HDFS access control method based on role and user trust value

A technology of access control and trust value, applied in user identity/authority verification, secure communication devices, digital transmission systems, etc., can solve problems such as non-mandatory access control measures, no security certification, security risks, etc. Behavioural credibility issues, reducing complexity and administrative overhead, and improving the effect of flexibility

Inactive Publication Date: 2015-09-23
NANJING UNIV OF AERONAUTICS & ASTRONAUTICS
View PDF4 Cites 40 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

HDFS does not provide sufficient security authentication between users and services. By default, HDFS uniquely determines the identity of the client through the user name and user group of the running process. However, since the client is remote, users can simply log in remotely. Create an account in your own name on the system, so that the user can pretend to be any identity, thereby bypassing HDFS permission verification and accessing data in HDFS at will
In addition, since the Data Node node does not enforce any access control measures for client access, this may cause an unauthorized client to directly read the data block as long as it knows the BlockID of the data block, bypassing the communication with the Name Node node At the same time, anyone can write arbitrary data blocks to the Data Node node, or pretend to be a legitimate Data Node node to receive the tasks and data of the Name Node node
Although HDFS itself supports permission control, it only provides simple autonomous access control, which is represented by 9-bit bits, which has weak support and has a large security risk.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • HDFS access control method based on role and user trust value
  • HDFS access control method based on role and user trust value
  • HDFS access control method based on role and user trust value

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0034] In order to solve the access control problem of Hadoop distributed file system HDFS, the present invention provides a kind of HDFS access control method based on role and user trust value, specific process is as follows figure 2 As shown, the method includes:

[0035] When a user sends an operation request, the role management server first verifies the integrity of the operation request, and then checks the user's operation authority. After the check is passed, the role management server queries the user and role database according to the user identity, assigns the corresponding role to the user, and The role certificate is sent to the user along with the shared secret.

[0036]The user sends his plaintext user information to the Kerberos key distribution manager (Key Distribution Center, KDC), and the KDC server judges whether the user is in the key database through the authentication server (AS), and if so, generates a ticket authorization ticket ( TGT), and encrypt...

Embodiment 2

[0039] Embodiment 2 of the present invention provides a role-based HDFS access control method in combination with the traditional role-based access control policy RBAC. The steps of the method are as follows: image 3 shown, including:

[0040] (1) The user Client requests the role management server to assign a role;

[0041] (2) The role management server assigns roles to users, and issues role certificates and shared keys to users;

[0042] (3) Set and update the shared key between the role management server and the Name Node node;

[0043] (4) The user Client accesses the Name Node node with the role certificate and shared key, and applies for access services;

[0044] (5) After the Name Node node verifies that the user's role is legal and the shared key is legal, it returns the best copy address of the data block to the user;

[0045] (6) The user Client requests the required services from all the Data Node nodes notified by the Name Node node;

[0046] (7) After recei...

Embodiment 3

[0049] Embodiment 3 of the present invention combines the concepts of Kerberos and user trust value to provide a HDFS access control method based on user trust value. The steps of the method are as follows Figure 4 shown, including:

[0050] (1) Client encrypts its identity authentication information with K1 and sends it to KDC to request identity authentication;

[0051] (2) KDC verifies that the client's identity is legal and valid, issues a ticket authorization ticket TGT, and encrypts it with K1 and sends it back to the client;

[0052] (3) Client sends a service request to KDC with TGT, and the request content is encrypted with K1;

[0053] (4) KDC receives the request and generates a service ticket Ticket={K3, username, IP, address, service name, validity period, time stamp};

[0054] (5) KDC encrypts K3 with K1, encrypts Ticket with K2 and sends it back to Client;

[0055] (6) Client decrypts and obtains the session key K3 with the Name Node node, and generates Auth...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention provides an HDFS access control method based on a role and a user trust value and belongs to the field of computer cloud storage access control. The HDFS access control method of the invention firstly combines with a role-based access control policy RBAC to replace a discretionary access control policy of an HDFS, thereby reducing complexity and management expenditure of HDFS authorization management and improving flexibility of the authorization management. When a user accesses the HDFS for the first time, a role is granted to the user, so that users are isolated from authorization through roles, and the management is facilitated. On this basis, the HDFS access control method of the invention further introduces a concept of the user trust value and sets one trust value for each user so that different users with the same role could obtain different access permissions because of their different trust values, and the trust value of the user is dynamically updated according to the later behavior of the user, thereby dynamically and effectively controlling the access of the user to a resource in the HDFS.

Description

technical field [0001] The invention relates to an HDFS access control method based on roles and user trust values, and belongs to the field of computer cloud storage access control. Background technique [0002] With the rapid development of cloud storage technology, more and more users and enterprises use cloud storage to save data or backup data to enhance data mobility, but the resulting security issues have not been effectively resolved. The core of cloud storage is actually a distributed file system, so the data security problem of cloud storage is actually the data security problem of distributed file system. [0003] The original design of Hadoop assumed that HDFS was running in a safe and closed environment, and all nodes in the cluster were reliable and trustworthy, and provided to a group of users who cooperated with each other, so the main consideration of HDFS at the beginning of the design was performance issues for large-scale data storage, and not much atten...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06H04L9/32H04L29/08
CPCH04L63/083H04L9/3213H04L63/102H04L67/1097
Inventor 秦小麟史文浩王胜王潇逸
Owner NANJING UNIV OF AERONAUTICS & ASTRONAUTICS
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap