一种面向多域云系统的扩展RBAC模型

计算机工程与科学

一种面向多域云系统的扩展RBAC模型

蔡婷1，聂清彬1，欧阳凯2，周敬利2

(1.重庆邮电大学移通学院计算机系,重庆 401520;2.华中科技大学计算机学院,湖北武汉 430074)

收稿日期:2015-12-14 修回日期:2016-05-10 出版日期:2017-04-25 发布日期:2017-04-25
基金资助:
重庆市本科高校“三特行动计划”特色专业建设项目(渝教高(2013)49号);重庆市教委科学技术研究项目(KJ1502002,KJ1502003);重庆市高等教育学会2015-2016年度高等教育科学研究课题(CQGJ15203B);重庆市教委科学“十二五”规划高等教育质量提升专项成果(2015-GX-086)

An enhanced role-based access control model

for multi-domains in cloud systems

CAI Ting1,NIE Qing-bin1,OUYANG Kai2,ZHOU Jing-li2

(1.Department of Computer,College of Mobile Telecommunications,

Chongqing University of Posts and Telecommunications,Chongqing 401520;

2.College of Computer,Huazhong University of Science and Technology,Wuhan 430074,China)

Received:2015-12-14 Revised:2016-05-10 Online:2017-04-25 Published:2017-04-25

摘要/Abstract

摘要：

提出一种扩展的基于角色的访问控制ERBAC模型，以解决RBAC在多域云系统的资源使用约束、策略管理和互操作安全性等方面存在的不足。首先，通过引入容器元素和两类角色基数约束，构建了基于容器元素+动态角色基数约束的资源使用策略；其次，深入研究了多域角色继承管理，提出基于先检测后建立角色关系的域间策略管理函数，并给出各类安全策略冲突检测算法。分析表明，ERBAC模型实现了资源使用约束、支持高效的安全策略管理，提高了跨域互操作的安全性，且性能测试说明了该模型在多域云系统中具有适应性和可行性。

关键词: ERBAC, 多域云, 安全互操作, 资源使用, 策略管理

Abstract:

We propose an enhanced role-based access control (ERBAC) model to solve the shortcomings of the RBAC’s resource usage constraints, policy management and interoperability security in multi-domain cloud systems. Firstly, we introduce elements of containers and two role cardinality constraints into the RBAC, and establish the containers + dynamic role cardinality constraints based resource usage policy. Secondly, we study the role inheritance management for multi-domains in depth and present an inter-domain policy management function, whose objective is to check for the number of violations before committing an inter-domain role inheritance relation. Then, various security detection algorithms for policy conflict are given. Analysis results show that the ERBAC model can improve the security of inter-domain interoperation, enforce usage constraints upon resources and manage the security policies in an easy and effective way, which proves to be feasible and applicable for multi-domain cloud systems.

Key words: ERBAC, multi-domain cloud, secure inter-operation, resource usage, policy management

蔡婷1，聂清彬1，欧阳凯2，周敬利2. 一种面向多域云系统的扩展RBAC模型[J]. 计算机工程与科学.

CAI Ting1,NIE Qing-bin1,OUYANG Kai2,ZHOU Jing-li2.

An enhanced role-based access control model

for multi-domains in cloud systems

[J]. Computer Engineering & Science.

[1]	李真，岳厚光，陈才贤. PLM系统中访问控制的研究与实现[J]. J4, 2010, 32(4): 39-41.
[2]	冯学斌[1] 郑峰[2] 洪帆[1]. IRBAC 2000角色转换冲突处理策略[J]. J4, 2007, 29(9): 53-55.
[3]	林晨李之棠. VPN系统中安全策略系统的设计与实现[J]. J4, 2007, 29(6): 21-23.
[4]	隋品波史殿习王玉峰. 可移植对象适配器策略机制的分析与设计[J]. J4, 2006, 28(8): 134-139.
[5]	蒋江张民选等. 一种基于多种资源的负载平衡算法的设计与模拟[J]. J4, 2002, 24(6): 71-74.