CN107483491A - Access control method for distributed storage in a cloud environment - Google Patents
- Publication number: CN107483491A (application CN201710848558.9)
- Authority: CN (China)
- Prior art keywords: ranger, system user, user, components, access
- Legal status: Pending (Google's estimate, not a legal conclusion)
Classifications (CPC):
- H04L63/102: network security, controlling access to devices or network resources; entity profiles
- H04L63/062: network security, key management; key distribution, e.g. centrally by a trusted party
- H04L63/0807: network security, authentication of entities using tickets, e.g. Kerberos
- H04L63/0876: network security, authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/108: network security, controlling access when the policy decisions are valid for a limited amount of time
- H04L67/1097: protocols for applications distributed across network nodes; distributed storage of data in networks, e.g. NFS, SAN or NAS
- H04L63/0428: network security, confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
The present invention relates to an access control method for distributed storage in a cloud environment. The method is based on cloud storage built on the HDFS distributed file system of a Hadoop cluster, and adds a secure access control function on top of that basic cloud storage system. Ranger is used to provide access control within the cloud storage system: a fine-grained, role-based access control and authorization system is built so that the cloud storage system can reliably isolate and protect the integrity of information of different levels or types belonging to multiple users, achieving data isolation in the cloud. Kerberos is used to provide access control to the specific data nodes in the cloud storage system, solving the access control problems inside the Hadoop cluster: between client and management node, between management node and data nodes, and between data nodes.
Description
Technical field
The present invention relates to an access control method for distributed storage in a cloud environment, and belongs to the technical field of secure access in cloud environments.
Background technology
Cloud computing is a model for the provisioning, use and delivery of internet-based services, and is a network computing technology that has gradually developed from the fusion of parallel processing, distributed computing, grid computing and similar technologies. Cloud computing was first formally proposed by Google in 2008. There are many definitions of cloud computing; the National Institute of Standards and Technology (NIST) defines it as a computing model that provides convenient, on-demand network access, anytime and anywhere, to a shared pool of configurable computing resources (such as networks, services, storage and applications), in which users can quickly obtain and release resources while reducing the overhead of interacting with and managing the service provider. Under the cloud computing model, user terminal devices become very simple, because the user only needs to send requests and the cloud service provider supplies computing resources, storage space and other application software on a pay-per-use basis. Cloud computing has been widely applied in many fields, including the cloud Internet of Things, cloud security, cloud storage and mobile communications.
Distributed storage interconnects a large number of ordinary PC servers over a network and provides service to the outside as a single whole. Under today's cloud computing and big data conditions, distributed storage systems have been widely adopted for their good scalability, low cost, high performance and ease of use. A distributed file system is the framework deployed on top of distributed storage resources. A distributed file system (DFS) applies the distributed idea to file storage: all resources are stored as files on the storage devices of particular physical machines, and these physical machines may be different physical devices in different physical locations. At the same time, this distributed storage mechanism and its workflow are transparent to the user. Common distributed file systems include Lustre, HDFS, FastDFS, MogileFS, GoogleFS, MooseFS, Ceph and Gluster.
With the demand for secure storage of massive data in big data environments, it has become extremely important to research key technologies such as access control, authentication and isolated data storage on a distributed architecture, and to develop storage systems for cloud computing and big data environments that have high availability, high security, high stability and high performance. On the one hand, a highly available distributed storage system meets the storage demands of cloud computing and big data environments; on the other hand, protecting massive data by user, application and security level prevents unauthorized access to the data.
The Hadoop distributed file system implements a permission model for files and directories similar to that of POSIX systems: each file and directory has an owner and a group. A file or directory grants different permissions to its owner, to the other users in its group and to all other users, and so controls the access of different users to HDFS directories. However, this access control method is limited: it is set only on the permissions of a traditional file or directory, and relying on this single kind of access control cannot satisfy security requirements well.
Content of the invention
In view of the shortcomings of the prior art, the present invention provides an access control method for distributed storage in a cloud environment.
Summary of the invention:
The core of the present invention is cloud storage based on the HDFS distributed file system of a Hadoop cluster, with a secure access control function added on top of that basic cloud storage system. Ranger provides access control within the cloud storage system: a fine-grained, role-based access control and authorization system is built so that the cloud storage system can reliably isolate and protect the integrity of information of different levels or types belonging to multiple users, achieving data isolation in the cloud. Kerberos provides access control to the specific data nodes in the cloud storage system, solving the access control problems inside the Hadoop cluster: between client and management node, between management node and data nodes, and between data nodes.
Term explanation:
1. Role-based access control. Access control means that after a user has been authenticated, the user's access to certain resources, or the user's use of certain control functions, is restricted according to the user's identity and the defined group to which the user belongs. In role-based access control (RBAC), permissions are associated with roles; a user obtains the corresponding permissions according to its roles, and can also obtain new permissions as new requirements are merged into the system.
2. Ranger is a centralized framework for implementing, monitoring and managing data security across the Hadoop platform. It provides a centralized management platform in which policies are created to grant different users access rights to particular paths.
3. Kerberos is a secure network authentication protocol. Using time-sensitive tickets generated with a symmetric encryption algorithm, it lets client and server authenticate each other without transmitting passwords over the network, and so provides a new method of secure authentication and access control.
4. KDC: Key Distribution Center.
5. Ticket granting ticket (TGT): in a Kerberos authentication system a TGT is issued to the user, and the TGT is used to obtain service tickets.
The technical scheme is as follows:
An access control method for distributed storage in a cloud environment, implemented on the basis of the Ranger framework and Kerberos. The Ranger framework comprises the Ranger Admin component, the Ranger plugin component and the Ranger Usersync component; the Kerberos component comprises the KDC and the helper tool ks_tool. The specific implementation steps are as follows:
A. User-based access control
A1. Deploy a Hadoop cluster. The Hadoop cluster comprises at least one Master node and multiple slave nodes, and supports upload, download and access to HDFS. Ranger-based access control adds the first "authentication gate" to the security of the cloud storage; the identity verification problems inside the Hadoop cluster, between client and management node, between management node and data nodes, and between data nodes, are then solved by Kerberos.
Implementing access control for distributed storage mainly involves two aspects: on the one hand, control of users' permissions to access data stored in HDFS; on the other hand, authentication and access control between the individual nodes inside the Hadoop cluster.
A2. Deploy the components of the Ranger framework. The Ranger admin component is deployed on a slave node, and the Ranger plugin and UserSync components are deployed on the Master node. System users are synchronized into the Ranger admin component, and a mysql database is used as the storage backend for the Ranger framework's policies and audit logs. How system users are synchronized into admin is implemented according to actual needs.
A3. In the Ranger admin component, define the local_hdfs service for HDFS. The Ranger admin component customizes access policies for the local_hdfs service; each policy sets the access path it applies to, the User/Group it affects, and the permissions that User/Group is to be granted.
A4. The access policies of the local_hdfs service are pushed into HDFS by the Ranger Plugin component, giving system users the specific access rights to the policy paths. At the same time, the Ranger Plugin component synchronizes system users' HDFS access logs into the Ranger admin component, where they form an audit log used to trace users' access footprints.
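As an added example (not code from the patent or from Apache Ranger), the following Python models steps A3 and A4: policies of the local_hdfs service carry a path, the users/groups they apply to and the accesses they grant, and a plugin-like authorizer evaluates each request against them and records an audit entry per decision. The class and function names, the sample policies and the group map are constructed for this illustration; the optional fallback argument models the native HDFS permission check that is consulted only when no policy matches.

```python
"""Toy evaluator for Ranger-style HDFS path policies (added example; not Ranger's
own code). A policy names a path under the local_hdfs service, the users/groups
it applies to and the accesses it grants; every decision produces an audit
record of the kind the plugin ships to Ranger admin. Sample data is constructed."""
from dataclasses import dataclass
import posixpath
import time


@dataclass(frozen=True)
class Policy:
    name: str
    path: str              # policy access path (an HDFS path)
    recursive: bool        # True: the policy also covers everything below path
    users: frozenset       # users the policy applies to
    groups: frozenset      # groups the policy applies to (as loaded by Usersync)
    accesses: frozenset    # subset of {"read", "write", "execute"}


def path_covered(policy: Policy, requested: str) -> bool:
    """Exact match, or prefix match on a directory boundary when recursive.

    Paths are normalised first, so "/data/finance/../hr" is judged as "/data/hr"
    and "/data/financeX" is not mistaken for a child of "/data/finance".
    """
    req = posixpath.normpath(requested)
    base = posixpath.normpath(policy.path)
    if req == base:
        return True
    return policy.recursive and req.startswith(base.rstrip("/") + "/")


class HdfsAuthorizer:
    """Stands in for the Ranger plugin embedded in the NameNode (steps A3/A4)."""

    def __init__(self, policies, user_groups, fallback=None):
        self.policies = list(policies)
        self.user_groups = user_groups   # user -> frozenset of groups (Usersync)
        # Optional native HDFS permission check, consulted only when no policy
        # matches: Ranger's policies sit on top of Hadoop's own permissions.
        self.fallback = fallback
        self.audit_log = []

    def is_allowed(self, user: str, path: str, access: str) -> bool:
        groups = self.user_groups.get(user, frozenset())
        matched = None
        for p in self.policies:
            applies = user in p.users or bool(groups & p.groups)
            if applies and access in p.accesses and path_covered(p, path):
                matched = p
                break
        if matched is not None:
            allowed = True
        elif self.fallback is not None:
            allowed = bool(self.fallback(user, path, access))
        else:
            allowed = False                  # no policy and no fallback: deny
        self.audit_log.append({              # the audit record synced to admin
            "time": time.time(), "user": user, "path": path, "access": access,
            "result": "allowed" if allowed else "denied",
            "policy": matched.name if matched else None,
        })
        return allowed


# Constructed sample: two local_hdfs policies and a Usersync-style group map.
POLICIES = [
    Policy("finance-read", "/data/finance", True,
           frozenset(), frozenset({"finance"}), frozenset({"read", "execute"})),
    Policy("etl-staging-write", "/data/finance/staging", True,
           frozenset({"etl"}), frozenset(), frozenset({"read", "write", "execute"})),
]
USER_GROUPS = {
    "alice": frozenset({"finance"}),
    "etl": frozenset({"svc"}),
    "mallory": frozenset({"hr"}),
}
AUTHZ = HdfsAuthorizer(POLICIES, USER_GROUPS)

if __name__ == "__main__":
    for user, path, access in [
        ("alice", "/data/finance/2017/q3.csv", "read"),
        ("alice", "/data/finance/2017/q3.csv", "write"),
        ("etl", "/data/finance/staging/part-0", "write"),
        ("mallory", "/data/finance/../finance/2017/q3.csv", "read"),
    ]:
        print(user, access, path, "->", AUTHZ.is_allowed(user, path, access))
```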
B. Authentication control inside the Hadoop cluster
B1. When a system user accesses a DataNode or NameNode server, it first sends a request to the AS to present its identity and request a TGT. The request includes the system user's name/ID, the system user's IP address and the validity period of the TGT. Here, TGT is the ticket granting ticket.
A Hadoop cluster mainly comprises two kinds of servers: the server hosting the NameNode (usually one) and the servers hosting DataNodes (usually several). In distributed storage the data itself is stored on the DataNodes, but when a client accesses a storage directory it must obtain the relevant DataNode information from the NameNode before it can access the DataNode.
B2. After the AS receives the request, it first checks in the mysql database whether the system user exists. If the system user exists, it returns two pieces of information to the system user: the first is the TGT, encrypted with the KDC's own key; the second is information encrypted with the system user's key, containing the TGS name/ID, a timestamp, the TGT lifetime and the TGS session key. If the user's request has passed verification, the user decrypts the second part with its own key and obtains the TGS session key; otherwise authentication fails. TGS is the ticket granting server.
Regarding the validity period and timestamp of the TGT: the "TGT validity period" is the time span during which the user, in its request, tells the AS it needs to use the TGT; the "timestamp" is the specific time of use contained in the TGT that is issued.
B3. The system user sends a request to the TGS to obtain an ST. The request includes an authenticator encrypted with the TGS session key, the request for the specific service sent in plaintext, and the TGT. ST is the service ticket.
B4. The TGS verifies the request. Verification includes comparing the user name in the TGT with the user name in the authenticator; comparing the timestamps and checking whether the timestamp has expired; checking whether the IP addresses are consistent; and checking whether the authenticator is already in the TGS cache. After verification passes, a reply is sent to the system user. The reply includes the encrypted service ticket ST and information encrypted with the TGS session key.
B5. After the user receives the reply, it decrypts it with the TGS session key and obtains the service session key for the corresponding service and the encrypted ST. The system user now holds the service ticket for the requested service, and uses the service ticket as its credential to send an access request to the specified server.
B6. The server decrypts and verifies the ST, checking the system user's user name, IP address and timestamp. If verification passes, the system user's access is allowed.
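The B1-B6 exchange, as an added example that is not part of the patent and not a Kerberos implementation: a standard-library-only Python model in which the AS issues a TGT plus a part sealed under the user's key, the TGS checks user name, timestamp, IP address and a replay cache of authenticators before issuing the ST, and the service performs the B6 checks. seal()/unseal(), KDC, client_login, client_get_st, service_check, the SKEW value and the sample principals are all assumed names and constructed data.

```python
"""Toy model of the AS/TGS/service exchange of steps B1-B6 (added example, not the
patent's code), standard library only: seal()/unseal() is a SHA-256 keystream plus
HMAC tag standing in for Kerberos' ciphers; `users` plays the mysql user table."""
import hashlib, hmac, json, os, time

SKEW = 300  # seconds of clock skew the verifiers tolerate (assumed value)

def _stream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption of a JSON-serialisable dict."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def authenticator(sk, user, ip, now=None):
    """Authenticator of B3: name/ID and timestamp, sealed under the session key."""
    return seal(sk, {"user": user, "ip": ip, "ts": now or time.time()})

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one object."""
    def __init__(self, users, services):
        self.users, self.services = users, services   # principal -> long-term key
        self.kdc_key = os.urandom(32)                # encrypts TGTs (B2)
        self.replay_cache = set()                    # authenticators the TGS has seen (B4)

    def as_exchange(self, user, ip, lifetime, now=None):
        """B1/B2: (TGT, part sealed under the user's key), or None if the user is unknown."""
        now = now or time.time()
        if user not in self.users:
            return None
        sk = os.urandom(32).hex()                    # TGS session key
        tgt = seal(self.kdc_key, {"user": user, "ip": ip, "sk": sk, "exp": now + lifetime})
        part2 = seal(self.users[user], {"tgs": "krbtgt", "ts": now, "life": lifetime, "sk": sk})
        return tgt, part2

    def tgs_exchange(self, tgt, auth_blob, service, now=None):
        """B3/B4: check TGT and authenticator; (ST, reply sealed under the TGS session key)."""
        now = now or time.time()
        t = unseal(self.kdc_key, tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, auth_blob)                    # only the real TGT holder knows sk
        if a["user"] != t["user"] or a["ip"] != t["ip"]:
            raise PermissionError("authenticator user name or IP does not match TGT")
        if abs(now - a["ts"]) > SKEW:
            raise PermissionError("authenticator timestamp expired")
        if auth_blob in self.replay_cache:
            raise PermissionError("authenticator already seen (replay)")
        self.replay_cache.add(auth_blob)
        ssk = os.urandom(32).hex()                   # service session key
        st = seal(self.services[service], {"user": t["user"], "ip": t["ip"], "sk": ssk, "exp": now + 3600})
        return st, seal(sk, {"service": service, "sk": ssk})

def client_login(kdc, user, user_key, ip, lifetime=8 * 3600, now=None):
    """Client side of B1/B2: (TGT, TGS session key), or None on failure."""
    r = kdc.as_exchange(user, ip, lifetime, now)
    try:
        tgt, part2 = r
        info = unseal(user_key, part2)               # wrong password -> wrong key -> fails
    except (TypeError, ValueError):                  # None (unknown user) or bad key
        return None
    return tgt, bytes.fromhex(info["sk"])

def client_get_st(kdc, user, ip, tgt, sk, service, now=None):
    """B3/B5: send authenticator + TGT (service name in clear); get ST and service session key."""
    st, reply = kdc.tgs_exchange(tgt, authenticator(sk, user, ip, now), service, now)
    return st, bytes.fromhex(unseal(sk, reply)["sk"])

def service_check(service_key, st, auth_blob, now=None):
    """B6: the NameNode/DataNode decrypts the ST and checks user name, IP and timestamp."""
    now = now or time.time()
    t = unseal(service_key, st)
    a = unseal(bytes.fromhex(t["sk"]), auth_blob)
    return (a["user"] == t["user"] and a["ip"] == t["ip"]
            and now <= t["exp"] and abs(now - a["ts"]) <= SKEW)

# Constructed sample principals: one user and the NameNode service.
USERS = {"alice": hashlib.sha256(b"alice-password").digest()}
SERVICES = {"hdfs/namenode": os.urandom(32)}
KDC_INSTANCE = KDC(USERS, SERVICES)

def demo(ip="10.0.0.5"):
    """Full B1-B6 run for alice; True if the NameNode admits the request."""
    tgt, sk = client_login(KDC_INSTANCE, "alice", USERS["alice"], ip)
    st, ssk = client_get_st(KDC_INSTANCE, "alice", ip, tgt, sk, "hdfs/namenode")
    return service_check(SERVICES["hdfs/namenode"], st, authenticator(ssk, "alice", ip))
```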
According to a preferred embodiment of the present invention, the authenticator encrypted with the TGS session key contains the system user's name/ID and a timestamp, and the plaintext request for the specific service is a request for the http service.
According to a preferred embodiment, the Ranger Admin component is the core interface of security management: through a centralized management console it provides visual operations to the user, applies those operations to HDFS, and so finally implements access control. The visual operations include creating and updating users/groups, defining services and access policies, and viewing access logs.
The Ranger plugin component is a lightweight java program embedded into the HDFS component. On the one hand, the Ranger plugin component connects HDFS to the Ranger admin component; on the other hand, it loads the access policies defined in the Ranger admin component onto the host where HDFS runs, and uploads system users' access logs to the Ranger admin component for auditing.
The Ranger Usersync component is the system user synchronization function provided by Ranger; it loads the existing system users and system user groups from Unix systems and LDAP into the Ranger Admin component as the users that access HDFS.
According to a preferred embodiment, the KDC provides an authentication service and a ticket granting service. The authentication service is responsible for authenticating system users and target services; the ticket granting service is responsible for generating tickets, which are time-limited, encrypted messages; the system user authenticates to the target service with a ticket. The authentication service is the AS (Authentication Service) and the ticket granting service is the TGS (Ticket Granting Service).
The helper tool ks_tool is a class of KDC tools that assist in using the KDC. ks_tool includes klist, which lists the kerberos tickets in the client's local credential cache.
According to a preferred embodiment, the system user is a Master system user or a slave system user; a Master system user is a Unix system user; and the policy access path in step A3 is an HDFS file path.
Beneficial effects of the present invention are:
1. The access control method for distributed storage in a cloud environment of the present invention adds Ranger's policy-based access rights model on top of Hadoop's original permissions and combines Ranger with Kerberos, so that access control between the components inside Hadoop is implemented together with access control of users.
2. The access control method for distributed storage in a cloud environment of the present invention makes full use of the centralized user permission management, policy management and log management provided by Ranger, making access control management more efficient.
Brief description of the drawings
Fig. 1 is the overall architecture diagram of the implementation of the access control method for distributed storage in a cloud environment of the present invention;
Fig. 2 is the architecture diagram of access control implemented with Ranger technology;
Fig. 3 is the architecture diagram of access control implemented with Kerberos technology.
Embodiments
The present invention is further described below with reference to the embodiments and the accompanying drawings, but is not limited to them.
Embodiment 1
As shown in Figs. 1-3.
An access control method for distributed storage in a cloud environment, implemented on the basis of the Ranger framework and Kerberos. The Ranger framework comprises the Ranger Admin component, the Ranger plugin component and the Ranger Usersync component; the Kerberos component comprises the KDC and the helper tool ks_tool. The specific implementation steps are as follows:
A. User-based access control
A1. Deploy a Hadoop cluster. The Hadoop cluster comprises at least one Master node and 3 slave nodes, and supports upload, download and access to HDFS. Ranger-based access control adds the first "authentication gate" to the security of the cloud storage; the identity verification problems inside the Hadoop cluster, between client and management node, between management node and data nodes, and between data nodes, are then solved by Kerberos.
Implementing access control for distributed storage mainly involves two aspects: on the one hand, control of users' permissions to access data stored in HDFS; on the other hand, authentication and access control between the individual nodes inside the Hadoop cluster.
A2. Deploy the components of the Ranger framework. The Ranger admin component is deployed on a slave node, and the Ranger plugin and UserSync components are deployed on the Master node. System users are synchronized into the Ranger admin component, and a mysql database is used as the storage backend for the Ranger framework's policies and audit logs. How system users are synchronized into admin is implemented according to actual needs.
A3. In the Ranger admin component, define the local_hdfs service for HDFS. The Ranger admin component customizes access policies for the local_hdfs service; each policy sets the access path it applies to, the User/Group it affects, and the permissions that User/Group is to be granted.
A4. The access policies of the local_hdfs service are pushed into HDFS by the Ranger Plugin component, giving system users the specific access rights to the policy paths. At the same time, the Ranger Plugin component synchronizes system users' HDFS access logs into the Ranger admin component, where they form an audit log used to trace users' access footprints.
B. Authentication control inside the Hadoop cluster
B1. When a system user accesses a DataNode or NameNode server, it first sends a request to the AS to present its identity and request a TGT. The request includes the system user's name/ID, the system user's IP address and the validity period of the TGT. Here, TGT is the ticket granting ticket.
B2. After the AS receives the request, it first checks in the mysql database whether the system user exists. If the system user exists, it returns two pieces of information to the system user: the first is the TGT, encrypted with the KDC's own key; the second is information encrypted with the system user's key, containing the TGS name/ID, a timestamp, the TGT lifetime and the TGS session key. If the user's request has passed verification, the user decrypts the second part with its own key and obtains the TGS session key; otherwise authentication fails. TGS is the ticket granting server.
Regarding the validity period and timestamp of the TGT: the "TGT validity period" is the time span during which the user, in its request, tells the AS it needs to use the TGT; the "timestamp" is the specific time of use contained in the TGT that is issued.
B3. The system user sends a request to the TGS to obtain an ST. The request includes an authenticator encrypted with the TGS session key, the request for the specific service sent in plaintext, and the TGT. ST is the service ticket.
B4. The TGS verifies the request. Verification includes comparing the user name in the TGT with the user name in the authenticator; comparing the timestamps and checking whether the timestamp has expired; checking whether the IP addresses are consistent; and checking whether the authenticator is already in the TGS cache. After verification passes, a reply is sent to the system user. The reply includes the encrypted service ticket ST and information encrypted with the TGS session key.
B5. After the user receives the reply, it decrypts it with the TGS session key and obtains the service session key for the corresponding service and the encrypted ST. The system user now holds the service ticket for the requested service, and uses the service ticket as its credential to send an access request to the specified server.
B6. The server decrypts and verifies the ST, checking the system user's user name, IP address and timestamp. If verification passes, the system user's access is allowed.
The specific method flow is as shown in Fig. 1. In the figure:
1) The user interacts with Kerberos, obtains a ticket granting ticket (TGT) and then a service ticket (ST), and so obtains the authority to access the NameNode.
2) The user interacts with Ranger; Ranger checks whether the user has the authority to access HDFS by looking up the user's authorization policies in the database.
3) After the user passes authentication, it connects to the NameNode and requests access to the data blocks stored in HDFS.
4) After the NameNode passes Kerberos service authentication, it distributes the specific operations to the individual DataNodes.
Embodiment 2
The access control method for distributed storage in a cloud environment as described in Embodiment 1, differing in that the authenticator encrypted with the TGS session key contains the system user's name/ID and a timestamp, and the plaintext request for the specific service is a request for the http service.
Embodiment 3
The access control method for distributed storage in a cloud environment as described in Embodiment 1, differing in that the Ranger Admin component is the core interface of security management: through a centralized management console it provides visual operations to the user, applies those operations to HDFS, and so finally implements access control. The visual operations include creating and updating users/groups, defining services and access policies, and viewing access logs.
The Ranger plugin component is a lightweight java program embedded into the HDFS component. On the one hand, the Ranger plugin component connects HDFS to the Ranger admin component; on the other hand, it loads the access policies defined in the Ranger admin component onto the host where HDFS runs, and uploads system users' access logs to the Ranger admin component for auditing.
The Ranger Usersync component is the system user synchronization function provided by Ranger; it loads the existing system users and system user groups from Unix systems and LDAP into the Ranger Admin component as the users that access HDFS.
Embodiment 4
The access control method for distributed storage in a cloud environment as described in Embodiment 1, differing in that the KDC provides an authentication service and a ticket granting service. The authentication service is responsible for authenticating system users and target services; the ticket granting service is responsible for generating tickets, which are time-limited, encrypted messages; the system user authenticates to the target service with a ticket. The authentication service is the AS (Authentication Service) and the ticket granting service is the TGS (Ticket Granting Service).
The helper tool ks_tool is a class of KDC tools that assist in using the KDC. ks_tool includes klist, which lists the kerberos tickets in the client's local credential cache.
Embodiment 5
The access control method for distributed storage in a cloud environment as described in Embodiment 1, differing in that the system user is a Master system user or a slave system user; a Master system user is a Unix system user; and the policy access path in step A3 is an HDFS file path.
Claims (5)
- A kind of 1. access control method of distributed storage under cloud environment, it is characterised in that based on Ranger frameworks and Kerberos is realized;Ranger frameworks include Ranger Admin components, Ranger plugin components and Ranger Usersync components;Kerberos component includes KDC and assists instrument ks_tool;Specific function realizes that step is as follows:A, the access control based on userA1, deployment Hadoop clusters;Hadoop clusters include at least one Master nodes and multiple slave nodes;A2, the component for disposing Ranger frameworks;Wherein Ranger admin deployment of components is on slave nodes, Ranger Plugin components and UserSync deployment of components are on Master nodes;Ranger admin components are arrived into system user renewal In, and the memory carrier of the strategy and audit log using mysql databases as Ranger frameworks;A3, in Ranger admin components, HDFS is defined local_hdfs service;Ranger admin components are local_ Hdfs service customization access strategies, realize the User/Group and User/Group being had an effect to tactful access path, strategy The setting for the authority that should be endowed;The access strategy of A4, local_hdfs service is updated into HDFS by Ranger Plugin components, realizes system user To the certain access rights of tactful access path;Meanwhile access log of the Ranger Plugin components by system user to HDFS It is synchronized in Ranger admin components, forms audit log, for detects the footprint of user's access;B, the certification of Hadoop cluster internals controlsB1, when system user access DataNode or NameNode servers when, send request to AS first, show the body of oneself Part, ask TGT;The effective time for asking to include the name/ID of system user, system user IP address and TGT;After B2, AS receive request, go in mysql databases to verify that the system user whether there is first;If system user is deposited Two parts information is then being returned to 
system user:A part of information is TGT, and the information is added by KDC itself password It is close;The information that another part information is encrypted for the key through system user, include TGS name/ID, timestamp, TGT life Cycle and TGS session key;B3, system user send to TGS and asked, and request obtains ST;Request includes, and uses recognizing for TGS session key encryptions Demonstrate,prove device, plaintext transmission special services request and TGT;B4, TGS verify to request;Checking includes, and contrasts the user name in the user name and authenticator in TGT;When comparing Between stab, the review time stamp it is whether expired, check IP address it is whether consistent;Check authenticator whether TGS caching in;Checking By rear, sent to system user and answer information;The answer information includes, and the service ticket ST of encryption, passes through TGS The information of session key encryptions;After B5, user receive answer information, decrypted by TGS session key, obtain the Service of corresponding with service The Session Key and ST of encryption;So far system user obtain request service service ticket, and using service ticket for foundation to The server specified sends access request;B6, server verify after ST is decrypted, user name, system user IP address and the timestamp of detecting system user; If the verification passes, then the access of the system user is allowed.
- 2. the access control method of distributed storage under cloud environment according to claim 1, it is characterised in that use TGS The authenticator of session key encryptions, include the name/ID and timestamp of system user;The special services of plaintext transmission are asked Ask and serviced for http.
- 3. The access control method for distributed storage in a cloud environment according to claim 1, characterised in that the Ranger Admin component is the core interface of security management: through a centralised management console it provides the user's visual operations, applies those operations to HDFS and thereby implements access control; the visual operations include creating and updating users/groups, defining services and access policies, and viewing access logs; the Ranger Plugin component is a lightweight Java program embedded in the HDFS component: on the one hand it connects HDFS to the Ranger Admin component, on the other hand it loads the access policies defined in the Ranger Admin component onto the host where HDFS runs and uploads the system users' access logs to the Ranger Admin component for auditing; the Ranger Usersync component is the system-user synchronisation function provided by Ranger, which loads the existing system users and system user groups of the Unix system or LDAP into the Ranger Admin component as the users that access HDFS.
- 4. The access control method for distributed storage in a cloud environment according to claim 1, characterised in that the KDC provides an authentication service and a ticket-granting service; the authentication service is responsible for authenticating system users and target services, and the ticket-granting service is responsible for generating tickets, which are time-limited encrypted messages; a system user authenticates to a target service by means of a ticket; the auxiliary tool ks_tool is the KDC's tool class, used to assist in operating the KDC; the auxiliary tool ks_tool includes klist, which lists the Kerberos tickets in the client's local credential cache.
- 5. The access control method for distributed storage in a cloud environment according to claim 1, characterised in that the system user is a Master system user or a Slave system user; the Master system user is a Unix system user; the policy access path in step A3 is an HDFS file path.
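The policy evaluation and audit logging of steps A3 and A4 in claim 1, with the Usersync group loading of claim 3 and the HDFS-path resources of claim 5, as an added example that is not the patent's description and not Ranger's own code. It assumes an in-memory policy list standing in for the policies stored by Ranger Admin for the service local_hdfs, a user-to-group map standing in for what Usersync would load from Unix or LDAP, a constructed set of users (`alice`, `bob`, `hdfs`), constructed paths, and a deny-by-default decision when no policy item applies. It shows two things the claims leave implicit: recursive path policies must match on a directory boundary (so `/data/finance` does not cover `/data/financeX`), and every decision, allowed or denied, lands in the audit log that Ranger Admin receives.

```python
"""Toy model of Ranger-style HDFS policy enforcement and auditing (constructed example)."""
import posixpath
import time

# user -> groups, as Usersync would load them from Unix/LDAP (constructed sample)
GROUPS = {"alice": {"analysts"}, "bob": {"interns"}, "hdfs": {"hadoop"}}

# policies defined in Ranger Admin for service local_hdfs (constructed sample);
# the resource of each policy is an HDFS file path (claim 5)
POLICIES = [
    {"service": "local_hdfs", "path": "/data/finance", "recursive": True,
     "allow": [{"users": [], "groups": ["analysts"], "perms": {"read", "execute"}},
               {"users": ["hdfs"], "groups": [], "perms": {"read", "write", "execute"}}]},
    {"service": "local_hdfs", "path": "/tmp", "recursive": True,
     "allow": [{"users": [], "groups": ["analysts", "interns"],
                "perms": {"read", "write", "execute"}}]},
]


class HdfsPlugin:
    """Stand-in for the plugin embedded in HDFS: evaluates policies and records audit events."""

    def __init__(self, service, policies, groups):
        self.service = service
        self.policies = [p for p in policies if p["service"] == service]
        self.groups = groups
        self.audit = []   # access log later synchronised to Ranger Admin (A4)

    def _matches(self, policy, path):
        # exact match, or a descendant when the policy is recursive; the trailing "/"
        # keeps "/data/finance" from matching "/data/financeX"
        path, root = posixpath.normpath(path), posixpath.normpath(policy["path"])
        if path == root:
            return True
        return bool(policy["recursive"]) and path.startswith(root.rstrip("/") + "/")

    def authorize(self, user, path, action, client_ip="-"):
        allowed, matched = False, None
        user_groups = self.groups.get(user, set())
        for policy in self.policies:
            if not self._matches(policy, path):
                continue
            for item in policy["allow"]:
                applies = user in item["users"] or bool(user_groups & set(item["groups"]))
                if applies and action in item["perms"]:
                    allowed, matched = True, policy["path"]
                    break
            if allowed:
                break
        # deny-by-default; every decision becomes an audit record (A4)
        self.audit.append({"ts": time.time(), "user": user, "client": client_ip,
                           "resource": posixpath.normpath(path), "action": action,
                           "result": "ALLOWED" if allowed else "DENIED", "policy": matched})
        return allowed

    def denied(self):
        # the "access footprint" a reviewer would look at first
        return [r for r in self.audit if r["result"] == "DENIED"]
```

A typical run: `HdfsPlugin("local_hdfs", POLICIES, GROUPS).authorize("alice", "/data/finance/2017/q3.csv", "read")` is allowed through the analysts group, the same user's `write` is denied, and both decisions appear in `audit`. The real plugin's fallback to native HDFS permissions when no policy matches is not modelled here; this example denies outright.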
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710848558.9A CN107483491A (en) | 2017-09-19 | 2017-09-19 | The access control method of distributed storage under a kind of cloud environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710848558.9A CN107483491A (en) | 2017-09-19 | 2017-09-19 | The access control method of distributed storage under a kind of cloud environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107483491A true CN107483491A (en) | 2017-12-15 |
Family
ID=60586637
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710848558.9A Pending CN107483491A (en) | 2017-09-19 | 2017-09-19 | The access control method of distributed storage under a kind of cloud environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107483491A (en) |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108965266A (en) * | 2018-06-28 | 2018-12-07 | 如般量子科技有限公司 | A kind of User-to-User identity authorization system and method based on group key pond and Kerberos |
CN109213095A (en) * | 2018-08-13 | 2019-01-15 | 珠海格力电器股份有限公司 | Distributed central control method and system, server-side, network layer controller |
CN109815010A (en) * | 2018-12-29 | 2019-05-28 | 深圳供电局有限公司 | A kind of cloud platform unified identity authentication method and system |
CN109871484A (en) * | 2019-01-31 | 2019-06-11 | 广州工程技术职业学院 | A kind of financial product real-time recommendation method |
CN110086805A (en) * | 2019-04-25 | 2019-08-02 | 四川师范大学 | Based on the information secure transmission method under cross-domain distributed micro services framework |
CN110309666A (en) * | 2019-07-10 | 2019-10-08 | 浪潮云信息技术有限公司 | A kind of fine-grained access control method and system based on tactful grammer |
CN110519285A (en) * | 2019-08-30 | 2019-11-29 | 浙江大搜车软件技术有限公司 | User authen method, device, computer equipment and storage medium |
CN110569637A (en) * | 2019-08-07 | 2019-12-13 | 苏州浪潮智能科技有限公司 | Visualization system and method for managing HDFS space resources |
CN110602136A (en) * | 2019-09-25 | 2019-12-20 | 华为技术有限公司 | Cluster access method and related product |
CN111010401A (en) * | 2019-12-23 | 2020-04-14 | 华中科技大学 | Token-based network security framework for distributed water resource management support system |
CN111107099A (en) * | 2019-12-28 | 2020-05-05 | 北京工业大学 | Self-adaptive access control method suitable for mixed cloud environment |
CN111597536A (en) * | 2020-05-19 | 2020-08-28 | 重庆第二师范学院 | Hadoop cluster kerberos high-availability authentication method |
CN112311830A (en) * | 2019-07-31 | 2021-02-02 | 华为技术有限公司 | Cloud storage-based Hadoop cluster multi-tenant authentication system and method |
CN112668022A (en) * | 2020-12-25 | 2021-04-16 | 深圳创新科技术有限公司 | License management method, device and system for invoking cloud disk service |
CN112861158A (en) * | 2021-03-03 | 2021-05-28 | 深圳市鹰硕云科技有限公司 | Range-based safety protection method and system in intelligent education platform |
CN112948884A (en) * | 2021-03-25 | 2021-06-11 | 中国电子科技集团公司第三十研究所 | Method and system for implementing big data access control on application level user |
WO2021115231A1 (en) * | 2019-12-10 | 2021-06-17 | 华为技术有限公司 | Authentication method and related device |
CN113630365A (en) * | 2020-05-07 | 2021-11-09 | 中移动信息技术有限公司 | Parallel transmission method, device and equipment for mass heterogeneous data and storage medium |
CN114374524A (en) * | 2020-10-14 | 2022-04-19 | 北京金山云网络技术有限公司 | Access control method and device for object storage, storage medium and electronic device |
WO2023088090A1 (en) * | 2021-11-22 | 2023-05-25 | 华为技术有限公司 | File verification method and related device |
CN117278342A (en) * | 2023-11-23 | 2023-12-22 | 数字苏州建设有限公司 | Multi-environment Hadoop KMS proxy service method and system |
CN117439823A (en) * | 2023-12-20 | 2024-01-23 | 深圳市智安网络有限公司 | Cloud data intelligent authority authentication safety protection method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104363095A (en) * | 2014-11-12 | 2015-02-18 | 浪潮(北京)电子信息产业有限公司 | Method for establishing hadoop identity authentication mechanism |
CN104935590A (en) * | 2015-06-10 | 2015-09-23 | 南京航空航天大学 | HDFS access control method based on role and user trust value |
CN106375323A (en) * | 2016-09-09 | 2017-02-01 | 浪潮软件股份有限公司 | Method for carrying out kerberos identity authentication in multi-tenant mode |
CN107066867A (en) * | 2017-03-11 | 2017-08-18 | 郑州云海信息技术有限公司 | A kind of big data cluster resource allocation methods and device |
2017
- 2017-09-19 CN CN201710848558.9A patent/CN107483491A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104363095A (en) * | 2014-11-12 | 2015-02-18 | 浪潮(北京)电子信息产业有限公司 | Method for establishing hadoop identity authentication mechanism |
CN104935590A (en) * | 2015-06-10 | 2015-09-23 | 南京航空航天大学 | HDFS access control method based on role and user trust value |
CN106375323A (en) * | 2016-09-09 | 2017-02-01 | 浪潮软件股份有限公司 | Method for carrying out kerberos identity authentication in multi-tenant mode |
CN107066867A (en) * | 2017-03-11 | 2017-08-18 | 郑州云海信息技术有限公司 | A kind of big data cluster resource allocation methods and device |
Non-Patent Citations (2)
Title |
---|
KAI ZHENG.ET: ""A token authentication solution for hadoop based on kerberos pre-authentication"", 《IEEE CONFERENCE》 * |
王文杰等: ""开源大数据治理与安全软件综述"", 《信息网络安全》 * |
Cited By (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108965266A (en) * | 2018-06-28 | 2018-12-07 | 如般量子科技有限公司 | A kind of User-to-User identity authorization system and method based on group key pond and Kerberos |
CN108965266B (en) * | 2018-06-28 | 2021-03-02 | 如般量子科技有限公司 | User-to-User identity authentication system and method based on group key pool and Kerberos |
CN109213095A (en) * | 2018-08-13 | 2019-01-15 | 珠海格力电器股份有限公司 | Distributed central control method and system, server-side, network layer controller |
CN109815010A (en) * | 2018-12-29 | 2019-05-28 | 深圳供电局有限公司 | A kind of cloud platform unified identity authentication method and system |
CN109871484A (en) * | 2019-01-31 | 2019-06-11 | 广州工程技术职业学院 | A kind of financial product real-time recommendation method |
CN109871484B (en) * | 2019-01-31 | 2022-02-18 | 广州工程技术职业学院 | Real-time financial product recommendation method |
CN110086805A (en) * | 2019-04-25 | 2019-08-02 | 四川师范大学 | Based on the information secure transmission method under cross-domain distributed micro services framework |
CN110086805B (en) * | 2019-04-25 | 2021-10-26 | 四川师范大学 | Information security transmission method based on cross-domain distributed micro-service architecture |
CN110309666A (en) * | 2019-07-10 | 2019-10-08 | 浪潮云信息技术有限公司 | A kind of fine-grained access control method and system based on tactful grammer |
CN112311830A (en) * | 2019-07-31 | 2021-02-02 | 华为技术有限公司 | Cloud storage-based Hadoop cluster multi-tenant authentication system and method |
CN112311830B (en) * | 2019-07-31 | 2022-03-01 | 华为云计算技术有限公司 | Cloud storage-based Hadoop cluster multi-tenant authentication system and method |
CN110569637A (en) * | 2019-08-07 | 2019-12-13 | 苏州浪潮智能科技有限公司 | Visualization system and method for managing HDFS space resources |
CN110519285A (en) * | 2019-08-30 | 2019-11-29 | 浙江大搜车软件技术有限公司 | User authen method, device, computer equipment and storage medium |
CN110602136B (en) * | 2019-09-25 | 2021-09-14 | 华为技术有限公司 | Cluster access method and related product |
CN110602136A (en) * | 2019-09-25 | 2019-12-20 | 华为技术有限公司 | Cluster access method and related product |
WO2021115231A1 (en) * | 2019-12-10 | 2021-06-17 | 华为技术有限公司 | Authentication method and related device |
CN111010401A (en) * | 2019-12-23 | 2020-04-14 | 华中科技大学 | Token-based network security framework for distributed water resource management support system |
CN111107099A (en) * | 2019-12-28 | 2020-05-05 | 北京工业大学 | Self-adaptive access control method suitable for mixed cloud environment |
CN113630365B (en) * | 2020-05-07 | 2023-03-21 | 中移动信息技术有限公司 | Parallel transmission method, device and equipment for mass heterogeneous data and storage medium |
CN113630365A (en) * | 2020-05-07 | 2021-11-09 | 中移动信息技术有限公司 | Parallel transmission method, device and equipment for mass heterogeneous data and storage medium |
CN111597536A (en) * | 2020-05-19 | 2020-08-28 | 重庆第二师范学院 | Hadoop cluster kerberos high-availability authentication method |
CN114374524A (en) * | 2020-10-14 | 2022-04-19 | 北京金山云网络技术有限公司 | Access control method and device for object storage, storage medium and electronic device |
CN112668022A (en) * | 2020-12-25 | 2021-04-16 | 深圳创新科技术有限公司 | License management method, device and system for invoking cloud disk service |
CN112861158A (en) * | 2021-03-03 | 2021-05-28 | 深圳市鹰硕云科技有限公司 | Range-based safety protection method and system in intelligent education platform |
CN112948884A (en) * | 2021-03-25 | 2021-06-11 | 中国电子科技集团公司第三十研究所 | Method and system for implementing big data access control on application level user |
WO2023088090A1 (en) * | 2021-11-22 | 2023-05-25 | 华为技术有限公司 | File verification method and related device |
CN117278342A (en) * | 2023-11-23 | 2023-12-22 | 数字苏州建设有限公司 | Multi-environment Hadoop KMS proxy service method and system |
CN117278342B (en) * | 2023-11-23 | 2024-03-01 | 数字苏州建设有限公司 | Multi-environment Hadoop KMS proxy service method and system |
CN117439823A (en) * | 2023-12-20 | 2024-01-23 | 深圳市智安网络有限公司 | Cloud data intelligent authority authentication safety protection method and system |
CN117439823B (en) * | 2023-12-20 | 2024-03-12 | 深圳市智安网络有限公司 | Cloud data intelligent authority authentication safety protection method and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107483491A (en) | | The access control method of distributed storage under a kind of cloud environment |
US11606352B2 (en) | | Time-based one time password (TOTP) for network authentication |
CN105577665B (en) | | Identity and access control management system and method under a kind of cloud environment |
US10027670B2 (en) | | Distributed authentication |
CN105103488B (en) | | By the policy Enforcement of associated data |
CN103327084B (en) | | The cloud storage system of a kind of public and private mixed distribution formula and cloud storage method |
CN100542092C (en) | | Distributed access control method in multistage securities |
CN113507458B (en) | | Cross-domain identity authentication method based on block chain |
CN104935590A (en) | | HDFS access control method based on role and user trust value |
CN109088857B (en) | | Distributed authorization management method in scene of Internet of things |
CN103259663A (en) | | User unified authentication method in cloud computing environment |
WO2022121461A1 (en) | | Method, apparatus and device for constructing token for cloud platform resource access control |
CN106127368A (en) | | Date storage method for ERP System |
CN106095954A (en) | | Data base management method for enterprise supply chain |
CN106127064A (en) | | Date storage method for enterprise supply chain |
CN108259422A (en) | | A kind of multi-tenant access control method and device |
CN109728903A (en) | | A kind of block chain weak center password authorization method using properties secret |
Aung et al. | | Ethereum-based emergency service for smart home system: Smart contract implementation |
CN101291220B (en) | | System, device and method for identity security authentication |
CN103166969A (en) | | Security access method for cloud controller based on cloud computing platform |
CN105635321A (en) | | Registration method for dynamic networking equipment |
CN110891067B (en) | | Revocable multi-server privacy protection authentication method and revocable multi-server privacy protection authentication system |
Dong et al. | | Anonymous cross-domain authentication scheme for medical PKI system |
Chen et al. | | Design of web service single sign-on based on ticket and assertion |
Yan et al. | | Distributed authentication scheme for industry internet platform application based on consortium blockchain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | Application publication date: 20171215 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |