en]

    The past few years have seen the creation of the first production level Grid infrastructures that offer their users a dependable service at an unprecedented scale. Depending on the flavor of middleware services these infrastructures deploy (for instance Condor, gLite, Globus, UNICORE, to name only a few) different interfaces to program the Grid infrastructures are provided. Despite ongoing efforts to standardize Grid service interfaces, there are still significant differences in how applications can interface to a Grid infrastructure. In this paper we describe the middleware (gLite) and services deployed on the EGEE Grid infrastructure and explain how applications can interface to them.

  • 10.
    Sandholm, Thomas
    et al.
    KTH, Superseded Departments (pre-2005), Numerical Analysis and Computer Science, NADA.
    Gardfjäll, Peter
    Elmroth, Erik
    Johnsson, Lennart
    KTH, Superseded Departments (pre-2005), Numerical Analysis and Computer Science, NADA.
    Mulmo, Olle
    KTH, Superseded Departments (pre-2005), Numerical Analysis and Computer Science, NADA.
    An OGSA-Based Accounting System for Allocation Enforcement across HPC Centers. 2004. In: ICSOC '04: Proceedings of the Second International Conference on Service Oriented Computing, 2004, p. 279-288. Conference paper (Refereed)
    Abstract [en]

    In this paper, we present an Open Grid Services Architecture (OGSA)-based decentralized allocation enforcement system, developed with an emphasis on a consistent data model and easy integration into existing scheduling and workload management software at six independent high-performance computing centers forming a Grid known as SweGrid. The Swedish National Allocations Committee (SNAC) allocates resource quotas at these centers to research projects requiring substantial computer time. Our system, the SweGrid Accounting System (SGAS), addresses the need for soft real-time allocation enforcement on SweGrid for cross-domain job submission. The SGAS framework is based on state-of-the-art Web and Grid services technologies. The openness and ubiquity of Web services combined with the fine-grained resource control and cross-organizational security models of Grid services proved to be a perfect match for the SweGrid needs. Extensibility and customizability of policy implementations for the three different parties the system serves (the user, the resource manager, and the allocation authority) are key design goals. Another goal is end-to-end security and single sign-on, to allow resources - selected based on client policies - to act on behalf of the user when negotiating contracts with the bank in an environment where the six centers would continue to use their existing accounting policies and tools. We conclude this paper by showing the feasibility of SGAS, which is currently being deployed at the production sites, using simulations of reservation streams. The reservation streams are shaped using soft computing and policy-based algorithms.

  • 11.
    Sandholm, Thomas
    et al.
    KTH, School of Computer Science and Communication (CSC), Numerical Analysis and Computer Science, NADA.
    Gardfjäll, Peter
    Department of Computing Science, HPC2N, Umeå University.
    Elmroth, Erik
    Department of Computing Science, HPC2N, Umeå University.
    Mulmo, Olle
    KTH, School of Computer Science and Communication (CSC), Numerical Analysis and Computer Science, NADA.
    Johnsson, Lennart
    KTH, School of Computer Science and Communication (CSC), Numerical Analysis and Computer Science, NADA.
    A service-oriented approach to enforce Grid resource allocations. 2006. In: International Journal of Cooperative Information Systems, ISSN 0218-8430, Vol. 15, no 3, p. 439-459. Article in journal (Refereed)
    Abstract [en]

    We present the SweGrid Accounting System (SGAS) - a decentralized and standards-based system for Grid resource allocation enforcement that has been developed with an emphasis on a uniform data model and easy integration into existing scheduling and workload management software. The system has been tested at the six high-performance computing centers comprising the SweGrid computational resource, and addresses the need for soft, real-time quota enforcement across the SweGrid clusters. The SGAS framework is based on state-of-the-art Web and Grid services technologies. The openness and ubiquity of Web services combined with the fine-grained resource control and cross-organizational security models of Grid services proved to be a perfect match for the SweGrid needs. Extensibility and customizability of policy implementations for the three different parties that the system serves (the user, the resource manager, and the allocation authority) are key design goals. Another goal is end-to-end security and single sign-on, to allow resources to reserve allocations and charge for resource usage on behalf of the user. We conclude this paper by illustrating the policy customization capabilities of SGAS in a simulated setting, where job streams are shaped using different modes of allocation policy enforcement. Finally, we discuss some of the early experiences from the production system.

  • 12. Seitz, L.
    et al.
    Rissanen, E.
    Sandholm, Thomas
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Firozabadi, B. S.
    Mulmo, Olle
    KTH, School of Computer Science and Communication (CSC), Centres, Centre for High Performance Computing, PDC.
    Policy administration control and delegation using XACML and delegent. 2005. Conference paper (Refereed)
    Abstract [en]

    In this paper we present a system permitting controlled policy administration and delegation using the XACML access control system. The need for these capabilities stems from the use of XACML in the SweGrid Accounting System, which is used to enforce resource allocations to Swedish research projects. Our solution uses a second access control system Delegent, which has powerful delegation capabilities. We have implemented limited XML access control in Delegent, in order to supervise modifications of the XML-encoded XACML policies. This allows us to use the delegation capabilities of Delegent together with the expressive access level permissions of XACML.
