CN104935590A - HDFS access control method based on role and user trust value - Google Patents
- Publication number: CN104935590A
- Application number: CN201510328860.2A
- Authority: CN (China)
- Prior art keywords: user, trust value, role, hdfs, ticket
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Abstract
The invention provides an HDFS access control method based on roles and user trust values, and belongs to the field of computer cloud storage access control. The method first combines the role-based access control policy RBAC to replace the discretionary access control policy of HDFS, thereby reducing the complexity and management overhead of HDFS authorization management and improving its flexibility. When a user accesses HDFS for the first time, a role is granted to the user, so that users are separated from permissions through roles and management is simplified. On this basis, the method further introduces the concept of a user trust value and sets one trust value for each user, so that different users with the same role obtain different access permissions according to their trust values; the trust value is updated dynamically according to the user's subsequent behaviour, thereby dynamically and effectively controlling the user's access to resources in HDFS.
Description
Technical field
The present invention relates to an HDFS access control method based on roles and user trust values, and belongs to the field of computer cloud storage access control.
Background technology
With the rapid development of cloud storage technology, more and more users and enterprises use cloud storage to save or back up data and to improve the mobility of their data, but the security problems this brings have not been effectively solved. The core of cloud storage is in fact a distributed file system, so the data security problem of cloud storage is in fact the data security problem of the distributed file system.
Hadoop was originally designed on the assumption that HDFS runs in a secure, closed environment, that every node in the cluster is reliable and trustworthy, and that the system serves a single group of cooperating users. At the design stage HDFS therefore focused mainly on the performance of mass data storage and paid little attention to security in a distributed computing environment.
With the development and wide adoption of cloud storage, the security of the Hadoop distributed file system HDFS faces serious threats. HDFS does not provide adequate authentication between users and services: by default it identifies a client solely by the user name and group of the process running it, and because the client is remote, a user can simply create an account under any name on the remote system, masquerade as any identity, bypass the HDFS permission checks and access any data in HDFS. In addition, because Data Nodes enforce no access control on client accesses, an unauthorized client that learns the BlockID of a data block can read the block directly, bypassing authentication at the Name Node; anyone can likewise write arbitrary data blocks to a Data Node, or masquerade as a legitimate Data Node to receive tasks and data from the Name Node. Although HDFS itself supports permission control, it provides only simple discretionary access control expressed as 9 permission bits, which offers weak support and leaves considerable security risk.
Summary of the invention
To overcome the deficiencies of the existing HDFS access control mechanism, the present invention proposes an HDFS access control method based on roles and user trust values. The object of the invention is a real-time, dynamic, finer-grained and more flexible access control mechanism that assigns suitable permissions to users more safely and reasonably.
To solve this technical problem, the present invention adopts the following technical scheme:
An HDFS access control method based on roles and user trust values comprises the following steps:
Step 1: Before accessing HDFS, the user first applies to the role management server for a user role; the role management server assigns a role to the user and issues a role certificate and a shared key to the user.
Step 2: The user presents the role certificate and shared key to the trusted third-party authentication system Kerberos and applies for authentication; if the user identity is legal, Kerberos grants the user a service ticket (Ticket) for accessing HDFS.
Step 3: The user presents the Ticket to the Name Node to request service. The Name Node queries the user behaviour records stored in the behaviour database and computes the user's current trust value with the trust update algorithm; if the current trust value is greater than or equal to the trust value threshold Trust_threshold set by the system, the Name Node issues a Block Access Token to the user, and the user presents the Block Access Token to connect to each Data Node named by the Name Node and obtains the required service.
In step 1, the role management server is the core of role assignment management and takes part in the access control process as a trusted authority. It consists of five modules: a role management module, a key management module, a certificate management module, a user interface module and a network communication module. When a user submits an access request (containing the user name, password and the role applied for) to the role management server, the server queries the user and role database according to the user identity, assigns the corresponding role to the user, generates a role certificate together with the role key generated by the key management module, and sends them to the user.
In step 2, Kerberos, as the trusted third-party authentication system, authenticates the user: before accessing an application server, the user must first obtain an access permission ticket (Ticket) for that server from the Kerberos server. The Kerberos server consists of two parts, the Authentication Server (AS) and the Ticket Granting Server (TGS). The AS checks whether the user is in the key database; if so, it issues a Ticket Granting Ticket (TGT), encrypts the TGT with the session key K1 and sends it to the user; if the user is not in the key database, service is stopped.
The user decrypts the message with key K1, encrypts its own unique identifier with K1 and sends it together with the TGT to the TGS. After verifying the validity of the TGT, the TGS generates a service ticket (Ticket) for the user. The Ticket contains the session key K3, the user name, IP address, service name, validity period and timestamp, and is encrypted with key K2; it is sent to the user together with K3 encrypted under K1. Because the user does not know K2, the contents of the Ticket cannot be tampered with. The user decrypts the message with K1 to obtain K3, and thereby holds the key for communicating with HDFS.
In step 3, the behaviour database and the trust value database are both located on the Name Node. When the user presents the Ticket to access the Name Node, the Name Node looks up the user's records in the behaviour database and computes the user's trust value with the trust update algorithm shown in formula (1):
Here cf is the user's latest trust value, initTrust is the user's initial or historical trust value, N_oB, N_rB and N_dB are the numbers of recorded ordinary, risky and dangerous behaviours respectively (the three classes of user behaviour), and α, β, γ are the trust assessment weights the system assigns to each behaviour class, satisfying α + β + γ = 1.
When the user's identity is legal, the service ticket is legal and the trust value is greater than or equal to the trust value threshold, the user is allowed to access resources in HDFS; the constraint expression of this access control rule (CP) is as follows:
When the user identity is illegal, or the service ticket is illegal, or the trust value is less than the trust value threshold, the system refuses the user access to resources in HDFS; the constraint expression of this access control rule (CR) is as follows:
Here user is the user information, tick is the service ticket with which the user accesses the Name Node, cf is the user's latest trust value, Trust_threshold is the trust value threshold, ACCEPT allows the access operation and DENY refuses it.
When the user satisfies rule CP, the Name Node issues a Block Access Token to the user, who presents it to the Data Nodes to obtain the required service; when the user satisfies rule CR, the Name Node sends the user a message refusing service.
Compared with the prior art, the above technical scheme has the following beneficial effects:
(1) By combining the role-based access control policy RBAC, the invention separates users from permissions, reducing the complexity and administrative overhead of HDFS authorization management and improving its flexibility.
(2) By using the trusted third-party authentication system Kerberos for user authentication, the invention addresses the defects that a malicious user can masquerade as a legitimate user to obtain HDFS file permissions, and that a malicious user who learns a BlockID can bypass the Name Node and access Data Nodes directly.
(3) By introducing the concept of a user trust value, setting a trust value for each user and updating it in real time according to the user's behaviour, the invention achieves a fine-grained, reliable and flexible access control mechanism that meets the need for dynamic control of user access and addresses the problem of the credibility of a legitimate user's later behaviour.
Description of the drawings
Fig. 1 is a schematic diagram of the model structure of the invention.
Fig. 2 is a flow chart of the access control method of the invention.
Fig. 3 is a flow chart of role-based HDFS access control.
Fig. 4 is a flow chart of HDFS access control based on user trust values.
Fig. 5 is a schematic diagram of the simplified core flow of HDFS access control based on user trust values.
Detailed description
The technical scheme of the invention is described in further detail below with reference to the drawings and embodiments:
Embodiment 1
To solve the access control problem of the Hadoop distributed file system HDFS, the invention provides an HDFS access control method based on roles and user trust values; as shown in Fig. 2, the method comprises the following flow:
When a user sends an operation request, the role management server first verifies the integrity of the request and then checks the user's permission for the operation; once the check passes, the role management server queries the user and role database according to the user identity, assigns the corresponding role to the user, and sends the role certificate together with the shared key to the user.
The user sends its plaintext user information to the Key Distribution Center (KDC) of Kerberos. The KDC checks via the Authentication Server (AS) whether the user is in the key database; if so, it produces a Ticket Granting Ticket (TGT), encrypts it with session key K1 and returns it to the user. The user decrypts the message with K1, encrypts its own unique identifier with K1 and sends it together with the TGT to the Ticket Granting Server (TGS). After verifying the validity of the TGT, the TGS generates a service ticket (Ticket) for the user containing session key K3, the user name, IP address, service name, validity period and timestamp; the Ticket is encrypted with key K2 and sent to the user together with K3 encrypted under K1. Because the user does not know K2, the contents of the Ticket cannot be tampered with. The user decrypts with K1 to obtain K3, and thereby holds the key for communicating with HDFS.
The user encrypts its user name and IP address with K3 and sends them, together with the Ticket encrypted under K2, to the Name Node to apply for authentication there. If the user identity is legal, the Name Node issues a Delegation Token to the user, who then presents the Delegation Token to the Name Node to apply for HDFS service. The Name Node queries the user behaviour database and computes the user's current trust value with the trust update algorithm. If the current trust value is greater than or equal to the trust value threshold set by the system, the Name Node generates a Block Access Token for the user, who presents it to request the required service from each Data Node named by the Name Node; if the current trust value is less than the threshold, the Name Node sends the user a message refusing service. In its next heartbeat, each Data Node feeds the user operation records held in its behaviour buffer back to the Name Node, which saves them in the behaviour database so that they are used to compute the user's trust value on the next access to HDFS; this achieves dynamic control of user access.
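The ticket exchange described in this embodiment, modelled as an added Python example (not code from the patent, from Hadoop or from any Kerberos implementation): the TGS seals the Ticket under K2 and the session key K3 under K1, the client recovers K3 with K1 and builds the Authenticator {(user name, IP)}_K3, and the Name Node opens the Ticket with K2, takes K3 from it and checks the Authenticator against the Ticket. The `seal`/`unseal` pair is an assumed encrypt-then-MAC stand-in built from the standard library (SHA-256 in counter mode plus HMAC), not a real cipher, and treating the validity period as seconds after the timestamp is an assumed interpretation of the Ticket fields.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key, nonce, counter). Stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: without `key` the data can be neither read nor altered."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Raises ValueError on any change."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def tgs_issue_ticket(k1, k2, user, ip, service, validity, timestamp):
    """TGS step: Ticket = {K3, user name, IP, service name, validity, timestamp},
    sealed under K2 (shared with the Name Node, unknown to the client), returned
    together with K3 sealed under the client's session key K1."""
    k3 = secrets.token_bytes(32)
    ticket = {"k3": k3.hex(), "user": user, "ip": ip, "service": service,
              "validity": validity, "timestamp": timestamp}
    return seal(k2, json.dumps(ticket).encode()), seal(k1, k3)


def client_build_request(k1, sealed_ticket, sealed_k3, user, ip):
    """Client step: recover K3 with K1, then send {(Ticket)_K2, Authenticator}
    where Authenticator = {(user name, IP)}_K3. The client never sees K2."""
    k3 = unseal(k1, sealed_k3)
    authenticator = seal(k3, json.dumps({"user": user, "ip": ip}).encode())
    return {"ticket": sealed_ticket, "authenticator": authenticator}


def namenode_verify(k2, request, now):
    """Name Node step: open the Ticket with K2, check its validity window, take K3
    from it, open the Authenticator with K3 and require it to match the Ticket.
    Returns the authenticated user name or raises ValueError."""
    ticket = json.loads(unseal(k2, request["ticket"]))
    if now > ticket["timestamp"] + ticket["validity"]:  # assumed: validity in seconds
        raise ValueError("ticket expired")
    k3 = bytes.fromhex(ticket["k3"])
    auth = json.loads(unseal(k3, request["authenticator"]))
    if (auth["user"], auth["ip"]) != (ticket["user"], ticket["ip"]):
        raise ValueError("authenticator does not match ticket")
    return ticket["user"]


def outcome(k2, request, now) -> str:
    """Convenience wrapper: user name on success, 'denied: <reason>' otherwise."""
    try:
        return namenode_verify(k2, request, now)
    except ValueError as exc:
        return f"denied: {exc}"


def tamper_one_byte(request):
    """Constructed check input: the Ticket with its first ciphertext byte flipped,
    which is what the Name Node must reject because the client does not hold K2."""
    altered = bytearray(request["ticket"])
    altered[NONCE_LEN] ^= 0x01
    return {"ticket": bytes(altered), "authenticator": request["authenticator"]}


if __name__ == "__main__":
    K1, K2 = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    sealed_ticket, sealed_k3 = tgs_issue_ticket(K1, K2, "alice", "10.0.0.5", "hdfs", 3600, 1000)
    req = client_build_request(K1, sealed_ticket, sealed_k3, "alice", "10.0.0.5")
    print(outcome(K2, req, now=2000))                    # alice
    print(outcome(K2, tamper_one_byte(req), now=2000))   # denied: integrity check failed
```

The Name Node's checks run in the order the page implies: the Ticket must open under K2 before K3 is trusted, so a modified Ticket fails at the integrity check and never reaches the Authenticator comparison, and an Authenticator built for a different user or address is rejected even though it was sealed with the correct K3.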
Embodiment 2
Embodiment 2 of the invention combines the traditional role-based access control policy RBAC to provide a role-based HDFS access control method; as shown in Fig. 3, the steps of the method comprise:
(1) The user (Client) requests role assignment from the role management server;
(2) The role management server assigns a role to the user and issues a role certificate and a shared key to the user;
(3) The role management server and the Name Node negotiate and update the shared key between them;
(4) The Client presents the role certificate and shared key to the Name Node to apply for access service;
(5) After verifying that the user's role and shared key are legal, the Name Node returns the address of the best data block replica to the user;
(6) The Client requests the required service from each Data Node named by the Name Node;
(7) After receiving the user's request, the Data Node either provides the required service or refuses service;
(8) The Data Node communicates with the Name Node through the heartbeat mechanism.
Embodiment 3
Embodiment 3 of the invention combines Kerberos with the concept of the user trust value to provide an HDFS access control method based on user trust values; as shown in Fig. 4, the steps of the method comprise:
(1) The Client encrypts its authentication information with its own key K1 and sends it to the KDC to request authentication;
(2) The KDC verifies that the Client's identity is valid and legal, issues a Ticket Granting Ticket TGT, encrypts it with K1 and returns it to the Client;
(3) The Client presents the TGT and sends a service request to the KDC, the request content being encrypted with K1;
(4) The KDC receives the request and produces the service ticket Ticket = {K3, user name, IP address, service name, validity period, timestamp};
(5) The KDC encrypts K3 with K1 and the Ticket with K2, and returns both to the Client;
(6) The Client decrypts to obtain the session key K3 shared with the Name Node, and generates Authenticator = {(user name, IP)}_K3;
(7) The Client sends the K2-encrypted Ticket obtained from the KDC in step 5 together with the Authenticator generated in step 6, in the form {(Ticket)_K2, Authenticator}, to the Name Node to apply for authentication there;
(8) The Name Node decrypts the received content and verifies whether the Client is a legitimate user;
(9) After verifying that the Client identity is legal, the Name Node generates a Delegation Token and issues it to the Client;
(10) The Client presents the Delegation Token to the Name Node to apply for HDFS service. From the received TokenID_d and its local master key the Name Node computes tokenAuthenticator_d and rebuilds a Delegation Token locally; if the rebuilt Delegation Token has an identical version in the Name Node's local memory, the user identity is deemed valid and legal;
(11) The Name Node queries the user behaviour database and computes the user's current trust value with the trust update algorithm;
(12) If the user's trust value meets the requirement, the Name Node generates a Block Access Token for the user. The AccessModes field of the token holds the operations the current user may perform on the Block, that is, the permissions the user actually has. The value of this field is decided by the trust value threshold defined for each operation: 1) if the trust value computed in step 11 is greater than or equal to the threshold defined for an operation, that operation is added to AccessModes; 2) if the trust value computed in step 11 is less than the threshold defined for an operation, that operation is not added, and AccessModes stays empty for it;
(13) When the user satisfies rule CP, the Name Node distributes the generated Block Access Token to the Client;
(14) The Client presents the Block Access Token to request the required service from each Data Node named by the Name Node;
(15) After receiving the Client's request, the Data Node first checks whether the Block Access Token is valid and legal, and then decides whether to provide the user with the operations defined in the AccessModes field;
(16) The Client obtains from the Data Node the operations specified in the AccessModes field; or, when the user satisfies rule CR, the user is sent a message refusing service;
(17) In its next heartbeat, the Data Node feeds back to the Name Node all of the Client's operation records on it;
(18) The Name Node saves the fed-back user operation records in the behaviour database.
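The Name Node and Data Node decision logic of steps 10 to 16, as an added Python example (not the patent's, Hadoop's or any project's own code): the CP/CR rule from the summary, the per-operation AccessModes construction of step (12), the Delegation Token recomputation of step (10), and the Data Node's check of the Block Access Token in step (15). Two points are assumptions: an HMAC under a Name Node master key is used both as the function that derives the token authenticator from the TokenID and as the binding that lets a Data Node detect a modified Block Access Token (the page says the Name Node recomputes the authenticator from the TokenID and its master key, but not which function, nor how the Block Access Token is protected); and the trust value cf is supplied as an input rather than computed.

```python
import hashlib
import hmac
import json

ACCEPT, DENY = "ACCEPT", "DENY"


def access_rule(identity_legal: bool, ticket_legal: bool, cf: float, trust_threshold: float) -> str:
    """CP rule: identity legal AND ticket legal AND cf >= Trust_threshold -> ACCEPT.
    CR rule: any of the three conditions failing -> DENY."""
    if identity_legal and ticket_legal and cf >= trust_threshold:
        return ACCEPT
    return DENY


def access_modes(cf: float, op_thresholds: dict) -> list:
    """Step (12): every operation carries its own trust threshold; an operation
    enters the AccessModes field only when cf reaches that threshold."""
    return sorted(op for op, thr in op_thresholds.items() if cf >= thr)


def _mac(master_key: bytes, body: dict) -> str:
    """Assumed binding: HMAC-SHA256 over a canonical JSON form of the token body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(master_key, canonical, hashlib.sha256).hexdigest()


def delegation_password(token_id: bytes, master_key: bytes) -> bytes:
    """Assumed form of step (10): the token authenticator is derived from the
    TokenID and the Name Node's local master key (here with HMAC-SHA256)."""
    return hmac.new(master_key, token_id, hashlib.sha256).digest()


def verify_delegation_token(token_id: bytes, password: bytes, master_key: bytes, issued: set) -> bool:
    """Step (10): rebuild the token locally and require a matching token in memory."""
    rebuilt = delegation_password(token_id, master_key)
    return hmac.compare_digest(rebuilt, password) and token_id in issued


def issue_block_token(master_key: bytes, block_id: str, cf: float, op_thresholds: dict) -> dict:
    """Name Node side of step (12): the AccessModes field lists only the operations
    the user's current trust value permits, and the body is bound with the master key."""
    body = {"block_id": block_id, "access_modes": access_modes(cf, op_thresholds)}
    return {"body": body, "mac": _mac(master_key, body)}


def datanode_check(master_key: bytes, token: dict, block_id: str, requested_op: str) -> bool:
    """Step (15): validity of the Block Access Token is checked first; only then is
    the requested operation compared against the AccessModes field."""
    body = token["body"]
    if not hmac.compare_digest(token["mac"], _mac(master_key, body)):
        return False
    if body["block_id"] != block_id:
        return False
    return requested_op in body["access_modes"]


def serve_request(master_key, identity_legal, ticket_legal, cf, trust_threshold,
                  block_id, requested_op, op_thresholds) -> str:
    """End to end: the Name Node applies CP/CR (steps 12-13); on CP it issues a
    Block Access Token; the Data Node then applies step (15) to that token."""
    if access_rule(identity_legal, ticket_legal, cf, trust_threshold) == DENY:
        return DENY
    token = issue_block_token(master_key, block_id, cf, op_thresholds)
    return ACCEPT if datanode_check(master_key, token, block_id, requested_op) else DENY


if __name__ == "__main__":
    key = b"constructed-master-key"                       # constructed, not a real key
    thresholds = {"READ": 0.5, "WRITE": 0.8}              # constructed per-operation thresholds
    print(serve_request(key, True, True, 0.7, 0.6, "blk_1", "READ", thresholds))   # ACCEPT
    print(serve_request(key, True, True, 0.7, 0.6, "blk_1", "WRITE", thresholds))  # DENY
```

The example separates the system-wide threshold (which gates whether any token is issued at all) from the per-operation thresholds inside AccessModes, so a user whose trust value passes the system threshold but not the WRITE threshold receives a token that a Data Node will honour for READ and refuse for WRITE; a token whose AccessModes list is edited after issue fails the validity check before the operation is even considered.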
Claims (4)
1. An HDFS access control method based on roles and user trust values, characterized by comprising the following steps:
Step 1: Before accessing HDFS, the user first applies to the role management server for a user role; the role management server assigns a role to the user and issues a role certificate and a shared key to the user.
Step 2: The user presents the role certificate and shared key to the trusted third-party authentication system Kerberos and applies for authentication; if the user identity is legal, Kerberos grants the user a service ticket (Ticket) for accessing HDFS.
Step 3: The user presents the Ticket to the Name Node to request service. The Name Node queries the user behaviour records stored in the behaviour database and computes the user's current trust value with the trust update algorithm; if the current trust value is greater than or equal to the trust value threshold Trust_threshold set by the system, the Name Node issues a Block Access Token to the user, and the user presents the Block Access Token to connect to each Data Node named by the Name Node and obtains the required service.
2. The HDFS access control method based on roles and user trust values as claimed in claim 1, characterized in that assigning a role to the user comprises:
The role management server is the core of role assignment management and takes part in the access control process as a trusted authority. It consists of five modules: a role management module, a key management module, a certificate management module, a user interface module and a network communication module. When a user submits an access request (containing the user name, password and the role applied for) to the role management server, the server queries the user and role database according to the user identity, assigns the corresponding role to the user, generates a role certificate together with the role key generated by the key management module, and sends them to the user.
3. The HDFS access control method based on roles and user trust values as claimed in claim 2, characterized in that Kerberos authentication of the user comprises:
Kerberos, as the trusted third-party authentication system, authenticates the user: before accessing an application server, the user must first obtain an access permission ticket (Ticket) for that server from the Kerberos server. The Kerberos server consists of two parts, the Authentication Server (AS) and the Ticket Granting Server (TGS). The AS checks whether the user is in the key database; if so, it issues a Ticket Granting Ticket (TGT), encrypts the TGT with the session key K1 and sends it to the user; if the user is not in the key database, service is stopped.
The user decrypts the message with key K1, encrypts its own unique identifier with K1 and sends it together with the TGT to the TGS. After verifying the validity of the TGT, the TGS generates a service ticket (Ticket) for the user. The Ticket contains the session key K3, the user name, IP address, service name, validity period and timestamp, and is encrypted with key K2; it is sent to the user together with K3 encrypted under K1. Because the user does not know K2, the contents of the Ticket cannot be tampered with. The user decrypts the message with K1 to obtain K3, and thereby holds the key for communicating with HDFS.
4. The HDFS access control method based on roles and user trust values as claimed in claim 3, characterized in that, when the user accesses HDFS resources, the method further comprises:
The behaviour database and the trust value database are both located on the Name Node. When the user presents the Ticket to access the Name Node, the Name Node looks up the user's records in the behaviour database and computes the user's trust value with the trust update algorithm shown in formula (1):
Here cf is the user's latest trust value, initTrust is the user's initial or historical trust value, N_oB, N_rB and N_dB are the numbers of recorded ordinary, risky and dangerous behaviours respectively (the three classes of user behaviour), and α, β, γ are the trust assessment weights the system assigns to each behaviour class, satisfying α + β + γ = 1.
When the user's identity is legal, the service ticket is legal and the trust value is greater than or equal to the trust value threshold, the user is allowed to access resources in HDFS; the constraint expression of this access control rule (CP) is as follows:
When the user identity is illegal, or the service ticket is illegal, or the trust value is less than the trust value threshold, the system refuses the user access to resources in HDFS; the constraint expression of this access control rule (CR) is as follows:
Here user is the user information, tick is the service ticket with which the user accesses the Name Node, cf is the user's latest trust value, Trust_threshold is the trust value threshold, ACCEPT allows the access operation and DENY refuses it.
When the user satisfies rule CP, the Name Node issues a Block Access Token to the user, who presents it to the Data Nodes to obtain the required service; when the user satisfies rule CR, the Name Node sends the user a message refusing service.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510328860.2A CN104935590A (en) | 2015-06-10 | 2015-06-10 | HDFS access control method based on role and user trust value |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104935590A true CN104935590A (en) | 2015-09-23 |
Family
ID=54122562
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510328860.2A Pending CN104935590A (en) | 2015-06-10 | 2015-06-10 | HDFS access control method based on role and user trust value |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104935590A (en) |
Cited By (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105656903A (en) * | 2016-01-15 | 2016-06-08 | 国家计算机网络与信息安全管理中心 | Hive platform user safety management system and application |
CN106790026A (en) * | 2016-12-15 | 2017-05-31 | 国家计算机网络与信息安全管理中心 | A kind of multi-tenant Dropbox method for authenticating and system based on Hadoop |
CN106790027A (en) * | 2016-12-15 | 2017-05-31 | 国家计算机网络与信息安全管理中心 | The multi-tenant Dropbox right management method and system of HDFS file system |
CN106961441A (en) * | 2017-04-06 | 2017-07-18 | 中国民航大学 | A kind of user's dynamic accesses control method for Hadoop cloud platform |
CN106997440A (en) * | 2017-04-10 | 2017-08-01 | 中经汇通电子商务有限公司 | A kind of role access control method |
CN107196951A (en) * | 2017-06-12 | 2017-09-22 | 北京明朝万达科技股份有限公司 | The implementation method and firewall system of a kind of HDFS systems fire wall |
CN107342975A (en) * | 2016-12-21 | 2017-11-10 | 安徽师范大学 | Trust computational methods based on domain division under insincere cloud environment |
CN107483491A (en) * | 2017-09-19 | 2017-12-15 | 山东大学 | The access control method of distributed storage under a kind of cloud environment |
CN107612910A (en) * | 2017-09-19 | 2018-01-19 | 北京邮电大学 | A kind of distributed document data access method and system |
CN107665315A (en) * | 2017-10-31 | 2018-02-06 | 上海应用技术大学 | A kind of based role suitable for Hadoop and the access control method trusted |
CN107800723A (en) * | 2017-12-06 | 2018-03-13 | 中盈优创资讯科技有限公司 | CC attack guarding methods and equipment |
CN108111348A (en) * | 2017-12-20 | 2018-06-01 | 杭州云屏科技有限公司 | A kind of security policy manager method and system for enterprise's cloud application |
CN108427677A (en) * | 2017-02-13 | 2018-08-21 | 阿里巴巴集团控股有限公司 | A kind of object accesses method, apparatus and electronic equipment |
CN108924120A (en) * | 2018-06-28 | 2018-11-30 | 电子科技大学 | A kind of dynamic accesses control method of multi-dimensional state perception |
CN109063495A (en) * | 2018-07-24 | 2018-12-21 | 中国人民解放军陆军工程大学 | A kind of access control risk analysis method based on spatial weighting |
CN109245880A (en) * | 2018-09-07 | 2019-01-18 | 国网福建省电力有限公司 | One kind is based on to hadoop component safety reinforcement means |
CN109815685A (en) * | 2019-01-18 | 2019-05-28 | 新华网股份有限公司 | Method for managing user right, device, electronic equipment and readable storage medium storing program for executing |
CN109831459A (en) * | 2019-03-22 | 2019-05-31 | 百度在线网络技术(北京)有限公司 | Method, apparatus, storage medium and the terminal device of secure access |
CN111353172A (en) * | 2020-03-02 | 2020-06-30 | 山东工商学院 | Hadoop cluster big data access method and system based on block chain |
CN113076552A (en) * | 2020-01-03 | 2021-07-06 | 中国移动通信集团广东有限公司 | HDFS (Hadoop distributed File System) resource access permission verification method and device and electronic equipment |
CN113824554A (en) * | 2021-08-30 | 2021-12-21 | 山东健康医疗大数据有限公司 | Dynamic authentication method and device for data transmission between middleware and computer medium |
CN114465777A (en) * | 2021-12-31 | 2022-05-10 | 惠州华阳通用智慧车载系统开发有限公司 | TSP server access control method |
CN114567489A (en) * | 2022-03-02 | 2022-05-31 | 临沂大学 | Dynamic access control method based on service body |
CN114567473A (en) * | 2022-02-23 | 2022-05-31 | 南通大学 | Zero-trust mechanism-based Internet of vehicles access control method |
CN114666079A (en) * | 2020-12-22 | 2022-06-24 | 中国科学院沈阳自动化研究所 | Industrial control system access control method based on attribute certificate |
CN114928499A (en) * | 2022-06-21 | 2022-08-19 | 重庆邮电大学 | Access control method based on block chain and trust system |
CN116881956A (en) * | 2023-09-08 | 2023-10-13 | 国网信息通信产业集团有限公司 | Permission management method and device oriented to multi-cloud resource management |
CN117177243A (en) * | 2023-10-30 | 2023-12-05 | 吉林大学 | Biomedical data sharing system based on 5G Internet of things |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102307185A (en) * | 2011-06-27 | 2012-01-04 | 北京大学 | Data isolation method used in storage cloud |
CN102457555A (en) * | 2010-10-28 | 2012-05-16 | 中兴通讯股份有限公司 | Security system and method for distributed storage |
US20140196115A1 (en) * | 2013-01-07 | 2014-07-10 | Zettaset, Inc. | Monitoring of Authorization-Exceeding Activity in Distributed Networks |
CN104301301A (en) * | 2014-09-04 | 2015-01-21 | 南京邮电大学 | Inter-cloud-storage-system data migration encryption method |
2015
- 2015-06-10 CN CN201510328860.2A patent/CN104935590A/en active Pending
Non-Patent Citations (2)
Title |
---|
Liu Sha (刘莎): "Research and implementation of a trusted user access control model for the Hadoop cloud platform", 《信息科技辑》 * |
Chai Huangqi (柴黄琪) et al.: "Design of a security mechanism based on HDFS", 《计算机安全》 * |
Cited By (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105656903B (en) * | 2016-01-15 | 2018-07-27 | 国家计算机网络与信息安全管理中心 | A kind of user safety management system of Hive platforms and application |
CN105656903A (en) * | 2016-01-15 | 2016-06-08 | 国家计算机网络与信息安全管理中心 | Hive platform user safety management system and application |
CN106790027B (en) * | 2016-12-15 | 2020-09-11 | 国家计算机网络与信息安全管理中心 | Multi-tenant network disk authority management method and system of HDFS file system |
CN106790026A (en) * | 2016-12-15 | 2017-05-31 | 国家计算机网络与信息安全管理中心 | A kind of multi-tenant Dropbox method for authenticating and system based on Hadoop |
CN106790027A (en) * | 2016-12-15 | 2017-05-31 | 国家计算机网络与信息安全管理中心 | The multi-tenant Dropbox right management method and system of HDFS file system |
CN106790026B (en) * | 2016-12-15 | 2020-07-07 | 国家计算机网络与信息安全管理中心 | Hadoop-based multi-tenant network disk authentication method and system |
CN107342975A (en) * | 2016-12-21 | 2017-11-10 | 安徽师范大学 | Trust computational methods based on domain division under insincere cloud environment |
CN107342975B (en) * | 2016-12-21 | 2020-03-24 | 安徽师范大学 | Domain division-based trust computing method in untrusted cloud environment |
CN108427677A (en) * | 2017-02-13 | 2018-08-21 | 阿里巴巴集团控股有限公司 | A kind of object accesses method, apparatus and electronic equipment |
CN106961441B (en) * | 2017-04-06 | 2020-05-22 | 中国民航大学 | User dynamic access control method for Hadoop cloud platform |
CN106961441A (en) * | 2017-04-06 | 2017-07-18 | 中国民航大学 | A kind of user's dynamic accesses control method for Hadoop cloud platform |
CN106997440A (en) * | 2017-04-10 | 2017-08-01 | 中经汇通电子商务有限公司 | A kind of role access control method |
CN107196951B (en) * | 2017-06-12 | 2019-02-26 | 北京明朝万达科技股份有限公司 | A kind of implementation method and firewall system of HDFS system firewall |
CN107196951A (en) * | 2017-06-12 | 2017-09-22 | 北京明朝万达科技股份有限公司 | The implementation method and firewall system of a kind of HDFS systems fire wall |
CN107483491A (en) * | 2017-09-19 | 2017-12-15 | 山东大学 | The access control method of distributed storage under a kind of cloud environment |
CN107612910A (en) * | 2017-09-19 | 2018-01-19 | 北京邮电大学 | A kind of distributed document data access method and system |
CN107665315B (en) * | 2017-10-31 | 2020-12-15 | 上海应用技术大学 | Role and trust-based access control method suitable for Hadoop |
CN107665315A (en) * | 2017-10-31 | 2018-02-06 | 上海应用技术大学 | A kind of based role suitable for Hadoop and the access control method trusted |
CN107800723A (en) * | 2017-12-06 | 2018-03-13 | 中盈优创资讯科技有限公司 | CC attack guarding methods and equipment |
CN108111348A (en) * | 2017-12-20 | 2018-06-01 | 杭州云屏科技有限公司 | A kind of security policy manager method and system for enterprise's cloud application |
CN108924120A (en) * | 2018-06-28 | 2018-11-30 | 电子科技大学 | A kind of dynamic accesses control method of multi-dimensional state perception |
CN109063495A (en) * | 2018-07-24 | 2018-12-21 | 中国人民解放军陆军工程大学 | A kind of access control risk analysis method based on spatial weighting |
CN109063495B (en) * | 2018-07-24 | 2021-12-10 | 中国人民解放军陆军工程大学 | Access control risk analysis method based on spatial weighting |
CN109245880A (en) * | 2018-09-07 | 2019-01-18 | 国网福建省电力有限公司 | One kind is based on to hadoop component safety reinforcement means |
CN109245880B (en) * | 2018-09-07 | 2021-06-22 | 国网福建省电力有限公司 | Hadoop component safety reinforcement method |
CN109815685A (en) * | 2019-01-18 | 2019-05-28 | 新华网股份有限公司 | Method for managing user right, device, electronic equipment and readable storage medium storing program for executing |
CN109831459A (en) * | 2019-03-22 | 2019-05-31 | 百度在线网络技术(北京)有限公司 | Method, apparatus, storage medium and the terminal device of secure access |
CN113076552B (en) * | 2020-01-03 | 2022-10-18 | 中国移动通信集团广东有限公司 | HDFS (Hadoop distributed File System) resource access permission verification method and device and electronic equipment |
CN113076552A (en) * | 2020-01-03 | 2021-07-06 | 中国移动通信集团广东有限公司 | HDFS (Hadoop distributed File System) resource access permission verification method and device and electronic equipment |
CN111353172A (en) * | 2020-03-02 | 2020-06-30 | 山东工商学院 | Hadoop cluster big data access method and system based on block chain |
CN111353172B (en) * | 2020-03-02 | 2023-04-11 | 山东工商学院 | Hadoop cluster big data access method and system based on block chain |
CN114666079A (en) * | 2020-12-22 | 2022-06-24 | 中国科学院沈阳自动化研究所 | Industrial control system access control method based on attribute certificate |
CN114666079B (en) * | 2020-12-22 | 2023-03-24 | 中国科学院沈阳自动化研究所 | Industrial control system access control method based on attribute certificate |
CN113824554A (en) * | 2021-08-30 | 2021-12-21 | 山东健康医疗大数据有限公司 | Dynamic authentication method and device for data transmission between middleware and computer medium |
CN113824554B (en) * | 2021-08-30 | 2024-02-13 | 山东浪潮智慧医疗科技有限公司 | Dynamic authentication method, device and computer medium for data transmission between middleware |
CN114465777A (en) * | 2021-12-31 | 2022-05-10 | 惠州华阳通用智慧车载系统开发有限公司 | TSP server access control method |
CN114465777B (en) * | 2021-12-31 | 2023-06-30 | 惠州华阳通用智慧车载系统开发有限公司 | TSP server access control method |
CN114567473B (en) * | 2022-02-23 | 2024-01-09 | 南通大学 | Internet of vehicles access control method based on zero trust mechanism |
CN114567473A (en) * | 2022-02-23 | 2022-05-31 | 南通大学 | Zero-trust mechanism-based Internet of vehicles access control method |
CN114567489A (en) * | 2022-03-02 | 2022-05-31 | 临沂大学 | Dynamic access control method based on service body |
CN114567489B (en) * | 2022-03-02 | 2023-09-15 | 临沂大学 | Dynamic access control method based on service body |
CN114928499A (en) * | 2022-06-21 | 2022-08-19 | 重庆邮电大学 | Access control method based on block chain and trust system |
CN114928499B (en) * | 2022-06-21 | 2023-09-19 | 深圳建科网络科技有限公司 | Access control method based on block chain and trust system |
CN116881956B (en) * | 2023-09-08 | 2024-01-09 | 国网信息通信产业集团有限公司 | Permission management method and device oriented to multi-cloud resource management |
CN116881956A (en) * | 2023-09-08 | 2023-10-13 | 国网信息通信产业集团有限公司 | Permission management method and device oriented to multi-cloud resource management |
CN117177243A (en) * | 2023-10-30 | 2023-12-05 | 吉林大学 | Biomedical data sharing system based on 5G Internet of things |
CN117177243B (en) * | 2023-10-30 | 2023-12-29 | 吉林大学 | Biomedical data sharing system based on 5G Internet of things |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104935590A (en) | | HDFS access control method based on role and user trust value |
US20210336782A1 (en) | | Cryptoasset custodial system with different rules governing access to logically separated cryptoassets and proof-of-stake blockchain support |
US10673626B2 (en) | | Threshold secret share authentication proof and secure blockchain voting with hardware security modules |
Liang et al. | | PDPChain: A consortium blockchain-based privacy protection scheme for personal data |
US11301845B2 (en) | | Cryptoasset custodial system with proof-of-stake blockchain support |
De Oliveira et al. | | Towards a blockchain-based secure electronic medical record for healthcare applications |
Zhu et al. | | Digital asset management with distributed permission over blockchain and attribute-based access control |
US8726342B1 (en) | | Keystore access control system |
US9736186B2 (en) | | Public and private hybrid distributed cloud storage system and cloud storage method |
US8850593B2 (en) | | Data management using a virtual machine-data image |
CN108390876A (en) | | Revocation outsourcing is supported to can verify that more authorization center access control methods, Cloud Server |
CN110099043A (en) | | The hiding more authorization center access control methods of support policy, cloud storage system |
CN109818757A (en) | | Cloud storage data access control method, Attribute certificate awarding method and system |
CN115701301A (en) | | Integration of blockchains, administrative group permissions, and access in an enterprise environment |
CN107483491A (en) | | The access control method of distributed storage under a kind of cloud environment |
CN108833393A (en) | | A kind of revocable data sharing method calculated based on mist |
CN103780607B (en) | | The method of the data de-duplication based on different rights |
CN103391192B (en) | | A kind of based on secret protection across security domain access control system and control method thereof |
CN103259663A (en) | | User unified authentication method in cloud computing environment |
CN103220141B (en) | | A kind of protecting sensitive data method and system based on group key strategy |
CN101321064A (en) | | Information system access control method and apparatus based on digital certificate technique |
CN113645195B (en) | | Cloud medical record ciphertext access control system and method based on CP-ABE and SM4 |
CN116090000A (en) | | File security management method, system, device, medium and program product |
CN111538973A (en) | | Personal authorization access control system based on state cryptographic algorithm |
CN104935576A (en) | | Data safe divided storage and assigned user sharing system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20150923 |