Virtualization-aware access control for multitenant filesystems

Author

Kappes, Giorgos ; Hatzieleftheriou, Andromachi ; Anastasiadis, Stergios V.

Author_Institution

Dept. of Comput. Sci. & Eng., Univ. of Ioannina, Ioannina, Greece

fYear

2014

fDate

2-6 June 2014

Firstpage

1

Lastpage

6

Abstract

In a virtualization environment that serves multiple tenants, storage consolidation at the filesystem level is desirable because it enables data sharing, administration efficiency, and performance optimizations. The scalable deployment of filesystems in such environments is challenging due to intermediate translation layers required for networked file access or identity management. First we present several security requirements in multitenant filesystems. Then we introduce the design of the Dike authorization architecture. It combines native access control with tenant namespace isolation and compatibility to object-based filesystems. We use a public cloud to experimentally evaluate a prototype implementation of Dike that we developed. At several thousand tenants, our prototype incurs limited performance overhead up to 16%, unlike an existing solution whose multitenancy overhead approaches 84% in some cases.

Keywords

authorisation; electronic data interchange; file organisation; virtualisation; Dike authorization architecture; data sharing; filesystem level; identity management; intermediate translation layers; multiple tenants; multitenant filesystems; native access control; networked file access; object-based filesystems; security requirements; storage consolidation; tenant namespace isolation; virtualization environment; virtualization-aware access control; Access control; Authentication; Cloud computing; Levee; Prototypes; Scalability; Servers;

fLanguage

English

Publisher

ieee

Conference_Titel

Mass Storage Systems and Technologies (MSST), 2014 30th Symposium on

Conference_Location

Santa Clara, CA

Type

conf

DOI

10.1109/MSST.2014.6855543

Filename

6855543