1. Field of the Invention
The present invention relates to a distributed computing system for performing resource reservation and user verification using distributed computing resources.
2. Description of the Related Art
The current distributed computing system comprises a plurality of domains (or trust domains) of logical structure where integral local security policy is established. Each domain is a cluster of computing entities such as routers, log servers and/or parallel computer controlled by a common management and security policy. For those computing entities that belong to the same trust domain, it is not necessary to repeat user verification between resources once user verification is established. However, if computing entities belong to different domains, verification is necessary for each domain. If a user desires to activate multiple resources belonging to different trust domains, verification is necessary for the user to access each resource. In addition, if multiple processes are activated on different resources, verification is required between the activated resources. It is therefore troublesome for users to perform verification procedures themselves. Therefore, there exists a need to develop a single sign-on verification system that eliminates the need to repeat user verification once the user is verified.
To alleviate the problem discussed above, the technique known as Grid Security Infrastructure (GSI) has been developed. According to this technique, a resource proxy is defined to act as an agent for translating inter-domain security operations and local intra-domain mechanisms as described in Ian Foster et al., “A Security Architecture for Computational Grids”, Proceedings of the 5th ACM Conference on Computer and Communication Security, pages 83-92, 1998. In the known distributed computing system, a host computer is connected through a communications network to a number of resource proxies each being associated with one or more computing resources. Each resource proxy holds information known as “resource credential CRP” to identify a particular resource. One such example is a combined set of a certificate signed by a certificate authority and a non-encrypted private key. On each computing resource, a user process is activated in response to a request from the user. The user process holds information known as “process credential” to verify the ownership of the process.
On the host computer, a user proxy is created to perform “resource allocation and process creation” in response to a request from the user and a “resource allocation from a user process” in response to a request from an activated user process of other domain. The user proxy maintains information known as “user proxy credential CUP” which is valid for a limited period of time. A mutual verification proceeds between the user process on the host computer and the resource proxy via the communications network to confirm that the valid period of the user proxy credential is not expired. For verification on the user side, the user proxy credential CUP” is used and for verification on the resource side the resource credential CRP is used.
Once verification is successful between a user proxy and a resource proxy, the user proxy requests the resource proxy to allocate a resource by submitting to it a signed request message. The resource proxy checks with the local security policy and determines whether the requested resource can be allocated to the user if the request is accompanied with the user proxy credential signature. If permission is granted to the request, the resource proxy generates a “resource-credentials tuple” indicating user ID and resource IDs and safely hands it over to the user proxy. If the user proxy determines that it is acceptable, the user proxy signs it and creates a process credential CP of the requested resource and sends it back to the resource proxy. The resource proxy then allocates the requested resource. On the allocated resource the user process is activated and the process credential CP is handed over to the activated user process.
When a user process, which is activated on an allocated resource, is in need of another computing resource, a mutual verification proceeds between the activated user process and the user proxy using the process credential CP to verify the user process and the user proxy credential CUP to verify the user proxy. If the verification is successful, the activated user process on the allocated resource requests the user proxy to allocate a signed resource. In response to this request, the user proxy performs a resource allocation with a resource proxy, which is associated with the requested resource.
However, the prior art distributed computing system has the following shortcomings:                a) During a resource reservation process, the user has the trouble of specifying details for scheduling the necessary resources;        b) The user process, which is activated on a reserved computing resource, is not capable of acting as an agent for the user to perform user verification with other resources during the limited period of reservation; and        c) When a reserved resource is activated, the user has the trouble of manually performing user verification.        