VIRTUAL ORGANIZATIONS AND DATABASE ACCESS – A CASE

STUDY

Mikko Pitkanen

, Marko Niinimaki

, John White

, and Tapio Niemi

Helsinki University of Technology, Finland

Helsinki Institute of Physics at CERN, Geneva, Switzerland

University of Tampere, Finland

Keywords:

Grid computing, distributed databases, virtual organizations

Abstract:

This paper presents a case study of using virtual organization technologies in database access. A virtual orga-

nization (VO) is a collection of people in the same administrative domain. A user can belong to many virtual

organizations and have a different role (user, client, administrator,..) in each of them. An authorization of a

user to different services within a VO is based on the user’s identity and a service called a Virtual Organization

Membership Service (VOMS) that maps these identities with roles.

The user’s identity can be established in two ways. If the user communicates with the service using his

web browser, the user’s certiﬁcate must be included in the browser. Another possibility is to use a proxy

certiﬁcate. There, in the proxy creation process, the program that writes the proxy adds the user’s proxy

certiﬁcate information about his participation in different VO’s and his role in each of them.

In order to demonstrate using these VO proxy certiﬁcates, we have extended the functionality of Spitﬁre, a

relational database front end. This involves assigning the user a database role (read/write/update) based on the

VO information in his certiﬁcate. There is also a graphical user interface for creating the mappings between

VO roles and database access roles.

1 INTRODUCTION

The recent interest and subsequent research in the

Grid computing ﬁeld has given rise to the concept of

“virtual organizations”. A virtual organization (VO)

is a collection of people in some administrative do-

main. The user can be a part of any number of in-

ternal groups in their organization and have multiple

roles in many organizations (Alﬁeri et al., 2003). A

user is authorized to perform tasks on a computing

Grid according to their VO afﬁliation and their role(s)

within the VO.

The authorization process becomes more complex

when the number of users and the number of possible

roles of the users in the service increases. As services

are usually distributed, a centralized service manag-

ing the authorization data is needed. This service

is called a Virtual Organization Membership Service

(VOMS) (Alﬁeri et al., 2003). The VOMS service is

a front-end to a database where the information about

the users is kept. The server maintains lists of groups,

roles and capabilities that belong to each user. The

VOMS is used to bind authorization information to a

users identity (Alﬁeri et al., 2003).

When a VOMS service is used, the user in-

vokes voms-proxy-init program (or equivalent)

to contact the VOMS server. This program produces

a proxy certiﬁcate containing the authorization in-

formation from VOMS service (Alﬁeri et al., 2003).

When the user enters a service presenting his VOMS

certiﬁcate, the service can ﬁnd out the user’s autho-

rization information from the certiﬁcate. This re-

moves the responsibility to maintain up-to-date infor-

mation in every server.

The information about a user’s VO and their role in

it can be easily utilized in the context of distributed

databases being accessed by a European DataGrid

(EDG) product, Spitﬁre (Project Spitﬁre, 2001). In a

typical case, if a Spitﬁre administrator knows a user’s

VO (e.g., an academic collaboration ACAVO) and

their role within this ACAVO (say, an administrator),

they can assume which databases the user should be

able to access or modify. Using Spitﬁre, along with

the edg-java-security package and a graphical user in-

terface we can easily add a rule concerning the access

rights of the user. This greatly simpliﬁes the task of

the database administrators, since they do not need to

create a database access and grant different rights to

each new person in the VO.

Foster, Kesselmann and Tuecke emphasize the role

514

Pitkanen M., Niinimaki M., White J. and Niemi T. (2004).

VIRTUAL ORGANIZATIONS AND DATABASE ACCESS – A CASE STUDY.

In Proceedings of the Sixth International Conference on Enterprise Information Systems, pages 514-517

DOI: 10.5220/0002602305140517

 SciTePress

of virtual organizations in resource sharing in (Fos-

ter et al., 2001), and mention database access in

one of their Grid scenarios. The OgsaDai consor-

tium (OgsaDai, 2002) has deﬁned an architecture for

Grid database accesses and released an implementa-

tion of it. However, as far as we know, the European

DataGrid project has been the ﬁrst to design and im-

plement a VO-based access management and imple-

mentation, that is described in this paper.

