基于XACML的多租户访问控制的研究与应用
发布时间:2018-12-08 16:06
【摘要】:随着Web应用的迅速发展和软件规模的日益扩大,为了节约软硬件成本及维护的费用,软件即服务(Software as a Service, SaaS)作为一种新的软件应用模式应运而生。“单实例,多租户”是SaaS的一种模式,在这种模式下处于同一实例下的租户的数据有被其它租户非法访问的风险。访问控制技术是控制主体对客体的访问,它能够保证授权用户对资源的有效访问,因此进行访问控制技术的研究对Web应用的发展是非常有价值的。 本文首先研究)CACML策略描述语言的特点,分析了XACML2.0和3.0版本的不同,并在支持XACML2.0版本的umu-xacml-editor-v1.3.2编辑器基础上设计实现了满足XACML3.0规范的编辑器。然后分析了当前多租户环境下访问控制模型,扩展了XACML的数据流模型,使其适合作为多租户环境下的访问控制模型。 在整个访问控制过程中,租户策略的安全性是我们必须要保证的,它是租户正常访问应用的核心。本文设计并实现了基于文件过滤驱动的模块,在操作系统的底层对策略文件进行保护,同时设计并实现了基于Java实现的策略监控、更新模块来对策略文件进行管理。最后将基于)CACML数据流的ABAC扩展模型应用到具体的多租户系统中,并对系统进行分析和测试,验证了该模型能够适合灵活多变的多租户环境。
[Abstract]:With the rapid development of Web applications and the increasing expansion of software scale, in order to save the cost of software and hardware and maintenance, (Software as a Service, SaaS) as a new software application model emerged as the times require. "single instance, multi-tenant" is a pattern of SaaS, in which the data of tenants in the same instance may be accessed illegally by other tenants. The access control technology is to control the subject to the object access, it can guarantee the authorized user to the resources effective access, therefore carries on the access control technology research to the Web application development is very valuable. This paper first studies the characteristics of CACML policy description language, and analyzes the differences between XACML2.0 and 3.0 versions. On the basis of the umu-xacml-editor-v1.3.2 editor which supports XACML2.0 version, the editor that meets the XACML3.0 specification is designed and implemented. Then, the access control model under the current multi-tenant environment is analyzed, and the data flow model of XACML is extended to make it suitable for the access control model in the multi-tenant environment. In the whole process of access control, the security of tenant policy must be guaranteed, and it is the core of tenant's normal access application. This paper designs and implements the module based on file filter driver to protect the policy file at the bottom of the operating system, and designs and implements the policy monitoring based on Java, and updates the module to manage the policy file. Finally, the extended ABAC model based on the CACML data flow is applied to the concrete multi-tenant system, and the system is analyzed and tested. It is verified that the model is suitable for the flexible multi-tenant environment.
【学位授予单位】:内蒙古大学
【学位级别】:硕士
【学位授予年份】:2014
【分类号】:TP393.08
本文编号:2368623
[Abstract]:With the rapid development of Web applications and the increasing expansion of software scale, in order to save the cost of software and hardware and maintenance, (Software as a Service, SaaS) as a new software application model emerged as the times require. "single instance, multi-tenant" is a pattern of SaaS, in which the data of tenants in the same instance may be accessed illegally by other tenants. The access control technology is to control the subject to the object access, it can guarantee the authorized user to the resources effective access, therefore carries on the access control technology research to the Web application development is very valuable. This paper first studies the characteristics of CACML policy description language, and analyzes the differences between XACML2.0 and 3.0 versions. On the basis of the umu-xacml-editor-v1.3.2 editor which supports XACML2.0 version, the editor that meets the XACML3.0 specification is designed and implemented. Then, the access control model under the current multi-tenant environment is analyzed, and the data flow model of XACML is extended to make it suitable for the access control model in the multi-tenant environment. In the whole process of access control, the security of tenant policy must be guaranteed, and it is the core of tenant's normal access application. This paper designs and implements the module based on file filter driver to protect the policy file at the bottom of the operating system, and designs and implements the policy monitoring based on Java, and updates the module to manage the policy file. Finally, the extended ABAC model based on the CACML data flow is applied to the concrete multi-tenant system, and the system is analyzed and tested. It is verified that the model is suitable for the flexible multi-tenant environment.
【学位授予单位】:内蒙古大学
【学位级别】:硕士
【学位授予年份】:2014
【分类号】:TP393.08
【参考文献】
相关期刊论文 前9条
1 韩涛;郭荷清;高英;李冬;刘壮;;一个Web服务访问控制模型[J];计算机科学;2007年10期
2 赵亮,茅兵,谢立;访问控制研究综述[J];计算机工程;2004年02期
3 沈海波;;基于语义的访问控制模型及其推理机制[J];计算机工程;2010年03期
4 马晓普;李争艳;鲁剑锋;;访问控制策略描述语言与策略冲突研究[J];计算机工程与科学;2012年10期
5 金诗剑;蔡鸿明;姜丽红;;面向服务的多租户访问控制模型研究[J];计算机应用研究;2013年07期
6 李晓峰;冯登国;陈朝武;房子河;;基于属性的访问控制模型[J];通信学报;2008年04期
7 葛琨;郎波;;基于属性访问控制方法中的策略定义研究[J];微计算机信息;2008年33期
8 王晓贺;蔡国永;;基于描述逻辑的策略系统建模方法研究[J];计算机系统应用;2007年09期
9 沈晴霓;杨雅辉;禹熹;张力哲;陈钟;;一种面向多租户云存储平台的访问控制策略[J];小型微型计算机系统;2011年11期
,本文编号:2368623
本文链接:https://www.wllwen.com/guanlilunwen/ydhl/2368623.html
