CN101673215A - Computer and user management method in virtual environment - Google Patents

Publication number
CN101673215A
Authority
CN
China
Prior art keywords
user
virtual machine
operating system
resource
correspondence
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200810119904A
Other languages
Chinese (zh)
Other versions
CN101673215B (en)
Inventor
余家忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Application filed by Lenovo Beijing Ltd
Priority to CN2008101199040A
Publication of CN101673215A
Application granted
Publication of CN101673215B
Current legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a computer and a user management method in a virtual environment. The computer comprises a hardware platform, a virtual machine manager, a first operating unit, and a second operating unit with a second operating system installed on the virtual machine manager. The first operating unit comprises a management unit, which sets up a plurality of users and allocates corresponding resources and permissions to each of them, and a virtual machine operation management unit. The virtual machine operation management unit collects the resources and permissions corresponding to each of the plurality of users; transmits a first user of the plurality of users, together with the resources and permissions corresponding to the first user, to the second operating system; obtains the read/write operation requests that the first user makes, according to the permissions corresponding to the first user, on the resources corresponding to the first user; and returns the corresponding read/write operation results to the second operating system through the virtual machine manager. The method prevents the first user from exceeding the first user's permissions to use other users' resources.

Description

Computer and user management method in a virtual environment
Technical field
The present invention relates to user management of computer systems in the computer field, and in particular to a computer and a user management method in a virtual environment.
Background
Present-day PCs all support multi-user, multitasking operating systems. Generally, a computer has one default superuser, who can create other users and grant them certain permissions. Because their roles differ, the users created by the superuser differ in which computer resources they can see and in what operations they may perform on those resources; the superuser, or a user authorized by the superuser, can see and operate on all computer resources.
Under normal conditions, this user permission management scheme manages computer user resources well. In the Internet era, however, under attack and sabotage by hackers, viruses and the like, it often happens that a low-privileged user, by running a vulnerable program and without knowing the password, obtains the superuser's permissions and control of all computer resources, which leads to information leakage or data corruption. This has become a major worry for system administrators and software developers.
At present, most industry solutions take the approach of "mending the fold after the sheep is lost". For example, antivirus software installed in the system checks data and software in real time and, once it finds a virus or Trojan, forbids the user from operating on the data or forbids the software from running. As another example, a firewall installed in the system cuts off the paths by which a malicious remote operator reaches into the computer system. As yet another example, user data is encrypted or hidden to guarantee its safe storage and use. In this contest between attack and defence, the attacker always holds the initiative.
A more ideal approach is to develop a defect-free system, for example with high-quality code that avoids buffer overflows and the like. In theory, the use of a system lags behind its development, and many situations cannot be foreseen when the system is developed. In practice, the skill of system developers is uneven and the rigour of system testing varies. A defect-free system can therefore only be approached indefinitely and never finally achieved.
Analysis shows two causes of this problem. The first is that user permissions are tiered: there are not only superusers, system administrators and ordinary users, but also two running states, user mode and kernel mode, and under certain conditions permission switching is allowed. The second is that necessary safeguards are lacking: a user with the highest permissions can see and operate on all computer resources, so once an attacker obtains the highest permissions the harm is severe.
In the course of realizing the present invention, the inventor found that the prior art has at least the following problem:
In a multi-user, multitasking computer system, multiple users operate on resources within the same operating system, yet the user with the highest permissions can operate on all computer resources. A low-privileged user can therefore, by running some vulnerable software, obtain the permissions of the user with the highest permissions and control of all computer resources, which leads to information leakage or data corruption.
Summary of the invention
The technical problem to be solved by the present invention is to provide a computer and a user management method in a virtual environment in which permissions and resources are well isolated among the multiple users of a computer system, so that each user uses that user's own resources within that user's own permissions and is prevented from exceeding those permissions to use other users' resources.
To solve the above technical problem, embodiments of the invention provide the following technical solutions:
In one aspect, a computer is provided, comprising:
A hardware platform;
A virtual machine management unit, located on the hardware platform, in which a virtual machine manager is installed;
A first operating unit, located on the hardware platform, in which a first operating system is installed;
A second operating unit, in which a second operating system is installed, the second operating system being installed on the virtual machine manager. The first operating unit comprises:
A management unit, configured to set up a plurality of users and to allocate corresponding resources and permissions to each of the plurality of users;
A virtual machine operation management unit, connected to the management unit and to the virtual machine manager respectively, configured to: collect the resources and permissions corresponding to each of the plurality of users; transmit a first user of the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user to the second operating system through the virtual machine manager; obtain, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the permissions corresponding to the first user, on the resources corresponding to the first user; process the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result; and return the read/write operation result to the second operating system through the virtual machine manager.
Preferably, the virtual machine operation management unit comprises:
A first processing unit, connected to the management unit, configured to collect the first user of the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user;
A second processing unit, connected to the first processing unit and to the virtual machine management unit, configured to transmit the first user, the resources corresponding to the first user and the permissions corresponding to the first user to the second operating system through the virtual machine manager;
A third processing unit, connected to the first processing unit and to the virtual machine management unit respectively, configured to: obtain, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the permissions corresponding to the first user, on the resources corresponding to the first user; process the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result; and return the read/write operation result to the second operating system through the virtual machine manager.
Preferably, the second processing unit is specifically:
A data view construction unit, connected to the first processing unit and to the virtual machine management unit, configured to construct, according to the permissions corresponding to the first user, a data view reflecting the mapping between the first user's visible resources and the real resources, and to send the data view to the virtual machine manager.
Preferably, the virtual machine manager comprises:
A data view manager, connected to the data view construction unit, configured to obtain the data view and, according to the data view, create for the second operating system the hardware environment on which the first user relies to operate on data in the second operating system;
The third processing unit obtains, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the data view, on the real resources corresponding to the first user; processes the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result; and returns the read/write operation result to the second operating system through the virtual machine manager.
Preferably, the first operating unit further comprises:
A memory, connected to the management unit and to the third processing unit respectively, configured to store the real resources that the management unit allocates to each of the plurality of users;
The third processing unit obtains, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the data view, on the real resources corresponding to the first user; obtains the corresponding read/write operation result from the memory according to the read/write operation request; and returns the read/write operation result to the second operating system through the virtual machine manager.
Preferably, the virtual machine operation management unit further comprises:
A resource information database, connected to the management unit, configured to store the correspondence among each of the plurality of users, the resources corresponding to each user and the permissions corresponding to each user.
Preferably, the first operating unit is installed on the hardware platform, and the virtual machine manager and the second operating unit are installed in the first operating unit.
Preferably, the virtual machine manager is installed on the hardware platform, and the first operating unit is installed on the virtual machine manager.
Preferably, the virtual machine manager includes a secure information channel, connected between the virtual machine operation management unit and the second operating system, for transmitting data between the virtual machine operation management unit and the second operating system.
In another aspect, a user management method in a virtual environment is also provided, comprising:
Collecting the resources and permissions that a first operating system allocates to each of a plurality of users;
Transmitting a first user of the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user to a second operating system through a virtual machine manager;
Obtaining, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the permissions corresponding to the first user, on the resources corresponding to the first user; processing the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result; and returning the read/write operation result to the second operating system through the virtual machine manager.
Preferably, the step of collecting the resources and permissions that the first operating system allocates to each of the plurality of users is specifically:
Collecting the resources and permissions that the first operating system allocates to the first user of the plurality of users.
Preferably, the step of transmitting the first user of the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user to the second operating system through the virtual machine manager is specifically:
Constructing, according to the permissions corresponding to the first user, a data view reflecting the mapping between the first user's visible resources and the real resources, and sending the data view to the virtual machine manager;
Creating for the second operating system, according to the data view, the hardware environment on which the first user relies to operate on data in the second operating system.
Preferably, the step of obtaining, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the permissions corresponding to the first user, on the resources corresponding to the first user, processing the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result, and returning the corresponding read/write operation result to the second operating system through the virtual machine manager is specifically:
Obtaining, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the data view, on the real resources corresponding to the first user; obtaining the corresponding read/write operation result from the memory according to the read/write operation request; and returning the read/write operation result to the second operating system through the virtual machine manager.
Embodiments of the invention have the following beneficial effects:
In the above scheme, in a multi-user, multitasking computer system, different users operate on their own resources in different operating systems. One user, such as the first user above, is designated for the second operating system, and that user is the superuser of the second operating system. In the second operating system, the first user can access only the resources the first user owns, according to the first user's own permissions. Because the first operating system and the second operating system are isolated, the first user in the second operating system cannot obtain information about the users in the first operating system, and therefore cannot exceed the permissions of the users in the first operating system; the first user cannot access the resources of the administrator user or other users in the first operating system, or the user resources of other second operating systems. The first user therefore cannot bypass the administrator user to access resources, which avoids information leakage or data destruction.
Description of drawings
Fig. 1 is a schematic diagram of the overall structure of the computer according to an embodiment of the invention;
Fig. 2 is a schematic diagram of a specific structure of the computer shown in Fig. 1;
Fig. 3 is a schematic diagram of a specific structure of the computer shown in Fig. 2;
Fig. 4 is a schematic diagram of a specific structure of the computer shown in Fig. 3;
Fig. 5 is a structural diagram of the computer according to an embodiment of the invention in which the second operating unit is installed inside the first operating unit;
Fig. 6 is a structural diagram of the computer according to an embodiment of the invention in which the second operating unit is installed outside the first operating unit;
Fig. 7 is a flow chart of the user management method in a virtual environment according to an embodiment of the invention.
Embodiments
To make the technical problem to be solved, the technical solutions and the advantages of the embodiments of the invention clearer, they are described in detail below with reference to the accompanying drawings and specific embodiments.
Embodiments of the invention address the problem that, in existing multi-user, multitasking computer systems, a low-privileged user can, by running some vulnerable software, obtain the superuser's permissions and control of all computer resources, leading to information leakage or data corruption. To that end they provide a computer and a user management method in a virtual environment.
As shown in Fig. 1, the computer of an embodiment of the invention comprises: a hardware platform; a virtual machine management unit, located on the hardware platform, in which a virtual machine manager is installed;
A first operating unit, located on the hardware platform, in which a first operating system is installed;
A second operating unit, in which a second operating system is installed, the second operating system being installed on the virtual machine manager. The first operating unit comprises:
A management unit, configured to set up a plurality of users and to allocate corresponding resources and permissions to each of the plurality of users;
A virtual machine operation management unit, connected to the management unit and to the virtual machine manager respectively, configured to: collect the resources and permissions corresponding to each of the plurality of users; transmit a first user of the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user to the second operating system through the virtual machine manager; obtain, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the permissions corresponding to the first user, on the resources corresponding to the first user; process the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result; and return the read/write operation result to the second operating system through the virtual machine manager.
The above embodiment builds on virtualization technology. A computer that uses virtualization technology can run multiple virtual machines at the same time, and the virtual machine manager can virtualize multiple second operating systems, which are isolated from one another and from the first operating system. In this embodiment, user setup, management of users' resources and allocation of permissions on resources are placed in the host (that is, the first operating system, sometimes also called the host operating system), while the user's use of resources is placed in a virtual machine (that is, in the second operating system). Depending on the user, the host operating system gives the second operating system only the resources that user has permission to access. The second operating system is started by the first operating system, and one user, such as the first user above, is designated for it; that user is the superuser of the second operating system. In the second operating system the first user accesses the resources the first user owns according to the first user's own permissions, and cannot access the resources of the host's administrator user or other users, or the user resources of other second operating systems. The first user therefore cannot bypass the administrator user to access resources, which avoids information leakage or data destruction.
Fig. 2 is a schematic diagram of a specific structure of the computer shown in Fig. 1, in which the virtual machine operation management unit comprises:
A first processing unit, connected to the management unit, configured to collect the first user of the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user. In the first operating system, the management unit sets up a plurality of users and allocates to each of them the resources and permissions that user may use. The first processing unit collects one of these users, such as the first user, together with the resources and permissions corresponding to the first user; the first processing unit may of course also collect a second user or a third user of the plurality of users together with their respective resources and permissions. In short, the first processing unit collects one user of the plurality of users and that user's corresponding resources and permissions;
A second processing unit, connected to the first processing unit and to the virtual machine management unit, configured to transmit the first user, the resources corresponding to the first user and the permissions corresponding to the first user to the second operating system through the virtual machine manager;
A third processing unit, connected to the first processing unit and to the virtual machine management unit respectively, configured to: obtain, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the permissions corresponding to the first user, on the resources corresponding to the first user; process the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result; and return the read/write operation result to the second operating system through the virtual machine manager. In the second operating system, the first user can perform read/write accesses on the resources the first user owns, according to the permissions corresponding to the first user. The third processing unit obtains the first user's read/write access to those resources, obtains the result of the read/write access in the first operating system, and returns that result to the second operating system. The first user's use of resources is thus confined to the second operating system, while the setup of the first user and the allocation of the first user's resources and permissions are carried out in the first operating system, and the resources actually available to the first user are also stored in the first operating system.
As shown in Fig. 3, the second processing unit is specifically:
A data view construction unit, connected to the first processing unit and to the virtual machine management unit, configured to construct, according to the permissions corresponding to the first user, a data view reflecting the mapping between the first user's visible resources and the real resources, and to send the data view to the virtual machine manager.
Correspondingly, the virtual machine manager comprises:
A data view manager, connected to the data view construction unit, configured to obtain the data view and, according to the data view, create for the second operating system the hardware environment on which the first user relies to operate on data in the second operating system;
The third processing unit obtains, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the data view, on the real resources corresponding to the first user; processes the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result; and returns the read/write operation result to the second operating system through the virtual machine manager;
The data view consists of a number of system images, which are read-only, and it is constructed according to the permissions corresponding to the first user. In the second operating system the data view therefore represents the first user's operating permissions. The data view is injected into the configuration parameters of the virtual machine manager and, combined with the system environment resources in the virtual machine image, provides a complete static software and hardware resource environment for the first user's access to the first user's resources in the second operating system.
A memory, connected to the management unit and to the third processing unit respectively, configured to store the real resources that the management unit allocates to each of the plurality of users;
The third processing unit then obtains, through the virtual machine manager, the read/write operation request that the first user makes in the second operating system, according to the data view, on the real resources corresponding to the first user; obtains the corresponding read/write operation result from the memory according to the read/write operation request; and returns the read/write operation result to the second operating system through the virtual machine manager.
After the second operating system starts, the first user's operations in the second operating system are confined to this dynamically constructed resource environment. When the first user operates on data in the second operating system, I/O operation requests such as open, close, read and write are intercepted by the virtual machine manager (Virtual Machine Monitor, VMM). For system data, such as the DLLs of a Windows system, the data view manager directs the request to the data object in the data view. For user data, the object being operated on exists in the data view as a virtual user resource, while the real user resource is stored in the memory of the first operating system; the data view manager queries the virtual machine operation management unit, the virtual machine operation management unit obtains the actual user resource object, and the I/O request is then redirected to the real user resource in the memory of the first operating system.
To improve efficiency when the first user in the second operating system performs I/O requests on the first user's resources according to the corresponding permissions, the virtual machine operation management unit, as shown in Fig. 4, further comprises a resource information database, connected to the management unit, configured to maintain and store the correspondence among each of the plurality of users, the resources corresponding to each user and the permissions corresponding to each user. When the first user issues an I/O operation request, the data view manager in the virtual machine manager queries the virtual machine operation management unit. The virtual machine operation management unit does not need to read the memory directly; it first queries the resource information database to obtain information about the first user's real resources, and then reads the relevant real resources from the memory according to that information.
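The interception and redirection path described above (data view, data view manager, virtual machine operation management unit, resource information database) can be modelled in a few lines. This is an added Python example, not code from the patent; the class names, status strings, file names and paths are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass
from types import MappingProxyType

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Grant:
    real_path: str      # location in the first OS's storage (never sent to the guest)
    perms: frozenset    # subset of {READ, WRITE}


class VMOperationManager:
    """First-OS side: resource information database plus the real storage."""

    def __init__(self, storage):
        self._storage = dict(storage)   # real_path -> bytes
        self._db = {}                   # user -> {visible name -> Grant}

    def assign(self, user, name, real_path, perms):
        self._db.setdefault(user, {})[name] = Grant(real_path, frozenset(perms))

    def build_data_view(self, user, system_image):
        """Read-only view for ONE user: visible name -> (kind, perms)."""
        view = {name: ("system", frozenset({READ})) for name in system_image}
        for name, grant in self._db.get(user, {}).items():
            view[name] = ("user", grant.perms)
        return MappingProxyType(view)

    def process(self, user, op, name, data=None):
        """Look up the real resource in the database, then touch storage."""
        grant = self._db.get(user, {}).get(name)
        if grant is None or op not in grant.perms:
            return ("denied", None)     # re-checked on the host side
        if op == READ:
            return ("ok", self._storage[grant.real_path])
        self._storage[grant.real_path] = data
        return ("ok", None)

    def peek(self, real_path):
        return self._storage[real_path]


class DataViewManager:
    """VMM side: intercepts guest I/O for the single user bound to this guest."""

    def __init__(self, user, view, system_image, manager):
        self._user, self._view = user, view
        self._system_image, self._manager = system_image, manager

    def handle_io(self, op, name, data=None):
        entry = self._view.get(name)
        if entry is None:
            return ("not-found", None)  # other users' resources are not visible
        kind, perms = entry
        if op not in perms:
            return ("denied", None)
        if kind == "system":            # served from the read-only image
            return ("ok", self._system_image[name])
        return self._manager.process(self._user, op, name, data)


def demo():
    # Constructed sample data.
    system_image = {"kernel32.dll": b"<system image bytes>"}
    host = VMOperationManager({
        "/host/alice/notes.txt": b"alice notes",
        "/host/alice/report.pdf": b"q3 report",
        "/host/bob/payroll.xls": b"bob payroll",
    })
    host.assign("alice", "notes.txt", "/host/alice/notes.txt", {READ, WRITE})
    host.assign("alice", "report.pdf", "/host/alice/report.pdf", {READ})
    host.assign("bob", "payroll.xls", "/host/bob/payroll.xls", {READ, WRITE})

    view = host.build_data_view("alice", system_image)
    guest = DataViewManager("alice", view, system_image, host)
    results = {
        "read_own": guest.handle_io(READ, "notes.txt"),
        "write_readonly": guest.handle_io(WRITE, "report.pdf", b"x"),
        "read_other_user": guest.handle_io(READ, "payroll.xls"),
        "write_system": guest.handle_io(WRITE, "kernel32.dll", b"x"),
        "write_own": guest.handle_io(WRITE, "notes.txt", b"edited"),
    }
    return results, host, view


if __name__ == "__main__":
    for case, outcome in demo()[0].items():
        print(f"{case:16} -> {outcome}")
```

The guest-facing view carries only visible names and permissions; the real paths stay in the host-side database, and the host repeats the permission check before touching storage.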
As shown in Fig. 5, the first operating unit is installed directly on the hardware platform, and the virtual machine manager and the second operating unit are installed in the first operating unit. This is one architecture in virtualization technology; the embodiments shown in Figs. 1 to 4 are equally applicable to the other architecture in virtualization technology.
As shown in Fig. 6, the virtual machine manager is installed directly on the hardware platform, and the first operating unit is installed directly on the virtual machine manager. In this case a secure information channel also needs to be set up between the first operating system and the second operating system. The secure information channel is installed in the virtual machine manager, is connected between the virtual machine operation management unit and the second operating system, and is used to transmit data between the virtual machine operation management unit and the second operating system.
In summary, the above embodiments strictly separate the management of users and of users' resources and permissions from the users' use of resources, so that a resource user cannot bypass the resource administrator to access resources. Resources are completely isolated between users: what the second operating system (virtual machine) sees is only the first user's resources, not the resources of all users and not the resources of the whole system. Likewise, other users, such as the administrator user, may be in the first operating system; because the first operating system and the second operating system are isolated, the first user in the second operating system cannot obtain information about the users in the first operating system, and therefore cannot exceed the permissions of the users in the first operating system to access their resources. In addition, even if a hacker or virus breaks into the second operating system or virtual machine, the harm is confined to the second operating system and does not endanger other users or operating systems. The original security measures in the computer system as a whole remain effective: protections such as antivirus software and firewalls can still be used in the second operating system, and in the first operating system, or main operating system, means such as encryption, passwords and hiding can still be used to strengthen the security of system resources. Furthermore, the virtual machine image can be made read-only (the images in the data view are also read-only) and updated regularly, so that even if the second operating system or virtual machine is infected by a virus, Trojan or the like, other users' operating environments are not affected. In the first operating system, the original operation interface can be used to customize users' operating environments dynamically. Because multiple virtual machines, that is, multiple second operating systems, are allowed to run at the same time, switching between users is carried out directly, with no log-off step; in this way the PC still supports multiple users and multitasking.
As shown in Figure 7, an embodiment of the present invention also provides a user management method in a virtual environment, comprising:
Step S70: collecting the resources and permissions that the first operating system allocates to each user among a plurality of users;
Step S71: transferring a first user among the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user to the second operating system through the virtual machine manager;
Step S72: obtaining, through the virtual machine manager, a read/write operation request that the first user in the second operating system makes, according to the permissions corresponding to the first user, on the resources corresponding to the first user; processing the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result; and returning the read/write operation result to the second operating system through the virtual machine manager.
In step S70 above, the plurality of users and the resources and permissions corresponding to each of them are set up and allocated in the first operating system, and the correspondence among each user, that user's resources and that user's permissions is maintained in the resource information database. In this embodiment, the resources and permissions of one of the plurality of users are collected, namely those of the first user. Step S71 above may specifically be:
Constructing, according to the permissions corresponding to the first user, a Data View that reflects the mapping between the resources visible to the first user and the real resources, and sending the Data View to the virtual machine manager;
Creating for the second operating system, according to the Data View, the hardware environment on which the first user's running data in the second operating system relies. Correspondingly, step S72 may specifically be:
Obtaining, through the virtual machine manager, a read/write operation request that the first user in the second operating system makes, according to the Data View, on the real resources corresponding to the first user; obtaining the corresponding read/write operation result from the memory according to the read/write operation request; and returning the read/write operation result to the second operating system through the virtual machine manager. In this step, when the first user's read/write operation request is obtained, the resource information database is queried first, the corresponding read/write operation result is then read from the memory, and the result is returned to the second operating system.
In this way, only one user, the first user, is assigned to the second operating system. The first user's use of its resources in the second operating system is not affected by other users, and the first user's resources cannot be accessed by other users. At the same time, the first user can access only the resources represented by the Data View within the scope of its permissions; resources outside that scope are invisible to the first user, so the first user cannot access other users' resources either. Thus, while the original operating system continues to support multiple users and multitasking, the management of users is strictly separated from the users' use of resources. A situation in which an ordinary user bypasses the superuser's permissions and accesses resources owned by the superuser cannot occur, which avoids information leakage and data destruction.
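The flow of steps S70 to S72 can be modelled in a few lines. The sketch below is an added illustration, not code from the patent: the class and function names, the paths, the `/home/` naming of visible resources and the sample records are all constructed assumptions. It shows the two properties the description relies on: the guest can name only what its Data View contains, and every request is checked against the resource database before the real resource is touched.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): real resources held by the first
# operating system, and the per-user resource/permission records.
REAL_STORE = {
    "/data/alice/report.txt": b"q3 draft",
    "/data/alice/keys.txt": b"alice-secret",
    "/data/bob/notes.txt": b"bob-private",
}
RESOURCE_DB = {  # user -> {real resource: permissions}
    "alice": {"/data/alice/report.txt": "rw", "/data/alice/keys.txt": "r"},
    "bob": {"/data/bob/notes.txt": "rw"},
}


@dataclass(frozen=True)
class ViewEntry:
    real: str    # real resource in the first operating system
    perms: str   # permissions captured when the view was built


def build_data_view(user):
    """S70/S71: collect one user's records, map visible names to real ones."""
    view = {}
    for real, perms in RESOURCE_DB[user].items():
        visible = "/home/" + real.rsplit("/", 1)[1]  # hypothetical naming
        view[visible] = ViewEntry(real, perms)
    return view


class OperationManager:
    """Hypothetical stand-in for the mediator that runs in the first OS."""

    def __init__(self, user):
        self.user = user
        self.view = build_data_view(user)

    def list_visible(self):
        # Everything the second operating system can enumerate for this user.
        return sorted(self.view)

    def handle(self, op, visible, data=None):
        """S72: serve one read/write request forwarded by the VM manager."""
        entry = self.view.get(visible)
        if entry is None:
            # Not in the Data View: answer as if it does not exist, so real
            # paths and other users' resources stay invisible to the guest.
            return ("ENOENT", None)
        # Query the resource database first; it can only narrow the view.
        current = RESOURCE_DB.get(self.user, {}).get(entry.real, "")
        perms = set(entry.perms) & set(current)
        if op == "read" and "r" in perms:
            return ("OK", REAL_STORE[entry.real])
        if op == "write" and "w" in perms:
            REAL_STORE[entry.real] = data
            return ("OK", None)
        return ("EACCES", None)


if __name__ == "__main__":
    mgr = OperationManager("alice")
    print(mgr.list_visible())
    print(mgr.handle("read", "/home/report.txt"))
    print(mgr.handle("write", "/home/keys.txt", b"x"))   # read-only resource
    print(mgr.handle("read", "/data/bob/notes.txt"))     # outside the view
```

Because the permission check happens per request on the first-operating-system side, narrowing a record in the database takes effect on the next request without rebuilding the guest.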
The above is a preferred embodiment of the present invention. It should be noted that those skilled in the art may make improvements and modifications without departing from the principle of the present invention, and such improvements and modifications shall also be regarded as falling within the scope of protection of the present invention.

Claims (13)

1. A computer, comprising:
A hardware platform;
A virtual machine management unit, located on the hardware platform, in which a virtual machine manager is installed;
A first operating unit, located on the hardware platform, in which a first operating system is installed;
A second operating unit, in which a second operating system is installed, the second operating system being installed on the virtual machine manager; characterized in that the first operating unit comprises:
An administrative unit, configured to set up a plurality of users and to allocate corresponding resources and permissions to each user among the plurality of users;
A virtual machine operational management unit, connected to the administrative unit and to the virtual machine manager respectively, configured to collect the resources and permissions corresponding to each user among the plurality of users; to transfer a first user among the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user to the second operating system through the virtual machine manager; to obtain, through the virtual machine manager, a read/write operation request that the first user in the second operating system makes, according to the permissions corresponding to the first user, on the resources corresponding to the first user; to process the resources corresponding to the first user according to the read/write operation request and obtain a read/write operation result; and to return the read/write operation result to the second operating system through the virtual machine manager.
2. The computer according to claim 1, characterized in that the virtual machine operational management unit comprises:
A first processing unit, connected to the administrative unit, configured to collect the first user among the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user;
A second processing unit, connected to the first processing unit and to the virtual machine management unit, configured to transfer the first user, the resources corresponding to the first user and the permissions corresponding to the first user to the second operating system through the virtual machine manager;
A third processing unit, connected to the first processing unit and to the virtual machine management unit respectively, configured to obtain, through the virtual machine manager, a read/write operation request that the first user in the second operating system makes, according to the permissions corresponding to the first user, on the resources corresponding to the first user; to process the resources corresponding to the first user according to the read/write operation request and obtain a read/write operation result; and to return the read/write operation result to the second operating system through the virtual machine manager.
3. The computer according to claim 2, characterized in that the second processing unit is specifically:
A Data View construction unit, connected to the first processing unit and to the virtual machine management unit, configured to construct, according to the permissions corresponding to the first user, a Data View that reflects the mapping between the resources visible to the first user and the real resources, and to send the Data View to the virtual machine manager.
4. The computer according to claim 3, characterized in that the virtual machine manager comprises:
A Data View manager, connected to the Data View construction unit, configured to obtain the Data View and to create for the second operating system, according to the Data View, the hardware environment on which the first user's running data in the second operating system relies;
The third processing unit obtains, through the virtual machine manager, a read/write operation request that the first user in the second operating system makes, according to the Data View, on the real resources corresponding to the first user; processes the resources corresponding to the first user according to the read/write operation request and obtains a read/write operation result; and returns the read/write operation result to the second operating system through the virtual machine manager.
5. The computer according to claim 4, characterized in that the first operating unit further comprises:
A memory, connected to the administrative unit and to the third processing unit respectively, configured to store the real resources that the administrative unit allocates to each user among the plurality of users;
The third processing unit obtains, through the virtual machine manager, a read/write operation request that the first user in the second operating system makes, according to the Data View, on the real resources corresponding to the first user; obtains the corresponding read/write operation result from the memory according to the read/write operation request; and returns the read/write operation result to the second operating system through the virtual machine manager.
6. The computer according to claim 1, characterized in that the virtual machine operational management unit further comprises:
A resource information database, connected to the administrative unit, configured to store the correspondence among each user of the plurality of users, the resources corresponding to each user and the permissions corresponding to each user.
7. The computer according to any one of claims 1 to 6, characterized in that the first operating unit is installed on the hardware platform, and the virtual machine manager and the second operating unit are installed in the first operating unit.
8. The computer according to any one of claims 1 to 6, characterized in that the virtual machine manager is installed on the hardware platform, and the first operating unit is installed on the virtual machine manager.
9. The computer according to claim 8, characterized in that the virtual machine manager comprises a secure information channel, connected between the virtual machine operational management unit and the second operating system, configured to transfer data between the virtual machine operational management unit and the second operating system.
10. A user management method in a virtual environment, characterized by comprising:
Collecting the resources and permissions that a first operating system allocates to each user among a plurality of users;
Transferring a first user among the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user to a second operating system through a virtual machine manager;
Obtaining, through the virtual machine manager, a read/write operation request that the first user in the second operating system makes, according to the permissions corresponding to the first user, on the resources corresponding to the first user; processing the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result; and returning the read/write operation result to the second operating system through the virtual machine manager.
11. The method according to claim 10, characterized in that the step of collecting the resources and permissions that the first operating system allocates to each user among a plurality of users is specifically:
Collecting the resources and permissions that the first operating system allocates to the first user among the plurality of users.
12. The method according to claim 10, characterized in that the step of transferring the first user among the plurality of users, the resources corresponding to the first user and the permissions corresponding to the first user to the second operating system through the virtual machine manager is specifically:
Constructing, according to the permissions corresponding to the first user, a Data View that reflects the mapping between the resources visible to the first user and the real resources, and sending the Data View to the virtual machine manager;
Creating for the second operating system, according to the Data View, the hardware environment on which the first user's running data in the second operating system relies.
13. The method according to claim 12, characterized in that the step of obtaining, through the virtual machine manager, a read/write operation request that the first user in the second operating system makes, according to the permissions corresponding to the first user, on the resources corresponding to the first user, processing the resources corresponding to the first user according to the read/write operation request to obtain a read/write operation result, and returning the read/write operation result to the second operating system through the virtual machine manager is specifically:
Obtaining, through the virtual machine manager, a read/write operation request that the first user in the second operating system makes, according to the Data View, on the real resources corresponding to the first user; obtaining the corresponding read/write operation result from a memory according to the read/write operation request; and returning the read/write operation result to the second operating system through the virtual machine manager.
CN2008101199040A 2008-09-09 2008-09-09 Computer and user management method in virtual environment Active CN101673215B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101199040A CN101673215B (en) 2008-09-09 2008-09-09 Computer and user management method in virtual environment

Publications (2)

Publication Number Publication Date
CN101673215A true CN101673215A (en) 2010-03-17
CN101673215B CN101673215B (en) 2012-12-12

Family

ID=42020449

Country Status (1)

Country Link
CN (1) CN101673215B (en)

Also Published As

Publication number Publication date
CN101673215B (en) 2012-12-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant