
Research On Access Control Policy Management For Cloud Service Composition

Posted on: 2018-03-10
Degree: Master
Type: Thesis
Country: China
Candidate: A D Liu
Full Text: PDF
GTID: 2348330563451352
Subject: Computer Science and Technology

Abstract/Summary:
As the main service form of cloud computing, cloud services have been widely used. In an actual business environment, a single service provides only a single function. Cloud service composition integrates different cloud services to meet flexible and complex application requirements. Because cloud services are autonomous, mismatches or incompatibilities among the security policies of composed services are common. How to implement access control for a cloud composite service on the basis of the access control policy of each cloud service is therefore the key to guaranteeing the availability and controllability of the composite service. In response to the shortcomings and problems of current research, this thesis studies the following aspects.

1. An access control policy negotiation mechanism based on historical information is proposed. The access control mechanism is the key to protecting the information security of cloud services. To solve the access control problem of cross-cloud service composition, an access control policy negotiation mechanism called PNMH (access control Policy Negotiation Mechanism based on Historical information) is proposed for cloud composite services. In PNMH, the authorization relation among service components is described at the attribute level. The mechanism uses policy negotiation to carry out the interactive process of access control and ensures that the policies of different service components are presented consistently in the global composite service. We design a negotiation algorithm based on historical information. By synchronizing high-frequency negotiation policies, storing the history information of negotiations and calculating the cost of attribute disclosure, we optimize the negotiation process and improve the efficiency of negotiation. Finally, our experiments show that the mechanism not only protects the resources in the cloud services but also improves the efficiency of negotiation for cloud composite services.

2. A policy conflict detection mechanism based on a policy generated graph model is proposed. To solve the problem of policy conflict detection in the cloud service composition environment, and according to the attribute relationships of the cloud composite service and the invoking relationships of the component services, this thesis proposes the basic conflict, hierarchical conflict, exclusive conflict and composite constraint conflict types. A policy conflict detection mechanism called PGGM (Policy conflict detection mechanism based on policy Generated Graph Model) is then proposed. In PGGM, the policy generated graph model expresses the access control policy set of a cloud service composition well, and shows both the attribute relationships and the invoking relationships of the component services. The model is flexible, easy to update and extensible. PGGM transforms the conflict problem into a graph connectivity problem. It achieves efficient conflict detection and meets the needs of large-scale policy set conflict detection in the cloud environment. Finally, simulation verifies and evaluates the effectiveness and performance of the mechanism.

3. A policy conflict resolution mechanism based on multiple resolution policies is proposed. To solve the problem of resolving conflicting policies in the cloud service composition environment, and on the basis of an analysis of different conflict resolution situations, a policy conflict resolution mechanism called CMRP (policy Conflict resolution mechanism based on Multiple Resolution Policy) is proposed. According to the different policy priorities, the mechanism selects the negative priority, timing priority, positive priority or recent priority resolution policy to resolve conflicting policies. It can better balance the security and availability of the system. In addition, by calculating the attribute relevance of the policies, users can select a coarse-grained, policy-level resolution method or a fine-grained, attribute-level resolution method according to actual demand. The resolution process minimizes the change to the initial security intent and can better meet the conflict resolution needs of flexible cloud composite services. CMRP can achieve consistency of the global policies of the composite service. Finally, the effectiveness of the mechanism is verified by simulation experiments and its usability is evaluated.

4. An access control architecture based on policy management for cloud composite services is designed. This thesis comprehensively analyzes the access control needs of composite services, both inside a cloud and across clouds. Based on the study of access control policy management for cloud service composition, ACA-PM (Access Control Architecture based on Policy Management of cloud composite service) is designed. ACA-PM lays the foundation for implementing access control of cloud composite services.
Keywords/Search Tags: Cloud Service, Service Composition, Access Control, ABAC, Policy Negotiation, Policy Conflict Detection, Conflict Resolution, Policy Management