Research and Implementation of a User Management and Authentication System for a Telecom Comprehensive Statistical Analysis Platform
Abstract
With the continual expansion of network scale and the steady growth of network information, large organizations run many application systems. Because these systems were developed at different times and against different backgrounds, their platforms and technical architectures differ as well. As a result, each application system manages its own set of user resources, and that user information can be used only within the system that owns it and cannot be shared with other application systems. In addition, users must authenticate themselves repeatedly to different authorization services, which is cumbersome and carries certain security risks. This creates an urgent need for a unified user management and authorization system that is complete, secure, easy to manage, and offers good portability and extensibility.
     After a broad survey of current user identity management technologies, it was found that using a directory service to manage user resources solves some of the problems that arise when a relational database is used for this purpose, the most prominent advantage being the platform independence of directory services.
     This thesis first analyses and studies in detail two key theories, Role-Based Access Control (RBAC) and the Lightweight Directory Access Protocol (LDAP). Combining them with the practical requirements of the user management module of a telecom enterprise's comprehensive statistical analysis platform, in whose design the author participated during an internship, it designs a user management model that integrates LDAP and RBAC. LDAP directory service technology is used to implement unified user authentication, eliminating the data redundancy that traditional databases introduce when managing this information, so that user information management becomes efficient and scales well with changes in the enterprise. At the same time, RBAC is applied to user authorization, reducing the complexity of authorization management and flexibly supporting the enterprise's security policy.

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号