Computer Science (计算机科学), 2019, Vol. 46, Issue 11: 123-129. doi: 10.11896/jsjkx.190300112
ZHAO Peng (赵鹏)¹, WU Li-fa (吴礼发)², HONG Zheng (洪征)¹
Abstract: Multicloud combines cloud resources freely in a provider-independent way, without requiring providers to change their technical solutions or operating models; it is a widely accepted intercloud model with significant value for adoption. A cloud broker delivers transparent services to both cloud providers and cloud users and composes the resources of several providers on demand, which lowers the difficulty of cross-cloud collaboration, the risk of provider lock-in and the cost borne by users. However, the heterogeneity of access control policies across cloud providers and the lack of a trust mechanism between them readily lead to security risks such as privacy leakage and data loss, which seriously hinder the adoption of multicloud. This paper considers trust, context and service level agreements (SLAs) together and proposes a broker-based multicloud access control model (MC-ABAC). First, the structure of the multicloud access control model is built; it consists of a virtual resource manager (VRM), an access control manager (ACM) and a cloud access control broker (CACB). Second, the multicloud access control model is designed: it defines subjects, resources, environments and operations, formally describes trust, context, SLAs and authorization policies, and realizes trust measurement of cloud providers and cross-cloud authorization. Third, the workflows of multicloud access control are designed, covering access to the multicloud from a local provider and access to the multicloud through the CACB. Finally, a multicloud access control environment is built with CloudSim 4.0 and OpenAZ to evaluate availability metrics of the model such as request success rate and response time. Experimental results show that, under normal use with a large number of requests, the request success rate of the model is about 18% higher than that of the ABAC model, and its response time is better than that of ABAC.
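As an added illustration, not code or a formal definition from the paper, the following Python sketch shows the kind of decision the abstract describes: an attribute-based rule over subject, resource, environment and operation that is additionally gated on a provider trust score and an SLA check before cross-cloud access is permitted. The attribute names, the toy trust metric and all sample values are constructed assumptions.

```python
# Constructed sketch (not the paper's formal model): a request carries subject,
# resource, environment and operation attributes; a rule additionally demands a
# minimum provider trust score and SLA guarantees before cross-cloud access is granted.

def attrs_match(required, actual):
    # every required attribute must be present with the same value
    return all(actual.get(k) == v for k, v in required.items())

def sla_satisfied(required, offered):
    # a guarantee the provider does not offer counts as 0 and therefore fails
    return all(offered.get(k, 0) >= v for k, v in required.items())

def trust_score(history):
    # toy trust metric (assumption): share of past interactions the provider
    # honoured (1) rather than violated (0); no history means no trust
    return sum(history) / len(history) if history else 0.0

def decide(request, rules, provider):
    # Permit when some rule matches every attribute set and the provider passes
    # the trust and SLA gates; deny by default otherwise
    trust = trust_score(provider["history"])
    for rule in rules:
        if request["operation"] not in rule["operations"]:
            continue
        if not all(attrs_match(rule[part], request[part])
                   for part in ("subject", "resource", "environment")):
            continue
        if trust < rule["min_trust"] or not sla_satisfied(rule["sla"], provider["sla"]):
            continue
        return "Permit"
    return "Deny"

# constructed sample policy and principals
RULES = [{"operations": {"read"},
          "subject": {"role": "analyst", "org": "tenantA"},
          "resource": {"class": "internal"},
          "environment": {"network": "corp"},
          "min_trust": 0.8,
          "sla": {"availability": 0.99}}]
PROVIDER_OK = {"history": [1, 1, 1, 1, 0], "sla": {"availability": 0.995}}  # trust 0.8
PROVIDER_LOW = {"history": [1, 0, 1, 0], "sla": {"availability": 0.995}}    # trust 0.5
REQ = {"subject": {"role": "analyst", "org": "tenantA"},
       "resource": {"class": "internal"},
       "environment": {"network": "corp"},
       "operation": "read"}

if __name__ == "__main__":
    print(decide(REQ, RULES, PROVIDER_OK), decide(REQ, RULES, PROVIDER_LOW))
```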