摘要
对象存储是存储领域新兴的发展趋势,它综合了SAN和NAS的优点,同时具有SAN的高速直接访问和NAS的数据共享等优势。与传统存储系统比较,实验证明对象存储是一种具有高性能、高可靠性、跨平台以及安全的数据共享的存储体系结构。然而,因为网络技术的体系结构具有一定的开放性,必须采用必要的措施来保证对象存储系统的高可靠性和安全性。
系统的可靠性以可靠度和可用度来衡量,其中系统的可靠度函数服从指数分布规律,这是可靠性建模和分析的基础。
容错和除错是提高系统可靠性的两种比较好的方法,低密度奇偶校验码(Low-Density Parity-Check code,LDPC)是一种高效的纠错编码,它把k个源数据编码为n(n>k)个数据,用这n个数据中任意k个编码数据均可重构原来的k个源数据。将这一高效的编码运用于对象存储系统中,从分析对象存储文件系统入手,实现了Linux Client端LDPC码的编解码,设计了OSD端对象的放置策略,以及在MDS端添加了部分元数据信息。通过理论分析得出了这种冗余方案对提高系统可靠性更有优势:要使数据达到相同的可用性,基于LDPC码方案只需要较低的冗余度;同样在相同的冗余度情况下,基于LDPC码冗余方案的数据有更高的可用性。
在对象存储系统现有的几种安全方案中,客户机要么访问每个对象都请求一个能力钥(capability key),要么需要获得一个身份钥(identity key)。然而这两种方案中后者使得撤销十分困难;前者所需要的密钥数量太大,同时客户机需要频繁地访问元数据服务器以获得密钥,这大大加重了元数据服务器的处理和计算负荷,而且使它成为重要的攻击目标。因此研究了一种新颖的基于角色访问控制的对象存储访问控制和认证机制,从理论上分析了它可以抵御多种网络攻击,并提供客户和OSD之间的相互认证,同时也克服了现有方案中所需的密钥数量大和元数据服务器负荷重的缺陷。
Object-Based Storage(OBS) is a new emerging development tendency in storage field,which combines the advantages of the Storage Area Network(SAN) and Network Attached Storage(NAS),has the superiority of SAN’s high-speed direct access and NAS’s data sharing. Compared with the traditional storage systems, the experiment has proved OBS is a high-performance, high reliability, cross-platform data sharing and security of the storage structure. However,because network technology's architecture is somewhat opening,measure is necessary to ensure OBS system's high reliabiity and security.
Systemic reliability is measured by reliability and availability,where systemic reliability function obeys exponential distribution,which is the basis of modeling and analyzing reliability in this thesis.
Fault Tolerance and Error Removal are two better ways to improve the reliability of the system.Low-Density Parity-Check(LDPC) code is a highly efficient fault-tolerant coding, which encodes k-source data into n (n>k) of the data, using the arbitrary k data can reconstruct the original k data sources. By applying this highly efficient coding method to OBS system, the technology of encoding&decoding of LDPC is realized on Linux Client,LDPC-based objects distribution model is designed on OSD, and some meta data information is added in Meta Data Servers. The theoretical analysis concludes this redundancy scheme to enhance system reliability has more advantages: to obtain the same availability of data, LDPC code-based needs only lower edundancy degree;also in the same degree of redundancy, the scheme based on LDPC code has higher availability.
In the existing security schemes of OBS,a client either acquires a capability key for each object or an identity key from the Meta Data Server(MDS).Use of identity keys makes revocation difficult whereas,in the prior case,client needs to acquire a large number of keys.The client has to frequently contact the MDS to acquire a key for each object that he wants to access. This imposes a lot of overhead on the file manager, which also presents a single point of failure and an attractive attack target.So we research a novel mechanism of access control and authentication based on Role-Based Access Control for OBS.This scheme is robust against many networks attacks on theory and provides client to OSD mutual authentication.Besides,it reduces the total cryptographic keys of the existing schemes and the load on the MDS.
引文
[1]向东.iSCSI-SAN网络异构存储系统管理策略的研究: [博士学位论文].武汉:华中科技大学图书馆, 2005.
