CN104935590A - HDFS access control method based on role and user trust value - Google Patents

HDFS access control method based on role and user trust value

Info

Publication number: CN104935590A
Application number: CN201510328860.2A
Authority: CN (China)
Prior art keywords: user, trust value, role, hdfs, ticket
Legal status: Pending (the legal status is an assumption and not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 秦小麟, 史文浩, 王胜, 王潇逸
Current assignee: Nanjing University of Aeronautics and Astronautics
Original assignee: Nanjing University of Aeronautics and Astronautics
Priority date: 2015-06-10
Filing date: 2015-06-10
Publication date: 2015-09-23

Events
2015-06-10: Application filed by Nanjing University of Aeronautics and Astronautics
2015-06-10: Priority to CN201510328860.2A
2015-09-23: Publication of CN104935590A
Current status: Pending

Classifications

    • H04L 63/083: Network architectures or network communication protocols for network security; authentication of entities using passwords
    • H04L 63/102: Network architectures or network communication protocols for network security; controlling access to devices or network resources; entity profiles
    • H04L 67/1097: Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks (e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS])
    • H04L 9/3213: Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos

Abstract

The invention provides an HDFS access control method based on roles and user trust values, and belongs to the field of access control for cloud storage. The method first replaces the discretionary access control policy of HDFS with a role-based access control (RBAC) policy, which reduces the complexity and management overhead of HDFS authorization management and improves its flexibility. When a user accesses HDFS for the first time, the user is granted a role, so that users are decoupled from permissions through roles and management is simplified. On this basis the method introduces the concept of a user trust value and assigns one trust value to each user, so that different users holding the same role can obtain different access permissions because of their different trust values; the trust value is updated dynamically according to the user's subsequent behaviour, so that the user's access to resources in HDFS is controlled dynamically and effectively.

Description

HDFS access control method based on roles and user trust values
Technical field
The present invention relates to an HDFS access control method based on roles and user trust values, and belongs to the field of access control for cloud storage.
Background
With the rapid development of cloud storage technology, more and more users and enterprises use cloud storage to save or back up data and to make data more mobile, but the security problems this brings have not been effectively solved. The core of cloud storage is in fact a distributed file system, so the data security problem of cloud storage is really the data security problem of the distributed file system.
Hadoop was originally designed on the assumption that HDFS runs in a secure, closed environment, that all nodes in the cluster are reliable and trustworthy, and that the system serves one group of cooperating users. HDFS was therefore mainly concerned with the performance of mass data storage when it was designed, and paid little attention to the security problems of a distributed computing environment.
With the development and wide adoption of cloud storage, the security of the Hadoop distributed file system HDFS is under serious threat. HDFS does not provide sufficient authentication between users and services. By default, HDFS identifies a client solely by the user name and group of the user running the client process; because the client is remote, a user can simply create an account under any name on the remote system and so masquerade as any identity, bypass the permission checks of HDFS and access any data in HDFS. In addition, because Data Nodes enforce no access control on client accesses, an unauthorized client that knows the BlockID of a data block can read the block directly, bypassing authentication with the Name Node; likewise anyone can write arbitrary data to a data block on a Data Node, or masquerade as a legitimate Data Node to receive tasks and data from the Name Node. Although HDFS itself supports permission control, what it provides is only simple discretionary access control expressed in 9 permission bits; this is weak and leaves a considerable security risk.
Summary of the invention
To overcome the shortcomings of the existing HDFS access control mechanism, the present invention proposes an HDFS access control method based on roles and user trust values. The object of the invention is to realize a real-time, dynamic, finer-grained and more flexible access control mechanism that can assign suitable permissions to users more safely and reasonably.
The present invention adopts the following technical scheme to solve its technical problem:
An HDFS access control method based on roles and user trust values comprises the following steps:
Step 1: Before accessing HDFS, the user first applies to the role management server for a user role; the role management server assigns a role to the user and issues a role certificate and a shared key to the user.
Step 2: Holding the role certificate and the shared key, the user accesses the trusted third-party authentication system Kerberos and applies for authentication; if the user's identity is legitimate, the user is granted a service ticket (Ticket) for accessing HDFS.
Step 3: The user presents the Ticket to the Name Node to request service. The Name Node queries the user behaviour records stored in the behaviour database and calculates the user's current trust value with the trust update algorithm. If the current trust value is greater than or equal to the trust value threshold Trust_threshold set by the system, the Name Node issues a Block Access Token to the user; the user presents the Block Access Token to all the Data Nodes named by the Name Node and obtains the required service.
In step 1, the role management server is the core of role assignment management and takes part in the access control process as a trusted authority. It consists mainly of five modules: a role management module, a key management module, a certificate management module, a user interface module and a network communication module. When a user submits an access request to the role management server (containing the user name, the password and the role applied for), the role management server queries the user and role database according to the user's identity, assigns the corresponding role to the user, generates a role certificate together with the role key generated by the key management module, and sends them to the user.
In step 2, Kerberos performs user authentication as the trusted third-party authentication system: before accessing an application server, a user must first obtain the access ticket (Ticket) for that application server from the Kerberos server. The Kerberos server consists of two parts, an Authentication Server (AS) and a Ticket Granting Server (TGS). The AS checks whether the user is in the key database; if so, it issues a Ticket Granting Ticket (TGT), encrypts the TGT with the session key K1 and sends it to the user; if the user is not in the key database, service is refused.
The user decrypts the message with key K1 and sends the TGT, together with the user's own unique identifier encrypted with K1, to the TGS. After verifying the validity of the TGT, the TGS generates a service ticket (Ticket) for the user. The Ticket contains the session key K3, the user name, the IP address, the service name, the validity period and a timestamp, and is encrypted with key K2; K3 is encrypted with K1 and sent to the user together with the Ticket. Because the user does not know key K2, the information in the Ticket cannot be tampered with. The user decrypts the message with key K1 and obtains key K3, the key for interacting with HDFS.
In step 3, the behaviour database and the trust value database are both located on the Name Node. When a user presents a Ticket to the Name Node, the Name Node queries the user's behaviour records in the behaviour database and calculates the user's trust value with the trust update algorithm given in formula (1):
$$cf = initTrust + \frac{\alpha N_{OB} - \beta N_{RB} - \gamma N_{DB}}{N_{OB} + N_{RB} + N_{DB}} \qquad (1)$$
where cf is the user's latest trust value, initTrust is the user's initial trust value or historical trust value, N_OB, N_RB and N_DB are the total numbers of records of the three classes of user behaviour (ordinary behaviour, risky behaviour and dangerous behaviour), and α, β and γ are the trust assessment weights the system assigns to each behaviour class, satisfying α + β + γ = 1.
When the user's identity is legitimate, the service ticket is valid and the trust value is greater than or equal to the trust value threshold, the user is allowed to access resources in HDFS. The constraint expression of this access control rule is:
$$CP:\ \exists\, user\ \{ hasKDC(user) \land hasTicks(tick, getTicks(KDC)) \land Compare(cf, Trust_{threshold}) \} \rightarrow ACCEPT \qquad (2)$$
When the user's identity is illegitimate, or the service ticket is invalid, or the trust value is less than the trust value threshold, the system refuses the user access to resources in HDFS. The constraint expression of this access control rule is as follows:
Here user is the user information, tick is the service ticket with which the user accesses the Name Node, cf is the user's latest trust value, Trust_threshold is the trust value threshold, ACCEPT means the access operation is allowed and DENY means the access operation is refused.
When the user satisfies rule CP, the Name Node issues a Block Access Token to the user, and the user presents the Block Access Token to the Data Nodes to obtain the required service; when the user satisfies rule CR, the Name Node sends the user a message refusing service.
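The trust update of formula (1) and the CP/CR decision described above, as an added example in Python; this is not code from the patent. The weights α = 0.5, β = 0.3, γ = 0.2, the initial trust value 0.6, the threshold 0.6 and the behaviour counts are constructed for illustration. Two points the patent leaves open are handled as labelled assumptions: a user with no new behaviour records keeps the historical trust value (formula (1) is 0/0 there), and cf is not clamped, so formula (1) can push it above 1 or below 0.

```python
"""Trust-value update (formula 1) and the CP/CR access decision (rule 2).

Added example, not code from the patent. Weights, thresholds and the
behaviour records below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class BehaviourCounts:
    """Numbers of behaviour records per class, as fed back by Data Nodes."""
    ordinary: int = 0    # N_OB: ordinary behaviour
    risky: int = 0       # N_RB: risky behaviour
    dangerous: int = 0   # N_DB: dangerous behaviour

    def add(self, other):
        return BehaviourCounts(self.ordinary + other.ordinary,
                               self.risky + other.risky,
                               self.dangerous + other.dangerous)


def update_trust(init_trust, counts, alpha, beta, gamma):
    """Formula (1): cf = initTrust + (a*N_OB - b*N_RB - g*N_DB) / (N_OB + N_RB + N_DB)."""
    if abs(alpha + beta + gamma - 1.0) > 1e-9:
        raise ValueError("weights must satisfy alpha + beta + gamma = 1")
    total = counts.ordinary + counts.risky + counts.dangerous
    if total == 0:
        # Assumption: with no new records the formula is 0/0, so the
        # historical trust value is kept unchanged.
        return init_trust
    delta = (alpha * counts.ordinary
             - beta * counts.risky
             - gamma * counts.dangerous) / total
    return init_trust + delta   # not clamped: the patent gives no bounds


def decide(identity_ok, ticket_ok, cf, trust_threshold):
    """Rule CP -> ACCEPT only if the KDC accepted the identity, the Ticket is
    valid and cf >= Trust_threshold; every other case is rule CR -> DENY."""
    if identity_ok and ticket_ok and cf >= trust_threshold:
        return "ACCEPT"
    return "DENY"


class NameNodeTrustStore:
    """Behaviour database and trust value database, both held on the Name Node."""

    def __init__(self, alpha, beta, gamma, init_trust):
        self.weights = (alpha, beta, gamma)
        self.init_trust = init_trust
        self.trust_db = {}       # user -> latest cf (the history trust value)
        self.behaviour_db = {}   # user -> records received since the last evaluation

    def record_heartbeat(self, user, counts):
        """Data Node heartbeat: append the user's operation records."""
        old = self.behaviour_db.get(user, BehaviourCounts())
        self.behaviour_db[user] = old.add(counts)

    def evaluate(self, user):
        """Called when the user presents a Ticket: recompute and store cf."""
        pending = self.behaviour_db.pop(user, BehaviourCounts())
        history = self.trust_db.get(user, self.init_trust)
        cf = update_trust(history, pending, *self.weights)
        self.trust_db[user] = cf
        return cf


def demo():
    """Constructed walk-through: a well-behaved user, a misbehaving one and a new one."""
    store = NameNodeTrustStore(alpha=0.5, beta=0.3, gamma=0.2, init_trust=0.6)
    threshold = 0.6
    store.record_heartbeat("alice", BehaviourCounts(ordinary=8, risky=2))
    store.record_heartbeat("mallory", BehaviourCounts(ordinary=2, risky=3, dangerous=5))
    results = {}
    for user in ("alice", "mallory", "bob"):
        cf = store.evaluate(user)
        results[user] = (round(cf, 6), decide(True, True, cf, threshold))
    return results


if __name__ == "__main__":
    print(demo())
```

With these numbers alice moves from 0.6 to 0.94 and is accepted, mallory drops to 0.51 and is refused, and bob, who has no records yet, is evaluated at the initial value 0.6 and passes the threshold exactly. The decision depends on all three conditions of rule CP: a high cf with an invalid Ticket still yields DENY.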
Compared with the prior art, the present invention has the following beneficial effects:
(1) By combining the role-based access control policy RBAC, the invention isolates users from permissions, reduces the complexity and management overhead of HDFS authorization management and improves its flexibility.
(2) By using the trusted third-party authentication system Kerberos, the invention authenticates users securely, and so removes the defects that a malicious user can masquerade as a legitimate user to obtain file permissions in HDFS, and that a malicious user who learns a BlockID can bypass the Name Node and access Data Nodes directly.
(3) By introducing the concept of a user trust value, assigning a trust value to each user and updating it in real time according to the user's behaviour, the invention realizes a fine-grained, reliable and flexible access control mechanism that meets the need for dynamic control of user access and addresses the problem of the trustworthiness of a legitimate user's later behaviour.
Brief description of the drawings
Fig. 1 is a schematic diagram of the model structure of the present invention.
Fig. 2 is a flow chart of the access control method of the present invention.
Fig. 3 is a flow chart of role-based HDFS access control.
Fig. 4 is a flow chart of HDFS access control based on user trust values.
Fig. 5 is a schematic diagram of the simplified core flow of HDFS access control based on user trust values.
Embodiments
The technical scheme of the present invention is described in further detail below with reference to the drawings and embodiments.
Embodiment one
To solve the access control problem of the Hadoop distributed file system HDFS, the invention provides an HDFS access control method based on roles and user trust values. As shown in Fig. 2, the method comprises the following flow.
When a user sends an operation request, the role management server first verifies the integrity of the operation request and then checks the user's permission for the operation. After the check passes, the role management server queries the user and role database according to the user's identity, assigns the corresponding role to the user, and sends the role certificate together with the shared key to the user.
The user sends their user information in plaintext to the Key Distribution Center (KDC) of Kerberos. The KDC server uses the Authentication Server (AS) to check whether the user is in the key database; if so, it generates a Ticket Granting Ticket (TGT), encrypts it with the session key K1 and returns it to the user. The user decrypts the message with key K1 and sends the TGT, together with the user's own unique identifier encrypted with K1, to the Ticket Granting Server (TGS). After verifying the validity of the TGT, the TGS generates a service ticket (Ticket) for the user; the Ticket contains the session key K3, the user name, the IP address, the service name, the validity period and a timestamp, and is encrypted with key K2. K3 is encrypted with K1 and sent to the user together with the Ticket. Because the user does not know key K2, the information in the Ticket cannot be tampered with. The user decrypts the message with key K1 and obtains key K3, the key for interacting with HDFS.
The user encrypts the user name and IP address with key K3 and sends them, together with the Ticket encrypted with K2, to the Name Node to request authentication. If the user's identity is legitimate, the Name Node issues a Delegation Token to the user. The user presents the Delegation Token to the Name Node to request HDFS service. The Name Node queries the user behaviour database and calculates the user's current trust value with the trust update algorithm. If the current trust value is greater than or equal to the trust value threshold set by the system, the Name Node generates a Block Access Token for the user, and the user presents the Block Access Token to all the Data Nodes named by the Name Node to request the required service; if the current trust value is less than the threshold, the Name Node sends the user a message refusing service. In its next heartbeat, each Data Node feeds the user operation records held in its behaviour buffer back to the Name Node, and the Name Node saves these records in the behaviour database, so that the user's trust value can be calculated the next time the user accesses HDFS. Dynamic control of user access is achieved in this way.
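The ticket exchange of step 2 and the Name Node authentication of embodiment one (steps 1 to 9 of embodiment three below restate the same exchange), as an added example in Python; this is not code from the patent. It keeps the patent's key names: K1 is the key the client shares with the KDC, K2 the Name Node's service key known only to the KDC and the Name Node, and K3 the session key carried inside the Ticket. The `seal`/`unseal` functions are a constructed toy authenticated encryption built from HMAC-SHA256 so the example runs with the standard library alone; they stand in for the Kerberos encryption profile and are not for production use. The TGT is sealed under an assumed TGS key before being wrapped in K1, a detail the patent does not specify; all keys, user names and IP addresses are constructed.

```python
"""Kerberos-style ticket exchange (K1/K2/K3) and Name Node authentication.

Added example, not code from the patent. The toy seal/unseal below stands
in for Kerberos encryption; all keys and identities are constructed.
"""
import hashlib
import hmac
import json
import os
import time


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    stream = b""
    for ctr in range(0, length, 32):
        stream += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return stream


def seal(key, obj):
    """Toy authenticated encryption: HMAC-SHA256 keystream, encrypt-then-MAC."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Check the tag before decrypting; a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message or ticket tampered with")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one."""

    def __init__(self, user_keys, service_keys):
        self.user_keys = user_keys          # key database: user -> K1
        self.service_keys = service_keys    # service name -> K2
        self.tgs_key = os.urandom(32)       # assumed: TGS key that protects TGTs

    def authenticate(self, user, auth_blob):
        """AS: the user must be in the key database and prove it holds K1."""
        k1 = self.user_keys.get(user)
        if k1 is None or unseal(k1, auth_blob).get("user") != user:
            raise PermissionError("user not in key database: service refused")
        tgt = seal(self.tgs_key, {"user": user, "expires": time.time() + 600})
        return seal(k1, {"tgt": tgt.hex()})          # TGT returned under K1

    def grant(self, tgt_hex, ident_blob, service):
        """TGS: verify the TGT, then issue the Ticket under K2 and K3 under K1."""
        tgt = unseal(self.tgs_key, bytes.fromhex(tgt_hex))
        user = tgt["user"]
        ident = unseal(self.user_keys[user], ident_blob)
        if tgt["expires"] < time.time() or ident["user"] != user:
            raise PermissionError("TGT expired or identifier mismatch")
        k3, now = os.urandom(32), time.time()
        ticket = {"k3": k3.hex(), "user": user, "ip": ident["ip"], "service": service,
                  "expires": now + 300, "timestamp": now}
        return (seal(self.service_keys[service], ticket),
                seal(self.user_keys[user], {"k3": k3.hex()}))


class NameNodeAuthenticator:
    """Name Node side: K2 is known only to the KDC and the Name Node, so a
    client cannot read or alter the Ticket, only present it."""

    def __init__(self, k2):
        self.k2 = k2

    def authenticate(self, ticket_blob, authenticator_blob, client_ip):
        ticket = unseal(self.k2, ticket_blob)
        if ticket["service"] != "namenode" or ticket["expires"] < time.time():
            raise PermissionError("ticket not valid for this service")
        k3 = bytes.fromhex(ticket["k3"])
        auth = unseal(k3, authenticator_blob)       # proves the client holds K3
        if (auth["user"], auth["ip"], client_ip) != (ticket["user"], ticket["ip"], ticket["ip"]):
            raise PermissionError("authenticator does not match ticket")
        return ticket["user"], k3


def client_login(kdc, name_node, user, k1, ip):
    """Client side of the exchange: returns the identity the Name Node accepted."""
    reply = kdc.authenticate(user, seal(k1, {"user": user, "timestamp": time.time()}))
    tgt_hex = unseal(k1, reply)["tgt"]
    ticket_blob, k3_blob = kdc.grant(tgt_hex, seal(k1, {"user": user, "ip": ip}), "namenode")
    k3 = bytes.fromhex(unseal(k1, k3_blob)["k3"])
    return name_node.authenticate(ticket_blob, seal(k3, {"user": user, "ip": ip}), ip)
```

Two properties of the description are visible in the checks: a user absent from the key database is refused at the AS, and because the Ticket is sealed under K2 the client cannot change its contents (a flipped byte fails the tag check at the Name Node), while the Authenticator under K3 binds the presenter to the user name and IP address written into the Ticket.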
Embodiment two
Embodiment two of the invention combines the traditional role-based access control policy RBAC and provides a role-based HDFS access control method. As shown in Fig. 3, the method comprises the following steps:
(1) the user (Client) requests a role from the role management server;
(2) the role management server assigns a role to the user and issues a role certificate and a shared key to the user;
(3) the shared key is negotiated and updated between the role management server and the Name Node;
(4) the Client presents the role certificate and the shared key to the Name Node and requests access service;
(5) after verifying that the user's role and the shared key are valid, the Name Node returns to the user the addresses of the best data block replicas;
(6) the Client requests the required service from all the Data Nodes named by the Name Node;
(7) after receiving the user's request, a Data Node either provides the required service to the user or refuses service;
(8) Data Nodes communicate with the Name Node through the heartbeat mechanism.
Embodiment three
Embodiment three of the invention combines Kerberos with the concept of user trust values and provides an HDFS access control method based on user trust values. As shown in Fig. 4, the method comprises the following steps:
(1) the Client encrypts its authentication information with its own key K1 and sends it to the KDC to request authentication;
(2) the KDC verifies that the Client's identity is valid and legitimate, issues a Ticket Granting Ticket (TGT), encrypts it with K1 and returns it to the Client;
(3) the Client presents the TGT to the KDC and sends a service request whose content is encrypted with K1;
(4) the KDC receives the request and generates a service ticket Ticket = {K3, user name, IP address, service name, validity period, timestamp};
(5) the KDC encrypts K3 with K1, encrypts the Ticket with K2, and returns both to the Client;
(6) the Client decrypts and obtains the session key K3 shared with the Name Node, and generates Authenticator = {(user name, IP)}_K3;
(7) the Client sends the Ticket encrypted with K2 obtained in step 5 together with the Authenticator generated in step 6, in the form {(Ticket)_K2, Authenticator}, to the Name Node to request authentication;
(8) the Name Node decrypts the received content and verifies whether the Client is a legitimate user;
(9) after verifying that the Client's identity is legitimate, the Name Node generates a Delegation Token and issues it to the Client;
(10) the Client presents the Delegation Token to the Name Node to request HDFS service; the Name Node computes the token authenticator from the received TokenID with its local master key, rebuilds a Delegation Token locally, and if the rebuilt Delegation Token matches the version held in the Name Node's local memory, the user's identity is deemed valid and legitimate;
(11) the Name Node queries the user behaviour database and calculates the user's current trust value with the trust update algorithm;
(12) if the user's trust value meets the requirement, the Name Node generates a Block Access Token for the user. The AccessModes field of the token holds the operations the current user may perform on the block, i.e. the permissions the user actually has. The value of this field is decided by the trust value threshold that each operation defines for itself: 1) if the trust value calculated in step 11 is greater than or equal to the threshold defined by an operation, that operation is added to AccessModes; 2) if the trust value calculated in step 11 is less than the threshold defined by an operation, that operation is not added to AccessModes (the field is left empty);
(13) when the user satisfies rule CP, the Name Node sends the generated Block Access Token to the Client;
(14) the Client presents the Block Access Token to all the Data Nodes named by the Name Node to request the required service;
(15) after receiving the Client's request, the Data Node first checks whether the Block Access Token is valid and legitimate, and then decides whether to provide the user with the operations defined in the AccessModes field;
(16) the Client obtains from the Data Node the operations specified in the AccessModes field; or, when the user satisfies rule CR, the user is sent a message refusing service;
(17) in its next heartbeat, the Data Node feeds all of the Client's operation records on it back to the Name Node;
(18) the Name Node saves the user operation records it receives in the behaviour database.
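Steps 12 to 18 above, as an added example in Python that is not code from the patent: the Name Node builds the AccessModes field from per-operation thresholds and binds the token's fields with an HMAC under a block key it shares with the Data Nodes (the same recompute-and-compare idea as the Delegation Token check in step 10), the Data Node verifies the token and the requested operation, and buffers behaviour records for its next heartbeat. The operation names, their thresholds, the block key and the rule that classifies each Data Node decision as ordinary, risky or dangerous behaviour are assumptions for illustration; the patent names the three classes but does not define how an operation is classified.

```python
"""Block Access Token with a trust-gated AccessModes field, Data Node-side
verification and heartbeat feedback (steps 12-18).

Added example, not code from the patent. Operations, thresholds, the block
key and the behaviour classification are constructed assumptions.
"""
import hashlib
import hmac
import json
import time

# Assumed per-operation trust thresholds: each operation defines its own.
OP_THRESHOLDS = {"READ": 0.5, "WRITE": 0.7, "COPY": 0.8, "REPLACE": 0.9}


def access_modes_for(cf, thresholds=OP_THRESHOLDS):
    """Step 12: an operation enters AccessModes only if cf >= its threshold."""
    return sorted(op for op, th in thresholds.items() if cf >= th)


def _password(block_key, token_id):
    """Token password = HMAC(block key, canonical TokenID); editing any field
    of the TokenID, including AccessModes, invalidates the password."""
    canonical = json.dumps(token_id, sort_keys=True).encode()
    return hmac.new(block_key, canonical, hashlib.sha256).hexdigest()


class NameNodeTokenIssuer:
    def __init__(self, block_key):
        self.block_key = block_key   # shared with the Data Nodes

    def issue(self, user, block_id, cf, ttl=600, now=None):
        """Return a Block Access Token, or None when no operation reaches its
        threshold (rule CR: the user is refused service)."""
        modes = access_modes_for(cf)
        if not modes:
            return None
        now = time.time() if now is None else now
        token_id = {"user": user, "block": block_id, "modes": modes,
                    "expires": int(now + ttl)}
        return {"id": token_id, "password": _password(self.block_key, token_id)}


class DataNode:
    def __init__(self, block_key):
        self.block_key = block_key
        self.behaviour_buffer = []   # records fed back on the next heartbeat

    def _record(self, user, op, cls):
        self.behaviour_buffer.append({"user": user, "op": op, "class": cls})

    def check(self, token, block_id, op, now=None):
        """Step 15: validate the token first, then the requested operation.
        Classification is an assumption: a forged, foreign or expired token
        is dangerous, an operation outside AccessModes is risky, an allowed
        operation is ordinary."""
        tid = token["id"]
        user = tid.get("user", "?")
        now = time.time() if now is None else now
        if not hmac.compare_digest(token["password"], _password(self.block_key, tid)):
            self._record(user, op, "dangerous")     # forged or tampered token
            return False
        if tid["block"] != block_id or tid["expires"] < now:
            self._record(user, op, "dangerous")     # token for another block, or expired
            return False
        if op not in tid["modes"]:
            self._record(user, op, "risky")         # asking beyond granted permissions
            return False
        self._record(user, op, "ordinary")
        return True

    def heartbeat(self):
        """Step 17: hand the buffered records to the Name Node and clear the buffer."""
        records, self.behaviour_buffer = self.behaviour_buffer, []
        return records


def demo():
    """Constructed run: alice's trust value 0.75 earns READ and WRITE only."""
    key = b"block-key-shared-by-name-node-and-data-nodes"
    name_node, data_node = NameNodeTokenIssuer(key), DataNode(key)
    token = name_node.issue("alice", "blk_1073741825", cf=0.75)
    outcomes = [data_node.check(token, "blk_1073741825", op)
                for op in ("READ", "WRITE", "COPY")]
    # The client edits its own token to add COPY: the password no longer matches.
    forged = {"id": dict(token["id"], modes=token["id"]["modes"] + ["COPY"]),
              "password": token["password"]}
    outcomes.append(data_node.check(forged, "blk_1073741825", "COPY"))
    return token["id"]["modes"], outcomes, data_node.heartbeat()
```

The heartbeat payload returned by `demo()` is what step 18 stores in the behaviour database and what formula (1) counts on the next access: here alice's two allowed operations are ordinary records, the COPY request beyond her AccessModes is a risky record, and the edited token is a dangerous record, so her trust value falls at her next Name Node request.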

Claims (4)

1. An HDFS access control method based on roles and user trust values, characterized by comprising the following steps:
Step 1: Before accessing HDFS, the user first applies to the role management server for a user role; the role management server assigns a role to the user and issues a role certificate and a shared key to the user.
Step 2: Holding the role certificate and the shared key, the user accesses the trusted third-party authentication system Kerberos and applies for authentication; if the user's identity is legitimate, the user is granted a service ticket (Ticket) for accessing HDFS.
Step 3: The user presents the Ticket to the Name Node to request service. The Name Node queries the user behaviour records stored in the behaviour database and calculates the user's current trust value with the trust update algorithm. If the current trust value is greater than or equal to the trust value threshold Trust_threshold set by the system, the Name Node issues a Block Access Token to the user; the user presents the Block Access Token to all the Data Nodes named by the Name Node and obtains the required service.
2. The HDFS access control method based on roles and user trust values of claim 1, characterized in that assigning a role to the user comprises:
The role management server is the core of role assignment management and takes part in the access control process as a trusted authority. It consists mainly of five modules: a role management module, a key management module, a certificate management module, a user interface module and a network communication module. When a user submits an access request to the role management server (containing the user name, the password and the role applied for), the role management server queries the user and role database according to the user's identity, assigns the corresponding role to the user, generates a role certificate together with the role key generated by the key management module, and sends them to the user.
3. The HDFS access control method based on roles and user trust values of claim 2, characterized in that performing Kerberos authentication of the user comprises:
Kerberos performs user authentication as the trusted third-party authentication system: before accessing an application server, a user must first obtain the access ticket (Ticket) for that application server from the Kerberos server. The Kerberos server consists of two parts, an Authentication Server (AS) and a Ticket Granting Server (TGS). The AS checks whether the user is in the key database; if so, it issues a Ticket Granting Ticket (TGT), encrypts the TGT with the session key K1 and sends it to the user; if the user is not in the key database, service is refused.
The user decrypts the message with key K1 and sends the TGT, together with the user's own unique identifier encrypted with K1, to the TGS. After verifying the validity of the TGT, the TGS generates a service ticket (Ticket) for the user. The Ticket contains the session key K3, the user name, the IP address, the service name, the validity period and a timestamp, and is encrypted with key K2; K3 is encrypted with K1 and sent to the user together with the Ticket. Because the user does not know key K2, the information in the Ticket cannot be tampered with. The user decrypts the message with key K1 and obtains key K3, the key for interacting with HDFS.
4. The HDFS access control method based on roles and user trust values of claim 3, characterized in that, when the user accesses an HDFS resource, the method further comprises:
The behaviour database and the trust value database are both located on the Name Node. When a user presents a Ticket to the Name Node, the Name Node queries the user's behaviour records in the behaviour database and calculates the user's trust value with the trust update algorithm given in formula (1):
$$cf = initTrust + \frac{\alpha N_{OB} - \beta N_{RB} - \gamma N_{DB}}{N_{OB} + N_{RB} + N_{DB}} \qquad (1)$$
where cf is the user's latest trust value, initTrust is the user's initial trust value or historical trust value, N_OB, N_RB and N_DB are the total numbers of records of the three classes of user behaviour (ordinary behaviour, risky behaviour and dangerous behaviour), and α, β and γ are the trust assessment weights the system assigns to each behaviour class, satisfying α + β + γ = 1.
When the user's identity is legitimate, the service ticket is valid and the trust value is greater than or equal to the trust value threshold, the user is allowed to access resources in HDFS. The constraint expression of this access control rule is as follows:
When the user's identity is illegitimate, or the service ticket is invalid, or the trust value is less than the trust value threshold, the system refuses the user access to resources in HDFS. The constraint expression of this access control rule is as follows:
Here user is the user information, tick is the service ticket with which the user accesses the Name Node, cf is the user's latest trust value, Trust_threshold is the trust value threshold, ACCEPT means the access operation is allowed and DENY means the access operation is refused.
When the user satisfies rule CP, the Name Node issues a Block Access Token to the user, and the user presents the Block Access Token to the Data Nodes to obtain the required service; when the user satisfies rule CR, the Name Node sends the user a message refusing service.

Priority application and family

Application number: CN201510328860.2A; priority date 2015-06-10; filing date 2015-06-10; title "HDFS access control method based on role and user trust value"; status pending
Publication: CN104935590A, published 2015-09-23
Family ID: 54122562
Country status: CN, CN104935590A

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105656903A (en) * 2016-01-15 2016-06-08 国家计算机网络与信息安全管理中心 Hive platform user security management system and application
CN106790026A (en) * 2016-12-15 2017-05-31 国家计算机网络与信息安全管理中心 Multi-tenant network-disk authentication method and system based on Hadoop
CN106790027A (en) * 2016-12-15 2017-05-31 国家计算机网络与信息安全管理中心 Multi-tenant network-disk permission management method and system for the HDFS file system
CN106961441A (en) * 2017-04-06 2017-07-18 中国民航大学 Dynamic user access control method for the Hadoop cloud platform
CN106997440A (en) * 2017-04-10 2017-08-01 中经汇通电子商务有限公司 Role-based access control method
CN107196951A (en) * 2017-06-12 2017-09-22 北京明朝万达科技股份有限公司 Implementation method of an HDFS firewall, and firewall system
CN107342975A (en) * 2016-12-21 2017-11-10 安徽师范大学 Trust computation method based on domain division in an untrusted cloud environment
CN107483491A (en) * 2017-09-19 2017-12-15 山东大学 Access control method for distributed storage in a cloud environment
CN107612910A (en) * 2017-09-19 2018-01-19 北京邮电大学 Distributed file data access method and system
CN107665315A (en) * 2017-10-31 2018-02-06 上海应用技术大学 Role- and trust-based access control method suitable for Hadoop
CN107800723A (en) * 2017-12-06 2018-03-13 中盈优创资讯科技有限公司 CC attack protection method and device
CN108111348A (en) * 2017-12-20 2018-06-01 杭州云屏科技有限公司 Security policy management method and system for enterprise cloud applications
CN108427677A (en) * 2017-02-13 2018-08-21 阿里巴巴集团控股有限公司 Object access method, apparatus and electronic device
CN108924120A (en) * 2018-06-28 2018-11-30 电子科技大学 Multi-dimensional state-aware dynamic access control method
CN109063495A (en) * 2018-07-24 2018-12-21 中国人民解放军陆军工程大学 Access control risk analysis method based on spatial weighting
CN109245880A (en) * 2018-09-07 2019-01-18 国网福建省电力有限公司 Security hardening method for Hadoop components
CN109815685A (en) * 2019-01-18 2019-05-28 新华网股份有限公司 User permission management method, device, electronic equipment and readable storage medium
CN109831459A (en) * 2019-03-22 2019-05-31 百度在线网络技术(北京)有限公司 Method, apparatus, storage medium and terminal device for secure access
CN111353172A (en) * 2020-03-02 2020-06-30 山东工商学院 Blockchain-based Hadoop cluster big data access method and system
CN113076552A (en) * 2020-01-03 2021-07-06 中国移动通信集团广东有限公司 HDFS resource access permission verification method and device, and electronic equipment
CN113824554A (en) * 2021-08-30 2021-12-21 山东健康医疗大数据有限公司 Dynamic authentication method and device for data transmission between middleware, and computer medium
CN114465777A (en) * 2021-12-31 2022-05-10 惠州华阳通用智慧车载系统开发有限公司 TSP server access control method
CN114567489A (en) * 2022-03-02 2022-05-31 临沂大学 Dynamic access control method based on service body
CN114567473A (en) * 2022-02-23 2022-05-31 南通大学 Internet of Vehicles access control method based on a zero-trust mechanism
CN114666079A (en) * 2020-12-22 2022-06-24 中国科学院沈阳自动化研究所 Industrial control system access control method based on attribute certificates
CN114928499A (en) * 2022-06-21 2022-08-19 重庆邮电大学 Access control method based on blockchain and a trust system
CN116881956A (en) * 2023-09-08 2023-10-13 国网信息通信产业集团有限公司 Permission management method and device for multi-cloud resource management
CN117177243A (en) * 2023-10-30 2023-12-05 吉林大学 Biomedical data sharing system based on the 5G Internet of Things

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102307185A (en) * 2011-06-27 2012-01-04 北京大学 Data isolation method used in storage cloud
CN102457555A (en) * 2010-10-28 2012-05-16 中兴通讯股份有限公司 Security system and method for distributed storage
US20140196115A1 (en) * 2013-01-07 2014-07-10 Zettaset, Inc. Monitoring of Authorization-Exceeding Activity in Distributed Networks
CN104301301A (en) * 2014-09-04 2015-01-21 南京邮电大学 Inter-cloud-storage-system data migration encryption method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘莎: "Research and Implementation of a User Trusted Access Control Model for the Hadoop Cloud Platform", 《信息科技辑》 *
柴黄琪 et al.: "Security Mechanism Design Based on HDFS", 《计算机安全》 *

Cited By (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105656903B (en) * 2016-01-15 2018-07-27 国家计算机网络与信息安全管理中心 User security management system for a Hive platform, and application thereof
CN105656903A (en) * 2016-01-15 2016-06-08 国家计算机网络与信息安全管理中心 Hive platform user safety management system and application
CN106790027B (en) * 2016-12-15 2020-09-11 国家计算机网络与信息安全管理中心 Multi-tenant network disk authority management method and system of HDFS file system
CN106790026A (en) * 2016-12-15 2017-05-31 国家计算机网络与信息安全管理中心 Hadoop-based multi-tenant network disk authentication method and system
CN106790027A (en) * 2016-12-15 2017-05-31 国家计算机网络与信息安全管理中心 Multi-tenant network disk permission management method and system for an HDFS file system
CN106790026B (en) * 2016-12-15 2020-07-07 国家计算机网络与信息安全管理中心 Hadoop-based multi-tenant network disk authentication method and system
CN107342975A (en) * 2016-12-21 2017-11-10 安徽师范大学 Domain division-based trust computing method in an untrusted cloud environment
CN107342975B (en) * 2016-12-21 2020-03-24 安徽师范大学 Domain division-based trust computing method in untrusted cloud environment
CN108427677A (en) * 2017-02-13 2018-08-21 阿里巴巴集团控股有限公司 Object access method, apparatus and electronic device
CN106961441B (en) * 2017-04-06 2020-05-22 中国民航大学 User dynamic access control method for Hadoop cloud platform
CN106961441A (en) * 2017-04-06 2017-07-18 中国民航大学 User dynamic access control method for a Hadoop cloud platform
CN106997440A (en) * 2017-04-10 2017-08-01 中经汇通电子商务有限公司 Role-based access control method
CN107196951B (en) * 2017-06-12 2019-02-26 北京明朝万达科技股份有限公司 Implementation method and firewall system for an HDFS system firewall
CN107196951A (en) * 2017-06-12 2017-09-22 北京明朝万达科技股份有限公司 Implementation method and firewall system for an HDFS system firewall
CN107483491A (en) * 2017-09-19 2017-12-15 山东大学 Access control method for distributed storage in a cloud environment
CN107612910A (en) * 2017-09-19 2018-01-19 北京邮电大学 Distributed file data access method and system
CN107665315B (en) * 2017-10-31 2020-12-15 上海应用技术大学 Role and trust-based access control method suitable for Hadoop
CN107665315A (en) * 2017-10-31 2018-02-06 上海应用技术大学 Role- and trust-based access control method suitable for Hadoop
CN107800723A (en) * 2017-12-06 2018-03-13 中盈优创资讯科技有限公司 CC attack protection method and device
CN108111348A (en) * 2017-12-20 2018-06-01 杭州云屏科技有限公司 Security policy management method and system for enterprise cloud applications
CN108924120A (en) * 2018-06-28 2018-11-30 电子科技大学 Multi-dimensional state-aware dynamic access control method
CN109063495A (en) * 2018-07-24 2018-12-21 中国人民解放军陆军工程大学 Access control risk analysis method based on spatial weighting
CN109063495B (en) * 2018-07-24 2021-12-10 中国人民解放军陆军工程大学 Access control risk analysis method based on spatial weighting
CN109245880A (en) * 2018-09-07 2019-01-18 国网福建省电力有限公司 Hadoop component security hardening method
CN109245880B (en) * 2018-09-07 2021-06-22 国网福建省电力有限公司 Hadoop component safety reinforcement method
CN109815685A (en) * 2019-01-18 2019-05-28 新华网股份有限公司 User permission management method, device, electronic equipment and readable storage medium
CN109831459A (en) * 2019-03-22 2019-05-31 百度在线网络技术(北京)有限公司 Secure access method, apparatus, storage medium and terminal device
CN113076552B (en) * 2020-01-03 2022-10-18 中国移动通信集团广东有限公司 HDFS (Hadoop distributed File System) resource access permission verification method and device and electronic equipment
CN113076552A (en) * 2020-01-03 2021-07-06 中国移动通信集团广东有限公司 HDFS (Hadoop distributed File System) resource access permission verification method and device and electronic equipment
CN111353172A (en) * 2020-03-02 2020-06-30 山东工商学院 Hadoop cluster big data access method and system based on block chain
CN111353172B (en) * 2020-03-02 2023-04-11 山东工商学院 Hadoop cluster big data access method and system based on block chain
CN114666079A (en) * 2020-12-22 2022-06-24 中国科学院沈阳自动化研究所 Industrial control system access control method based on attribute certificate
CN114666079B (en) * 2020-12-22 2023-03-24 中国科学院沈阳自动化研究所 Industrial control system access control method based on attribute certificate
CN113824554A (en) * 2021-08-30 2021-12-21 山东健康医疗大数据有限公司 Dynamic authentication method and device for data transmission between middleware and computer medium
CN113824554B (en) * 2021-08-30 2024-02-13 山东浪潮智慧医疗科技有限公司 Dynamic authentication method, device and computer medium for data transmission between middleware
CN114465777A (en) * 2021-12-31 2022-05-10 惠州华阳通用智慧车载系统开发有限公司 TSP server access control method
CN114465777B (en) * 2021-12-31 2023-06-30 惠州华阳通用智慧车载系统开发有限公司 TSP server access control method
CN114567473B (en) * 2022-02-23 2024-01-09 南通大学 Internet of vehicles access control method based on zero trust mechanism
CN114567473A (en) * 2022-02-23 2022-05-31 南通大学 Zero-trust mechanism-based Internet of vehicles access control method
CN114567489A (en) * 2022-03-02 2022-05-31 临沂大学 Dynamic access control method based on service body
CN114567489B (en) * 2022-03-02 2023-09-15 临沂大学 Dynamic access control method based on service body
CN114928499A (en) * 2022-06-21 2022-08-19 重庆邮电大学 Access control method based on block chain and trust system
CN114928499B (en) * 2022-06-21 2023-09-19 深圳建科网络科技有限公司 Access control method based on block chain and trust system
CN116881956B (en) * 2023-09-08 2024-01-09 国网信息通信产业集团有限公司 Permission management method and device oriented to multi-cloud resource management
CN116881956A (en) * 2023-09-08 2023-10-13 国网信息通信产业集团有限公司 Permission management method and device oriented to multi-cloud resource management
CN117177243A (en) * 2023-10-30 2023-12-05 吉林大学 Biomedical data sharing system based on 5G Internet of things
CN117177243B (en) * 2023-10-30 2023-12-29 吉林大学 Biomedical data sharing system based on 5G Internet of things

Similar Documents

Publication Publication Date Title
CN104935590A (en) HDFS access control method based on role and user trust value
US20210336782A1 (en) Cryptoasset custodial system with different rules governing access to logically separated cryptoassets and proof-of-stake blockchain support
US10673626B2 (en) Threshold secret share authentication proof and secure blockchain voting with hardware security modules
Liang et al. PDPChain: A consortium blockchain-based privacy protection scheme for personal data
US11301845B2 (en) Cryptoasset custodial system with proof-of-stake blockchain support
De Oliveira et al. Towards a blockchain-based secure electronic medical record for healthcare applications
Zhu et al. Digital asset management with distributed permission over blockchain and attribute-based access control
US8726342B1 (en) Keystore access control system
US9736186B2 (en) Public and private hybrid distributed cloud storage system and cloud storage method
US8850593B2 (en) Data management using a virtual machine-data image
CN108390876A (en) Verifiable multi-authority access control method supporting revocation outsourcing, and cloud server
CN110099043A (en) Policy-hiding multi-authority access control method, and cloud storage system
CN109818757A (en) Cloud storage data access control method, attribute certificate issuing method and system
CN115701301A (en) Integration of blockchains, administrative group permissions, and access in an enterprise environment
CN107483491A (en) Access control method for distributed storage in a cloud environment
CN108833393A (en) Revocable data sharing method based on fog computing
CN103780607B (en) Data deduplication method based on different permissions
CN103391192B (en) Privacy-preserving cross-security-domain access control system and control method thereof
CN103259663A (en) User unified authentication method in cloud computing environment
CN103220141B (en) Sensitive data protection method and system based on group key policy
CN101321064A (en) Information system access control method and apparatus based on digital certificate technique
CN113645195B (en) Cloud medical record ciphertext access control system and method based on CP-ABE and SM4
CN116090000A (en) File security management method, system, device, medium and program product
CN111538973A (en) Personal authorization access control system based on state cryptographic algorithm
CN104935576A (en) Secure data split storage and designated user sharing system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20150923)
WD01 Invention patent application deemed withdrawn after publication