Container-native Managed Data Sharing

Abstract

Cross-industrial collaboration can yield disruptive innovations. However, there are fears regarding data sharing across different organizations. Even if data providers make contracts covering the data shared with their consumers, they will not be able to delete the shared data in accordance with the expiration dates and modify them after they were delivered to the consumers. Data consumers need to be extremely careful about management of shared data since huge penalties are imposed against violations of data protection laws. To allay these fears, we propose a system to handle external data management instead of data providers and consumers. In our system, containerized lifetime controllers delete expired shared data in accordance with contracts for shared data called life cycle policies. To allow only service programs stipulated in the policies to manipulate shared data, containerized volume controllers enforce the access control on the basis of the FUSE interceptions and the /proc file system. The proposed system is transparent to service programs because the containerized controllers run in execution environments that are separate from service programs. The proposed system can be applied to multiple container orchestration clusters in which a provider and consumer independently administer Kubernetes container orchestrators, as well as a single container orchestration cluster. We built a prototype system on Kubernetes container orchestrators presented by the Kubernetes community and public cloud service providers. Experimental results demonstrate that the proposed system achieves data sharing between a provider and consumer with moderate overheads for disk consumption of the containerized controllers, the extensions of the volume drivers, and execution time of the FUSE access control.