[2]谭毓安,余峰,曹元大.面向对象的网络存储技术.高性能计算技术,2003,08(163):9~13
[3] Genbin Zheng, Terry Wilmarth, Orion Sky Lowlor, et al. Performance Modeling and Programming Environments for Petaflops Computers and the Blue Gene Machine. In: The 18th International Parallel Distributed Processing Symposium (IPDPS’04). American: IEEE Computer Society, 2004.197~203
[4] G. A Gibson, D P Nagle, K Amiri, et al. Filesystems for Network-attached Secure Disks. Technical Report CMU-CS, 1997, March: 1~18
[5] Mesnier M, Ganger G. R, Riedel E. Object-based storage. Communications Magazine, IEEE, 2003, 41(8): 84~90
[6] Mesnier M, Ganger G R, Riedel E. Object-based storage:pushing more functionality into storage. Potentials, IEEE, 2005, 24(2): 31~34
[7] J. Satran, A. Teperman. Object Store Based SAN File Systems. IBM SYSTEMS JOURNAL, 2003, 47(1):25~29
[8] Garth A Gibson, David F Nagle, William Courtright, et al. NASD Scalable Storage Systems. In: USENIX 1999, Linux Workshop. Monterey, CA, America: USENIX, 1999.1~6
[9] John B Lohmeyer, George O Penokie, Paul D Aloisi, et al. Information technology-SCSI Object-Based Storage Device Commands (OSD). In:CITS T10 Working Draft. http://www.t10.org/drafts.htm, 2005.16~121
[10] Yingping Lu, David H C Du, Tom Ruwart. Qos Provisioning Framework for an OSD-based Storage System. In: The 22nd IEEE/13th NASA Goddard Conference on Mass Storage System Technologies (MSST’05). American: IEEE Computer Society, 2005.135~139
[11] Panasas, Inc. Activescale Storage Cluster. Panasas White Paper. http://www. panasas.com, 2004.2~8
[12]王慧强,倪峥梅.一个分布式冗余磁盘系统设计及其可靠性分析.哈尔滨工程大学学报,1998,19 (1):67~73
[13] Rich Hernandez. Improving e-business server availability. http://www. dell.com/us /en /es g/topics/power_ps3g00-heman.htm,2000
[14] Barlow,Richard E..Mathematical Theory of Reliability:A Historical Perespective IEEE Transactionson Reliability,1984,33(1):16~20
[15] R. A. Sahner, K. S. Trivedi, and A. Puliafito. Performance and Reliability Analysis of Computer Systems:An Example Based Approach Using the SHARPE Software Package,Boston:Kluwer Academic Publishers,1996.
[16]邹逢兴.计算机应用系统的故障诊断与可靠性技术基础.北京:高等教育出版社,1999
[17] Balagurusamy E.. Reliability Engineering. New Delhi: Tata McGraw-Hill Publishing Co.Ltd.,1984
[18] K. Trivedi,B. Haverkort,A Rindos,et al.Techniques and Tools for Reliability and Performance Evaluation:Problems and Perspectives.In:G. Haring,eds. Computer Performance Evaluation:ModelingTechniques and Tools. Springer Verlag, 1994.1~24
[19] R. Tewari, D. M. Dias, W. Kish, and et al. High Availability for Clustered Multimedia Servers.In:Stanley Y. W. Su ed..Proc. of International Conference on Data Engineering( ICDE’96).New Orleans,Louisiana,USA.February 1996: IEEE Computer Society,1996.387~395
[20] John L. Hennessey,David A. Paterson.Computer Architecture:A Quantitative Approach(3rd Edition).Oxford,United Kingdom:Elsevier Science Ltd.,2002. 704~705
[21] J.H Howard. An overview of the andrew file system. In:Proceedings of the USENIX Winter Technical Conference. TX :Dallas, February 1998.200~240
[22] Matt Blaze. A cryptographic file system for unix. In:Proceedings of the 1st ACMConference on Communications and Computing Security.Fairfax, VA: ACM, 1993.9~16
[23] H. Gobioff. Security for high performance commodity subsystem.[PhD thesis]. CMU, July 1999.
