CN103209189A - Distributed file system-based mobile cloud storage safety access control method - Google Patents
Publication number: CN103209189A
Authority: CN (China)
Legal status: Pending
Abstract
The invention provides a distributed file system-based mobile cloud storage safety access control method. The method comprises the following steps: 1, users send a file access request for cloud storage to a cloud storage platform; 2, an intermediate server loads user security policy configuration information; 3, the intermediate server associates the user's access request with the configuration information to generate a permission expression; 4, the intermediate server solves the permission expression by a permission judgment method; and 5, a storage server processes the users' operation request on files according to the result of solving the expression. By optimizing the permission verification mechanism and by analyzing and solving the permission expression, the method avoids the cost caused by traversal and recursion and substantially improves system performance, so that the usability and efficiency of the safety access control technology are improved.
Description
Technical field
The present invention relates to the cloud storage security problem in cloud computing applications, and in particular to safe access control technology for mobile cloud storage.
Background technology
Cloud storage is an online network storage service provided by a third party, in which data are stored in a virtualized storage pool. For a cloud storage service platform with a massive number of users and a massive amount of data, the security requirements on the data are self-evident. How to guarantee the security of what users store in the cloud, ensure that data are not stolen by others, and provide isolation and integration support for information of different grades belonging to different organizations or categories has become an important problem.
The authorization check mechanism of traditional safe access control technology is comparatively complicated: it requires constant traversal and recursion during verification, which hurts performance.
Summary of the invention
The present invention optimizes the authorization check mechanism around a permission decision method: by analyzing and evaluating a permission expression, it avoids the cost brought by traversal and recursion and significantly improves system performance, thereby improving the usability and efficiency of safe access control technology. To solve the problems in the prior art, the invention provides a distributed file system-based mobile cloud storage security access control method, characterized in that:
Step 1: the user sends a file access request for cloud storage to the cloud storage platform;
Step 2: the intermediate server loads the user security policy configuration information;
Step 3: the intermediate server associates the user's access request with the configuration information and generates a permission expression;
Step 4: the intermediate server solves the permission expression using the permission decision method;
Step 5: the storage server processes the user's operation request on the file according to the result of solving the expression.
As a further improvement of the present invention, step 2 is specifically as follows: when the system runs for the first time, the user's security policy configuration information, comprising role information and permission information, is loaded from a database or configuration file.
As a further improvement of the present invention, in step 4 the expression is evaluated by the permission decision method, which is mainly divided into the following three steps:
A. Decompose and standardize the expression: the logical expression is standardized, and its operators, labels and brackets are all separated out and preserved in order;
B. Convert the standardized expression into reverse Polish notation;
C. Decompose and evaluate the reverse Polish expression: the reverse Polish expression generated in the previous step is decomposed and evaluated using a stack structure; if the result of the expression is true, the user has the corresponding access right, otherwise not.
As a further improvement of the present invention, the precedence order of the operators is ! > && > ||, and the associativity of operators of equal precedence is from right to left.
As a further improvement of the present invention, in step 1 the user sends the file access request for cloud storage from a PC client or an Android client; the PC client implements a file management system that allows the user to operate on files in the cloud, and the Android client implements the mobile cloud storage service through a mobile application.
As a further improvement of the present invention, the cloud storage platform consists of one NameNode and two DataNodes, where the NameNode stores the directory tree and file metadata of the entire distributed file system, and the DataNodes are where the file data blocks and their replicas are actually stored.
As a further improvement of the present invention, a WebService based on axis2 is built on the intermediate server to interact with the mobile phone client, and a background program is responsible for calling the HDFS APIs to interact with the cloud. Axis2: a technical framework for implementing web services; WebService: an Internet-based network service; HDFS APIs: the application programming interface of the distributed file system.
As a further improvement of the present invention, the intermediate server is made up of three modules. The first is the user identity verification module, which verifies that a user is legitimate and associates the user with their own role set. The second is the access control policy module: every interaction between the client and the cloud is checked against the safe access control policy on the intermediate server to see whether the current user has legitimate access rights. The third is the cloud interaction module, which is the set of interfaces through which the client accesses the cloud.
As a further improvement of the present invention, the basic information of the cloud system users is stored on the intermediate server: user name, password, and role set.
The technical scheme of the present invention studies cloud storage and its related security problems in depth, and designs and implements a safe access control technology for a distributed file system. The authorization check mechanism of traditional safe access control technology is comparatively complicated, requiring constant traversal and recursion during verification, which hurts performance. The present invention optimizes the authorization check mechanism around the permission decision method: by analyzing and evaluating the permission expression, it avoids the cost brought by traversal and recursion and significantly improves system performance, thereby improving the usability and efficiency of safe access control technology.
Description of drawings
Fig. 1 is the architecture diagram of the distributed file system-based mobile cloud storage security access control system of the present invention;
Fig. 2 shows the implementation modules of the intermediate server of the present invention;
Fig. 3 is the mobile cloud storage architecture diagram of the present invention;
Fig. 4 is the flow chart of the distributed file system-based mobile cloud storage security access control method of the present invention;
Fig. 5 is a schematic flow chart of the safe access control technology of the present invention.
Embodiment
The present invention is further described below in conjunction with the accompanying drawings.
A distributed file system-based mobile cloud storage security access control method comprises the following steps:
Step 1: the user sends a file access request for cloud storage from a PC client or an Android client;
Step 2: the intermediate server loads the user security policy configuration information;
Step 3: the intermediate server associates the user's access request with the configuration information and generates a permission expression;
Step 4: the intermediate server solves the permission expression using the permission decision method;
Step 5: the storage server processes the user's operation request on the file according to the result of solving the expression.
Specifically:
1. When the system runs for the first time, the security policy configuration information of all enterprise users is loaded from a database or configuration file, including the role information and permission information of each company;
2. The corresponding permission expression is generated according to the security policy configuration information;
3. The expression is evaluated by the permission decision method, which is mainly divided into the following three steps:
A. Decompose and standardize the expression. The logical expression is standardized; its operators, labels and brackets are all separated out and preserved in order.
B. Convert the standardized expression into reverse Polish notation (that is, a postfix expression; the standardized expression is converted into a form that is easy for a computer to process). The precedence and associativity of the operators must be considered here. The precedence order of the operators is ! > && > ||, and the associativity of operators of equal precedence is from right to left.
C. Decompose and evaluate the reverse Polish expression. The reverse Polish expression generated in the previous step is decomposed and evaluated using a stack structure; if the result of the expression is true, the user has the corresponding access right, otherwise not.
4. According to the result of the permission decision method, it is determined whether the user has the corresponding access right to the file. If so, the user is allowed to carry out the corresponding operation on the file; if not, the user's operation on the file is blocked, thereby realizing secure access.
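The three-step permission decision method above (standardize, convert to reverse Polish notation, stack-evaluate), together with the role-set check the intermediate server performs, as an added Python example that is not part of the patent. The policy expressions, role names and directory names are constructed; expression labels are assumed to be role names tested against the user's role set, and the read/write classification follows the description (browsing is a read; upload, download, create and delete are writes).

```python
import re
from typing import Dict, FrozenSet, Iterable, List

# Constructed sample policy (not from the patent): per directory, one permission
# expression over role labels for each operation class.
SAMPLE_POLICY: Dict[str, Dict[str, str]] = {
    "/companyA": {
        "read": "admin || staff || (auditor && !suspended)",
        "write": "admin || (staff && !readonly)",
    },
}
# The patent classifies directory browsing as a read and the rest as writes.
OP_CLASS = {"browse": "read", "upload": "write", "download": "write",
            "create": "write", "delete": "write"}

# Operator precedence as stated in the patent: ! > && > ||
PRECEDENCE = {"!": 3, "&&": 2, "||": 1}
TOKEN_RE = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")


def standardize(expr: str) -> List[str]:
    """Step A: split the expression into operators, labels and brackets in order.
    Any other character is rejected, so a malformed policy string fails closed."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def to_rpn(tokens: List[str]) -> List[str]:
    """Step B: shunting-yard conversion to reverse Polish (postfix) notation.
    Equal-precedence operators associate right to left, as the patent states,
    so an operator of equal precedence already on the stack is not popped first."""
    out: List[str] = []
    ops: List[str] = []
    for t in tokens:
        if t in PRECEDENCE:
            while ops and ops[-1] != "(" and PRECEDENCE[ops[-1]] > PRECEDENCE[t]:
                out.append(ops.pop())
            ops.append(t)
        elif t == "(":
            ops.append(t)
        elif t == ")":
            while ops and ops[-1] != "(":
                out.append(ops.pop())
            if not ops:
                raise ValueError("unbalanced ')'")
            ops.pop()  # discard the matching "("
        else:
            out.append(t)  # role label
    while ops:
        if ops[-1] == "(":
            raise ValueError("unbalanced '('")
        out.append(ops.pop())
    return out


def evaluate(rpn: List[str], roles: FrozenSet[str]) -> bool:
    """Step C: stack evaluation; a label is true iff the user holds that role."""
    stack: List[bool] = []
    try:
        for t in rpn:
            if t == "!":
                stack.append(not stack.pop())
            elif t in ("&&", "||"):
                b, a = stack.pop(), stack.pop()
                stack.append(a and b if t == "&&" else a or b)
            else:
                stack.append(t in roles)
    except IndexError:
        raise ValueError("missing operand") from None
    if len(stack) != 1:
        raise ValueError("malformed expression")
    return stack[0]


def is_well_formed(expr: str) -> bool:
    """True when the expression survives all three steps (checked with no roles)."""
    try:
        evaluate(to_rpn(standardize(expr)), frozenset())
        return True
    except ValueError:
        return False


def decide(path: str, operation: str, roles: Iterable[str],
           policy: Dict[str, Dict[str, str]] = SAMPLE_POLICY) -> bool:
    """Steps 3-4 for one request: pick the expression for the requested directory
    and operation class and solve it. Unknown paths or operations are denied."""
    expr = policy.get(path, {}).get(OP_CLASS.get(operation, ""))
    return expr is not None and evaluate(to_rpn(standardize(expr)), frozenset(roles))
```

Because the tokenizer rejects anything outside the four operators, brackets and labels, and `decide` denies unknown directories and operations, a policy entry that fails to parse denies access rather than granting it.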
The system mainly consists of three parts: the client applications (a PC client and an Android (mobile device) client), the safe access control module of the intermediate server, and the HDFS-based cloud storage platform. The system architecture is shown in Fig. 1. The HDFS-based cloud storage platform realizes centralized storage of data and is deployed on a cluster; the safe access control module of the intermediate server realizes secure access to the data and checks the safety and legitimacy of data operations; the client implementation is divided into a PC client and an Android client, where the PC client implements a file management system that allows the user to operate on files in the cloud, and the Android client implements the mobile cloud storage service through a mobile application.
Implementation of the HDFS-based cloud storage platform
This system is based on an HDFS cloud storage platform implemented on a virtual machine cluster of the cloud computing platform. The platform consists of one NameNode and two DataNodes, where the NameNode stores the directory tree and file metadata of the entire distributed file system, and the DataNodes are where the file data blocks and their replicas are actually stored. This system uses the hadoop-0.20.2 (hadoop: the distributed system) version of the platform.
Implementation of the intermediate server
The intermediate server is the core of the system. It is mainly used to implement the access control security policy designed in this document and thereby realize safe access control for the cloud. In addition, a WebService (an Internet-based network service) based on axis2 (a technical framework for implementing web services) is built on the intermediate server to interact with the mobile phone client, and a background program is responsible for calling the HDFS APIs (the application programming interface of the distributed file system) to interact with the cloud.
As shown in Fig. 2, the intermediate server is made up of three modules. The first is the user identity verification module, which verifies that a user is legitimate and associates the user with their own role set. The second is the access control policy module: every interaction between the client and the cloud is checked against the safe access control policy on the intermediate server to see whether the current user has legitimate access rights. The third is the cloud interaction module, which is the set of interfaces through which the client accesses the cloud. The basic information of the cloud system users (user name, password, role set) is stored on the intermediate server.
PC-based file management application
This application maps the cloud storage service built on HDFS (hadoop: the distributed system) to a file management application on the client. The system implements a file management interface on the PC client and, by calling the HDFS API (application programming interface), maps the directory tree of the corresponding company stored in the cloud to the client. Through the judgement of the security policy, it lets the user securely upload, download, browse directories, and create and delete files, and refreshes the display in real time, thereby realizing secure access control. The read and write operations on files and folders were clearly defined earlier: browsing a directory is a read operation, while uploading, downloading, creating and deleting files and folders are all write operations.
Android (mobile device)-based mobile cloud storage application
A background program runs on the Web (network) server and constantly monitors the actions of the Web side. When the user sends an operation request from the mobile phone, the corresponding interface of the WebService (an Internet-based network service) is called. In each of its interfaces, the WebService keeps in communication with the background program through a Socket (socket: describes an IP address and port; it is the handle of a communication link) and transmits the user's operation request; the background program then calls the HDFS API (the application programming interface of the distributed file system) to carry out the corresponding request and returns the result through the Socket communication; the WebService then returns the result to the mobile phone client. Through the interaction of the background program with the cloud and the Web side, secure mobile cloud storage is realized.
The above content is a further description of the present invention in conjunction with specific preferred embodiments, and it cannot be asserted that the specific implementation of the present invention is limited to these descriptions. For those of ordinary skill in the technical field of the present invention, several simple deductions or substitutions may also be made without departing from the inventive concept, all of which should be considered as falling within the protection scope of the present invention.
Claims (9)
1. A distributed file system-based mobile cloud storage security access control method, characterized in that:
Step 1: the user sends a file access request for cloud storage to the cloud storage platform;
Step 2: the intermediate server loads the user security policy configuration information;
Step 3: the intermediate server associates the user's access request with the configuration information and generates a permission expression;
Step 4: the intermediate server solves the permission expression using the permission decision method;
Step 5: the storage server processes the user's operation request on the file according to the result of solving the expression.
2. The distributed file system-based mobile cloud storage security access control method according to claim 1, characterized in that step 2 is specifically as follows: when the system runs for the first time, the user's security policy configuration information, comprising role information and permission information, is loaded from a database or configuration file.
3. The distributed file system-based mobile cloud storage security access control method according to claim 1, characterized in that, in step 4, the expression is evaluated by the permission decision method, which is mainly divided into the following three steps:
A. Decompose and standardize the expression: the logical expression is standardized, and its operators, labels and brackets are all separated out and preserved in order;
B. Convert the standardized expression into reverse Polish notation;
C. Decompose and evaluate the reverse Polish expression: the reverse Polish expression generated in the previous step is decomposed and evaluated using a stack structure; if the result of the expression is true, the user has the corresponding access right, otherwise not.
4. The distributed file system-based mobile cloud storage security access control method according to claim 3, characterized in that the precedence order of the operators is ! > && > ||, and the associativity of operators of equal precedence is from right to left.
5. The distributed file system-based mobile cloud storage security access control method according to claim 1, characterized in that, in step 1, the user sends the file access request for cloud storage from a PC client or an Android client; the PC client implements a file management system that allows the user to operate on files in the cloud, and the Android client implements the mobile cloud storage service through a mobile application.
6. The distributed file system-based mobile cloud storage security access control method according to claim 1, characterized in that the cloud storage platform consists of one NameNode and two DataNodes, where the NameNode stores the directory tree and file metadata of the entire distributed file system, and the DataNodes are where the file data blocks and their replicas are actually stored.
7. The distributed file system-based mobile cloud storage security access control method according to claim 1, characterized in that a WebService based on axis2 is built on the intermediate server to interact with the mobile phone client, and a background program is responsible for calling the HDFS APIs to interact with the cloud. Axis2: a technical framework for implementing web services; WebService: an Internet-based network service; HDFS APIs: the application programming interface of the distributed file system.
8. The distributed file system-based mobile cloud storage security access control method according to claim 1, characterized in that the intermediate server is made up of three modules. The first is the user identity verification module, which verifies that a user is legitimate and associates the user with their own role set. The second is the access control policy module: every interaction between the client and the cloud is checked against the safe access control policy on the intermediate server to see whether the current user has legitimate access rights. The third is the cloud interaction module, which is the set of interfaces through which the client accesses the cloud.
9. The distributed file system-based mobile cloud storage security access control method according to claim 8, characterized in that the basic information of the cloud system users is stored on the intermediate server: user name, password, and role set.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013101396389A CN103209189A (en) | 2013-04-22 | 2013-04-22 | Distributed file system-based mobile cloud storage safety access control method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103209189A true CN103209189A (en) | 2013-07-17 |
Legal Events
Code | Title | Description
---|---|---
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20130717