基于等级的电子政务云跨域访问控制技术

doi:10.11772/j.issn.1001-9081.2016.02.0402

计算机应用 ›› 2016, Vol. 36 ›› Issue (2): 402-407.DOI: 10.11772/j.issn.1001-9081.2016.02.0402

• 第三届CCF大数据学术会议(CCF BigData 2015) • 上一篇下一篇

基于等级的电子政务云跨域访问控制技术

池亚平¹, 王艳², 王慧丽¹, 李欣²

1. 北京电子科技学院通信工程系, 北京 100070;
2. 西安电子科技大学通信工程学院, 西安 710071

收稿日期:2015-08-29 修回日期:2015-09-12 出版日期:2016-02-10 发布日期:2016-02-03
通讯作者: 王艳(1988-),女,河北廊坊人,硕士研究生,主要研究方向:云计算访问控制。
作者简介:池亚平(1969-),女,北京人,教授,硕士,CCF会员,主要研究方向:网络安全;王慧丽(1991-),女,吉林长春人,硕士研究生,主要研究方向:身份认证、云计算安全;李欣(1989-),女,陕西咸阳人,硕士研究生,主要研究方向:云计算身份认证、可信计算。
基金资助:
中央高校基本科研业务费专项资金资助项目(YZDJ1202);中央高校基本科研业务费资助项目(328201537)。

Cross-domain access control for e-government cloud based on classification

CHI Yaping¹, WANG Yan², WANG Huili¹, LI Xin²

1. Department of Communication Engineering, Beijing Electronic Science and Technology Institute, Beijing 100070, China;
2. School of Telecommunications Engineering, Xidian University, Xi'an Shaanxi 710071, China

Received:2015-08-29 Revised:2015-09-12 Online:2016-02-10 Published:2016-02-03

摘要/Abstract

摘要： 针对电子政务云跨域访问中用户资源共享访问控制细粒度不足的安全问题,提出一种基于用户等级的跨域访问控制方案。该方案采用了云计算典型访问控制机制——身份和访问控制管理(IAM),实现了基于用户等级的断言属性认证,消除了用户在资源共享中由于异构环境带来的阻碍,提供一种细粒度的跨域访问控制机制。基于Shibboleth和OpenStack的keystone安全组件,搭建了云计算跨域访问系统,通过测试对比用户的域外和域内token,证明了方案的可行性。

关键词: 电子政务云, 跨域访问控制, 等级, 身份和访问控制管理, 安全断言标记语言

Abstract: Since the access control grain is not enough fine while users share resource during e-government cloud cross-domain access, a cross-domain access control scheme based on user's classification was proposed. In this scheme, a typical cloud computing access control mechanism——Identity and Access-control Management (IAM) was adopted, the assertion attribute authentication based on user classification was implemented, the obstruction caused by heterogeneity during resource sharing was also eliminated, and a fine-grained cross-domain access control mechanism was provided. Finally, a cross-domain system for cloud computer environment based on Shibboleth and secure component keystone of OpenStack was built, the feasibility of the scheme was proved by the test of comparing the tokens between inter-domain and outer-domain of a user.

Key words: e-government cloud, cross-domain access control, classification, Identity and Access-control Management(IAM), Security Assertion Markup Language(SAML)

中图分类号:

TP309

池亚平, 王艳, 王慧丽, 李欣. 基于等级的电子政务云跨域访问控制技术[J]. 计算机应用, 2016, 36(2): 402-407.

CHI Yaping, WANG Yan, WANG Huili, LI Xin. Cross-domain access control for e-government cloud based on classification[J]. Journal of Computer Applications, 2016, 36(2): 402-407.

