Designing Universal Framework for Building Collaborative Applications in Heterogeneous Computing Environment

N/A
N/A
Protected

Academic year: 2020

Share "Designing Universal Framework for Building Collaborative Applications in Heterogeneous Computing Environment"

Copied!
27
0
0

Loading.... (view fulltext now)

Full text

PhD Thesis Proposal

Kangseok Kim

Outline of PhD Thesis Proposal

- Motivation and Research Objectives
- Problem Statement
- Literature Survey
- Research Issues
- Research Designs
- Milestones
- Contributions

[Figure: shared whiteboard with annotation, running on both a mobile and a non-mobile device]

Motivation and Research Objectives I

- Heterogeneous community collaboration
  - Most heterogeneous community collaboration systems cannot communicate with each other, e.g. H.323 <-> AG, AG <-> SIP.
  - A wider range of collaboration calls for an integrated collaboration environment that combines collaborative applications, as well as the other collaboration systems, into a single easy-to-use environment.
- Universal collaboration and access
  - The capability of multiple users, each with a different access mode, to link together and reach the same collaborative systems.
  - Makes systems more usable and more useful, and enables people to work remotely with others.

Motivation and Research Objectives II

- Access control in collaboration systems
  - Access control policy in heterogeneous community collaboration systems has not been adequately addressed.
  - Access control policies and mechanisms are needed to prevent unauthorized access to the variety of protected information and resources such systems hold.
- Group coordination support
  - As the number of collaborating users grows, a user may have to contend with other users for access to the collaboration elements.
  - To keep shared state consistent at the application level, competing accesses must be controlled and race conditions on shared resources mitigated.

Problem Statement

What is a generic solution for building an integrated collaboration environment that combines mobile and non-mobile collaborative applications, as well as heterogeneous community collaboration, into a single easy-to-use environment?

Literature Survey

- Conferencing technologies: H.323, SIP, Access Grid, VRVS, others
- Access control schemes: Access Matrix, RBAC, PERMIS, CAS, others

Literature Survey (1): Conferencing Technologies

- H.323: ITU standard for the exchange of voice, video, and data
- SIP (Session Initiation Protocol): lightweight, generic signaling protocol for interactive communication sessions between users, designed by the IETF
- AG (Access Grid): designed for group-to-group collaboration across high-performance networks; initiated by Argonne National Laboratory
- VRVS (Virtual Rooms Videoconferencing System): a web-oriented collaboration system for videoconferencing and collaborative work over IP networks


Literature Survey (2): Access Control Schemes

- Access Matrix: authorization is expressed as the set of operations each subject is allowed to perform on each object
- RBAC (Role Based Access Control): privileges (permissions) to use resources are attached to a role, not to a specific user
- PERMIS (Privilege and Role Management Infrastructure Standards): role-based PMI (Privilege Management Infrastructure)
- CAS (Community Authorization Service)

Research Issues I

- Designing a framework for controlling sessions, accesses, and floors for heterogeneous community collaboration on mobile as well as non-mobile devices
- Handling collaboration (session control)
  - Heterogeneous control protocols have to be translated into a general control protocol
  - The general session control protocol manages session users and resources in communities
- Access control
  - Scalable, dynamic, fine-grained access control

Research Issues II

- Group coordination (floor control)
  - An approach to race conditions in resource sharing, for system and shared-state consistency at the application level
- Fault-tolerant roles in the collaboration system
  - An approach to recovery from a failure-prone system
- Design issues for building applications on mobile devices
  - An approach to overcoming the technical limitations that arise when porting applications from desktop computers (moderate screen size) to mobile devices (small screen size)
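The floor-control issue above is easiest to see in code. The example below is added here and is not the XGSP/XFLOOR implementation: it models one floor per shared element (a whiteboard is the constructed scenario) with a first-come, first-served queue and chair pre-emption, and every mutation of the shared state is refused unless the caller currently holds the floor. The `contend` function runs several users concurrently and `serialized` checks that no user's operations interleave with another's, which is exactly the race the thesis wants to rule out. The class and method names are this example's own.

```python
"""Floor control for shared collaboration elements.

Added example, not the XGSP/XFLOOR implementation. It shows one floor-control
policy (first-come, first-served, with chair pre-emption); the whiteboard
scenario and all names are this example's own assumptions.
"""
import threading
import time
from collections import deque
from typing import Deque, List, Optional, Tuple


class Floor:
    """One floor per shared element. Only the holder may change its state."""

    def __init__(self, name: str, chair: str):
        self.name = name
        self.chair = chair
        self.holder: Optional[str] = None
        self.queue: Deque[str] = deque()
        self.state: List[Tuple[str, str]] = []   # (user, operation) log of the shared state
        self._lock = threading.Lock()            # protects holder, queue and state together

    def request(self, user: str) -> Optional[str]:
        """Grant immediately if free, otherwise join the FIFO queue; returns the holder."""
        with self._lock:
            if self.holder is None:
                self.holder = user
            elif user != self.holder and user not in self.queue:
                self.queue.append(user)
            return self.holder

    def release(self, user: str) -> Optional[str]:
        """Hand the floor to the next waiting user (or leave it free)."""
        with self._lock:
            if self.holder != user:
                raise PermissionError(f"{user} does not hold the floor {self.name}")
            self.holder = self.queue.popleft() if self.queue else None
            return self.holder

    def revoke(self, by: str, user: str) -> Optional[str]:
        """Chair pre-emption: take the floor away from its current holder."""
        if by != self.chair:
            raise PermissionError(f"{by} is not the chair")
        with self._lock:
            if self.holder != user:
                return self.holder
            self.holder = self.queue.popleft() if self.queue else None
            return self.holder

    def apply(self, user: str, operation: str) -> bool:
        """Update the shared state only for the holder; everyone else is refused."""
        with self._lock:
            if self.holder != user:
                return False
            self.state.append((user, operation))
            return True


def contend(users: List[str], ops_per_user: int = 3) -> List[Tuple[str, str]]:
    """Run several users concurrently against one floor and return the state log."""
    floor = Floor("whiteboard", chair="chair")

    def worker(user: str) -> None:
        while floor.request(user) != user:   # wait until the floor is granted to us
            time.sleep(0.001)
        for i in range(ops_per_user):
            floor.apply(user, f"stroke{i}")
        floor.release(user)

    threads = [threading.Thread(target=worker, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return floor.state


def serialized(log: List[Tuple[str, str]], ops_per_user: int = 3) -> bool:
    """True if each user's operations form one uninterrupted run in the log."""
    runs = [user for i, (user, _) in enumerate(log) if i == 0 or log[i - 1][0] != user]
    return len(runs) == len(set(runs)) and all(
        sum(1 for u, _ in log if u == user) == ops_per_user for user in runs)
```

The single lock is what makes the grant and the state update one atomic decision; splitting them (check the holder, then write without the lock) would reintroduce the race the floor is meant to remove.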

Research Designs (1): XGSP (XML based General Session Protocol)

- Our lab's conference collaboration framework for integrating multiple heterogeneous communities
  - General session protocol defined in XML to handle collaboration
  - Built on both mobile and non-mobile devices
- XGSP current capabilities
  - Manage membership
  - Maintain connectivity
  - Organize sessions
  - Support collaborative applications
  - Support heterogeneous communities (H.323, SIP)
- XGSP missing / desired features
  - Integration of access and floor control mechanisms into the XGSP framework
  - Fault-tolerant role capability

Research Designs (1): XGSP Framework Components

- Conference manager
  - Registries of all scheduled conferences
  - Registries of collaborative applications
  - User accounts
  - Policies
- Node manager
  - User interface for the XGSP conference management service
  - Factories for all kinds of applications
- XGSP conference control
  - Conference management service
  - Application management service
    - Access control service
    - Floor control service

Research Designs (2): XRBAC (XML Role Based Access Control)

- Policies are defined in XML so that only authorized users can access protected collaboration environments
- Authorization is granted either explicitly by the conference chair or implicitly to a user authorized by predefined policies
  - Performed dynamically at runtime by activation rules, or statically by predefined policies
- Fine-grained control
  - Allow a user of a group in a role to access resources at a certain time
  - Allow groups of users to access resource attributes
- Push and pull policy modes
  - Push mode: policies are passed to a user by the conference manager at conference join time; this leads to policy consistency across nodes
  - Pull mode: policies are retrieved from the internal store of a user node at access time
- Benefits
  - Ease of understanding, management, scalability, and dynamic fine-grained control
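To make the XRBAC decision rules concrete, here is an added example (not the thesis's XRBAC implementation) of a policy evaluator that covers the points on this slide: static role assignments predefined in XML, runtime activation and deactivation of a role by the conference chair, a permission bound to a time window, and attribute-level permissions on a resource. The XML schema (`<xrbac chair=...>`, `<role>`, `<permission>`, `<assignment>`) and the whiteboard policy are this example's own assumptions; the slides only state that policies are written in XML.

```python
"""XRBAC-style policy evaluation.

Added example, not the thesis's XRBAC implementation. The element and attribute
names (<xrbac chair=...>, <role>, <permission>, <assignment>) are this example's
own assumption; the slides only say that policies are written in XML.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Optional, Set

# Constructed sample policy. from/to give the wall-clock window (HH:MM) in which a
# permission is active; attribute="*" covers every attribute of the resource.
POLICY_XML = """
<xrbac chair="carol">
  <role name="presenter">
    <permission resource="whiteboard" attribute="*" action="write" from="09:00" to="10:00"/>
  </role>
  <role name="participant">
    <permission resource="whiteboard" attribute="annotation" action="write"/>
    <permission resource="whiteboard" attribute="*" action="read"/>
  </role>
  <assignment user="alice" role="presenter"/>
  <assignment user="bob" role="participant"/>
</xrbac>
"""


@dataclass(frozen=True)
class Permission:
    resource: str
    attribute: str          # "*" or one named attribute of the resource
    action: str
    start: Optional[time]   # None means no time constraint
    end: Optional[time]

    def matches(self, resource: str, attribute: str, action: str, now: time) -> bool:
        if (resource, action) != (self.resource, self.action):
            return False
        if self.attribute not in ("*", attribute):
            return False
        if self.start is not None and not (self.start <= now < self.end):
            return False
        return True


@dataclass
class Policy:
    chair: str
    roles: Dict[str, List[Permission]]
    static_roles: Dict[str, Set[str]]                                 # predefined in the policy
    active_roles: Dict[str, Set[str]] = field(default_factory=dict)   # activated at runtime

    @classmethod
    def from_xml(cls, text: str) -> "Policy":
        # A policy received from another node is untrusted input: parse it with
        # defusedxml.ElementTree there; the stdlib parser is used here for portability.
        root = ET.fromstring(text)
        roles: Dict[str, List[Permission]] = {}
        for r in root.findall("role"):
            perms = []
            for p in r.findall("permission"):
                start, end = p.get("from"), p.get("to")
                if (start is None) != (end is None):
                    raise ValueError("a time window needs both from and to")
                perms.append(Permission(
                    p.get("resource"), p.get("attribute", "*"), p.get("action"),
                    time.fromisoformat(start) if start else None,
                    time.fromisoformat(end) if end else None))
            roles[r.get("name")] = perms
        static: Dict[str, Set[str]] = {}
        for a in root.findall("assignment"):
            if a.get("role") not in roles:
                raise ValueError(f"unknown role {a.get('role')}")
            static.setdefault(a.get("user"), set()).add(a.get("role"))
        return cls(root.get("chair"), roles, static)

    def roles_of(self, user: str) -> Set[str]:
        return self.static_roles.get(user, set()) | self.active_roles.get(user, set())

    def activate(self, by: str, user: str, role: str) -> None:
        """Explicit authorization: only the conference chair activates a role at runtime."""
        if by != self.chair:
            raise PermissionError(f"{by} is not the conference chair")
        if role not in self.roles:
            raise ValueError(f"unknown role {role}")
        self.active_roles.setdefault(user, set()).add(role)

    def deactivate(self, by: str, user: str, role: str) -> None:
        if by != self.chair:
            raise PermissionError(f"{by} is not the conference chair")
        self.active_roles.get(user, set()).discard(role)

    def decide(self, user: str, resource: str, attribute: str, action: str, now: str) -> bool:
        """Implicit authorization: any permission of any role the user currently holds.
        Default deny: no matching permission means no access. now is "HH:MM"."""
        clock = time.fromisoformat(now)
        return any(p.matches(resource, attribute, action, clock)
                   for role in self.roles_of(user)
                   for p in self.roles.get(role, ()))
```

In push mode the conference manager would hand `POLICY_XML` to every node at join time, so all nodes evaluate the same `Policy`; in pull mode each node parses whatever sits in its local store at access time, which is where the consistency caveat on the slide comes from.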

Research Designs (2): Architectural Design of Integrating the XRBAC Service into the XGSP Framework

[Figure: architecture diagram. The Conference Manager Service / Message System pushes policies to both the chair node and the user node, with a KMC (Key Management Center) attached to it. Each node runs an Authentication Service, an Access Decision Service and an Activation / Deactivation Service over a Local Policy Store, from which policies are pulled. Access Request and Decision Response messages flow between the nodes.]

Milestones

- Designed and built a general conference control framework on both mobile (cell phone) and non-mobile devices
  - Defined a general session protocol in XML (XGSP)
- Designed and implemented collaborative applications on both non-mobile and mobile (cell phone) devices
- Define the definitions and rules of collaboration roles
- Define access control policies
  - Define role-based access control policies in XML (XRBAC)
- Integrate the access control mechanism into the collaboration system
- Integrate the floor control mechanism into the collaboration system
  - Define floor control policies in XML (XFLOOR)
- Design and implement the fault-tolerant role mechanism

Contributions

- Provides an approach for heterogeneous community collaboration
  - A mechanism that makes systems more usable and more useful, maximizing the collaborative capabilities available to a collaborator
- Provides an approach for universal collaboration and access with mobile devices such as cell phones
  - A mechanism by which users can access collaborative systems independent of their access device and its physical capabilities
- Provides an approach for access control in collaboration systems
  - A mechanism that lets only authorized users access the variety of protected information and resources
- Provides an approach for maintaining system and shared-state consistency at the application level
  - A mechanism by which users attain exclusive control of shared resources without access conflicts, under static or dynamic fine-grained control

Literature Survey (1): H.323

- ITU standard for the exchange of voice, video, and data
- A set of standards for group communication
- TCP for call setup and control signaling
- UDP (RTP) for audio/video

Literature Survey (2): SIP (Session Initiation Protocol)

- Designed by the IETF
- Lightweight, generic signaling protocol for interactive communication sessions between users
- Defines how to establish, maintain, and terminate Internet sessions, including multimedia conferences
- Provides basic functions such as user location resolution, capability negotiation, and call management
- Text-based, with a request/response style like HTTP
  - Difference: SIP is used for human-to-human communication and to locate individual users

Literature Survey (3): AG (Access Grid)

- A project initiated by Argonne National Laboratory
- Designed for group-to-group collaboration across high-performance networks
- A form of collaborative technology that uses synchronous communication
- Uses IP multicast for audio/video

Literature Survey (4): VRVS (Virtual Rooms Videoconferencing System)

- A web-oriented collaboration system for videoconferencing and collaborative work over IP networks
- Composed of two parts
  - Web server: the users' interface for connecting to videoconferences and launching AV applications
  - Reflector: dedicated software that distributes audio, video, and data among collaborating users, interconnecting each user to a Virtual Room

Literature Survey (5): Access Matrix

- Authorization is expressed as the set of operations each subject is allowed to perform on each object
- Access Control List (ACL): a column of the matrix (one object, all subjects)
- Capability list: a row of the matrix (one subject, all objects)
- Shortcoming
  - Does not allow fine-grained access control over object attributes

[Figure: an access matrix for subjects Alice and Bob over File 1, File 2 and File 3 with rights Own, R and W, shown beside the same authorizations as per-object ACLs and per-subject capability lists]
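The column/row duality and the attribute-granularity shortcoming are both short to show in code. The following is an added example, not from the thesis: a matrix keyed by subject and object, with `acl` reading a column, `capability_list` reading a row, `from_acls` rebuilding the matrix from its ACLs to show that the two views carry identical information, and `split_attributes` showing that the only way an access matrix reaches attribute granularity is to turn every attribute into its own object, multiplying the cells. The matrix contents are constructed and only borrow the figure's subject and file names; the individual rights are this example's assumption.

```python
"""Access matrix, ACLs and capability lists.

Added example, not part of the thesis proposal. The matrix is a constructed
sample that borrows the figure's subjects and file names; the rights in each
cell are this example's own assumption.
"""
from typing import Dict, FrozenSet, Iterable

Rights = FrozenSet[str]
Matrix = Dict[str, Dict[str, Rights]]   # subject -> object -> rights

MATRIX: Matrix = {
    "Alice": {"File 1": frozenset({"Own", "R", "W"}), "File 2": frozenset({"R"})},
    "Bob":   {"File 2": frozenset({"Own", "R", "W"}), "File 3": frozenset({"W"})},
}


def authorized(matrix: Matrix, subject: str, obj: str, op: str) -> bool:
    """The cell (subject, obj) is the entire authorization state for that pair."""
    return op in matrix.get(subject, {}).get(obj, frozenset())


def acl(matrix: Matrix, obj: str) -> Dict[str, Rights]:
    """Column view: one object, every subject holding rights on it."""
    return {s: row[obj] for s, row in matrix.items() if obj in row}


def capability_list(matrix: Matrix, subject: str) -> Dict[str, Rights]:
    """Row view: one subject, every object it may act on."""
    return dict(matrix.get(subject, {}))


def from_acls(acls: Dict[str, Dict[str, Rights]]) -> Matrix:
    """Rebuild the matrix from per-object ACLs: both views hold the same information."""
    matrix: Matrix = {}
    for obj, entries in acls.items():
        for subject, rights in entries.items():
            matrix.setdefault(subject, {})[obj] = rights
    return matrix


def split_attributes(matrix: Matrix, obj: str, attributes: Iterable[str]) -> Matrix:
    """Attribute granularity is only reachable by making each attribute a separate
    object. Every right on obj is copied to each new object, so the cell count
    grows with the number of attributes and must then be maintained per attribute."""
    attributes = list(attributes)
    new: Matrix = {}
    for subject, row in matrix.items():
        new_row = {o: r for o, r in row.items() if o != obj}
        if obj in row:
            for attr in attributes:
                new_row[f"{obj}.{attr}"] = row[obj]
        new[subject] = new_row
    return new


def cell_count(matrix: Matrix) -> int:
    """Number of non-empty cells, i.e. the size of the authorization state."""
    return sum(len(row) for row in matrix.values())
```

After `split_attributes`, restricting Alice to read only the title of File 2 means editing the new `File 2.body` cell by hand; nothing in the matrix model expresses "this attribute" directly, which is the gap the slide points at.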

Literature Survey (6): RBAC (Role Based Access Control)

- Privileges (permissions) to use resources are attached to a role, not to a specific user
  - Roles are assigned to users (role assignment) and permissions are assigned to roles (permission assignment)
- Benefit
  - Scalable, because users can easily be reassigned from one role to another
- Shortcoming
  - Lacks the ability to specify fine-grained control on individual users within a role and on individual resource instances

[Figure: Users -> Roles -> Permissions, linked by role assignment and permission assignment; the example shows users, a role, and Submit / Read permissions on a target policy]

Literature Survey (7): PERMIS (Privilege and Role Management Infrastructure Standards)

- Role-based PMI
- Policies are written in XML and stored as X.509 ACs (Attribute Certificates) residing in an LDAP directory
- Access control enforcement function (AEF)
  - Authenticates the user and asks the ADF whether the user is allowed to perform the requested action on the target resource
- Access control decision function (ADF)
  - Accesses LDAP to retrieve the authorization policy and the user's role AC, and makes a decision based on these

[Figure: the Authentication Service and AEF pass a decision request through the PERMIS PMI API to the ADF, which consults LDAP and returns the decision]

Literature Survey (8): CAS (Community Authorization Service)

- Implements RBAC using an authorization server (CAS server)
- Fine-grained access control can be delegated to the administrator of the community
- Shortcomings
  - Single point of failure: the CAS server
  - Lack of dynamic change of permissions at runtime

[Figure: a community of users and resources around a CAS server; the decision role is delegated to the community administrator. 1. A user issues a request to the CAS server; 2. the CAS server issues a CAS credential with the capability; 3. the user sends an access request to the resource with the issued CAS credential]
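The three-step flow in the figure, and the "no dynamic change at runtime" shortcoming, can be reproduced with a small credential issuer and verifier. This is an added example, not Globus CAS code: the credential is a base64 JSON body carrying the user's capabilities and an expiry, authenticated with HMAC-SHA256 under a key shared between the CAS server and the resource. That HMAC is this example's stand-in for the signature on a real CAS credential, and the community, administrator and resource names are constructed. The `scenario` function walks through issue, accept, revoke-at-server and expiry, showing that a revocation at the CAS server does not reach a credential that is already in the user's hands until it expires.

```python
"""Capability credentials in the style of a CAS server.

Added example, not Globus CAS code. The credential format (base64 JSON body plus
an HMAC-SHA256 tag under a key shared by CAS server and resource) is this example's
own stand-in for the signed credential CAS issued; community, admin and resource
names are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Set, Tuple


class CASServer:
    def __init__(self, community: str, key: bytes, admin: str):
        self.community = community
        self._key = key
        self.admin = admin
        self._grants: Dict[str, Set[Tuple[str, str]]] = {}   # user -> {(resource, action)}

    def grant(self, by: str, user: str, resource: str, action: str) -> None:
        """Fine-grained decisions are delegated to the community administrator."""
        if by != self.admin:
            raise PermissionError(f"{by} is not the community administrator")
        self._grants.setdefault(user, set()).add((resource, action))

    def revoke(self, by: str, user: str, resource: str, action: str) -> None:
        if by != self.admin:
            raise PermissionError(f"{by} is not the community administrator")
        self._grants.get(user, set()).discard((resource, action))

    def issue(self, user: str, now: int, ttl: int = 300) -> str:
        """Step 2: a credential listing the user's current capabilities, valid until now + ttl."""
        payload = {"sub": user, "community": self.community,
                   "caps": sorted(self._grants.get(user, ())), "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"


class Resource:
    def __init__(self, name: str, key: bytes, community: str):
        self.name = name
        self._key = key
        self.community = community

    def authorize(self, credential: str, action: str, now: int) -> bool:
        """Step 3: check tag, expiry and community, then whether the capability covers this action."""
        try:
            body, tag = credential.rsplit(".", 1)
        except ValueError:
            return False
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] <= now or payload["community"] != self.community:
            return False
        return [self.name, action] in payload["caps"]   # JSON turned the tuples into lists


def scenario() -> Dict[str, bool]:
    """Constructed run: a server-side revocation does not reach an already issued credential."""
    key = b"shared-secret-for-demo-only"   # constructed; a deployment would use per-resource keys or PKI
    cas = CASServer("astro-community", key, admin="admin")
    dataset = Resource("dataset", key, "astro-community")
    cas.grant("admin", "alice", "dataset", "read")
    cred = cas.issue("alice", now=1000)                      # valid until 1300
    results = {
        "read_allowed": dataset.authorize(cred, "read", now=1100),
        "write_denied": not dataset.authorize(cred, "write", now=1100),
    }
    cas.revoke("admin", "alice", "dataset", "read")
    results["still_valid_after_revoke"] = dataset.authorize(cred, "read", now=1200)
    results["fresh_credential_denied"] = not dataset.authorize(cas.issue("alice", now=1200), "read", now=1200)
    results["expired_denied"] = not dataset.authorize(cred, "read", now=1300)
    tampered = cred[:-1] + ("0" if cred[-1] != "0" else "1")
    results["tampered_denied"] = not dataset.authorize(tampered, "read", now=1100)
    return results
```

The `still_valid_after_revoke` result is the runtime-change shortcoming from the slide in one line: the resource never talks to the CAS server during step 3, so the only lever is the credential lifetime, and a short `ttl` trades that weakness for more load on the single server that is also the single point of failure.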
