Giorgos Kappes , Department of Computer Science and Engineering, University of Ioannina, Ioannina, Ioannina Greece (e-mail: firstname.lastname@example.org)
Andromachi Hatzieleftheriou , Systems and Networking, Microsoft Research Ltd, 10438 Cambridge, Cambridgeshire United Kingdom of Great Britain and Northern Ireland (e-mail: email@example.com)
V. Stergios Anastasiadis , Department of Computer Science and Engineering, University of Ioannina, Ioannina, Ioannina Greece (e-mail: firstname.lastname@example.org)
In a virtualization environment that serves multiple tenants (independent organizations), storage consolidation at the filesystem level is desirable because it enables data sharing, administration efficiency, and performance optimizations. The scalable deployment of filesystems in such environments is challenging due to intermediate translation layers required for networked file access or identity management. First we define the entities involved in a multitenant filesystem and present relevant security requirements. Then we introduce the design of the Dike authorization architecture. It combines native access control with tenant namespace isolation and compatibility to object-based filesystems. We introduce secure protocols to authenticate the participating entities and authorize the data access over the network. We alternatively use a local cluster and a public cloud to experimentally evaluate a Dike prototype implementation that we developed. At several thousand tenants, our prototype incurs limited performance overhead below 21%, unlike a solution from industry whose multitenancy overhead approaches 84% in some cases.
security services, cloud storage, distributed filesystems, datacenter infrastructure, identity management, authorization
G. Kappes, A. Hatzieleftheriou and V. S. Anastasiadis, "Multitenant Access Control for Cloud-Aware Distributed Filesystems," in IEEE Transactions on Dependable and Secure Computing.