2 SPITFIRE AND EDG JAVA

SECURITY

Spitﬁre (Project Spitﬁre, 2001) is a project of Work

Package 2 within the European Data Grid Project. It

offers a Java servlet that accepts database requests us-

ing HTTP/HTTPS protocols and displays the results

in XML. The EDG’s authentication and authorization

software, edg-java-security, analyzes the user’s rights

to execute operations based on the user certiﬁcate pre-

sented to the system.

In edg-java-security, the authentication is based on

a hand-shaking protocol in Secure Sockets Layer and

Transport Layer Security. The server and client send

each other their X509-format certiﬁcates and mes-

sages encrypted by their private keys that are related

to the public keys included in the X509 certiﬁcates.

This way the server and the client authenticate them-

selves as owners of their respective certiﬁcates (Secu-

rity Coordination Group, 2003).

When a proxy certiﬁcate is used as a credential, the

user sends their certiﬁcate and the proxy certiﬁcate to

the server (Foster and Kesselman, 1997). The proxy

is signed by the user and the user’s certiﬁcate is used

to verify the proxy’s signature. This way the chain

of trust is delegated to the proxy. The proxy certiﬁ-

cate can be used by the user for access to various ser-

vices, as it carries the user’s signature as identiﬁca-

tion. However, the only apparent feature of the proxy

is its issuer, i.e. the user’s certiﬁcate subject like

“O=Grid, O=NorduGrid, OU=hip.ﬁ, CN=Joe User”.

Each Grid service needs to decide independently the

access rights of each certiﬁcate owner. This can be

improved by introducing extensions to the certiﬁcate;

in our case a VO extension that states the user’s VOs

and their role in each of them.

3 AUTHORISATION AND

SECURITY IN RELATIONAL

DATABASES

Authorisation and security are essential in client-

server database systems. In this section we discuss

brieﬂy how they are implemented in SQL databases.

We follow the book by Elmastri and Navathe (Elmasri

and Navathe, 1994).

In general, two methods are used in database access

control: discretionary and mandatory access control.

In discretionary access control different privileges for

database objects (e.g. tables = relations, columns =

attributes) are granted to the users while in mandatory

access control the data and the users are classiﬁed in

different security classes. A user, in order to view

the data, must have the same or higher security class

than the data in question. In the following discussion,

we will refer to discretionary access control meth-

ods since almost all relational database systems use

it while the mandatory control method is used only in

some special systems. Moreover, the SQL standards

support only discretionary access control.

In SQL, privileges can be assigned to the account

(user) level or the database object (relation) level. At

the account level the privileges deﬁne what operations

a particular user can perform in general, and in the

database object level the privileges specify the oper-

ations a user can perform on the object (e.g. select,

modify). In order to perform an operation, the user

must have both account level and the object level priv-

ileges.

The basic privileges for relations (tables) are select,

modify, and reference. The select privilege allows the

user to retrieve data from the relation and is deﬁned

only on the relation level; views can be used to allow

only some attributes to be retrieved. The modify priv-

ilege allows the user to modify the data and can be

deﬁned in a more detailed manner as update, delete,

and insert privileges. The modify privilege is also de-

ﬁned on the relation level, and the update and insert

privileges can also be given on the attribute (column)

level. The reference privilege allows the user to deﬁne

references to a relation, e.g foreign key constraints.

SQL has grant and revoke commands for deﬁning

privileges. With the grant option, a privilege can be

given to the user so that he can grant it further. SQL

also supports roles. The role is “a set of privileges”

that can be assigned to the user. This makes admin-

istration easier since several privileges do not need to

grant separately to the user.

4 VOMS

Essentially the Virtual Oraganization Membership

System (VOMS) presents an extension to a user’s

X509 proxy certiﬁcate, that includes their VO mem-

bership information. When a VOMS-proxy is gen-

erated with the voms-proxy-init command is

used, the VOMS server is contacted to request a

VOMS-extended proxy certiﬁcate that follows the

VIRTUAL ORGANIZATIONS AND DATABASE ACCESS - A CASE STUDY

515

standard X509v3 (Housley et al., 1999) certiﬁcate for-

mat. All the standard ﬁelds of the proxy certiﬁcate

are used to store the user’s authentication information.

