Computer Science ›› 2014, Vol. 41 ›› Issue (5): 155-163. doi: 10.11896/j.issn.1002-137X.2014.05.033

• Information Security •

A Trust-Based Access Control Model for the Hadoop Cloud Platform

LIU Sha, TAN Liang

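  1. College of Computer Science, Sichuan Normal University, Chengdu 610068
  • Publication date: 2018-11-14 Release date: 2018-11-14
  • Funding:
    This work was supported by the National Natural Science Foundation of China (60970113) and the National Natural Science Foundation of China Youth Fund (60903073)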

New Trust Based Access Control Model in Hadoop

LIU Sha and TAN Liang   

  • Online:2018-11-14 Published:2018-11-14

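Abstract (translated from the Chinese): Hadoop is currently one of the most popular cloud computing platforms. Its existing access control model uses Kerberos for identity authentication, combined with an ACL-based authorization mechanism, and relies on tokens such as the Delegation Token and Block Access Token to implement simple access control on the platform. This model has an obvious shortcoming: it considers only the authenticity of the user's identity at authorization time and does not consider the trustworthiness of the user's subsequent behavior, and once a permission is granted it is no longer supervised. This paper proposes LT, a new trust-based access control model suited to the Hadoop cloud platform. Building on the existing Hadoop access control model, LT assigns each user a trust value, updates that value in real time from the records of the user's behavior in the cluster, and dynamically controls the user's access to the platform according to it. Compared with the existing Hadoop access control model, authorization in LT is no longer a single checkpoint but a real-time, dynamic process, with finer granularity and greater security and flexibility. Experiments show that the model is correct and effective, overcomes the insufficient security of access control in the current Hadoop platform, and can dynamically and effectively control users' access to and use of cluster resources.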

Abstract: Hadoop is one of the most popular cloud computing platforms. Its existing access control model adopts Kerberos for identity verification, combines it with an ACL-based authorization mechanism, and uses the Delegation Token and Block Access Token to realize a simple access control mechanism. This model has an obvious shortcoming: when authorizing, it considers only the authenticity of a user's identity, not the credibility of the user's subsequent behavior. Once an access right is granted, there is no further supervision. This paper proposes a new trust-based access control model for Hadoop, called LT, which builds on the existing access control model in Hadoop. LT sets a trust value for each user, updates this value according to the user's behavior records, and uses the trust value to control the user's access to the Hadoop cluster dynamically. Compared with the existing access control model in Hadoop, access authorization in LT is not a one-time decision but a real-time, dynamic process, so LT is more secure, more flexible, and has finer control granularity. Experiments show that the model is not only correct and effective but also overcomes the insufficient security of the existing access control model in Hadoop. It can dynamically and effectively control a user's access to and use of the resources supplied by a Hadoop cluster.

