Abstract
In a hybrid cloud computing environment, service resources are combined flexibly and migrated frequently, so access authorisation between resources is hard to establish and maintain. Applying traditional access control mechanisms to authorise cross-domain resources leads to problems such as performance bottlenecks and collusion attacks. Based on a study of hybrid cloud architecture, this paper proposes an access control scheme for cross-domain resources in hybrid clouds built on an XACML attribute negotiation mechanism. The XACML architecture is adopted as the authorised access model between cross-domain resources, providing support for fine-grained authorised access to resources. On top of this model, a reasoning engine for the attribute negotiation policy extends the negotiated attributes to improve negotiation efficiency. The negotiation policy is described in tree-structured XML to facilitate attribute authorisation reasoning. For the attribute disclosure tree structure generated during negotiation reasoning, a negotiation policy pruning algorithm is designed. Finally, experiments verify the feasibility and high efficiency of the scheme.
Source
Computer Applications and Software (《计算机应用与软件》)
CSCD
Peking University Core Journals (北大核心)
2014, Issue 7, pp. 9-12, 17 (5 pages in total)
Funding
National Natural Science Foundation of China (60970054, 61173094)
Keywords
Hybrid cloud
XACML
Cross-domain access control
Automated trust negotiation