Restricted Community Accounts
Portal-based access to high-performance computing resources for
communities is an emerging paradigm that gives unprecedented numbers of
users access to HPC systems. Examples of this include the GridChem portal
and the TeraGrid type 1 science gateways.
Processes launched by these portals still need to run in a Unix account on
the HPC resources they utilize. This raises a number of security concerns
as users of the portals are not vetted in the same manner as normal users
of the HPC resource. The portal is also an additional link in the trust
chain from the resource to the user that could be compromised, leading
in turn to the compromise of the HPC resource.
Our work is focused on developing tools that enable HPC administrators
to sandbox the processes initiated by the portal. This allows the
administrator to limit the trust they place in the portal, mitigating their
risk in the event the portal is compromised.
An initial release of the tools is scheduled for early 2006. Targeted users include GridChem and TeraGrid.
Project Staff:
Design documents:
Conference papers:
User's Guides
Downloads:
Downloads are possible through CVS or in source tarball form from this
website. Details can be found on the project downloads page.
This project is funded under the NCSA NSF core program plan.