Please use this identifier to cite or link to this item: http://arks.princeton.edu/ark:/88435/dsp01n583xx39b
Title: A Framework for Access Control and Resource Allocation for Federations
Authors: Sevinc, Soner
Advisors: Peterson, Larry
Contributors: Computer Science Department
Keywords: Access Control
Cloud computing
Policy Languages
Resource discovery
Testbeds
Trust management
Subjects: Computer science
Issue Date: 2016
Publisher: Princeton, NJ : Princeton University
Abstract: In this thesis we address the access control and resource allocation problems in computational federations, such as testbeds and cloud computing federations. The computational federations of today are growing in their number of participant organizations, where one challenge is to allow organizations to participate autonomously by expressing how much of their resources should be used and by whom, through complex policies. In addition, such organizations should be able to exchange resources with any other organizations without necessarily knowing all of them beforehand. We introduce our federation framework which allows to build federations in varying complexities easily, by synthesizing trust management, policy languages and resource discovery into a single system. Although these three have been studied separately in the past, we show that they are in fact related, and can be viewed as separate layers of a more general system. We argue that complex agreements that involve indirect trust relationships are one key way to enable resource exchange in a federation with numerous organizations, and this can be realized by our synthesis architecture that provides usability as well as expressiveness. As part of our framework, federation policy language (FPL) is used to express both the security and allocation policies, by providing simple primitives such as contracts that hide the underlying complexity. FPL primitives allow system administrators to express policies such as indirect trust and resource restrictions within the same construct. Underneath, FPL uses our distributed trust management system (CERTDIST) to implement and impose policy primitives. CERTDIST uses digital certificates to allow or deny resource requests and a DHT for complex distributive proofs in an efficient way.
The Resource discovery part of our framework (CODAL) is layered on top of FPL, and uses contracts to discover peers, FPL security and allocation policies to authorize for resources that are located possibly in many different organizations. We evaluate the federation framework with a realistic emulation of a large scale federation using real PlanetLab traces, that shows that complex policies can be expressed with a minimal amount of code, and we can efficiently perform the access control and resource discovery operations in a federation.
URI: http://arks.princeton.edu/ark:/88435/dsp01n583xx39b
Alternate format: The Mudd Manuscript Library retains one bound copy of each dissertation. Search for these copies in the library's main catalog: http://catalog.princeton.edu/
Type of Material: Academic dissertations (Ph.D.)
Language: en
Appears in Collections: Computer Science

Files in This Item:
File: Sevinc_princeton_0181D_11647.pdf
Size: 1.85 MB
Format: Adobe PDF


Items in Dataspace are protected by copyright, with all rights reserved, unless otherwise indicated.