参考文献

[1] 刘彦凯.信息化建设"云计算"如何服务电子政务[J].信息化建设,2011(8):17-19. (LIU Y. How can "Cloud computing" services to e-government[J]. Information Construction, 2011(8): 17-19.)
[2] CHEN L, CRAMPTON J. Inter-domain role mapping and least privilege[C]//SACMAT '07: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies. New York: ACM, 2007: 157-162.
[3] SAFFARIAN M, SADIGHI B. Owner-Based Role-Based Access Control OB-RBAC[C]//ARES 2010: Proceedings of the 2012 Seventh International Conference on Availability, Reliability and Security. Washington, DC: IEEE Computer Society, 2010: 236-241.
[4] 徐云,肖田元.基于角色映射的跨平台授权研究[J].计算机集成制造系统,2007,13(9):1866-1872. (XU Y, XIAO T Y. Cross-platform research authorization based on role mapping[J]. Computer Integrated Manufacturing Systems, 2007, 13(9): 1866-1872.)
[5] XU Z, FENG D, LI L, et al. UC-RBAC: a usage constrained role-based access control model[C]//ICICS 2003: Proceedings of the 5th International Conference on Information and Communications Security, LNCS 2836. Berlin: Springer-Verlag, 2003: 337-347.
[6] LIANG Z. A new kind of single sign-on model base on mobile Agent[C]//Proceedings of the 2010 2nd International Conference on Information Engineering and Computer Science. Piscataway, NJ: IEEE, 2010: 1-4.
[7] 马增红.基于SAML的统一身份认证和跨域单点登录的设计与实现[D].成都:电子科技大学,2008:12-15. (MA Z H. Design and implementation of unified identity authentication and cross-domain Single Sign-On (SSO) based on SAML [D]. Chengdu: University of Electronic Science and Technology of China, 2008: 12-15.)
[8] BAIER D, BERTOCCI V, BROWN K, et al. A guide to claims-based identity and access control: authentication and authorization for services and the Web[M]. 2nd ed. [S.l.]: Microsoft Patterns & Practices, 2013: 187-191.
[9] 冯登国,张敏,张妍,等.云计算安全研究[J].软件学报,2011,22(1):71-83. (FENG D G, ZHANG M, ZHANG Y, et al. Cloud computing security research[J]. Journal of Software, 2011, 22(1): 71-83.)
[10] 李红霞.云计算中身份认证与访问控制管理系统的实现策略研究[D].北京:北京邮电大学,2011:8-12. (LI H X. Research on strategy of implementation of identity authentication and access control management system in cloud computing [D]. Beijing: Beijing University of Posts and Telecommunications, 2011: 8-12.)
[11] 曹源.面向跨域联邦环境的身份管理关键技术研究[D].长沙:国防科学技术大学,2013:21-23. (CAO Y. Research of key techniques for identity management in across domains federal environment [D]. Changsha: National University of Defense Technology, 2013:21-23.)
[12] ZHANG W, LI Y. Federation access control model based on Web-service[C]//ICEE '10: Proceedings of the 2010 International Conference on E-Business and E-Government. Washington, DC: IEEE Computer Society, 2010: 38-41.
[13] STANDARDWORKING O, CAHILL C P, AOL J, et al. Assertions and protocols for the OASIS Security Assertion Markup Language (SAML) V2. 0——errata composite [S/OL]. [S.l.]: OASIS, 2006: 243-247. (2014-03-15) [2015-07-22]. https://lists.oasis-open.org/archives/security-services/200404/pdf00002.pdf.
[14] TELNONI P, MUNIR R, ROSMANSYAH Y. SAML single sign-on protocol development using combination of speech and speaker recognition[C]//Proceedings of the 2014 International Conference of Advanced Informatics: Concept, Theory and Application. Piscataway, NJ: IEEE, 2014: 299-304.
[15] 张进铎,毛承国,李硕,等. OpenStack开源云平台主模块的架构分析[J].信息技术与信息化,2014(4):17-21. (ZHANG J D, MAO C G, LI S, et al. Main module architecture analysis of OpenStack cloud platform[J]. Information Technology and Informatization, 2014(4): 17-21.)
[16] 黄凯,毛伟杰,顾骏杰.OpenStack实战指南[M].北京:机械工业出版社,2014:23-39. (HUANG K, MAO W J, GU J J. OpenStack practical guide[M]. Beijing: China Machine Press, 2014: 23-39.)
[17] 汪奕君,张兴元.OpenLDAP中访问控制机制的分析[J].中国科技信息,2005(21):41. (WANG Y J, ZHANG X Y. Analysis of access control mechanism in the OpenLDAP[J]. Journal of Information Science and Technology of China, 2005(21): 41.)
[18] OpenStack. OpenStack installation guide for Ubuntu 14.04 [EB/OL]. [2015-03-29]. http://docs.openstack.org/kilo/install-guide/install/apt/content/.

基于等级的电子政务云跨域访问控制技术

Cross-domain access control for e-government cloud based on classification

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	汤安迪, 韩统, 徐登武, 谢磊. 混沌精英哈里斯鹰优化算法[J]. 计算机应用, 2021, 41(8): 2265-2272.
[2]	郑宗生, 胡晨雨, 姜晓轶. 基于改进的最大均值差异算法的深度迁移适配网络[J]. 计算机应用, 2020, 40(11): 3107-3112.
[3]	张恩, 侯缨盈, 李功丽, 李会敏, 李钰. 基于错误学习的自适应等级可搜索加密方案[J]. 计算机应用, 2020, 40(1): 148-156.
[4]	刘开南. 云数据中心基于贪心算法的虚拟机迁移策略[J]. 计算机应用, 2019, 39(11): 3333-3338.
[5]	肖玮, 涂亚庆. 基于等级的无线传感网自适应分簇算法[J]. 计算机应用, 2017, 37(6): 1532-1538.
[6]	陈丹伟, 杨晟. 基于动态信用等级的密文访问控制方案[J]. 计算机应用, 2017, 37(6): 1587-1592.
[7]	许晓洁, 王力生. 基于Birkhoff插值的可验证多等级秘密共享算法[J]. 计算机应用, 2016, 36(4): 952-955.
[8]	王占君, 马海英, 王金华. 完全安全的等级身份基在线/离线加密[J]. 计算机应用, 2015, 35(9): 2522-2526.
[9]	马满福, 王梅. 云环境下基于服务等级协议的信任评估模型[J]. 计算机应用, 2015, 35(6): 1567-1572.
[10]	尹文科, 吴姗姗, 丁峰, 荀智德. 基于Skyline的搜索结果排序方法[J]. 计算机应用, 2015, 35(4): 1154-1158.
[11]	李勇, 吴立慧, 黄宁, 吴维刚. 基于HBase的地理分布副本管理机制[J]. 计算机应用, 2015, 35(11): 3097-3101.
[12]	王小龙, 章恒, 杨博超, 沈玉琳. 基于语义网技术的服务等级协议协商机制[J]. 计算机应用, 2015, 35(10): 2927-2932.
[13]	崔转玲李国宁林森. 基于模糊神经网络的铁路车辆热轴等级判别模型[J]. 计算机应用, 2013, 33(09): 2566-2569.
[14]	孔令晶曾华燊李耀. 等级OSPF网的安全保护方案[J]. 计算机应用, 2013, 33(08): 2212-2217.
[15]	申海洋李月娥张甜. 基于边缘方向直方图相关性匹配的图像检索[J]. 计算机应用, 2013, 33(07): 1980-1983.