T.V. Ryutov, G. Gheorghiu and B.C. Neuman
Information Sciences Institute
University of Southern California
4676 Admiralty Way, Suite 1001
Marina del Rey, CA 90292
(310)822-1511 (voice) (310)823-6714 (fax)
To span administrative boundaries, metacomputing systems require the integration of strong authentication and authorization methods. The problem is complicated because different components of the system may have different security policies. This paper presents a distributed model for authorization that we have integrated with the Prospero Resource Manager (PRM), a metacomputing resource allocation system developed at USC. The integration of authorization with PRM was accomplished through the specification of a policy language and the use of a Generic Authorization and Access-Control API (GAA API). The language supports the specification of diverse authorization policies, including ACLs, capabilities and lattice-based access controls. The GAA API provides a uniform authorization service interface for facilitating access control decisions and requesting authorization information about a particular resource. We describe a prototype of our system.