
Security Analysis And Improvement Of OpenStack Object Storage

Posted on: 2016-08-24
Degree: Master
Type: Thesis
Country: China
Candidate: X W Wei
GTID: 2298330467992617
Subject: Cryptography
Abstract/Summary:
With the booming development of cloud computing, OpenStack, a new platform for cloud management, is gradually becoming a core technology that provides a common technical basis for public and private clouds. It not only provides a base platform layer service in a friendly way, but also delivers a unified, automated cloud management platform. However, several security weaknesses still exist owing to the dynamic nature of the emerging OpenStack platform. In this thesis, we focus on OpenStack Object Storage and identify security risks in three of its modules: authentication, access management and data management. To solve these security problems, this thesis puts forward corresponding improved schemes. These improvements can raise the security level of OpenStack Object Storage and provide users with a more secure service platform.

1. We improve the identity authentication scheme in OpenStack Object Storage. Through analysis of the authentication system in OpenStack Object Storage, we find that user passwords lack a validity check and that user data files are saved as plaintext in the specified location. These security problems usually lead to illegal intrusion into user data and cause malicious leakage of user information. Therefore, this thesis makes use of the python-crack technology and Python module encryption technology to put forward an improved identity authentication scheme for OpenStack Object Storage. Our proposal makes the user identity authentication system more robust and enhances the security of user information.

2. We improve the access management scheme in OpenStack Object Storage. Through analysis of the access authentication system and the token authentication system in OpenStack Object Storage, we point out that both systems use the HTTP reference field for authorization. However, the division of user privileges is not clear, and the restrictions on some administrators are insufficient. These security problems can easily cause permission confusion in OpenStack Object Storage and lead to data leakage. Therefore, we use Service Provisioning Markup Language, Security Assertion Markup Language and Extensible Access Control Markup Language technologies to propose a modified access management scheme for OpenStack Object Storage. The modification enhances the security of the access management mechanism in OpenStack Object Storage.

3. We improve the data management scheme in OpenStack Object Storage. By analyzing the method of data storage in OpenStack Object Storage, we find that OpenStack Object Storage lacks data integrity checking. As a result, data backups are incomplete and the data is vulnerable to breaches. Therefore, we examine together the implementation of data backup, data recovery and data deletion in OpenStack Object Storage, and compare the data storage location and container structure. Finally, we propose some improvement ideas for data management in OpenStack Object Storage so as to enhance data integrity and improve storage reliability.
Keywords/Search Tags: Cloud computing, OpenStack, Object storage, Security