搜索
网格中安全策略的描述和评估陈昕2002.3.17AdditionalProblemsposedbyMultipleAdministrationPolicyintegrationshouldincorporatethediverseauthorizationmodelsthatcancoexistinadistributedsystem.Integratedifferentsetsofpoliciesassociatedwiththedomainprovidingresources,thedomainrequestingresourcesandtheindividualuserswithineachdomain.NosinglesyntaxforspecificationofprincipalsAgeneralizedwaytodefineapplication’ssecurityrequirementsAuthorizationFrameworkPolicylanguageGenericAuthorizationandAccess-controlAPIPolicyLanguageElements:accessidentitygrantoridentityasetofaccessrightsasetofconditionsPolicylanguage(continued)Policylanguagerepresentsasequenceoftokens:–Tokentype–Definingauthority–ValueExtendedAccessControlLists(EACLs)e.gTokenType:access-id-ANYBODYTokenType:access-id-GROUPDefiningAuthority:noneDefiningAuthority:DCEValue:noneValue:15TokenType:pos-access-rightsTokenType:pos-access-rightsDefiningAuthority:local-managerDefiningAuthority:local-managerValue:FILE:readValue:FILE:readFILE:writeTokenType:authentication-mechanismTokenType:locationDefiningAuthority:system-managerDefiningAuthority:system-managerValue:kerberos:V5Value:*.USC.EDUExtendedAccessControlLists(continued)CredentialEvaluationExtendedAccessControlLists(continued)IdentityCredential:access-id-USERkerberos.v5tom@ORG.EDUcondition:time-windowpacific-tzone6am-7pmGroupmembershipcredentialaccess-id-GROUPkerberos.V5admin@ORG.EDUcondition:privilege:restrictedDelegationcredentialgrantor:grantor-id-USERkerberosV5joe@USTC.EDU.CNgrantee:acess-id-USERkerberosV5tom@USTC.EDU.CNobjects:doc.txtrights:pos-access-rightslocal-managerFILE:writecondition:locationlocal-manager*.ustc.edu.cnGAA-APIGAA-APIfunctionsgaa-get-object-policy-infogaa-check-authorizationgaa-inquire-object-policy-infoGAA-APISecurityContextIdentityAuthorizationattributesEvaluationandRetrievalFunctionsforUpcalls