MapReduce现有调度策略无法实现云环境中多租户作业的安全隔离。提出一种基于动态域划分的安全冗余调度策略:通过引入冲突关系、信任度、安全标签等概念,建立一种动态域划分模型,以将待调度节点划分为与不同租户作业关联的冲突域、可信域或调度域;结合冗余方式,将租户作业同时调度到其可信域节点和调度域节点(但不允许为其冲突域节点),通过二者执行环境和部分计算结果的一致性验证决定是否重新调度。实验分析了其有效性和安全性。 MapReduce’s current scheduling policies could not ensure the isolation between multi-tenant Tasks in the cloud. A securely redundant scheduling policy based on dynamic domains partition was proposed. First, a kind of dy-namic domain partition model was introduced in this policy. Based on the node’s current belief, security labels with the conflict relationship between tenants, a computing node was partitioned into the conflict domain, trusted domain or schedulable domain in this model. Second, through redundantly computing, two copies of each Task were assigned re-spectively to its trusted domain node and its schedulable domain node (but not allow for its conflict domain node) in this policy. And the integrity of the two nodes’execution environments and the consistence of their results on a small part of original input data were verified. Accordingly, it decided whether the schedulable domain node was trusted. Finally, the performance and security analysis in the prototype show its effectiveness.MapReduce's current scheduling policies could not ensure the isolation between multi-tenant Tasks in the cloud. A securely redundant scheduling policy based on dynamic domains partition was proposed. First, a kind of dynamic domain partition model was introduced in this policy. Based on the node's current belief, security labels with the conflict relationship between tenants, a computing node was partitioned into the conflict domain, trusted domain or schedulable domain in this model. Second, through redundantly computing, two copies of each Task were assigned respectively to its trusted domain node and its schedulable domain node (but not allow for its conflict domain node) in this policy. And the integrity of the two nodes' execution environments and the consistence of their results on a small part of original input data were verified. Accordingly, it decided whether the schedulable domain node was trusted. Finally, the performance and security analysis in the prototype show its effectiveness
