节点文献
基于策略集自动组合的网格访问控制模型研究
Study on the Access Control Model Based on Automatic Composition for Policy Set in Grid
【作者】 王荣斌;
【导师】 陈蜀宇;
【作者基本信息】 重庆大学 , 计算机应用技术, 2008, 博士
【摘要】 网格计算是当今信息技术领域的研究热点,网格环境下安全机制的构建异常复杂,分布式系统中已有的安全技术已不能完全解决网格安全的应用需求,因此建立适应网格环境下的安全机制非常重要。作者针对目前网格系统中的访问控制大多集中在实现机制上的研究,很少研究网格环境下访问控制的自动实现机制,并且在访问控制粒度、动态适应性和可扩展性等方面存在许多不足的研究现状,结合网格服务的组合关系,采用策略集自动组合及主要元素自动合并方法来改进基于属性的访问控制技术,建立一种更适合网格环境的访问控制模型,在安全可靠性、动态适应性、可扩展性等方面有更大的提高,为网格环境下的安全研究进行有益的探索。该论文主要进行了以下研究:①采用基于关系的五元组表达法及XML语言描述模型中的主要元素,并采用XACML语言描述访问控制策略集。论文提出了基于关系的五元组表达法,来定义模型元素及其间关系,并采用了XML规范语言描述模型元素,以适应论文中模型的组合、授权控制及元素撤销、更新管理。论文基于XACML语言对策略集定义及描述,以适应属性集表达方面支持。②根据网格服务与策略集组合之间的依赖关系,提出了网格虚拟组织内策略集的自动组合方法。作者提出了沿着服务组合路径建立策略集的组合关系,体现了策略集的组合与服务组合强依赖关系。本论文通过策略集自动组合引擎实现自治域策略集的自动组合,并提出了策略集自动组合实现算法。该组合方法并不会破坏策略集访问授权的确定性和一致性。③通过解析组合后的策略集主要元素,并通过自动合并计算,自动生成虚拟组织内的策略集。针对现有分布式系统的多策略组合方法并没有考虑主要元素的合并简化问题,本论文构建了模型元素描述文档的解析框架,提出了属性合并算法、权限集合并实现算法及相关约束。通过论文的主要元素合并方法及约束,生成了虚拟组织内的全局策略集,可提高授权及验证效率,且不会破坏原来的安全约束要求。④建立了基于策略集自动组合的访问控制模型(PCACM)。作者针对目前的访问控制模型不具有与网格服务动态组合相匹配的能力,并在控制粒度、可扩展和动态适应性方面存在不足的问题,引用基于属性的访问控制技术,基于策略集自动组合及元素合并实现方法,提出了PCACM模型。文中通过对PCACM模型的理论分析和试验表明,该模型具有较强的安全性、控制粒度更细、验证效率高和更大的动态适应性和灵活性。⑤通过实例介绍了PCACM模型在实际应用中的实现过程。本论文以重庆高速公路区域联网监控管理网格系统作为PCACM模型实现平台系统,经过实例分析,证明PCACM模型在实际应用中具有较强的实用性和可行性。综上所述,针对目前网格环境访问控制研究存在访问控制粒度、动态适应性和可扩展性等不足,本论文提出的PCACM模型具有更好的安全性、动态适应性和可扩展性,并且授权验证效率高的特点,论文较为完整地提出了模型构建方法及实现框架,通过分析及实现证明,该模型可以较好地满足网格环境中的应用需求。
【Abstract】 The research on grid computing is very prevalent in information technology field currently, the secure mechanism in grid is very complex, and the traditional secure technology in distributed system couldn’t solve these requirements of grid, of course, it’s very important to construct a new secure mechanism for grid environment. In this thesis, according to the status in grid access control, which many researches mainly concentrated on the implementation mechanism of access control, few researches are on automatic implementation mechanism for access control in grid, and these researches are also inadequate in fine-grained, dynamically suitable and extensible. So the author considered the services composition relations, adopted the methods to improve the attribute-based access control technology for grid ,which are policy set automatic composition and main elements automatic combination, and presented the access control model to improve these characters of secure reliability, dynamic adaptability and extensibility, which much more suitable for grid environment than others. So,these works in this thesis are meaningful exploring for security research in grid environment.The main researches in this thesis are summarized as follows:①According to the traditional grid policies only defined subjects, objects and permissions simply, and which were inadequate to support attribute set description for subjects, objects and circumstance, the author utilized XML to describe these main elements based on relation-based quintuple expression method in the model, and described the policy set based on XACML. After analyzed the relations among elements in grid access control, the quintuple expression method presented in this thesis could describe these relations of elements much exactly, and this description could be convenient for policy set composition, elements combination and updating management. So the description method in this thesis for policy set and main elements could be more suitable for the requirements of grid security than others.②According to the current mutipolicy composition didn’t consider the dependency relations between grid services and policy set composition, the author put forward the policy set automatic composition for grid virtual organizations.The author constructed the policy set composition relations along with services composition path, which embodied the composition relations between the services and policy set were strongly dependent. In this thesis, the automatic composition was based on the automatic composition engine, and the automatic composition algorithm was also presented. After the analysis, the conclusions could be made that policy set composition didn’t break the determination and continuity for authorization for access in policy set.③Aimed at production the new global policy set in virtual organization, the main elements in policy set must be parsed and combined, after combined, the new global policy set in virtual organization was born automatically. According to the current mutipolicy composition neither combine nor simplify elements in policy set, the author constructed the parsing framework for the description documents. In the thesis, the attribute set and permission combination algorithm has been presented, and the interrelated constraints were also discussed. According to the combination method and constraints, the global policy set in virtual organization was produced, the attribute set and permission set combination method raised verification efficiency, and couldn’t break these secure constraints before composition.④Aimed at solve these question in current access control model, which they hadn’t the suited capability with the automatic composition of grid services, and they were inadequate in control grain, extensibility and dynamic adaptability, so the author take advantage of the access control based on attribute, and put forward the access control model based on policy set automatic composition (PCACM). In the PCACM, the author analyzed the model in theory and simulation,which stated clearly that the model was better in security, control grain, verification efficiency and dynamic adaptability than others.⑤In order to introduce the PCACM model how to work, the author implementedthe PCACM model in practical application, which is the chongqing expressway zone-network-supervision management grid system. These works expressed that the PCACM model had much stronger availability and feasibility, and it was more suitable for grid environment than previous models.To sum up, aimed at solve these question in current access control model, which they hadn’t the suited capability with the automatic composition of grid services, and they were inadequate in control grain, extensibility and dynamic adaptability, the PCACM model was put forward in this thesis, which was better in security, control grain, extensibility and dynamic adaptability than previous models, and the verification efficiency of this model was high,. The author has presented the construction method for the PCACM model and implementation framework, from all these works, it is clear that the PCACM model was feasible, and it was more suitable for grid environment than previous models.
【Key words】 grid computing; automatic composition; automatic combination; attribute authorization; access control;