Authors: 林莉 (LIN Li), 毛新雅 (MAO Xin-Ya) [1,2], 储振兴 (CHU Zhen-Xing), 解晓宇 (XIE Xiao-Yu) [1,2]
Affiliations: [1] College of Computer Science, Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China; [2] Beijing Key Laboratory of Trusted Computing (Beijing University of Technology), Beijing 100124, China
Source: 《软件学报》 (Journal of Software), 2024, No. 3, pp. 1357-1376 (20 pages)
Funding: National Natural Science Foundation of China (61502017).
Abstract: In a hybrid cloud environment, enterprise business applications and data are often transferred across different cloud services. For complex and diversified cloud service environments, most hybrid cloud applications adopt access control policies made around only access subjects and adjust the policies manually, which cannot meet the fine-grained dynamic access control requirements at different stages of the data life cycle. This study proposes AHCAC, an adaptive access control method oriented to data life cycle in a hybrid cloud environment. Firstly, the policy description idea based on key attributes is employed to unify the heterogeneous policies of the full life cycle of data under the hybrid cloud. Especially, the "stage" attribute is introduced to explicitly identify the life-cycle state of data, which is the basis for achieving fine-grained access control oriented to data life cycle. Secondly, in view of the similarity and consistency of access control policy with the same life-cycle stage, the policy distance is defined, and a hierarchical clustering algorithm based on the policy distance is proposed to construct the corresponding data access control policy in each life-cycle stage. Finally, when the life-cycle stage of data is changed, the adaptation and loading of policies of corresponding data stages in the policy evaluation engine are triggered through key attribute matching, which realizes the adaptive access control oriented to the data life cycle. This study also conducts experiments to verify the effectiveness and feasibility of the proposed method on OpenStack and open-source policy evaluation engine Balana.
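Keywords: hybrid cloud; data life cycle; access control; hierarchical clustering; adaptive policy adjustment
Classification number: TP311 [Automation and Computer Technology: Computer Software and Theory]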