Resource description
Policy language

Description and Evaluation of Security Policies in the Grid
Chen Xin (陈昕), 2002.3.17

Additional Problems posed by Multiple Administration
- Policy integration should incorporate the diverse authorization models that can coexist in a distributed system.
- Integrate different sets of policies associated with the domain providing resources, the domain requesting resources and the individual users within each domain.
- No single syntax for specification of principals
- A generalized way to define applications' security requirements

Authorization Framework
- Policy language
- Generic Authorization and Access-control API

Policy Language
Elements:
- access identity
- grantor identity
- a set of access rights
- a set of conditions

Policy language (continued)
Policy language represents a sequence of tokens:
- Token type
- Defining authority
- Value

Extended Access Control Lists (EACLs)
e.g.

Example 1:
  Token Type: access-id-ANYBODY          Defining Authority: none            Value: none
  Token Type: pos-access-rights          Defining Authority: local-manager   Value: FILE:read
  Token Type: authentication-mechanism   Defining Authority: system-manager  Value: kerberos:V5

Example 2:
  Token Type: access-id-GROUP            Defining Authority: DCE             Value: 15
  Token Type: pos-access-rights          Defining Authority: local-manager   Value: FILE:read FILE:write
  Token Type: location                   Defining Authority: system-manager  Value: *.USC.EDU

Extended Access Control Lists (continued)
Credential Evaluation

Extended Access Control Lists (continued)
Identity Credential:
  access-id-USER kerberos.v5 tom@ORG.EDU
  condition: time-window pacific-tzone 6am-7pm
Group membership credential
  access-id-GROUP kerberos.V5 admin@ORG.EDU
  condition: privilege:restricted
Delegation credential
  grantor: grantor-id-USER kerberosV5 joe@USTC.EDU.CN
  grantee: access-id-USER kerberosV5 tom@USTC.EDU.CN
  objects: doc.txt
  rights: pos-access-rights local-manager FILE:write
  condition: location local-manager *.ustc.edu.cn

GAA-API
GAA-API functions
- gaa-get-object-policy-info
- gaa-check-authorization
- gaa-inquire-object-policy-info

GAA-API
Security Context
- Identity
- Authorization attributes
- Evaluation and Retrieval Functions for Upcalls