删除或更新信息,请邮件至freekaoyan#163.com(#换成@)

一种适用于Hadoop云平台的访问控制方案

清华大学 辅仁网/2017-07-07
一种适用于Hadoop云平台的访问控制方案
王志华(),庞海波,李占波
Access control for Hadoop-based cloud computing
Zhihua WANG(),Haibo PANG,Zhanbo LI
Software Technology School, Zhengzhou University, Zhengzhou 450002, China

摘要:
HTML
输出: BibTeX | EndNote (RIS) 背景资料
文章导读
摘要分析了Hadoop云计算平台的安全需求,设计了一种基于身份的Capability (ID-CAP), 并提出了一种基于ID-CAP的Hadoop访问控制方案。方案设计采用了最小授权原则,实现了基于Capability的访问控制,使用户在Hadoop平台上提交的作业能以最小权限运行。实验结果表明: 基于Capability的访问控制机制能有效实现在Hadoop平台上实施最小授权原则,支持平台内部相互依赖的各模块之间的身份认证,有效提高Hadoop平台的系统安全性和稳定性。
关键词 访问控制,权能,Hadoop,云计算,最小授权原则
Abstract:An identity-based capability (ID-CAP) method is given to provide secure access control to Hadoop cloud computing platforms. The capability-based access control design follows the least privilege principle with the platform running tenant jobs using a least privilege set. Tests show that the capability-based access control can be efficiently implemented to support mutual authentication between different servers in a Hadoop platform while satisfying the least privilege requirement to improve platform security and stability.

Key wordsaccess controlcapabilityHadoopcloud computingthe least-privilege principle
收稿日期: 2013-12-01 出版日期: 2015-04-16
ZTFLH: 
基金资助:河南省自然科学基金资助项目 (2011B520036);河南省基础与前沿技术研究资助项目 (142300410226)
引用本文:
王志华, 庞海波, 李占波. 一种适用于Hadoop云平台的访问控制方案[J]. 清华大学学报(自然科学版), 2014, 54(1): 53-59.
Zhihua WANG, Haibo PANG, Zhanbo LI. Access control for Hadoop-based cloud computing. Journal of Tsinghua University(Science and Technology), 2014, 54(1): 53-59.
链接本文:
http://jst.tsinghuajournals.com/CN/ http://jst.tsinghuajournals.com/CN/Y2014/V54/I1/53


图表:
符号 解释
PermListW 一个MapReduce作业所需要的访问权限列表
ExpTime 过期时间
PK Hadoop平台内部CA公钥
SK Hadoop平台内部CA私钥
PKJ MapReduce作业所使用的公钥
SKJ MapReduce作业所使用的私钥
ID-CAPJ MapReduce作业的capability
<msg>SK 由私钥SK签名的消息


符合及其解释
提交一个MapReduce作业
作业进程访问HDFS
方案类型 操作类型 ThroughputMB·s-1 Average IO rateMB·s-1
原生Hadoop Read 39.82 42.02
Write 18.82 19.23
ID-CAP based Read 39.17 41.43
Write 18.02 18.38


HDFS读写测试
测试目标 原生
Hadoop/s		 ID-CAP based
Hadoop/s
生产随机数据MapReduce
(map: 90, reduce: 0)		 877 880
排序MapReduce
(map: 720, reduce: 48)		 5 655 5 663
排序正确性检查MapReduce
(map: 138, reduce: 1)		 865 867


排序测试
测试次数 原生Hadoop
AvgTime/μs		 ID-CAP based Hadoop
AvgTime/μs
numRuns=100 31 413 33 047


MapReduce连续性测试


参考文献:
[1] Lampson B K. Protection [J]. Operating Systems Review, 1974, 8(1): 18-24.
[2] Snyder L. Formal models of capability-based protection systems[J]. IEEE Transactions on Computers, 1981, 30(3): 172-181.
[3] Kain R Y, Landwehr C E. On access checking in capability-based systems[J]. IEEE Transactions on Software Engineering, 1987, SE13(2): 95-101.
[4] Karger P A. Improving security and performance for capability systems [D]. London, UK: University of Cambridge, 1988.
[5] Gong L. A secure identity-based capability system [C]// Proceedings of the 1989 IEEE Symposium on. Security and Privacy. Oakland, USA: IEEE Computer Society Press, 1989: 56-63.
[6] Boebert W E. On the inability of an unmodified capability machine to enforce the property [C]// Proceedings of the 7th DoD/NBS Computer Security Conference. Gaithersburg, USA: National Bureau of Standards, 1984: 291-293.
[7] Landwehr C E. Formal models for computer security[J]. ACM Computing Surveys, 1981, 13(3): 247-278.
[8] Lampson B W. A note on the confinement problem[J]. Communications of the ACM on Operation Systems, 1973, 16(10): 613-615.


相关文章:
[1]刘荣华,魏加华,翁燕章,王光谦,唐爽. HydroMP:基于云计算的水动力学建模及计算服务平台[J]. 清华大学学报(自然科学版), 2014, 54(5): 575-583.

相关话题/计算 测试 授权 方案 生产

Free考研考试FreeKaoYan.Com
欢迎来到Free考研考试,"为实现人生的Free而奋斗"

© 2020 FreeKaoYan! . All rights reserved.