CN102611699A - Method and system for access control in cloud operation system - Google Patents


Info

Publication number
CN102611699A
Authority
CN
China
Prior art keywords
user
information
role
visit
operation set
Legal status
Pending
Application number
CN2012100429978A
Other languages
Chinese (zh)
Inventor
房体盈
朱波
朱锦雷
Current Assignee
Inspur Beijing Electronic Information Industry Co Ltd
Original Assignee
Inspur Beijing Electronic Information Industry Co Ltd
Priority date
2012-02-22
Filing date
2012-02-22
Publication date
2012-07-25

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a method and system for access control in a cloud operation system. The method comprises the steps of: respectively allocating role information corresponding to a user for each user accessing the cloud operation system; configuring an operation set corresponding to a role for each piece of role information, wherein the operation set records access permission information of the cloud operation system allowing the role to access a functional module; when receiving an access request of some user, obtaining the role information of the user; and according to the operation set corresponding to the role information of the user, controlling the access initiated by the user.

Description

Method and system for access control in a cloud operating system
Technical field
The present invention relates to the field of computing, and in particular to a method and system for access control in a cloud operating system.
Background technology
The cloud operating system (cloud OS) has gained industry recognition and is gradually being realized and put into practice in cloud computing. A cloud OS provides users with computing, storage, network and virtual-resource services. Because the number of users will be very large, this places higher demands on system security, and the work of system administration also becomes very heavy. How to manage users' access rights securely, reasonably and efficiently, and how to cope with complex permission changes, is an important topic facing the cloud OS.
Summary of the invention
The present invention provides a method and system for access control in a cloud operating system. The technical problem it solves is how to manage users' access rights securely, reasonably and efficiently.
To solve the above technical problem, the invention provides the following technical scheme:
A method for access control in a cloud operating system, in which the functional modules of the cloud operating system are independent of one another, the method comprising:
allocating to each user who accesses the cloud operating system the role information corresponding to that user;
configuring for each piece of role information the operation set corresponding to that role, the operation set recording the access permission information with which the cloud operating system allows the role to access the functional modules;
on receiving an access request from a user, obtaining the role information of that user;
controlling the access initiated by the user according to the operation set corresponding to the user's role information.
Preferably, the method further has the following feature: allocating to each user who accesses the cloud operating system the role information corresponding to that user comprises:
obtaining the user's identity identification information;
allocating the corresponding role information to the user according to the identity identification information.
Preferably, the method further has the following feature: controlling the access initiated by the user according to the operation set corresponding to the user's role information comprises:
obtaining the user's access information, the access information comprising the functional module the user intends to access and the operation mode on that functional module;
judging whether the access information is recorded in the operation set;
if the access information is recorded in the operation set, allowing the user to initiate the access; otherwise, refusing the access initiated by the user.
Preferably, the method further has the following feature: the method further comprises:
after receiving a role change request for a user, updating the user's role information according to the role change request.
A system for access control in a cloud operating system, in which the functional modules of the cloud operating system are independent of one another, the system comprising:
an allocation device, for allocating to each user who accesses the cloud operating system the role information corresponding to that user;
a configuration device, connected to the allocation device, for configuring for each piece of role information the operation set corresponding to that role, the operation set recording the access permission information with which the cloud operating system allows the role to access the functional modules;
an obtaining device, connected to the configuration device, for obtaining the user's role information on receiving an access request from a user;
a control device, connected to the obtaining device, for controlling the access initiated by the user according to the operation set corresponding to the user's role information.
Preferably, the system further has the following feature: the allocation device comprises:
a first obtaining module, for obtaining the user's identity identification information;
an allocation module, for allocating the corresponding role information to the user according to the identity identification information.
Preferably, the system further has the following feature: the control device comprises:
a second obtaining module, for obtaining the user's access information, the access information comprising the functional module the user intends to access and the operation mode on that functional module;
a judging module, connected to the second obtaining module, for judging whether the access information is recorded in the operation set;
a control module, connected to the judging module, for allowing the user to initiate the access if the access information is recorded in the operation set, and otherwise refusing the access initiated by the user.
Preferably, the system further has the following feature: the system further comprises:
an updating device, connected to the allocation device and the obtaining device, for updating the user's role information according to a role change request after the role change request for the user is received.
In the embodiments provided by the invention, a suitable role is allocated to each user so that users are associated with access rights; at the time of access control, the user's access is then effectively controlled by the operation set corresponding to that role. This reduces the complexity of authorization management, reduces administration overhead, and also provides the administrator with an environment in which complex security policies can be implemented reasonably.
Description of drawings
Fig. 1 is a schematic flow chart of the method embodiment of access control in a cloud operating system provided by the invention;
Fig. 2 is a schematic structural diagram of the system embodiment of access control in a cloud operating system provided by the invention;
Fig. 3 is a schematic structural diagram of the allocation device 201 in the system shown in Fig. 2;
Fig. 4 is a schematic structural diagram of the control device 204 in the system shown in Fig. 2;
Fig. 5 is another schematic structural diagram of the system shown in Fig. 2.
Embodiment
To make the objectives, technical scheme and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other in any way.
To solve the access-control problem of the cloud OS, an improved role-based access control scheme is proposed according to the characteristics of the cloud OS: different users access different functional modules and different server groups according to the roles they take on. Specifically:
The cloud operating system provides users with physical infrastructure services: computing, storage, network and virtual resources. Facing a wide variety of users, a reasonable access control mechanism must be provided to guarantee the security and efficiency of Cloud Sea OS access control and to keep unauthorized, illegitimate users out. Different users have different access rights; access rights determine whether a user or program is entitled to perform a certain operation on a specific resource, and role-based access control can solve this problem.
It should be noted that the functional modules in the cloud operating system referred to here are independent of one another, that is, not coupled to each other; this can be understood to mean that a single module does not need to call code of other modules to realize its function.
Fig. 1 is a schematic flow chart of the method embodiment of access control in a cloud operating system provided by the invention. In the method embodiment shown in Fig. 1, the functional modules in the cloud operating system are independent of one another, and the method embodiment comprises:
Step 101: allocate to each user who accesses the cloud operating system the role information corresponding to that user.
Specifically, the user's identity identification information is obtained, and the corresponding role information is allocated to the user according to that identity identification information. For example, the task the user is to accomplish in the enterprise, or the user's powers and responsibilities in the enterprise, can be determined from the identity identification information, and a role is set for the user according to that information.
Of course, the same user may be a member of several roles, that is, one user may play multiple roles; likewise, one role may have multiple user members.
Further, a user's role can change, and the system can add and delete roles. Specifically, a role change request for the user is received, and the user's role information is updated according to the role change request.
Step 102: configure for each piece of role information the operation set corresponding to that role, the operation set recording the access permission information with which the cloud operating system allows the role to access the functional modules.
Here a role can be regarded as a set of operations; different roles have different operation sets, and these operation sets can be allocated by the security administrator.
The operation set records the operation mode in which the cloud operating system allows the role to access each functional module, which may be no access, read-only, read-write, and so on. Of course, the operation rights may be further restricted to sub-functions within a single module.
Step 103: on receiving an access request from a user, obtain the user's role information.
Step 104: control the access initiated by the user according to the operation set corresponding to the user's role information.
Specifically, the user's access information is obtained, the access information comprising the functional module the user intends to access and the operation mode on that functional module; whether the access information is recorded in the operation set is judged; if the access information is recorded in the operation set, the user is allowed to initiate the access; otherwise, the access initiated by the user is refused.
When a user requests access to a certain resource in the system, the system first obtains the role the user takes on, then judges whether that role is authorized to access the system resource, and on that basis controls the functional modules and server groups the user accesses; users without authorization are kept out.
In the method embodiment provided by the invention, a suitable role is allocated to each user so that users are associated with access rights; at the time of access control, the user's access is then effectively controlled by the operation set corresponding to that role. This reduces the complexity of authorization management, reduces administration overhead, and also provides the administrator with an environment in which complex security policies can be implemented reasonably.
It should be noted that because the number of users of Inspur Cloud Sea OS will be very large, the work of system administration will also be very heavy. To relieve the pressure on system administration, hierarchical management of the system is needed so that the work of administering the system is distributed. According to this requirement, Inspur Cloud Sea OS proposes a management scheme of user classification, server grouping and functional-module partitioning. Specifically:
User classification: all users of the system are divided into two types, security administrators and ordinary administrators. The security administrator only manages ordinary administrators; the security administrator can manage any user and role, authorize users and roles, and set various constraints. An ordinary administrator has operation rights over specific functional modules and specific server groups, and those operation rights are granted through roles.
Server grouping: according to the different functions the servers provide, the servers are divided into three groups: the storage node group, the network node group and the compute node group.
Functional-module partitioning: based on the characteristics of role-based access control, the functional modules in Cloud Sea OS are partitioned according to the users' roles, that is, each functional module has a relatively independent function. All permissions of the system are partitioned on the basis of the individual sub-function modules, and each permission belongs to some functional module.
Fig. 2 is a schematic structural diagram of the system embodiment of access control in a cloud operating system provided by the invention. In combination with the method embodiment shown in Fig. 1, the functional modules in the cloud operating system of the system embodiment shown in Fig. 2 are independent of one another, wherein:
the allocation device 201 is for allocating to each user who accesses the cloud operating system the role information corresponding to that user;
the configuration device 202, connected to the allocation device 201, is for configuring for each piece of role information the operation set corresponding to that role, the operation set recording the access permission information with which the cloud operating system allows the role to access the functional modules;
the obtaining device 203, connected to the configuration device 202, is for obtaining the user's role information on receiving an access request from a user;
the control device 204, connected to the obtaining device 203, is for controlling the access initiated by the user according to the operation set corresponding to the user's role information.
Fig. 3 is a schematic structural diagram of the allocation device 201 in the system shown in Fig. 2. The allocation device 201 shown in Fig. 3 comprises:
a first obtaining module 301, for obtaining the user's identity identification information;
an allocation module 302, for allocating the corresponding role information to the user according to the identity identification information.
Fig. 4 is a schematic structural diagram of the control device 204 in the system shown in Fig. 2. The control device 204 shown in Fig. 4 comprises:
a second obtaining module 401, for obtaining the user's access information, the access information comprising the functional module the user intends to access and the operation mode on that functional module;
a judging module 402, connected to the second obtaining module 401, for judging whether the access information is recorded in the operation set;
a control module 403, connected to the judging module 402, for allowing the user to initiate the access if the access information is recorded in the operation set, and otherwise refusing the access initiated by the user.
Fig. 5 is another schematic structural diagram of the system shown in Fig. 2. The system shown in Fig. 5 further comprises:
a receiving device 501, connected to the allocation device 201, for receiving a role change request for a user;
an updating device 502, connected to the obtaining device 203 and the receiving device 501, for updating the user's role information according to the role change request.
In the system embodiment provided by the invention, a suitable role is allocated to each user so that users are associated with access rights; at the time of access control, the user's access is then effectively controlled by the operation set corresponding to that role. This reduces the complexity of authorization management, reduces administration overhead, and also provides the administrator with an environment in which complex security policies can be implemented reasonably.
The above is only an embodiment of the invention, but the scope of protection of the invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall be covered by the scope of protection of the invention. Therefore, the scope of protection of the invention shall be determined by the scope of protection described in the claims.
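The access-control flow of steps 101 to 104 and the security-administrator rule of the user-classification scheme above, worked through as an added example. This is the editor's own illustrative code, not the patent's or Inspur's implementation; the class, user, role, module and sub-function names (RoleAccessControl, alice, storage-operator, vm-list and so on) are assumed for the illustration, and it also assumes that read-write access includes read-only, which the page does not state.

```python
"""Illustrative role-based access control in the style of the patent's method embodiment.
Editor's example code (not the patent's or Inspur's); every name below is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class OpMode(Enum):
    """Operation modes the page lists for a role on a functional module."""
    NO_ACCESS = "no-access"
    READ_ONLY = "read-only"
    READ_WRITE = "read-write"


ANY_SUBFUNCTION = "*"  # wildcard: the whole module rather than one sub-function


@dataclass(frozen=True)
class Permission:
    """One entry of an operation set: a module (or a sub-function of it) and a mode."""
    module: str
    sub_function: str
    mode: OpMode


class RoleAccessControl:
    """Users -> roles -> operation sets. Access is allowed only if the requested
    (module, sub-function, mode) is recorded in the operation set of one of the
    user's roles; anything not recorded is denied, including unknown users."""

    def __init__(self) -> None:
        self._user_roles: dict[str, set[str]] = {}
        self._operation_sets: dict[str, set[Permission]] = {}
        self._security_admins: set[str] = set()

    def add_security_admin(self, user: str) -> None:
        self._security_admins.add(user)

    def _require_security_admin(self, actor: str) -> None:
        # Only the security administrator manages users, roles and authorizations.
        if actor not in self._security_admins:
            raise PermissionError(f"{actor} is not a security administrator")

    # Step 101: allocate role information to a user (a user may hold several roles).
    def assign_role(self, actor: str, user: str, role: str) -> None:
        self._require_security_admin(actor)
        self._user_roles.setdefault(user, set()).add(role)

    # Role change request: replace one of the user's roles with another.
    def change_role(self, actor: str, user: str, old_role: str, new_role: str) -> None:
        self._require_security_admin(actor)
        roles = self._user_roles.setdefault(user, set())
        roles.discard(old_role)
        roles.add(new_role)

    # Step 102: record in a role's operation set the mode allowed on a module,
    # or on one sub-function of a module.
    def configure_operation_set(self, actor: str, role: str, module: str, mode: OpMode,
                                sub_function: str = ANY_SUBFUNCTION) -> None:
        self._require_security_admin(actor)
        ops = self._operation_sets.setdefault(role, set())
        # Re-configuring a module/sub-function replaces what was recorded for it before.
        ops.difference_update({p for p in ops
                               if p.module == module and p.sub_function == sub_function})
        if mode is OpMode.NO_ACCESS:
            if sub_function != ANY_SUBFUNCTION:
                # Explicit sub-function restriction inside a module this role may otherwise use.
                ops.add(Permission(module, sub_function, OpMode.NO_ACCESS))
            return  # module-wide "no access": nothing recorded, so the default deny applies
        ops.add(Permission(module, sub_function, mode))
        if mode is OpMode.READ_WRITE:
            # Assumption: read-write includes read-only, so both entries are recorded.
            ops.add(Permission(module, sub_function, OpMode.READ_ONLY))

    # Steps 103 and 104: obtain the user's roles, then check the access information
    # (module, operation mode, optional sub-function) against their operation sets.
    def check_access(self, user: str, module: str, mode: OpMode,
                     sub_function: str = ANY_SUBFUNCTION) -> bool:
        wanted = Permission(module, sub_function, mode)
        module_wide = Permission(module, ANY_SUBFUNCTION, mode)
        excluded = Permission(module, sub_function, OpMode.NO_ACCESS)
        for role in self._user_roles.get(user, set()):  # unknown user: no roles, denied
            ops = self._operation_sets.get(role, set())
            if excluded in ops:
                continue  # this role explicitly excludes the sub-function
            if wanted in ops or module_wide in ops:
                return True
        return False


def build_sample_system() -> RoleAccessControl:
    """Constructed sample: one security administrator and two ordinary administrators."""
    ac = RoleAccessControl()
    ac.add_security_admin("alice")
    # Constructed operation sets: storage operators get read-write on the storage module;
    # network auditors get read-only on the network module and on just the "vm-list"
    # sub-function of the compute module.
    ac.configure_operation_set("alice", "storage-operator", "storage", OpMode.READ_WRITE)
    ac.configure_operation_set("alice", "network-auditor", "network", OpMode.READ_ONLY)
    ac.configure_operation_set("alice", "network-auditor", "compute", OpMode.READ_ONLY,
                               sub_function="vm-list")
    ac.assign_role("alice", "bob", "storage-operator")
    ac.assign_role("alice", "carol", "network-auditor")
    return ac


if __name__ == "__main__":
    ac = build_sample_system()
    print(ac.check_access("bob", "storage", OpMode.READ_WRITE))             # True
    print(ac.check_access("bob", "network", OpMode.READ_ONLY))              # False: not recorded
    print(ac.check_access("carol", "compute", OpMode.READ_ONLY, "vm-list"))  # True
    print(ac.check_access("carol", "compute", OpMode.READ_ONLY))            # False: sub-function only
    print(ac.check_access("mallory", "storage", OpMode.READ_ONLY))          # False: no role at all
```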

Claims (8)

1. A method for access control in a cloud operating system, characterized in that the functional modules in the cloud operating system are independent of one another, and the method comprises:
allocating to each user who accesses the cloud operating system the role information corresponding to that user;
configuring for each piece of role information the operation set corresponding to that role, the operation set recording the access permission information with which the cloud operating system allows the role to access the functional modules;
on receiving an access request from a user, obtaining the role information of that user;
controlling the access initiated by the user according to the operation set corresponding to the user's role information.
2. The method according to claim 1, characterized in that allocating to each user who accesses the cloud operating system the role information corresponding to that user comprises:
obtaining the user's identity identification information;
allocating the corresponding role information to the user according to the identity identification information.
3. The method according to claim 1, characterized in that controlling the access initiated by the user according to the operation set corresponding to the user's role information comprises:
obtaining the user's access information, the access information comprising the functional module the user intends to access and the operation mode on that functional module;
judging whether the access information is recorded in the operation set;
if the access information is recorded in the operation set, allowing the user to initiate the access; otherwise, refusing the access initiated by the user.
4. The method according to claim 1, characterized in that the method further comprises:
after receiving a role change request for a user, updating the user's role information according to the role change request.
5. A system for access control in a cloud operating system, characterized in that the functional modules in the cloud operating system are independent of one another, and the system comprises:
an allocation device, for allocating to each user who accesses the cloud operating system the role information corresponding to that user;
a configuration device, connected to the allocation device, for configuring for each piece of role information the operation set corresponding to that role, the operation set recording the access permission information with which the cloud operating system allows the role to access the functional modules;
an obtaining device, connected to the configuration device, for obtaining the user's role information on receiving an access request from a user;
a control device, connected to the obtaining device, for controlling the access initiated by the user according to the operation set corresponding to the user's role information.
6. The system according to claim 5, characterized in that the allocation device comprises:
a first obtaining module, for obtaining the user's identity identification information;
an allocation module, for allocating the corresponding role information to the user according to the identity identification information.
7. The system according to claim 5, characterized in that the control device comprises:
a second obtaining module, for obtaining the user's access information, the access information comprising the functional module the user intends to access and the operation mode on that functional module;
a judging module, connected to the second obtaining module, for judging whether the access information is recorded in the operation set;
a control module, connected to the judging module, for allowing the user to initiate the access if the access information is recorded in the operation set, and otherwise refusing the access initiated by the user.
8. The system according to claim 5, characterized in that the system further comprises:
an updating device, connected to the allocation device and the obtaining device, for updating the user's role information according to a role change request after the role change request for the user is received.

Application data

Application number: CN2012100429978A; priority date 2012-02-22; filing date 2012-02-22; title: Method and system for access control in cloud operation system; status: pending.
Publication: CN102611699A (en), published 2012-07-25.
Family ID: 46528853; country: CN.


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0697662A1 (en) * 1994-08-15 1996-02-21 International Business Machines Corporation Method and system for advanced role-based access control in distributed and centralized computer systems
CN101340444A (en) * 2008-08-26 2009-01-07 华为技术有限公司 Fireproof wall and server policy synchronization method, system and apparatus
CN101588242A (en) * 2008-05-19 2009-11-25 北京亿企通信息技术有限公司 Method and system for realizing authority management
CN101901465A (en) * 2009-05-26 2010-12-01 北京正辰科技发展有限责任公司 Operational safety based on comprehensive management platform system
CN102004868A (en) * 2009-09-01 2011-04-06 上海杉达学院 Role access control-based information system data storage layer and building method
CN102195956A (en) * 2010-03-19 2011-09-21 富士通株式会社 Cloud service system and user right management method thereof


Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102904892A (en) * 2012-10-17 2013-01-30 浪潮(北京)电子信息产业有限公司 Security model and security strategy of cloud computing data center operating system
CN103067406A (en) * 2013-01-14 2013-04-24 暨南大学 Access control system and access control method between public cloud and private cloud
CN103067406B (en) * 2013-01-14 2015-07-22 暨南大学 Access control system and access control method between public cloud and private cloud
CN103716412A (en) * 2014-01-03 2014-04-09 汉柏科技有限公司 Cloud computing system and method and device for controlling user permission through quadratic mapping of cloud computing system
CN104199979A (en) * 2014-09-24 2014-12-10 国云科技股份有限公司 Modeled data source management system and method thereof
CN104994086A (en) * 2015-06-26 2015-10-21 北京京东尚科信息技术有限公司 Database cluster authority control method and device
CN104994086B (en) * 2015-06-26 2018-09-04 北京京东尚科信息技术有限公司 A kind of control method and device of data-base cluster permission
CN105225072A (en) * 2015-11-05 2016-01-06 浪潮(北京)电子信息产业有限公司 A kind of access management method of multi-application system and system
CN105225072B (en) * 2015-11-05 2020-12-04 浪潮(北京)电子信息产业有限公司 Access management method and system for multiple application systems
CN105721420B (en) * 2015-12-11 2019-04-16 中国地质调查局发展研究中心 Access right control method and Reverse Proxy
CN105721420A (en) * 2015-12-11 2016-06-29 中国地质调查局发展研究中心 Access authority control method and reverse agent server
CN107104931A (en) * 2016-02-23 2017-08-29 中兴通讯股份有限公司 A kind of access control method and platform
CN105868649A (en) * 2016-03-29 2016-08-17 上海赞越软件服务中心 Synthetic operation mechanism based on role settings
CN106961441B (en) * 2017-04-06 2020-05-22 中国民航大学 User dynamic access control method for Hadoop cloud platform
CN106961441A (en) * 2017-04-06 2017-07-18 中国民航大学 A kind of user's dynamic accesses control method for Hadoop cloud platform
CN109472159A (en) * 2018-11-15 2019-03-15 泰康保险集团股份有限公司 Access control method, device, medium and electronic equipment
CN109948360A (en) * 2019-02-26 2019-06-28 维正知识产权服务有限公司 A kind of more control domain security kernel construction methods and system for complex scene
CN113495921A (en) * 2020-04-02 2021-10-12 北京京东振世信息技术有限公司 Routing method and device of database cluster
CN113495921B (en) * 2020-04-02 2023-09-26 北京京东振世信息技术有限公司 Routing method and device for database cluster


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120725