The X509v3 extension (1.3.6.1.4.1.8005.100.100.1)

part is used to include authorization information in the

user’s proxy certiﬁcate. The authorization informa-

tion is stored in triplets of GROUP, ROLE and CAP

(special capability rules, like disk space assignments).

When a user wishes to use a grid service, they

pass their credential (in this case the VOMS-extended

proxy certiﬁcate) to the service interface, for example,

Spitﬁre. The grid service then extracts the user’s au-

thorization information from the extension part. The

extensions part of the proxy certiﬁcate also includes

the VOMS signature and validity period of the role

mappings. The VOMS signature is used to to verify

that a trusted VOMS service has attached the autho-

rization information to the user’s proxy certiﬁcate.

The actual information that the VOMS extension

contains can be conﬁgured by the VO’s administra-

tion, by using VOMS’es user interface.

In the future, it is foreseen to use Attribute Certiﬁ-

cates (Farrell and Housley, 2002) to store the autho-

rization information instead of extending the proxy

certiﬁcate. This will not change the way information

is used in a service since the same information is ex-

tracted from a different credential passed by a user.

5 COMBINING VOMS AND

SPITFIRE USER

AUTHORIZATION

MECHANISMS

In the Spitﬁre service, database roles are divided into

categories of “read”, “write”, “update”, and “create”

by default. A user that has been assigned the read

role is allowed to browse the database in question;

similarly, “write” role owner can insert data, “update”

role owner can modify data, and “create” role owner

can create new tables. Normally, of course, a user can

have many roles; for instance in the case of a database

administrator all of the above.

A policy is a collection of mappings of roles

and users. Policies are designed by EDG’s Trust-

Manager software components. For instance, pol-

icy “default” can be based on a regular expression

mapping that allows roles “read”, “write”, “update”,

and “create” to a person whose certiﬁcate subject is

“O=Grid, O=NorduGrid, OU=hip.ﬁ, CN=Joe User”,

and “read” to persons whose certiﬁcate subject con-

tains “O=Grid, O=NorduGrid, OU=hip.ﬁ”.

Spitﬁre can access any relational database with

a Java connector, but the default implementation is

based on MySQL (MySQL AB, 2001). With MySQL,

the roles are applied on database-wide basis

. Differ-

ent VO’s can have their databases accessed through a

single Spitﬁre service and the access conﬁguration is

managed with standard Java database access methods.

6 USE CASE: ACCESSING

SPITFIRE WITH A CLIENT

PROGRAM

Spitﬁre offers standalone Java and c++ clients for ac-

cessing the service. A use case is presented to illus-

trate database access with VOMS certiﬁcates.

First the user requests a VOMS certiﬁcate with

edg-voms-proxy-init command. The certiﬁ-

cate is written and stored to a ﬁle “/tmp/x509up

uid”

(where id is the user’s identity number in the com-

puter). When the client accesses a service, the VOMS

(proxy) certiﬁcate is sent to the service. The service

is then able to extract the authorization information

from the certiﬁcate.

The service ﬁnds out which VO the user belongs to.

Further, the role of the user in his VO is also extracted

from the certiﬁcate. With this information the service

is able to deﬁne the user’s access rights. This removes

the need from a service to know speciﬁc user ids and

their mapping to database access rights.

In the case of successful authorization, the result of

the user’s query is returned to the client. An extract

of sample client code is shown in Figure 1, where the

programmer requests an XML output of query “select

all columns from table repcat in database GRID such

that the column LFN contains cms.cern.ch”. The se-

curity and authentication features are completely in-

visible to the programmer.

There, we notice that the user requests policy

“voms-based” and and uses his proxy certiﬁcate

named “/tmp/x509up u6385”.

7 CONCLUSIONS

In this paper, we have presented a design and an im-

plementation of virtual organizations and database ac-

cess. The main beneﬁts of the design are that it sep-

arates authentication and role authorization in man-

ageable modules; and that here is no need to enter

user id - password -pairs because of certiﬁcates. Us-

ing VOMS adds the beneﬁt of easy administration;

the VOMS admin can deﬁne global policies how to

MySQL’s “database” rougly corresponds to Oracle’s

tablespace. Many database vendors, including MySQL and

Oracle, implement at least “per database” and “per table”

access control.