[24] Benjamin C. Reed, Mark A. Smith, and Dejan Diklic.Security considerations when designing a distributed file system using object storage devices. In: Proceedings of the First IEEE International Security. America:Storage Workshop, 2002.50~59
[25] Mesnier.M, Ganger. G. R, Riedel. E. Object-based storage. Communications Magazine, IEEE, 2003, 41(8): 84~90
[26] Mesnier.M, Ganger. G. R, Riedel. E. Object-based storage: pushing more functionality into storage. Potentials, IEEE, 2005, 24(2): 31~34
[27] Mike Mesnier, Carnegie Mellon , R.Ganger et al. Object-Based Storage. IEEE Communication Magazine,August 2003:84~91
[28] Dan Feng, Lingfang Zeng, Fang Wang, et al. Adaptive policy trigger mechanism for OBSS. In: Advanced Information Networking and Applications, 2005. AINA 2005 19th International Conference on,2005.591~595
[29] Feng, D, Ling-Jun Qin, Ling-Fang Zeng, et al. A Scalable Object-Based Intelligent Storage Device. In:Proceedings of 2004 International Conference on Machine Learning and Cybernetics. 2004. 26~29
[30] Clark Elizabeth. Lesson 179: Storage virtualization. Network Magazine, 2003, 18(6): 22~24
[31] EK Lee, CA Thekkath. Petal: Distributed Virtual Disks. A Thekkath Computer Architecture News,1996: 84~92
[32] N Talagala, S Asami, T Anderson, D Patterson. Tertiary Disk: Large Scale Distributed Storage. UCB Technical Report,1998:15~28
[33] JH Hartman, I. Murdock, and T. Spalink. The swarm scalable storage system. In:Proceedings of the 19th IEEE International Conference on Dis-tributedComputing Systems(ICDCS). Jun 1999.74~81
[34] Hwang Kai, Jin Hai, Ho Roy. RAID-x: a new distributed disk array for I/O-centric cluster computing. In:Proceedings of IEEE International Symposium on High Performance Distributed Computing.2000.279~286
[35]慕建君,路成业,王新梅.关于纠删码的研究与进展.电子与信息学报,2002,24(9):1276~1281
[36] .R.G.Gallager.Low-density parity-check codes.Cambridge,MA:MIT Press, 1963.1~55
[37] Gallager R..A simple derivation of the coding theorem and some applications.IEEE Transactions on Information Theory,Jan 1965:3~18
[38]王克朝.基于冗余机制的网络存储系统可靠性研究:[硕士学位论文].武汉:华中科技大学图书馆,2006.
[39] M.G.Luby, M.Mitzenmacher, M.A.Shokrollahi.Analysis of low-density parity-check codes and improved designs using irregular graphs.In:proceedings of the 30th Annual Symposium on Theory of Computing.1998.249~258
[40] D.J.C.Machay.Good error-correcting codes based on very sparse matrices.IEEE Trans.Inform.Theory,1999,45(2):399~431
[41] .J.Pearl.Probabilistic reasoning in Intelligent systems.In:Networks of plausible Inference.Morgan Kaufmanm Publishers Inc,1988.
[42]杨立辉.网络存储中高可靠性关键技术的研究:[博士学位论文].武汉:华中科技大学图书馆, 2003:3~55
[43] Hakim Weatherspoon and John D. Kubiatowicz. Erasure coding vs. replication: A quantitative comparison. In:Proc. 1st International Workshop on Peer-to-Peer Systems (IPTPS).Cambridge:MA, March 2002.328~338
[44] Rodrigo Rodrigues, Barbara Liskov. High Availability in DHTs: Erasure Coding vs. Replication. In:International Workshop on Peer-to-Peer Systems (IPTPS) . MIT:2005.226-239
[45] Fan Wu, Tongqing Qiu, Yuequan Chen.Redundancy Schemes for Highavailability in DHTs. ISPA,2005:990~1000
[46]周敬利,余胜生.网络存储原理与技术.北京:清华大学出版社,2005.174~195
[47] Alain Azagury,Vladimir Dreizin,Michael Factor et al.Towards an Object Store. In:Proceedings of the 20th IEEE/11th NASA Goddard Conference on Mass Storage Systems and Techologies:Computer Society,2003.1~12
[48] Vishal Kher,Yongdae Kim.Decentralized Authentication Mechanisms for Object-based Storage Devices.In:Proceedings of the Second IEEE International Security in Storage Workshop(SISW’03):Computer Society,2004.
[49] B. Clifford Neumann,Theodore Ts’o.Kerberos:An authentication service for Computer networks.IEEE Communications,September 1994,32(9):33~38
