
Research on Security Mechanism Defects in the Core Technologies of the Hadoop Cloud Computing Platform

Published: 2019-06-14 12:25

[Abstract]: In recent years, the rapid rise of e-commerce and the mobile Internet has caused network services to generate massive amounts of data, and the question of how to store, manage and use that data effectively has driven the development of cloud computing. Among today's cloud computing technologies, the open-source framework Hadoop has become the mainstream cloud computing platform used by large Internet companies worldwide, thanks to its open-source nature, scalability, strong computing performance and low cost. As Hadoop has come into wide use, its security shortcomings have gradually been exposed and are attracting more and more attention.

This thesis analyzes the authentication process of the Kerberos authentication system and the security design of Kerberos; introduces the syntax and rules of BAN logic and the BAN-logic proof of the Kerberos protocol; and explains the technical background of the SAML authentication standard and the concept of the Artifact. On this basis, it describes the current operating mechanism of the Hadoop cloud computing platform, introduces the platform's initial and current security status, explains in detail the platform's security mechanisms, including HDFS, MapReduce and RPC, and summarizes the platform's Token keys and authentication data flows.

In view of the current security status of the Hadoop cloud computing platform, the thesis proposes a SAML-based authentication and authorization method for a secure Hadoop cloud computing platform, and designs and implements a SAML-based Hadoop authentication and authorization system according to this method. The system stores Hadoop's authenticated users and authorized services in a database on the system server, and reduces the authentication tickets issued to users and the authorization tickets issued to services to indexes into the information held in that database, which makes the tickets lightweight. This avoids transmitting the authentication and authorization tickets directly over the Hadoop cluster's internal network, which can prevent leakage of authentication and authorization information, and it also reduces, to a certain extent, the data traffic between cluster nodes and so lightens the system's network load. In addition, using BAN logic, the thesis proves that the SAML-based authentication and authorization method is secure, reliable and free of redundancy in its design, which gives the method a theoretical basis.
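[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08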


Article ID: 2499384


Link to this article: http://sikaile.net/guanlilunwen/ydhl/2499384.html