ICEIS 2004 - DATABASES AND INFORMATION SYSTEMS INTEGRATION

516

public final class SimpleQuery {

public static void main (String args[]) throws Exception {

String endpoint = null; endpoint = args[0];

SpitfireBaseServiceLocator sfLocator = new SpitfireBaseServiceLocator();

SpitfireBase sfBase = sfLocator.getSpitfireBase(new java.net.URL( endpoint ));

try {

System.out.println("The result as XML\n");

String c = "LFN like \"%cms.cern.ch%\"";

System.out.println(sfBase.simpleSelectAllAsXML("GRID","repcat",c, 0));

} catch (Exception x) {

System.out.println(" ERROR: " + x.getMessage() );

}

java -classpath [...]

-DgridProxyFile=/tmp/x509up_u6385

-Dedg-security.policy=voms-based

SimpleQuery https://localhost:8443/Spitfire/services/SpitfireBase

The result as XML

<?xml version="1.0" encoding="UTF-8"?>

<ROWSET><ROW num="1"><LFN>lfn://cms.cern.ch/dataset/file001</LFN>

[..]

<ROW num="5"><LFN>lfn://cms.cern.ch/dataset/file005</LFN>

Figure 1: Sample code, a command to invoke it, and its output.

access database services within a VO and thus ease

local administration procedures.

As discussed in Section 5, the system can only

be accessed using speciﬁc client programs, not for

instance a web browser. However, we are in pro-

cess of incorporating VOMS functionality in Grid-

Blocks Agent software (Mobile Analyzer, see (Karp-

pinen et al., 2003)) that enables simultaneous queries

to distributed databases and has a graphical user inter-

face.

EDG software is open source, and avail-

able at http://datagrid.in2p3.fr. Grid-

Blocks is open source software available at

http://gridblocks.sourceforge.net.

REFERENCES

Alﬁeri, R., Cecchini, R., Ciashini, V., dell’Agnello, L.,

Frohner, A., Lorentey, K., and Spataro, F. (2003).

VOMS an authorization system for virtual organiza-

tions. In Proceedings of the 1st European Across

Grids Conference - Santiago de Compostela, Spain,

13-14 February 2003.

Elmasri, R. and Navathe, S. B. (1994). Fundamentals of

database systems (2nd ed). Benjamin / Cummings.

Farrell, S. and Housley, R. (2002). Rfc 3281, an internet

attribute certiﬁcate proﬁle for authorization. Available

on http://www.ietf.org/rfc/rfc3281.txt.

Foster, I. and Kesselman, C. (1997). Globus: A metacom-

puting infrastructure toolkit. International Journal of

Supercomputer Applications, 11(2).

Foster, I., Kesselman, C., and Tuecke, S. (2001). The

anatomy of the Grid: Enabling scalable virtual organi-

zations. International Journal of Supercomputer Ap-

plications, 15(3).

Housley, R., Ford, W., Polk, W., and Solo, D. (1999).

Rfc 2459, internet x.509 public key infrastruc-

ture certiﬁcate and crl proﬁle. Available on

http://www.ietf.org/rfc/rfc2459.txt.

Karppinen, J., Niemi, T., and Niinimaki, M. (2003). Mo-

bile analyzer - new concept for next generation of

distributed computing. The 3rd IEEE/ACM Inter-

national Symposium on Cluster Computing and the

Grid, (CCGrid 2003), Japan, May 2003. Available on

http://ccgrid2003.apgrid.org/online

posters.

MySQL AB (2001). Mysql. Available on:

http://www.mysql.org.

OgsaDai (2002). Open grid services architecture

data access and integration. Available on:

http://www.ogsadai.org.

Project Spitﬁre (2001). Project Spitﬁre.

Available on: http://spitﬁre.web.cern.ch.

Security Coordination Group (2003). Datagrid security de-

sign. Technical report, European DataGrid Project.

VIRTUAL ORGANIZATIONS AND DATABASE ACCESS - A CASE STUDY

517