面向HDFS的密钥资源控制机制  

作　　者：金伟[1,2,3] 李凤华 余铭洁[1,4] 郭云川 周紫妍 房梁[1] JIN Wei;LI Fenghua;YU Mingjie;GUO Yunchuan;ZHOU Ziyan;FANG Liang(Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China;School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China;China Academy of Information and Communications Technology,Beijing 100191,China;School of Cyber Security,University of Science and Technology of China,Hefei 230027,China)

机构地区：[1]中国科学院信息工程研究所,北京100093 [2]中国科学院大学网络空间安全学院,北京100049 [3]中国信息通信研究院,北京100191 [4]中国科学技术大学网络空间安全学院,安徽合肥230027

出　　处：《通信学报》2022年第9期27-41,共15页Journal on Communications

基　　金：国家自然科学基金资助项目(No.U1836203,No.61872441);国家重点研发计划基金资助项目(No.2018YFB2100400);中国科学院青年创新促进会人才基金资助项目(No.2021154)。

摘　　要：大数据环境呈现多用户跨网交叉访问、多服务协同计算、数据跨服务流动、海量文件管控复杂的特点,现有密钥资源控制模型和机制不完全适用于大数据场景。针对大数据环境的密钥资源控制、操作语义归一化描述、细粒度访问控制的需求,从密钥资源控制的场景要素及属性出发,通过映射面向网络空间的访问控制(Co AC)模型,提出了面向HDFS的密钥资源控制机制;然后,给出了面向HDFS的密钥资源控制管理机制(CKCM),包括管理子模型和管理支撑模型,并用Z语言形式化地描述了管理模型中的管理函数和管理方法;最后,基于XACML实现CKCM系统,实现HDFS中密钥及文件资源的细粒度安全访问控制。The big data environment presents the characteristics of multi-user cross-network cross-access,multi-service collaborative computing,cross-service data flow,and complex management of massive files.The existing access control models and mechanisms are not fully applicable for big data scenarios.In response to the needs of fine-grained access control and multi-service strategy normalization for cryptographic data in the big data environment,starting from the scene elements and attributes of access control,the HDFS-oriented CKCM was proposed by mapping the cyberspace-oriented access control(CoAC)model.Subsequently,a fine-grained access control management model for HDFS was proposed,including management sub-models and management supporting models.The Z-notation was used to formally describe the management functions and management methods in the management model.Finally,the CKCM system was implemented based on XACML to realize fine-grained secure access control for managing file and secret keys in HDFS.

关 键 词：大数据平台 密钥管理 资源控制 面向网络空间的访问控制 

分 类 号：TP302[自动化与计算机技术—计算机系统结构]