In a hybrid cloud environment, enterprise business applications and data are frequently transferred and migrated across cloud services. Faced with diverse and complex cloud service environments, most current hybrid cloud applications define data access control policies around the access subject only and adjust those policies manually, which cannot meet the fine-grained, dynamic access control requirements that arise at the different stages of the data life cycle. This study proposes AHCAC, an adaptive access control method oriented to the data life cycle in a hybrid cloud environment. First, a policy description approach based on key attributes is adopted to unify the heterogeneous policies that govern data across its full life cycle in the hybrid cloud; in particular, a "stage" attribute is introduced to explicitly identify the life-cycle state of the data, which provides the basis for fine-grained access control oriented to the data life cycle. Second, since access control policies belonging to the same life-cycle stage are similar and consistent with one another, a policy distance is defined and a hierarchical clustering algorithm based on that distance is introduced to construct the access control policy corresponding to each life-cycle stage. Finally, when the life-cycle stage of the data changes, key attribute matching triggers the adaptive adjustment and loading of the policy for the data's new stage in the policy evaluation engine, which realizes adaptive access control oriented to the data life cycle. Experiments on OpenStack and the open-source policy evaluation engine Balana verify the effectiveness and feasibility of the proposed method.