CN107483491A - The access control method of distributed storage under a kind of cloud environment - Google Patents


Info

Publication number: CN107483491A
Authority: CN (China)
Prior art keywords: ranger, system user, user, components, access
Legal status: Pending
Application number: CN201710848558.9A
Other languages: Chinese (zh)
Inventors: 张卫品, 戴鸿君, 崔立真
Current assignee: Shandong University
Original assignee: Shandong University
Application filed by Shandong University; priority to CN201710848558.9A; publication of CN107483491A.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/102 Entity profiles (under H04L 63/10, controlling access to devices or network resources)
    • H04L 63/108 Controlling access to devices or network resources when the policy decisions are valid for a limited amount of time (under H04L 63/10)
    • H04L 63/062 Key distribution, e.g. centrally by trusted party (under H04L 63/06, supporting key management in a packet data network)
    • H04L 63/0807 Authentication of entities using tickets, e.g. Kerberos (under H04L 63/08)
    • H04L 63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L 63/08)
    • H04L 63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L 63/04)
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS] (under H04L 67/01 Protocols, H04L 67/10)

Abstract

The present invention relates to an access control method for distributed storage in a cloud environment. The method is based on cloud storage built on the HDFS distributed file system of a Hadoop cluster, and adds secure access control functions on top of this basic cloud storage system. Ranger is used to implement access control in the cloud storage system and to build a fine-grained, role-based access control and authorization system, so that the cloud storage system reliably supports effective isolation and integrity protection of information of different levels or types for multiple users, achieving cloud data isolation. Kerberos is used to implement access control for specific data nodes in the cloud storage system, solving the access control problems inside the Hadoop cluster: between client and management node, between management node and data nodes, and between data nodes.

Description

The access control method of distributed storage under a kind of cloud environment
Technical field
The present invention relates to an access control method for distributed storage in a cloud environment, and belongs to the technical field of secure access in cloud environments.
Background technology
Cloud computing (Cloud Computing) is a model for adding, using and delivering related services over the Internet; it is a network computing technology that grew out of the gradual fusion of parallel processing, distributed computing and grid computing. Cloud computing was first formally proposed by Google in 2008. Definitions of cloud computing vary. The National Institute of Standards and Technology (NIST) defines it as a computing model for ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, services, storage and applications); this model lets users rapidly obtain and release resources while reducing interaction with the service provider and management overhead. Under the cloud computing model, user terminal devices become very simple, because users need only send requests, and the cloud service provider supplies computing resources, storage space and other application software billed on demand. Cloud computing has been widely applied in many fields, including the cloud Internet of Things, cloud security, cloud storage and mobile communications.
Distributed storage interconnects a large number of commodity PC servers over a network and provides service externally as a single whole. In today's cloud computing and big data environment, distributed storage systems have found large-scale application thanks to their good scalability, low cost, high performance and ease of use. A distributed file system is the framework deployed over distributed storage resources. A distributed file system (Distributed File System, DFS) applies the distributed idea to file storage: all resources are stored as files on the storage devices of specific physical machines, and these machines may be physically separate devices in different locations, while the distributed storage mechanism and its flows remain transparent to the user. Common distributed file systems include Lustre, HDFS, FastDFS, MogileFS, GoogleFS, MooseFS, Ceph and Gluster.
Given the demand for secure storage of massive data in big data environments, it is extremely important to research key technologies such as access control, identity authentication and data isolation storage on a distributed architecture, and to develop storage systems with high availability, high security, high stability and high performance for cloud computing and big data environments. On the one hand, a highly available distributed storage system meets the effective storage demands of cloud computing and big data environments; on the other hand, protecting massive data by user, application and security level prevents unauthorized access to data.
The Hadoop Distributed File System implements a file and directory permission model similar to that of POSIX systems: every file and directory has an owner (owner) and a group (group), and a file or directory grants different permissions to its owner, to the other users in its group and to all other users, which controls the permissions with which different users access HDFS directories. But this access control method is simple, offering only the traditional permission settings of files and directories; relying on this kind of access control alone cannot meet security requirements well.
The content of the invention
In view of the shortcomings of the prior art, the present invention provides an access control method for distributed storage in a cloud environment.
Summary of the invention:
The core of the present invention is cloud storage based on the HDFS distributed file system of a Hadoop cluster, to which secure access control functions are added. Ranger is used to implement access control in the cloud storage system and to build a fine-grained, role-based access control and authorization system, so that the cloud storage system reliably supports effective isolation and integrity protection of information of different levels or types for multiple users, achieving cloud data isolation. Kerberos is used to implement access control for specific data nodes in the cloud storage system, solving the access control problems inside the Hadoop cluster: between client and management node, between management node and data nodes, and between data nodes.
Term explanation:
1. Role-based access control. Access control means that, after identity authentication, the identity of a user and the defined group to which the user belongs are used to limit the user's access to certain resource information, or to limit the user's use of control functions. In role-based access control (RBAC), permissions are associated with roles, and a user obtains the corresponding permissions according to its role; a user can also obtain new permissions as new requirements are merged into the system.
2. Ranger is a centralized framework for implementing, monitoring and managing data security across the Hadoop platform. It provides a centralized management platform and grants different users access rights to particular paths by generating policies (policies).
3. Kerberos is a secure network authentication protocol. Using time-sensitive tickets generated with a symmetric encryption algorithm, it lets a client and a server authenticate each other without sending the password over the network, providing a new method of secure authentication and access control.
4. KDC, the Key Distribution Center (Key Distribution Center).
5. Ticket-granting ticket (Ticket Granting Ticket, TGT). The Kerberos authentication system issues a TGT to the user; the TGT is used to obtain service tickets.
The technical scheme is as follows:
An access control method for distributed storage in a cloud environment, implemented on the basis of the Ranger framework and Kerberos. The Ranger framework comprises a Ranger Admin component, a Ranger plugin component and a Ranger Usersync component; the Kerberos component comprises a KDC and the auxiliary tool ks_tool. The specific implementation steps are as follows:
A. Access control based on users
A1. Deploy a Hadoop cluster. The Hadoop cluster comprises at least one Master node and several slave nodes, and implements uploading, downloading and access to HDFS. Access control based on Ranger adds a first "authentication threshold" to the security of the cloud storage; the identity verification problems inside the Hadoop cluster, between client and management node, between management node and data nodes, and between data nodes, are then solved by Kerberos.
Implementing distributed storage access control mainly involves two aspects: on the one hand, controlling the permissions with which users access HDFS storage; on the other hand, identity authentication and access control between the nodes inside the Hadoop cluster.
A2. Deploy the components of the Ranger framework. The Ranger admin component is deployed on a slave node, and the Ranger Plugin and UserSync components are deployed on the Master node. System users are updated into the Ranger admin component, and a MySQL database is used as the storage for the policies and audit logs of the Ranger framework. How system users are updated into admin is implemented according to actual needs.
A3. In the Ranger admin component, define a local_hdfs service for HDFS. The Ranger admin component customizes access policies for the local_hdfs service, setting the access path of each policy, the User/Group to which the policy applies and the permissions that the User/Group should be granted.
A4. The access policies of the local_hdfs service are pushed into HDFS by the Ranger Plugin component, giving system users the specified access rights to each policy's access path. At the same time, the Ranger Plugin component synchronizes system users' HDFS access logs into the Ranger admin component, forming an audit log used to trace users' access footprints.
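The following Python code is an added example, not code from the patent or from Apache Ranger. It models steps A3 and A4 with a simplified policy structure (path, users/groups, accesses) for a local_hdfs service, evaluates a system user's request against the policies the way the plugin would, and records every decision as an audit entry. The policy field names, users, groups and paths are constructed sample values, not Ranger's actual JSON schema.

```python
"""Added example (not the patent's or Ranger's code): evaluating simplified
Ranger-style HDFS policies for a 'local_hdfs' service (step A3) and writing
audit records for each decision (step A4).

The policy layout (path, recursive flag, items with users/groups/accesses)
is an assumption modelled loosely on Ranger's policy format.
"""
from datetime import datetime, timezone
import fnmatch

# Constructed sample: system users and their groups, as Usersync would load them.
USER_GROUPS = {
    "alice": {"analysts"},
    "bob": {"etl"},
    "carol": {"analysts", "admins"},
}

# Constructed sample policies for the local_hdfs service.
POLICIES = [
    {"name": "analysts-read-warehouse", "service": "local_hdfs",
     "path": "/warehouse/*", "recursive": True,
     "items": [{"users": [], "groups": ["analysts"], "accesses": {"read", "execute"}}]},
    {"name": "etl-write-staging", "service": "local_hdfs",
     "path": "/staging", "recursive": True,
     "items": [{"users": ["bob"], "groups": [], "accesses": {"read", "write", "execute"}}]},
    {"name": "admins-all", "service": "local_hdfs",
     "path": "/", "recursive": True,
     "items": [{"users": [], "groups": ["admins"], "accesses": {"read", "write", "execute"}}]},
]

AUDIT_LOG = []  # what the plugin would forward to Ranger admin (step A4)


def _path_matches(policy_path, requested, recursive):
    """Match a requested HDFS path against a policy path.

    Wildcards follow glob rules; a recursive policy also covers every
    descendant of the policy path.
    """
    if fnmatch.fnmatchcase(requested, policy_path):
        return True
    if recursive:
        prefix = policy_path.rstrip("/*")
        return requested == prefix or requested.startswith(prefix + "/")
    return False


def authorize(user, path, access, policies=POLICIES, user_groups=USER_GROUPS):
    """Return (allowed, policy_name) for `user` requesting `access` on `path`.

    Mirrors the plugin-side check: the first matching policy item that names
    the caller (directly or via a group) and includes the requested access
    allows the request; anything else is denied. Each decision is logged.
    """
    groups = user_groups.get(user, set())
    decision = (False, None)
    for pol in policies:
        if not _path_matches(pol["path"], path, pol["recursive"]):
            continue
        for item in pol["items"]:
            in_users = user in item["users"]
            in_groups = bool(groups & set(item["groups"]))
            if (in_users or in_groups) and access in item["accesses"]:
                decision = (True, pol["name"])
                break
        if decision[0]:
            break
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "service": "local_hdfs", "user": user, "path": path,
        "access": access, "result": "ALLOWED" if decision[0] else "DENIED",
        "policy": decision[1],
    })
    return decision


if __name__ == "__main__":
    print(authorize("alice", "/warehouse/sales/2017.csv", "read"))
    print(authorize("alice", "/warehouse/sales/2017.csv", "write"))
    print(authorize("bob", "/staging/in.csv", "write"))
    for entry in AUDIT_LOG:
        print(entry)
```

The audit entries are what the patent's step A4 describes being synchronized back to the admin component: a denied write by an analyst on the warehouse path is as worth keeping as the allowed reads, because it is the footprint a reviewer later needs.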
B. Authentication control inside the Hadoop cluster
B1. When a system user wants to access a DataNode or NameNode server, the user first sends a request to the AS, presents its identity and asks for a TGT. The request contains the system user's name/ID, the system user's IP address and the validity period of the TGT. The TGT is the ticket-granting ticket (ticket grant ticket).
A Hadoop cluster mainly comprises two kinds of servers: the server (generally one) hosting the NameNode and the servers (generally several) hosting DataNodes. In distributed storage the data is stored on the DataNodes, but when a client accesses the storage directory it must first obtain the relevant DataNode information from the NameNode before it can access the DataNode.
B2. After the AS receives the request, it first checks in the MySQL database whether the system user exists. If the system user exists, it returns two parts of information to the system user: the first part is the TGT, encrypted with the KDC's own password; the second part is encrypted with the system user's key and contains the TGS name/ID, a timestamp, the TGT lifetime and the TGS session key. If the user that sent the request is verified, it decrypts the second part with its own key and obtains the TGS session key; otherwise authentication fails. The TGS is the ticket-granting server (ticket grant server).
Regarding the validity period and timestamp of the TGT: the "TGT validity period" is the time window within which the user, in its request, tells the AS it needs to use the TGT; the "timestamp" is the specific time of use contained in the issued TGT.
B3. The system user sends a request to the TGS asking for an ST. The request contains an authenticator encrypted with the TGS session key, a plaintext request for the specific service, and the TGT. The ST is the Service Ticket (service ticket).
B4. The TGS verifies the request: it compares the user name in the TGT with the user name in the authenticator; compares the timestamps and checks whether the timestamp has expired; checks whether the IP addresses are consistent; and checks whether the authenticator is already in the TGS cache. After verification passes, it sends a reply to the system user containing the encrypted service ticket ST and information encrypted with the TGS session key.
B5. After receiving the reply, the user decrypts it with the TGS session key and obtains the Service Session Key for the corresponding service and the encrypted ST. The system user now holds the service ticket for the requested service and sends an access request, based on the service ticket, to the specified server.
B6. The server decrypts the ST and verifies it, checking the system user's user name, IP address and timestamp; if verification passes, the system user's access is allowed.
Preferably, the authenticator encrypted with the TGS session key comprises the name/ID of the system user and a timestamp, and the specific service requested in plaintext is the http service.
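The following Python code is an added example, not the patent's or Kerberos's implementation. It simulates the B1 to B6 exchange end to end with the authenticator of the preferred embodiment (system user name/ID plus timestamp), and shows the TGS refusing a replayed authenticator and a ticket presented from another address. The cipher is a toy (SHA-256 keystream XOR plus HMAC-SHA256) standing in for the symmetric encryption; principal names, keys, lifetimes and IP addresses are constructed.

```python
"""Added example (not the patent's code): a runnable simulation of the
Kerberos exchange in steps B1-B6 with the preferred authenticator
(user name/ID + timestamp).

seal/unseal is a toy authenticated cipher so the message flow and the
TGS/server checks (user match, timestamp expiry, address match, replay
cache) can be exercised offline; it is not a real Kerberos encryption type.
All principals, keys and addresses are constructed sample values.
"""
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password):
    return hashlib.sha256(password.encode()).digest()   # stand-in for string2key

# Constructed KDC database (the patent keeps users in MySQL; a dict here).
USER_DB = {"alice": user_key("alice-password")}
SERVICE_KEYS = {"http/namenode": os.urandom(32)}
KDC_KEY = os.urandom(32)                                # seals TGTs (B2)
MAX_SKEW = 300                                         # authenticator freshness, seconds

class KDC:
    def __init__(self):
        self.replay_cache = set()                       # authenticators seen by the TGS (B4)

    def authenticate(self, user, ip, tgt_lifetime, now):
        """AS exchange (B1/B2): TGT sealed with the KDC key, plus a reply
        sealed with the user's key carrying the TGS session key."""
        if user not in USER_DB:
            return None                                 # authentication fails
        skey = os.urandom(32).hex()
        tgt = seal(KDC_KEY, {"user": user, "ip": ip, "skey": skey,
                             "issued": now, "expires": now + tgt_lifetime})
        reply = seal(USER_DB[user], {"tgs": "krbtgt", "timestamp": now,
                                     "tgt_lifetime": tgt_lifetime, "skey": skey})
        return tgt, reply

    def grant(self, tgt_blob, authenticator, service, client_ip, now):
        """TGS exchange (B3/B4): verify TGT and authenticator, issue an ST."""
        tgt = unseal(KDC_KEY, tgt_blob)
        auth = unseal(bytes.fromhex(tgt["skey"]), authenticator)
        if auth["user"] != tgt["user"]:
            return "DENY: user mismatch"
        if now > tgt["expires"] or abs(now - auth["timestamp"]) > MAX_SKEW:
            return "DENY: expired"
        if client_ip != tgt["ip"]:
            return "DENY: address mismatch"
        if authenticator in self.replay_cache:
            return "DENY: replayed authenticator"
        self.replay_cache.add(authenticator)
        svc_skey = os.urandom(32).hex()
        st = seal(SERVICE_KEYS[service], {"user": tgt["user"], "ip": tgt["ip"],
                                          "skey": svc_skey, "expires": now + 3600})
        return st, seal(bytes.fromhex(tgt["skey"]), {"service": service, "skey": svc_skey})

def service_check(service, st_blob, claimed_user, client_ip, now):
    """B6: the server decrypts the ST and checks user, address and time."""
    try:
        st = unseal(SERVICE_KEYS[service], st_blob)
    except ValueError:
        return False
    return st["user"] == claimed_user and st["ip"] == client_ip and now <= st["expires"]

def run_flow(now=1_500_000_000):
    """Drive the whole exchange and return the outcomes worth inspecting."""
    kdc, user, ip, svc = KDC(), "alice", "10.0.0.5", "http/namenode"
    tgt, reply = kdc.authenticate(user, ip, 8 * 3600, now)            # B1/B2
    skey = bytes.fromhex(unseal(USER_DB[user], reply)["skey"])        # client reads part two
    authenticator = seal(skey, {"user": user, "timestamp": now})      # preferred embodiment
    st, enc = kdc.grant(tgt, authenticator, svc, ip, now + 5)         # B3/B4
    svc_skey = unseal(skey, enc)["skey"]                                # B5
    allowed = service_check(svc, st, user, ip, now + 10)                # B6
    replay = kdc.grant(tgt, authenticator, svc, ip, now + 20)           # same authenticator again
    moved = kdc.grant(tgt, seal(skey, {"user": user, "timestamp": now + 30}),
                      svc, "10.0.0.99", now + 30)                       # TGT used from another host
    return {"allowed": allowed, "replay": replay, "moved": moved, "has_skey": bool(svc_skey)}

if __name__ == "__main__":
    print(run_flow())
```

The checks in `grant` are exactly the four the patent lists in B4, in order; the replay cache is what makes the TGS cache check meaningful, and MAX_SKEW bounds how long an entry must be retained.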
Preferably, the Ranger Admin component is the core interface for security management: through a centralized management console it provides visual operations for users and applies them to HDFS, finally realizing access control. The visual operations include creating and updating users/groups, defining services and access policies, and viewing access logs.
The Ranger plugin component is a lightweight Java program embedded in the HDFS component. On the one hand it connects HDFS with the Ranger admin component; on the other hand it loads the access policies defined in the Ranger admin component onto the host where HDFS runs, and uploads system users' access logs to the Ranger admin component for auditing.
The Ranger Usersync component is the system user synchronization function provided by Ranger; it loads the existing system users and system user groups of the Unix system and LDAP into the Ranger Admin component as the users who access HDFS.
Preferably, the KDC provides an authentication service and a ticket-granting service. The authentication service is responsible for authenticating system users and target services; the ticket-granting service is responsible for generating tickets consisting of time-limited, encrypted messages, and system users authenticate to target services with these tickets. The authentication service is the Authentication Service (AS); the ticket-granting service is the Ticket Granting Service (TGS).
The auxiliary tool ks_tool is a KDC tool class that assists in using the KDC; ks_tool includes klist, which lists the Kerberos tickets in the client's local credential cache.
Preferably, the system user is a Master system user or a slave system user; a Master system user is a Unix system user; and the policy access path in step A3 is an HDFS file path.
Beneficial effects of the present invention:
1. The access control method for distributed storage in a cloud environment of the present invention adds Ranger's policy-based access rights model on top of Hadoop's original permissions and combines Ranger with Kerberos, so that access control between the components inside Hadoop is realized alongside access control of users.
2. The access control method of the present invention makes full use of the centralized user permission management, policy management and log management provided by Ranger, making access control management more efficient.
Brief description of the drawings
Fig. 1 is the overall architecture diagram of the access control method for distributed storage in a cloud environment according to the present invention;
Fig. 2 is the architecture diagram of access control implemented with Ranger;
Fig. 3 is the architecture diagram of access control implemented with Kerberos.
Embodiments
The present invention is further described below with reference to embodiments and the accompanying drawings, but is not limited to them.
Embodiment 1
As shown in Figures 1 to 3.
An access control method for distributed storage in a cloud environment, implemented on the basis of the Ranger framework and Kerberos. The Ranger framework comprises a Ranger Admin component, a Ranger plugin component and a Ranger Usersync component; the Kerberos component comprises a KDC and the auxiliary tool ks_tool. The specific implementation steps are as follows:
A. Access control based on users
A1. Deploy a Hadoop cluster. The Hadoop cluster comprises at least one Master node and 3 slave nodes, and implements uploading, downloading and access to HDFS. Access control based on Ranger adds a first "authentication threshold" to the security of the cloud storage; the identity verification problems inside the Hadoop cluster, between client and management node, between management node and data nodes, and between data nodes, are then solved by Kerberos.
Implementing distributed storage access control mainly involves two aspects: on the one hand, controlling the permissions with which users access HDFS storage; on the other hand, identity authentication and access control between the nodes inside the Hadoop cluster.
A2. Deploy the components of the Ranger framework. The Ranger admin component is deployed on a slave node, and the Ranger Plugin and UserSync components are deployed on the Master node. System users are updated into the Ranger admin component, and a MySQL database is used as the storage for the policies and audit logs of the Ranger framework. How system users are updated into admin is implemented according to actual needs.
A3. In the Ranger admin component, define a local_hdfs service for HDFS. The Ranger admin component customizes access policies for the local_hdfs service, setting the access path of each policy, the User/Group to which the policy applies and the permissions that the User/Group should be granted.
A4. The access policies of the local_hdfs service are pushed into HDFS by the Ranger Plugin component, giving system users the specified access rights to each policy's access path. At the same time, the Ranger Plugin component synchronizes system users' HDFS access logs into the Ranger admin component, forming an audit log used to trace users' access footprints.
B. Authentication control inside the Hadoop cluster
B1. When a system user wants to access a DataNode or NameNode server, the user first sends a request to the AS, presents its identity and asks for a TGT. The request contains the system user's name/ID, the system user's IP address and the validity period of the TGT. The TGT is the ticket-granting ticket (ticket grant ticket).
B2. After the AS receives the request, it first checks in the MySQL database whether the system user exists. If the system user exists, it returns two parts of information to the system user: the first part is the TGT, encrypted with the KDC's own password; the second part is encrypted with the system user's key and contains the TGS name/ID, a timestamp, the TGT lifetime and the TGS session key. If the user that sent the request is verified, it decrypts the second part with its own key and obtains the TGS session key; otherwise authentication fails. The TGS is the ticket-granting server (ticket grant server).
Regarding the validity period and timestamp of the TGT: the "TGT validity period" is the time window within which the user, in its request, tells the AS it needs to use the TGT; the "timestamp" is the specific time of use contained in the issued TGT.
B3. The system user sends a request to the TGS asking for an ST. The request contains an authenticator encrypted with the TGS session key, a plaintext request for the specific service, and the TGT. The ST is the Service Ticket (service ticket).
B4. The TGS verifies the request: it compares the user name in the TGT with the user name in the authenticator; compares the timestamps and checks whether the timestamp has expired; checks whether the IP addresses are consistent; and checks whether the authenticator is already in the TGS cache. After verification passes, it sends a reply to the system user containing the encrypted service ticket ST and information encrypted with the TGS session key.
B5. After receiving the reply, the user decrypts it with the TGS session key and obtains the Service Session Key for the corresponding service and the encrypted ST. The system user now holds the service ticket for the requested service and sends an access request, based on the service ticket, to the specified server.
B6. The server decrypts the ST and verifies it, checking the system user's user name, IP address and timestamp; if verification passes, the system user's access is allowed.
The specific method flow is shown in Figure 1. In the figure:
1) The user interacts with Kerberos, obtains a ticket-granting ticket (TGT) and then a service ticket (ST), thereby obtaining permission to access the NameNode.
2) The user interacts with Ranger, which checks whether the user has permission to access HDFS by looking up the user's authorization policies in the database;
3) After the user passes authentication, the user connects to the NameNode and requests access to the data blocks stored in HDFS;
4) After the NameNode passes Kerberos service authentication, the concrete operations are distributed to the individual DataNode nodes.
Embodiment 2
The access control method for distributed storage in a cloud environment according to Embodiment 1, differing in that the authenticator encrypted with the TGS session key comprises the name/ID and timestamp of the system user, and the specific service requested in plaintext is the http service.
Embodiment 3
The access control method for distributed storage in a cloud environment according to Embodiment 1, differing in that the Ranger Admin component is the core interface for security management: through a centralized management console it provides visual operations for users and applies them to HDFS, finally realizing access control. The visual operations include creating and updating users/groups, defining services and access policies, and viewing access logs.
The Ranger plugin component is a lightweight Java program embedded in the HDFS component. On the one hand it connects HDFS with the Ranger admin component; on the other hand it loads the access policies defined in the Ranger admin component onto the host where HDFS runs, and uploads system users' access logs to the Ranger admin component for auditing.
The Ranger Usersync component is the system user synchronization function provided by Ranger; it loads the existing system users and system user groups of the Unix system and LDAP into the Ranger Admin component as the users who access HDFS.
Embodiment 4
The access control method for distributed storage in a cloud environment according to Embodiment 1, differing in that the KDC provides an authentication service and a ticket-granting service. The authentication service is responsible for authenticating system users and target services; the ticket-granting service is responsible for generating tickets consisting of time-limited, encrypted messages, and system users authenticate to target services with these tickets. The authentication service is the Authentication Service (AS); the ticket-granting service is the Ticket Granting Service (TGS).
The auxiliary tool ks_tool is a KDC tool class that assists in using the KDC; ks_tool includes klist, which lists the Kerberos tickets in the client's local credential cache.
Embodiment 5
The access control method for distributed storage in a cloud environment according to Embodiment 1, differing in that the system user is a Master system user or a slave system user; a Master system user is a Unix system user; and the policy access path in step A3 is an HDFS file path.

Claims (5)

  1. A kind of 1. access control method of distributed storage under cloud environment, it is characterised in that based on Ranger frameworks and Kerberos is realized;Ranger frameworks include Ranger Admin components, Ranger plugin components and Ranger Usersync components;Kerberos component includes KDC and assists instrument ks_tool;Specific function realizes that step is as follows:
    A, the access control based on user
    A1, deployment Hadoop clusters;Hadoop clusters include at least one Master nodes and multiple slave nodes;
    A2, the component for disposing Ranger frameworks;Wherein Ranger admin deployment of components is on slave nodes, Ranger Plugin components and UserSync deployment of components are on Master nodes;Ranger admin components are arrived into system user renewal In, and the memory carrier of the strategy and audit log using mysql databases as Ranger frameworks;
    A3. In the Ranger Admin component, define the local_hdfs service for HDFS; in the Ranger Admin component, customize access policies for the local_hdfs service, that is, set the users/groups a policy applies to, the access paths the policy covers, and the permissions those users/groups are to be granted;
    A4. The access policies of the local_hdfs service are pushed into HDFS by the Ranger Plugin component, which gives system users the specified access rights on the policy's access paths; at the same time, the Ranger Plugin component synchronizes the system users' HDFS access logs to the Ranger Admin component to form an audit log used to trace user access;
    B. Authentication control inside the Hadoop cluster
    B1. When a system user accesses a DataNode or NameNode server, it first sends a request to the AS, presenting its identity and asking for a TGT; the request contains the system user's name/ID, the system user's IP address and the validity period of the TGT;
    B2. After receiving the request, the AS first checks in the mysql database whether the system user exists; if the system user exists, two pieces of information are returned to it: one is the TGT, encrypted with the KDC's own password; the other is encrypted with the system user's key and contains the TGS name/ID, a timestamp, the TGT lifetime and the TGS session key;
    B3. The system user sends a request to the TGS asking for an ST; the request contains an authenticator encrypted with the TGS session key, the specific service request sent in plaintext, and the TGT;
    B4. The TGS verifies the request; verification includes comparing the user name in the TGT with the user name in the authenticator, comparing the timestamps and checking whether the timestamp has expired, checking whether the IP addresses are consistent, and checking whether the authenticator is already in the TGS cache; after verification passes, a reply is sent to the system user; the reply contains the encrypted service ticket ST and information encrypted with the TGS session key;
    B5. After receiving the reply, the user decrypts it with the TGS session key and obtains the service session key of the corresponding service and the encrypted ST; the system user now holds the service ticket for the requested service and, using the service ticket as its credential, sends an access request to the specified server;
    B6. The server decrypts and verifies the ST, checking the system user's user name, the system user's IP address and the timestamp; if verification passes, the system user's access is allowed.
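The B1 to B6 exchange as an added example, not code from the patent: a toy Python model in which "encryption" is an HMAC-sealed JSON message (integrity only, no secrecy) and the user store, keys, service name and addresses are constructed values. It carries out the B4 checks (name match, timestamp skew and TGT expiry, IP consistency, authenticator replay cache) and the B6 server check.

```python
import hmac, hashlib, json, os, time
# Constructed toy secrets; USER_KEYS stands in for the mysql user store checked in B2.
KDC_KEY, SERVICE_KEYS = b"kdc-secret", {"http": b"http-secret"}
USER_KEYS = {"alice": b"alice-password"}
SKEW, REPLAY_CACHE = 300, set()   # B4: allowed clock skew (s) and the TGS authenticator cache

def seal(key, obj):
    """Stand-in for encryption: JSON body plus HMAC tag (integrity only, no secrecy)."""
    body = json.dumps(obj, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def unseal(key, blob):
    body, tag = blob
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest()):
        raise PermissionError("wrong key or tampered message")
    return json.loads(body)

def as_exchange(user, ip, lifetime, now):   # B1 + B2
    if user not in USER_KEYS:
        raise PermissionError("unknown user")
    sk = os.urandom(8).hex()   # TGS session key
    tgt = seal(KDC_KEY, {"user": user, "ip": ip, "sk": sk, "exp": now + lifetime})
    for_user = seal(USER_KEYS[user], {"tgs": "krbtgt", "ts": now, "life": lifetime, "sk": sk})
    return tgt, for_user

def tgs_exchange(authenticator, service, tgt, client_ip, now):   # B3 + B4
    t = unseal(KDC_KEY, tgt)
    a = unseal(t["sk"].encode(), authenticator)
    if a["user"] != t["user"] or abs(now - a["ts"]) > SKEW or now > t["exp"]:
        raise PermissionError("name mismatch, stale authenticator or expired TGT")
    if client_ip != t["ip"] or (a["user"], a["ts"]) in REPLAY_CACHE:
        raise PermissionError("address mismatch or replayed authenticator")
    REPLAY_CACHE.add((a["user"], a["ts"]))
    ssk = os.urandom(8).hex()   # service session key
    st = seal(SERVICE_KEYS[service], {"user": t["user"], "ip": t["ip"], "ssk": ssk, "ts": now})
    return st, seal(t["sk"].encode(), {"service": service, "ssk": ssk})

def server_check(service, st, client_ip, claimed_user, now):   # B6
    s = unseal(SERVICE_KEYS[service], st)
    return s["user"] == claimed_user and s["ip"] == client_ip and abs(now - s["ts"]) <= SKEW

def hdfs_access(user, ip, now=None):
    """Client side of B1-B6; True when the HDFS server admits the request."""
    now = now or int(time.time())
    tgt, for_user = as_exchange(user, ip, 3600, now)
    sk = unseal(USER_KEYS[user], for_user)["sk"]
    auth = seal(sk.encode(), {"user": user, "ts": now})
    st, for_client = tgs_exchange(auth, "http", tgt, ip, now)
    unseal(sk.encode(), for_client)   # B5: recover the service session key
    return server_check("http", st, ip, user, now)
```

Re-running hdfs_access with the same user and timestamp reproduces the authenticator and is refused by the B4 replay cache, which is the check that stops a captured TGS request from being replayed.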
  2. The access control method of distributed storage under a cloud environment according to claim 1, characterized in that the authenticator encrypted with the TGS session key contains the system user's name/ID and a timestamp; the specific service request sent in plaintext is for the http service.
  3. The access control method of distributed storage under a cloud environment according to claim 1, characterized in that the Ranger Admin component is the core interface of security management: through a centralized management console it offers the user visual operations, applies those operations to HDFS and finally realizes access control; the visual operations include creating and updating users/groups, defining services and access policies, and viewing access logs;
    The Ranger Plugin component is a lightweight Java program embedded into the HDFS component, where it runs; on one hand, the Ranger Plugin component is responsible for connecting HDFS with the Ranger Admin component; on the other hand, it loads the access policies defined in the Ranger Admin component onto the host where HDFS runs and uploads the system users' access logs to the Ranger Admin component for auditing;
    The Ranger Usersync component is the system user synchronization function provided by Ranger; it loads the existing system users and system user groups of the Unix system or LDAP into the Ranger Admin component as the users that access HDFS.
  4. The access control method of distributed storage under a cloud environment according to claim 1, characterized in that the KDC provides an authentication service and a ticket granting service; the authentication service is responsible for authenticating system users and target services, and the ticket granting service is responsible for generating tickets, which are time-limited encrypted messages; system users authenticate to target services by means of tickets;
    The auxiliary tool ks_tool is a KDC tool class used to assist in operating the KDC; ks_tool includes klist, which lists the kerberos tickets held in the client's local credential cache.
  5. The access control method of distributed storage under a cloud environment according to claim 1, characterized in that the system user is a master system user or a slave system user; the master system user is a Unix system user; the policy access path in step A3) is an HDFS file path.
CN201710848558.9A 2017-09-19 2017-09-19 The access control method of distributed storage under a kind of cloud environment Pending CN107483491A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710848558.9A CN107483491A (en) 2017-09-19 2017-09-19 The access control method of distributed storage under a kind of cloud environment
Publications (1)

Publication Number Publication Date
CN107483491A true CN107483491A (en) 2017-12-15

Family

ID=60586637
Country Status (1)

Country Link
CN (1) CN107483491A (en)
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171215