A Framework for Access Control and Resource Allocation in Federations
Abstract:
In this thesis we address the access control and resource allocation problems in computational
federations, such as testbeds and cloud computing federations. The computational federations of
today are growing in their number of participant organizations, and one challenge is to allow
organizations to participate autonomously by expressing, through complex policies, how much of
their resources should be used and by whom. In addition, such organizations should be able to
exchange resources with any other organization without necessarily knowing all of them beforehand.
We introduce our federation framework, which makes it easy to build federations of varying
complexity by synthesizing trust management, policy languages and resource discovery into a single
system. Although these three have been studied separately in the past, we show that they are
in fact related, and can be viewed as separate layers of a more general system. We argue that
complex agreements that involve indirect trust relationships are one key way to enable resource
exchange in a federation with numerous organizations, and that this can be realized by our
synthesis architecture, which provides usability as well as expressiveness.
As part of our framework, the federation policy language (FPL) is used to express both the security
and allocation policies, by providing simple primitives such as contracts that hide the underlying
complexity. FPL primitives allow system administrators to express policies such as indirect trust
and resource restrictions within the same construct. Underneath, FPL uses our distributed trust
management system (CERTDIST) to implement and impose policy primitives. CERTDIST uses
digital certificates to allow or deny resource requests and a DHT to perform complex distributive
proofs efficiently. The resource discovery part of our framework (CODAL) is layered on top of
FPL, and uses contracts to discover peers and FPL security and allocation policies to authorize
access to resources that may be located in many different organizations.
This thesis also includes a trust model analysis of today’s federations and enabling technologies,
which shows that simpler trust relationships have been used in these systems, but that complex
trust relationships are a logical evolutionary step. We evaluate the federation framework with a
realistic emulation of a large-scale federation using real PlanetLab traces, which shows that
complex policies can be expressed with a minimal amount of code, and that we can efficiently
perform the access control and resource discovery operations in a federation.