Trust-Based Access Control Model in the Hadoop Cloud Platform  Cited by: 17

New Trust Based Access Control Model in Hadoop


Authors: Liu Sha (刘莎) [1], Tan Liang (谭良) [1,2]

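Affiliations: [1] College of Computer Science, Sichuan Normal University, Chengdu 610068; [2] Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190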

Source: Computer Science (《计算机科学》), 2014, No. 5, pp. 155-163 (9 pages)

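Funding: Supported by the National Natural Science Foundation of China (60970113) and the National Natural Science Foundation of China Young Scientists Fund (60903073)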

Abstract: Hadoop is one of the most popular cloud computing platforms today. Its existing access control model uses Kerberos for identity authentication, combined with an ACL-based authorization mechanism, and relies on tokens such as the Delegation Token and Block Access Token to implement simple access control on the platform. This model has an obvious shortcoming: at authorization time it considers only the authenticity of the user's identity, not the trustworthiness of the user's subsequent behavior, and once a permission is granted it is no longer supervised. This paper proposes LT, a new trust-based access control model for the Hadoop cloud platform. Building on the existing Hadoop access control model, LT assigns a trust value to each user, updates that value in real time from the records of the user's behavior in the cluster, and dynamically controls the user's access to the platform according to it. Compared with the existing Hadoop access control model, authorization in LT is no longer a one-time gate check but a real-time, dynamic process, with finer granularity and higher security and flexibility. Experiments show that the model is not only correct and effective, but also overcomes the insufficient security of access control in the current Hadoop platform and can dynamically and effectively control users' access to and use of cluster resources.

Keywords: cloud computing; cloud platform; Hadoop; access control; trust value

Classification: TP319 [Automation and Computer Technology: Computer Software and Theory]

 
