Research on Security Mechanism Defects in the Core Technologies of the Hadoop Cloud Computing Platform

Published: 2019-06-14 12:25

[Abstract]: In recent years, the rapid rise of e-commerce and the mobile Internet has caused network services of all kinds to generate massive amounts of data. The question of how to store, manage, and use this data effectively has driven the development of cloud computing technology. Among today's cloud computing technologies, the open-source framework Hadoop has become the mainstream cloud computing platform used by large Internet enterprises worldwide, thanks to its open-source nature, scalability, strong computing performance, and low cost. As Hadoop has come into wide use, its security shortcomings have gradually been exposed and have attracted growing attention.

This thesis analyzes the authentication process of the Kerberos authentication system and the security design of Kerberos; introduces the syntax and rules of BAN logic reasoning, together with the BAN logic proof of the Kerberos protocol; and explains the SAML authentication standard and the concept of the Artifact. On this basis, it describes the current operating mechanism of the Hadoop cloud computing platform; introduces the platform's initial and current security status; explains in detail the Hadoop security mechanisms, including HDFS, MapReduce, and RPC; and summarizes the platform's Token keys and authentication data flow.

In view of the current security status of the Hadoop cloud computing platform, this thesis proposes a SAML-based authentication and authorization method for a secure Hadoop cloud computing platform, and designs and implements a SAML-based Hadoop authentication and authorization system according to this method. The system stores Hadoop's authenticated users and authorized services in a database on the system server, and reduces the authentication ticket issued to a user and the authorization ticket issued to a service to indexes into the information held in that database, making the authentication and authorization tickets lightweight. This avoids transmitting the authentication and authorization tickets directly over the Hadoop cluster's internal network, which prevents leakage of authentication and authorization information, reduces to some extent the data traffic carried between cluster nodes, and lightens the system's network load. In addition, by applying BAN logic reasoning, the thesis proves that the SAML-based authentication and authorization method is secure, reliable, and free of redundancy by design, which also provides a theoretical basis for the method.
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08


Article ID: 2499384


Article link: http://www.sikaile.net/guanlilunwen/ydhl/2499384.html

