As one of the most active open-source projects in the world, OpenStack has worked in the field of cloud computing for twelve years and has become one of the most popular open-source cloud computing projects. However, when OpenStack is applied to the public cloud scenario, its identity authentication and access control mechanism lacks an API call mechanism, dynamic user access management, and a cross-domain resource access mechanism, which greatly restricts its application in the public cloud scenario. In response to the above problems, this thesis designs an Improved Identity and Access Management System (IIAMS) as a solution built on the OpenStack security component known as Keystone. The specific work is as follows:

(1) Design and implementation of an API call mechanism. The system can be accessed programmatically through an API call mechanism based on digital signatures, which solves the problems of token expiration and tampering when an application calls IIAMS services. This signature mechanism effectively guarantees the security of API calls and expands the available ways of authentication.

(2) Design and implementation of dynamic access management for cloud services. This thesis combines the OSAC (OpenStack Access Control) model with the access control meta-model PERM (Policy, Effect, Request, Matcher) and decouples the binding between roles and access rights in the native OSAC model to realize dynamic user access control.

(3) Design and implementation of cross-domain access to cloud resources. To achieve cross-domain access to cloud resources, this thesis designs and implements a role-playing mechanism: a user obtains a set of virtual roles authorized by other root accounts, without in-domain login credentials being exposed to users outside the domain.

(4) Design and implementation of system security and operation audit. To ensure that all operations are traceable, this thesis designs and implements an operation audit mechanism that sends all requests and responses to an audit message queue for auditing. This thesis also implements a limit on API calls by using a cache database.

(5) Automated deployment in a multi-node cluster and system testing. This thesis designs a high-availability deployment scheme for a multi-node cluster using service health detection and floating IPs. Related Ansible playbooks are designed to realize automated deployment. System testing is divided into three parts: smoke testing, functional testing, and performance testing, to conduct a comprehensive inspection of the system. Taking the three test results into account, IIAMS not only realizes the API call mechanism, dynamic permission access control, and cross-domain access mechanism, but also realizes operation audit and API access quotas, meeting the desired security and performance requirements.
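As an added illustration of the signed API call mechanism described in item (1), the following is example code written for this page, not the thesis's IIAMS implementation. It assumes a per-client shared secret, HMAC-SHA256 over a canonical string of method, path, timestamp, nonce and body hash, and an in-memory nonce set standing in for the cache database; all header names, paths and values are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; a real deployment issues one secret per access key.
SECRET = b"demo-secret-key"
MAX_SKEW_SECONDS = 300  # how old a signed request may be before it is rejected


def canonical_string(method, path, timestamp, nonce, body):
    # Everything the signature covers; a change to any field invalidates it.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(method, path, body, secret=SECRET, now=None):
    # Client side: produce the headers that accompany the HTTP request.
    timestamp = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    def __init__(self, secret=SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = set()  # assumption: stands in for the cache database

    def verify(self, method, path, body, headers, now=None):
        # Server side: returns (accepted, reason); no state changes on rejection.
        now = now if now is not None else time.time()
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        msg = canonical_string(method, path, ts, nonce, body).encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "signature mismatch"
        self.seen_nonces.add(nonce)  # record only after a successful check
        return True, "ok"
```

The timestamp window replaces a long-lived token's expiry, and the nonce set rejects replay of a captured request even inside that window.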