大数据平台下多租户模型管理关键技术研究

发布时间：2018-12-31 07:40

【摘要】：随着SaaS云技术的迅速发展,越来越多的软件开发商开始通过云平台向用户提供高效便捷的软件服务。为了满足同时向多个用户提供软件服务的需求,这些云平台常采用了“单实例,多租户”的运行模式,多个租户同时在同一个系统实例中运行就导致了系统访问控制安全方面出现了许多问题,例如,租户间的数据隔离性难以保证,租户数据容易被非法访问和篡改;平台的权限系统单一,不能满足不同租户的需求;多租户的权限管理工作量巨大且容易出错等。针对这些多租户环境下的访问控制问题,本文在现有研究的基础上进行了改进,主要工作内容包括:1)为了解决多租户环境下暴露出的访问控制方面的问题,本文提出了一种基于角色的多租户访问控制模型(MT-RBAC模型),该模型提出了对客体、操作和权限进行区域划分的基本思想,还制定了权限设计时必须遵守的原子权限、各域权限集互斥和角色的权限域单一的三大规定。通过对MT-RBAC模型分析可知,该模型不仅保证了租户间的数据隔离性,还能满足不同租户的不同权限配置的需求,并使权限管理变得更加便捷。2)分析了MT-RBAC模型在数据共享方面的需求和不足,提出了支持数据共享的MT-RBAC模型(SMT-RBAC模型),该模型在不破坏MT-RBAC模型的数据隔离性的基础上,增添了特殊的共享域和相应的共享机制,使租户间能通过共享域进行安全的资源共享。3)将SMT-RBAC模型应用在实验室工程项目——大数据处理SaaS平台中,首先简单介绍了平台总体概述、用户管理模块、模型管理模块,然后详细描述了基于SMT-RBAC模型的平台访问控制模块的设计与实现,并进行了功能和性能的测试与分析,最后介绍了平台实现中的单点登录和模型数据一致性检查两个关键技术的设计与实现。
[Abstract]:With the rapid development of SaaS cloud technology, more and more software developers begin to provide users with efficient and convenient software services through cloud platform. To meet the need to provide software services to multiple users at the same time, these cloud platforms often run in a "single instance, multi-tenant" mode. Many tenants run in the same system instance at the same time, which leads to many problems in system access control security. For example, the data isolation between tenants is difficult to guarantee, and tenant data is easy to be accessed and tampered with illegally. The privilege system of the platform is single, which can not meet the needs of different tenants, and the privilege management of multi-tenant has a huge workload and is prone to error and so on. In order to solve these access control problems in multi-tenant environment, this paper improves on the existing research. The main work includes: 1) in order to solve the problems of access control exposed in multi-tenant environment, In this paper, a role-based multi-tenant access control model (MT-RBAC model) is proposed. The model presents the basic idea of dividing objects, operations and permissions into regions, and formulates the atomic permissions that must be observed in the design of permissions. Each domain permission set mutually exclusive and the role authority domain single three big stipulation. According to the analysis of MT-RBAC model, this model not only ensures the data isolation among tenants, but also meets the requirements of different tenants' different permission configuration. And make the privilege management more convenient. 2) analyze the requirement and deficiency of MT-RBAC model in data sharing, and propose the MT-RBAC model (SMT-RBAC model) which supports data sharing. On the basis of not breaking the data isolation of MT-RBAC model, this model adds special shared domain and corresponding sharing mechanism. The SMT-RBAC model is applied to the laboratory project big data to deal with the SaaS platform. Firstly, the general overview of the platform and the user management module are briefly introduced. Then the design and implementation of platform access control module based on SMT-RBAC model are described in detail, and the function and performance of the module are tested and analyzed. Finally, the design and implementation of two key technologies, single sign-on and model data consistency checking, are introduced.
【学位授予单位】：电子科技大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP393.09;TP311.13

【参考文献】