Author :
Gama, Pedro ; Ribeiro, Carlos ; Ferreira, Paulo
Author_Institution :
Distributed Syst. Group, INESC-ID/IST, Lisboa, Portugal
Abstract :
The rise of grid platforms introduced inexpensive and highly available computing, storage and networking resources. As a result, in a worldwide trend, institutions aggregate into virtual organizations, registering their resources with the grid and in return gaining access to a virtually limitless warehouse. This overabundance allowed the emergence of innovative application and business models, delivering the solution to several large-scale problems, as is the case of data processing, storage and sharing in CERN's Large Hadron Collider Project. To allow system administrators to ensure that resources are employed in a coordinated and secure way, policy mechanisms need to cope with such new models and with the increased complexity of resource usage management. However, current grid platforms provide only simple primitives in their authorization modules. By restricting access control mechanisms to ACLs and role-based models, they disregard powerful usage semantics, such as those which are history-based (e.g. the Chinese-wall security policy). This absence forces the development of ad hoc security managers for each deployed resource, introducing vulnerabilities in the security architecture. The use of advanced policies, and more specifically history-based policies, provides a natural method for expressing and enforcing several grid usage patterns, such as fair resource consumption. Additionally, some policy concepts not usually found in policy engines, such as periodic reevaluation, ensure effective policy enforcement. We present the Heimdhal system, a history-enabled policy engine which allows the definition, enforcement and accounting of history-based policies in grid platforms, and more specifically in Globus Toolkit 4.0. A practical evaluation using selected usage patterns corroborates the effectiveness of this kind of policy in grid computing environments, with encouraging performance results.
Keywords :
authorisation; grid computing; Globus Toolkit; Heimdhal system; access control; grid computing; grid usage pattern; history policy engine; policy mechanism; resource usage management; security architecture vulnerability; Aggregates; Computer networks; Data processing; Engines; Grid computing; Large Hadron Collider; Large-scale systems; Power system modeling; Resource management; Security;