PDF(1150 KB)
PDF(1150 KB)
PDF(1150 KB)
一种适用于Hadoop云平台的访问控制方案
Access control for Hadoop-based cloud computing
分析了Hadoop云计算平台的安全需求,设计了一种基于身份的Capability (ID-CAP), 并提出了一种基于ID-CAP的Hadoop访问控制方案。方案设计采用了最小授权原则,实现了基于Capability的访问控制,使用户在Hadoop平台上提交的作业能以最小权限运行。实验结果表明: 基于Capability的访问控制机制能有效实现在Hadoop平台上实施最小授权原则,支持平台内部相互依赖的各模块之间的身份认证,有效提高Hadoop平台的系统安全性和稳定性。
An identity-based capability (ID-CAP) method is given to provide secure access control to Hadoop cloud computing platforms. The capability-based access control design follows the least privilege principle with the platform running tenant jobs using a least privilege set. Tests show that the capability-based access control can be efficiently implemented to support mutual authentication between different servers in a Hadoop platform while satisfying the least privilege requirement to improve platform security and stability.
访问控制 / 权能 / Hadoop / 云计算 / 最小授权原则
access control / capability / Hadoop / cloud computing / the least-privilege principle
| [1] | Lampson B K. Protection [J]. Operating Systems Review, 1974, 8(1): 18-24. |
| [2] | Snyder L. Formal models of capability-based protection systems[J]. IEEE Transactions on Computers, 1981, 30(3): 172-181. |
| [3] | Kain R Y, Landwehr C E. On access checking in capability-based systems[J]. IEEE Transactions on Software Engineering, 1987, SE13(2): 95-101. |
| [4] | Karger P A. Improving security and performance for capability systems [D]. London, UK: University of Cambridge, 1988. |
| [5] | Gong L. A secure identity-based capability system [C]// Proceedings of the 1989 IEEE Symposium on. Security and Privacy. Oakland, USA: IEEE Computer Society Press, 1989: 56-63. |
| [6] | Boebert W E. On the inability of an unmodified capability machine to enforce the property [C]// Proceedings of the 7th DoD/NBS Computer Security Conference. Gaithersburg, USA: National Bureau of Standards, 1984: 291-293. |
| [7] | Landwehr C E. Formal models for computer security[J]. ACM Computing Surveys, 1981, 13(3): 247-278. |
| [8] | Lampson B W. A note on the confinement problem[J]. Communications of the ACM on Operation Systems, 1973, 16(10): 613-615. |
/
| 〈 |
|
〉 |
