CN110022294A - A kind of proxy server, Docker system and its right management method, storage medium - Google Patents

Info

Publication number
CN110022294A
Authority
CN
China
Prior art keywords
terminal device
proxy server
server
warehouse
permission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910147160.1A
Other languages
Chinese (zh)
Inventor
莫晨成
曾勇明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Huya Information Technology Co Ltd
Original Assignee
Guangzhou Huya Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Huya Information Technology Co Ltd
Priority to CN201910147160.1A
Publication of CN110022294A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

This application discloses a proxy server, a Docker system, a permission management method thereof, and a storage medium. The permission management method of the proxy server includes: the proxy server receives an operation command sent by a terminal device; the proxy server verifies whether the terminal device has permission to execute the operation command; if it has permission, the proxy server sends the operation command to the warehouse server so that the warehouse server responds to the operation command. In this way, the image resources of the Docker warehouse can be isolated, which prevents a user from mistakenly operating on another user's images.

Description

A kind of proxy server, Docker system and its right management method, storage medium
Technical field
This application relates to the field of Docker technology, and in particular to a proxy server, a Docker system, a permission management method thereof, and a storage medium.
Background art
Docker is an open-source application container engine. Developers can package their applications and dependencies into a portable container and then publish it to any popular Linux machine; virtualization can also be achieved. The container technology provided by Docker allows several containers to run on the same host or virtual machine, and each container is an independent virtual environment or application.
A container is derived from a Docker image. An image can be built (build) by the user or generated by committing (commit) a running container. After an image is generated, it can be pushed (push) to an image warehouse (registry) for storage, or pulled (pull) from the image warehouse to the local machine to run a container.
The server of a current image warehouse does not control user permissions: there is only one primary account, and all users share it. Sharing the same primary account means that an image uploaded by one user can be modified by other users.
Summary of the invention
The application mainly provides a proxy server, a Docker system, a permission management method thereof, and a storage medium, which can isolate the image resources of the Docker warehouse and prevent a user from mistakenly operating on another user's images.
One technical solution adopted by the application is to provide a permission management method of a proxy server. The proxy server is applied to a Docker system that includes a terminal device, the proxy server and a warehouse server. The method includes: the proxy server receives an operation command sent by the terminal device; the proxy server verifies whether the terminal device has permission to execute the operation command; if it has permission, the proxy server sends the operation command to the warehouse server so that the warehouse server responds to the operation command.
Wherein, after the step in which the proxy server verifies whether the terminal device has permission to execute the operation command, the method further includes: if it does not have permission, the proxy server sends an authentication URL to the terminal device; the terminal device sends account information and password information to the proxy server based on the authentication URL to perform permission authentication.
Wherein, before the step in which the proxy server receives the operation command sent by the terminal device, the method further includes: the terminal device sends a login request to the proxy server; the proxy server verifies whether the terminal device has permission to log in; if it has permission, the terminal device logs in successfully.
Wherein, the step in which the proxy server verifies whether the terminal device has permission to log in includes: the proxy server verifies whether a Token exists in the login request; if it exists, it is determined that the terminal device has permission to log in.
Wherein, after the step in which the proxy server verifies whether the terminal device has permission to log in, the method further includes: if it does not have permission, the proxy server sends an authentication URL to the terminal device; the terminal device sends account information and password information to the proxy server based on the authentication URL to perform permission authentication.
Another technical solution adopted by the application is to provide a permission management method of a Docker system. The Docker system includes a terminal device, a proxy server and a warehouse server. The method includes: the terminal device sends an operation command to the proxy server; the proxy server verifies whether the terminal device has permission to execute the operation command; if it has permission, the proxy server sends the operation command to the warehouse server; the warehouse server responds to the operation command.
Wherein, the step in which the terminal device sends the operation command to the proxy server includes: the terminal device sends a push command for a target image to the proxy server. The step in which the warehouse server responds to the operation command includes: the terminal device cuts the target image into multiple image layers; the terminal device uploads the image layers to the warehouse server one by one; after the image layers have been uploaded, the terminal device uploads the manifest data of the target image to the warehouse server.
Wherein, the step in which the terminal device uploads the image layers to the warehouse server one by one includes: the proxy server judges whether the target image layer already exists in the warehouse server; if it does not exist, the proxy server initializes an upload task; the terminal device uploads the target image layer to the warehouse server based on the upload task.
Wherein, the step in which the terminal device uploads the target image layer to the warehouse server based on the upload task includes: the terminal device uploads the layer data of the target image layer to the warehouse server based on the upload task; the warehouse server sends an interface address to the terminal device; the terminal device uploads the digest data of the target image layer to that interface address of the warehouse server.
Wherein, the step in which the terminal device sends the operation command to the proxy server includes: the terminal device sends a pull command for a target image to the proxy server. The step in which the warehouse server responds to the operation command includes: the terminal device obtains the manifest information of the target image from the warehouse server; the terminal device pulls the layer data of the target image one layer at a time based on the manifest information.
Another technical solution adopted by the application is to provide a proxy server. The proxy server includes a processor, and a transceiver and a memory coupled to the processor. The transceiver is used for data interaction with the terminal device and the warehouse server, the memory is used to store program data, and the processor is used to execute the program data to perform the method described above.
Another technical solution adopted by the application is to provide a computer storage medium. The computer storage medium stores program data which, when executed by a processor, performs the method described above.
Another technical solution adopted by the application is to provide a Docker system. The Docker system includes a terminal device, a proxy server and a warehouse server, wherein the proxy server is the proxy server described above.
The permission management method of the proxy server provided by the present application includes: the proxy server receives an operation command sent by the terminal device; the proxy server verifies whether the terminal device has permission to execute the operation command; if it has permission, the proxy server sends the operation command to the warehouse server so that the warehouse server responds to the operation command. In this way, different accounts are created for different users and permission is then verified by the added proxy server, which isolates the image resources of the Docker warehouse and prevents a user from mistakenly operating on another user's images.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort. Wherein:
Fig. 1 is a structural schematic diagram of an embodiment of the Docker system provided by the present application;
Fig. 2 is a flow diagram of the first embodiment of the permission management method provided by the present application;
Fig. 3 is a flow diagram of the second embodiment of the permission management method provided by the present application;
Fig. 4 is an interaction schematic diagram of the second embodiment of the permission management method provided by the present application;
Fig. 5 is a flow diagram of the third embodiment of the permission management method provided by the present application;
Fig. 6 is a flow diagram of the fourth embodiment of the permission management method provided by the present application;
Fig. 7 is an interaction schematic diagram of the fourth embodiment of the permission management method provided by the present application;
Fig. 8 is a flow diagram of the fifth embodiment of the permission management method provided by the present application;
Fig. 9 is an interaction schematic diagram of the fifth embodiment of the permission management method provided by the present application;
Fig. 10 is a flow diagram of the sixth embodiment of the permission management method provided by the present application;
Fig. 11 is a structural schematic diagram of an embodiment of the proxy server provided by the present application;
Fig. 12 is a structural schematic diagram of an embodiment of the computer storage medium provided by the present application.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. It should be understood that the specific embodiments described herein are only used to explain the application and do not limit it. It should also be noted that, for ease of description, the drawings show only the parts relevant to the application rather than the entire structure. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in the application without creative effort fall within the protection scope of this application.
The terms "first", "second" and so on in the application are used to distinguish different objects, not to describe a particular order. In addition, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that comprises a series of steps or units is not limited to the listed steps or units, but optionally further includes steps or units that are not listed, or optionally further includes other steps or units inherent to the process, method, product or device.
A reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearance of the phrase in various places in the description does not necessarily refer to the same embodiment, nor to an independent or alternative embodiment that is mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein can be combined with other embodiments.
Referring to Fig. 1, Fig. 1 is a structural schematic diagram of an embodiment of the Docker system provided by the present application. The Docker system 10 includes a terminal device 11, a proxy server 12 and a warehouse server 13.
Wherein, the terminal device 11 can be a PC (personal computer), a mobile terminal, a tablet computer or the like. A Docker client is installed on the terminal device 11, and Docker applications are run through the Docker client. The client can be a browser (web end) or an APP (application program) end. The warehouse server 13 may include multiple image warehouses, such as an official image warehouse and a private image warehouse.
It should be understood that the terminal device 11, the proxy server 12 and the warehouse server 13 can be connected by wire or wirelessly; for example, a wired connection can be realized through an interface, or a wireless connection can be realized through a base station, WIFI or the like.
When a Docker client accesses a Docker image warehouse, fine-grained access control is needed for the images in different image warehouses. For example, for a public Docker image warehouse, any user can pull (Pull) images, and only the system administrator can push (Push) images. As another example, for a private Docker image warehouse, only a Docker client that has passed permission verification can pull or push images. That is, on access it is necessary to judge, according to the identity of the terminal device 11, whether it has permission to pull or push images, or which warehouses it can pull images from or push images to, which improves the security of the images.
In the prior art, the permission of the terminal device 11 is generally verified by using Docker client software to implement SSH (Secure Shell) remote login, or by a web-based SSH login mode. These approaches are easy to implement and easy for users to operate, but they also have the following disadvantages: 1. the hosts that a user can access remotely are limited by the service configured in advance, so the user cannot remotely log in to an arbitrary host at will, and flexibility is poor; 2. only login to a remote host is supported, and direct login to a Docker container is not supported.
Specifically, the proxy server 12 in this embodiment acts as a proxy between the terminal device 11 and the warehouse server 13 and is used to manage the permissions of the Docker client. Because permission is verified by an additional intermediate proxy server 12, the load on the warehouse server 13 is not increased.
The manner of permission management is described in detail below for client login (Docker login), image push (Docker push) and image pull (Docker pull).
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the permission management method provided by the present application. The method is applied to a Docker system and includes:
Step 21: the terminal device sends a login request to the proxy server.
Optionally, on the terminal device, when the Docker client executes commands such as logging in to the Docker image warehouse, pushing a Docker image or pulling a Docker image, the Docker client process issues a request to the proxy server.
Step 22: the proxy server verifies whether the terminal device has permission to log in.
Optionally, the proxy server can detect whether a Token exists in the login request. If it exists, it is determined that the terminal device has permission to log in; if it does not exist, it is determined that the terminal device does not have permission to log in.
When the verification result of step 22 is that permission exists, step 23 is executed.
Step 23: the terminal device logs in successfully.
Generally, when the proxy server recognizes that the Docker client is accessing for the first time, the Docker client can be regarded as not having login permission. The proxy server can return authentication-failure information to the Docker client, and can also indicate the client authentication method in the header of that information, prompting the client that it needs to obtain a Token.
Referring to Fig. 3, Fig. 3 is a flow diagram of the second embodiment of the permission management method provided by the present application. The method is applied to a Docker system and includes:
Step 31: the terminal device sends a login request to the proxy server.
Optionally, for the login request information, the Docker client process encrypts the user authentication information according to the client authentication method prompt, places it in the request header of an https request, and generates the login request information based on the request header of the https request.
Step 32: the proxy server verifies whether the terminal device has permission to log in.
When the verification result of step 32 is that permission exists, step 33 is executed; when the verification result of step 32 is that permission does not exist, step 34 is executed.
Step 33: the terminal device logs in successfully.
Step 34: the proxy server sends an authentication URL to the terminal device.
Optionally, the authentication URL can be a URL (Uniform Resource Locator) link.
Step 35: the terminal device sends account information and password information to the proxy server based on the authentication URL to perform permission authentication.
Referring to Fig. 4, Fig. 4 is an interaction schematic diagram of the second embodiment of the permission management method provided by the present application, applied to a Docker system that includes a terminal device, a proxy server and a warehouse server.
Wherein, the terminal device includes two parts, a Docker client and a Docker process, and the proxy server includes two parts, a proxy and permission authentication.
1. After the Docker client sends docker login, a Docker process is generated in the terminal device.
2. The Docker process sends a /v2/ interface call so that the proxy server calls the /v2/ interface of the warehouse server; the warehouse server checks whether a Token exists in the Authorization request header.
3. If it does not exist, 401 is returned, and the address of the permission authentication (a URL) is returned in the WWW-Authenticate response header.
4. After obtaining the permission authentication address, the Docker process joins the username and password with a colon, Base64-encodes the result, places it in the Authorization request header, and requests the permission authentication address to obtain a Token.
5. After obtaining the Token, the Docker process calls the /v2/ interface again; the warehouse server verifies whether the Token is legal, and if it is legal, login succeeds.
In the above manner, the proxy server implements the /v2/ interface and the permission authentication interface used in the interaction between the Docker process and the warehouse server, thereby realizing the interaction between docker login and this proxy server.
Unlike the prior art, the above embodiment adds a proxy server to the Docker system to handle the interaction between the terminal device and the warehouse server. The proxy server verifies the permission of the terminal device, so that the terminal devices of different users can perform operations with different permissions on the warehouse server. This isolates different users from one another and prevents mistaken operations between users. In addition, the interface calls for permission authentication are carried out by the proxy server, which avoids putting excessive pressure on the warehouse server and reduces its load.
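The login exchange in steps 1 to 5 above, as an added sketch that is not code from the patent: an in-memory proxy answers /v2/ with 401 and a WWW-Authenticate address when no valid Token is presented, exchanges Basic credentials for a Token at that address, and then accepts the Token. The class and function names, the realm URL, the Token format and the account table are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
import hmac

AUTH_REALM = "https://proxy.example/auth"  # assumed authentication address
_SALT = b"constructed-demo-salt"           # constructed; use a per-user salt in practice


def _hash_password(password):
    """Store and compare password hashes, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


def _split_authorization(headers):
    """Split 'Scheme value' from the Authorization request header."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return scheme, value.strip()


class AuthProxy:
    """Hypothetical model of the proxy's /v2/ and authentication interfaces."""

    def __init__(self, accounts):
        self._accounts = {u: _hash_password(p) for u, p in accounts.items()}
        self._tokens = {}  # issued token -> username

    def handle_v2(self, headers):
        """Steps 2, 3 and 5: accept a known Token, otherwise challenge with 401."""
        scheme, value = _split_authorization(headers)
        user = self._tokens.get(value) if scheme == "Bearer" else None
        if user is None:
            challenge = {"WWW-Authenticate": f'Bearer realm="{AUTH_REALM}"'}
            return 401, challenge, None
        return 200, {}, user

    def handle_auth(self, headers):
        """Step 4, server side: decode base64(username:password), issue a Token."""
        scheme, value = _split_authorization(headers)
        if scheme != "Basic":
            return 401, {}, None
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:  # covers bad Base64 and bad UTF-8
            return 401, {}, None
        username, sep, password = decoded.partition(":")
        if not sep:
            return 401, {}, None
        expected = self._accounts.get(username)
        candidate = _hash_password(password)  # computed even for unknown users
        if expected is None or not hmac.compare_digest(expected, candidate):
            return 401, {}, None
        token = secrets.token_urlsafe(32)  # unguessable, unlike a counter or timestamp
        self._tokens[token] = username
        return 200, {}, token


def client_login(proxy, username, password):
    """Client side of steps 2 to 5; returns the Token, or None if login fails."""
    status, response_headers, _ = proxy.handle_v2({})
    if status != 401 or "WWW-Authenticate" not in response_headers:
        return None
    basic = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    status, _, token = proxy.handle_auth({"Authorization": f"Basic {basic}"})
    if status != 200:
        return None
    status, _, _ = proxy.handle_v2({"Authorization": f"Bearer {token}"})
    return token if status == 200 else None
```

Base64 in step 4 is an encoding, not encryption, so the exchange is only confidential when it runs over https, and the proxy has to check that a presented Token is one it issued rather than merely that a Token is present.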
Referring to Fig. 5, Fig. 5 is a flow diagram of the third embodiment of the permission management method provided by the present application. The method is applied to a proxy server and includes:
Step 51: the proxy server receives an operation command sent by the terminal device.
Optionally, for the operation request information, the Docker client process encrypts the user authentication information according to the client authentication method prompt and places it in the request header of an https request, places the range of image content requested in the request parameters of the https request, and generates the operation request information based on the request header and request parameters of the https request.
Specifically, the operation request information includes a username and password. In a specific implementation, the Docker client process first, according to the prompt returned by the image warehouse, places the user's encrypted authentication information in the AUTHORIZATION header of an https request (Hypertext Transfer Protocol over Secure Socket Layer, an HTTP channel aimed at security; in short, the secure version of HTTP), places the range of image content requested by the user in the request parameters of the https request, and sends the request to the proxy server, which handles the permission authentication work.
Step 52: the proxy server verifies whether the terminal device has permission to execute the operation command.
Optionally, the operation command may include an image search command, an image delete command, an image push command, an image pull command and so on.
Optionally, after the identity information and operation information of the user are obtained, they are verified accordingly to judge whether the user has permission to continue the operation. Specifically, the identity information can be verified first; if the identity information passes verification, the permission information corresponding to the user is obtained. The proxy server compares the operation information with the permission information to judge whether the user has permission to execute the operation.
After the identity information verification in the proxy server confirms that the Docker client is a pre-stored user in the allowed-access list, the identity information verification passes. After it passes, the image operation permission information stored in the database for that user is returned, so that the operation information can be verified. After the image permission information for the user is received, it is compared with the information about the image that the user requests to operate on, including comparing the image name and the type of operation performed on the image; the specific comparison method is not limited here.
Unlike the direct interaction between terminal device and warehouse server in the prior art, this embodiment adds a proxy server as a proxy between the terminal device and the warehouse server to verify permission, which avoids the problem of Docker clients without permission accessing the warehouse server directly and putting excessive pressure on it.
When the verification result of step 52 is that permission exists, step 53 is executed.
Step 53: the proxy server sends the operation command to the warehouse server so that the warehouse server responds to the operation command.
Optionally, the Push image verification process is described here taking operation A as an example. The image is renamed to 10.166.14.11:5000/test/test:01 (warehouse IP:warehouse port/project name/image name:image tag).
From the obtained user information, user A and login device B belong to the permission access list. The operation information of user A is obtained: operation A is to be executed on 10.166.14.11:5000/test/test:01. According to the pre-stored data, user A belongs to the administrator level and can execute all operations on all images. Verification of the operation information finds that user A can execute operation A on 10.166.14.11:5000/test/test:01, and the warehouse is then operated on.
Wherein, the database depends on Docker's official registry image or a private registry image. In addition, users can also intuitively manage and view users and permissions through the Docker client, which plays a very important role in system management and maintenance.
Optionally, when the verification result of step 52 is that permission does not exist, the following steps can also be performed: the proxy server sends an authentication URL to the terminal device; the terminal device sends account information and password information to the proxy server based on the authentication URL to perform permission authentication. This is similar to the permission authentication at login and is not repeated here.
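One way to implement the comparison of image name and operation type in step 52, as an added example that is not code from the patent: the proxy derives the image name and the operation from the HTTP method and path of the request and checks them against the permission records stored for the user, refusing anything it cannot classify. The route table, the simplified image-name grammar, the record format and the sample users are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Simplified image-name grammar (assumption): lowercase path components.
_COMPONENT = r"[a-z0-9]+(?:[._-][a-z0-9]+)*"
_NAME = rf"(?P<name>{_COMPONENT}(?:/{_COMPONENT})*)"

# The upload route is listed first so that ".../blobs/uploads/<uuid>" is never
# read as a blob fetch on an image whose name happens to end in "blobs".
_ROUTES = [
    (re.compile(rf"^/v2/{_NAME}/blobs/uploads/[^/]*$"),
     {"POST": "push", "PATCH": "push", "PUT": "push"}),
    (re.compile(rf"^/v2/{_NAME}/(?:manifests|blobs)/[^/]+$"),
     {"GET": "pull", "HEAD": "pull", "PUT": "push", "DELETE": "delete"}),
]


def classify(method, path):
    """Return (image_name, operation) for a request path (without query string),
    or None if the request is not a recognized image operation."""
    for pattern, operations in _ROUTES:
        match = pattern.match(path)
        if match and method in operations:
            return match.group("name"), operations[method]
    return None


def is_allowed(permissions, user, method, path):
    """Default-deny check of one request against the user's stored permissions."""
    records = permissions.get(user)
    if records is None:
        return False  # user is not in the allowed-access list
    operation = classify(method, path)
    if operation is None:
        return False  # unknown route: never forward what was not understood
    name, op = operation
    return any(fnmatchcase(name, pattern) and op in allowed
               for pattern, allowed in records)


ALL_OPERATIONS = frozenset({"pull", "push", "delete"})

# Constructed sample records: (image name pattern, allowed operations).
# Note that "*" in fnmatch also matches "/", so "team-a/*" covers nested names.
SAMPLE_PERMISSIONS = {
    "admin": [("*", ALL_OPERATIONS)],
    "alice": [("team-a/*", frozenset({"pull", "push"})),
              ("library/*", frozenset({"pull"}))],
    "bob": [("team-b/*", frozenset({"pull", "push"}))],
}
```

Because the proxy and the warehouse server parse the same path independently, the strict grammar and the default-deny branch are what keep a path the proxy reads one way and the warehouse server another from slipping through.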
Referring to Fig. 6, Fig. 6 is a flow diagram of the fourth embodiment of the permission management method provided by the present application. The method is applied to a Docker system and includes:
Step 61: the terminal device sends a push command for a target image to the proxy server.
Step 62: the proxy server verifies whether the terminal device has permission to execute the push command.
When the verification result of step 62 is that permission exists, step 63 is executed.
Step 63: the proxy server sends the push command to the warehouse server.
Step 64: the terminal device cuts the target image into multiple image layers.
It should be understood that an image is generated by superimposing layers on top of a base image. Each time a piece of software is installed, a layer is added on top of the existing image.
Step 65: the terminal device uploads the image layers to the warehouse server one by one.
Optionally, step 65 can specifically be: the terminal device uploads the layer data of the target image layer to the warehouse server based on the upload task; the warehouse server sends an interface address to the terminal device; the terminal device uploads the digest data of the target image layer to that interface address of the warehouse server.
Step 66: after the image layers have been uploaded, the terminal device uploads the manifest data of the target image to the warehouse server.
Referring to Fig. 7, Fig. 7 is an interaction schematic diagram of the fourth embodiment of the permission management method provided by the present application, applied to a Docker system that includes a terminal device, a proxy server and a warehouse server.
Wherein, the terminal device includes two parts, a Docker client and a Docker process, and the proxy server includes two parts, a proxy and permission authentication.
1. After the Docker client sends docker login, a Docker process is generated in the terminal device.
2. The Docker process sends a /v2/ interface call so that the proxy server calls the /v2/ interface of the warehouse server; the warehouse server checks whether a Token exists in the Authorization request header.
3. If it does not exist, 401 is returned, and the address of the permission authentication (a URL) is returned in the WWW-Authenticate response header.
4. After obtaining the permission authentication address, the Docker process joins the username and password with a colon, Base64-encodes the result, places it in the Authorization request header, and requests the permission authentication address to obtain a Token.
5. After obtaining the Token, the Docker process calls the /v2/ interface again; the warehouse server verifies whether the Token is legal, and if it is legal, login succeeds.
6. The Docker process pushes an image to the warehouse server.
The Docker process first calls the permission authentication interface to determine whether it has permission to operate on this image. The Docker process then cuts the image into multiple layers and uploads them layer by layer. After the layers have been uploaded, the Docker process uploads the manifest data of the image to the warehouse server, which completes the push of this image. To upload one image layer, the Docker process in turn uploads the layer's data to the warehouse server in four steps.
6.1 First step: the Docker process first calls the HEAD /v2/<name>/blobs/<digest> interface of the warehouse server to judge whether the data of this layer exists in the warehouse server. If it exists, no further operation is performed; if it does not exist, the second step is executed.
6.2 Second step: the Docker process calls the POST /v2/<name>/blobs/uploads/ interface of the warehouse server to initialize an upload task. If initialization succeeds, the interface address to be called in the third step is returned in the Location response header, and the upload task is identified by Docker-Upload-Uuid.
6.3 Third step: after the upload task is initialized successfully, the Docker process calls the PATCH /v2/<name>/blobs/uploads/<uuid> interface of the warehouse server to upload the image layer data to the warehouse server. After the upload succeeds, the interface address for the next step is returned in the Location response header.
6.4 Fourth step: the Docker process calls the PUT /v2/<name>/blobs/uploads/<uuid>?digest=<digest> interface to upload the digest data of the image layer. If the upload succeeds, the interface address for querying this image layer is returned in the Location response header, and the Docker process calls that interface to query whether the image layer exists in the warehouse server. If it exists, the upload has succeeded.
In the above manner, the proxy server implements the /v2/ interface and the permission authentication interface used in the interaction between the Docker process and the warehouse server, thereby realizing the interaction between docker push and this proxy server. In addition, the interface calls for permission authentication are carried out by the proxy server, which avoids putting excessive pressure on the warehouse server and reduces its load.
Referring to Fig. 8, Fig. 8 is a flow diagram of the fifth embodiment of the right management method provided by the present application. The method is applied to a Docker system and comprises:
Step 81: The terminal device sends a pull command for a target mirror image to the proxy server.
Step 82: The proxy server verifies whether the terminal device has permission to execute the pull command.
When the verification result of step 82 is that the terminal device has permission, step 83 is executed.
Step 83: The proxy server sends the operational order to the warehouse server.
Step 84: The terminal device obtains the manifest information of the target mirror image from the warehouse server.
Step 85: The terminal device pulls the mirror image layer data of the target mirror image in turn based on the manifest information.
Referring to Fig. 9, Fig. 9 is an interaction diagram of the fifth embodiment of the right management method provided by the present application, applied to a Docker system that includes a terminal device, a proxy server and a warehouse server.
The terminal device includes two parts, a Docker client and a Docker process; the proxy server includes two parts, a proxy and permission authentication.
1. After the Docker client sends docker login, a Docker process is generated in the terminal device.
2. The Docker process sends a /v2/ interface call instruction so that the proxy server calls the /v2/ interface of the warehouse server, and the warehouse server checks whether the Token in the Authorization request header exists.
3. If it does not exist, a 401 response is returned, and the permission authentication address (URL) is returned in the WWW-Authenticate response header.
4. After the Docker process obtains the permission authentication address, it joins the username and password with a colon, Base64-encodes the result, puts it in the Authorization request header, and requests the permission authentication address to obtain a Token.
5. After the Docker process obtains the Token, it requests the /v2/ interface again; the warehouse server verifies whether the Token is legal, and if it is legal, the login succeeds.
6. The Docker process pulls a mirror image from the warehouse server.
As with docker login, the Docker process first needs to call the permission authentication interface to obtain the permission to pull this mirror image. If the mirror image operation permission is obtained successfully, a Token is obtained, and all later steps must carry the Token. The Docker process pulls the mirror image from the warehouse server in two steps.
6.1. First step: the Docker process calls the GET /v2/<name>/manifests/<reference> interface of the warehouse server to obtain the manifest information of the mirror image, and fetches the mirror image layer by layer according to the manifest information obtained.
6.2. Second step: the Docker process calls the GET /v2/<name>/blobs/<digest> interface of the warehouse server to pull the mirror image layer data. Once all the mirror image layer data has been pulled, the pull of the entire mirror image is complete.
In the above manner, the proxy server implements the /v2/ interface and the permission authentication interface used in the interaction between the Docker process and the warehouse server, so that docker pull interacts with this proxy server. In addition, because the interface calls for permission authentication are handled by the proxy server, excessive pressure on the warehouse server is avoided and the load on the warehouse server is reduced.
Different from the prior art, the right management method of the Docker system provided by the present application comprises: the terminal device sends an operational order to the proxy server; the proxy server verifies whether the terminal device has the permission to execute the operational order; if it has the permission, the proxy server sends the operational order to the warehouse server; and the warehouse server responds to the operational order. In this way, different accounts can be created for different users and permissions can then be verified by the added proxy server, which isolates the mirror image resources of the Docker warehouse and prevents a user from mistakenly operating on another user's mirror images.
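The following is an added example, not part of the patent text: a sketch of the proxy server's permission decision for the push interfaces (steps 6.1 to 6.4) and the pull interfaces (steps 6.1 and 6.2) described above. The account table, per-repository permissions, in-memory token store and the `https://proxy.example/auth` address are constructed assumptions, and the Bearer challenge string follows the Docker registry token convention, which the patent does not spell out.

```python
import base64
import hmac
import re
import secrets

AUTH_URL = "https://proxy.example/auth"  # placeholder permission authentication address

# Constructed sample accounts and per-repository permissions (assumptions).
ACCOUNTS = {"alice": "alice-pw", "bob": "bob-pw"}
ACL = {
    "alice": {"alice/app": {"pull", "push"}},
    "bob": {"bob/tool": {"pull", "push"}, "alice/app": {"pull"}},
}
TOKENS = {}  # token -> account, filled by issue_token()

# /v2/<name>/(manifests|blobs)/<rest>; <name> may itself contain slashes.
_ROUTE = re.compile(r"^/v2/(?P<name>.+)/(?P<kind>manifests|blobs)/(?P<rest>.*)$")


def required_access(method, path):
    """Map a /v2/ request to (repository, action); (None, None) for bare /v2/."""
    path = path.split("?", 1)[0]
    if path in ("/v2", "/v2/"):
        return None, None
    m = _ROUTE.match(path)
    if m is None:
        raise ValueError("not a registry v2 path: " + path)
    # Reads are pulls, except anything under blobs/uploads/, which is part of a push.
    is_upload = m.group("kind") == "blobs" and m.group("rest").startswith("uploads/")
    action = "pull" if method in ("GET", "HEAD") and not is_upload else "push"
    return m.group("name"), action


def issue_token(authorization):
    """Authentication address: check 'Basic base64(user:password)', return a Token."""
    scheme, _, value = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode()
    except ValueError:  # malformed Base64 or non-UTF-8 bytes
        return None
    user, _, password = decoded.partition(":")
    ok = hmac.compare_digest(ACCOUNTS.get(user, "").encode(), password.encode())
    if user not in ACCOUNTS or not ok:
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = user
    return token


def authorize(method, path, headers):
    """Return (status, response headers); 200 means forward to the warehouse server."""
    try:
        repo, action = required_access(method, path)
    except ValueError:
        return 404, {}
    challenge = 'Bearer realm="%s"' % AUTH_URL
    if repo is not None:
        challenge += ',scope="repository:%s:%s"' % (repo, action)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    account = TOKENS.get(token) if scheme == "Bearer" else None
    allowed = account is not None and (
        repo is None or action in ACL.get(account, {}).get(repo, set())
    )
    if not allowed:
        # No Token, unknown Token, or no permission: send the authentication URL.
        return 401, {"WWW-Authenticate": challenge}
    return 200, {}
```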
Referring to Fig. 10, Fig. 10 is a flow diagram of the sixth embodiment of the right management method provided by the present application, applied to a proxy server. The method comprises:
Step 101: The proxy server receives a login request sent by the terminal device.
Step 102: The proxy server verifies whether the terminal device has permission to log in.
When the verification result of step 102 is that the terminal device has permission, step 103 is executed.
In addition, when the verification result of step 102 is that there is no permission, the following may also be performed: the proxy server sends an authentication URL to the terminal device; the terminal device sends account information and password information to the proxy server based on the authentication URL to carry out permission authentication.
Step 103: If it has permission, the terminal device logs in successfully.
Step 104: The proxy server receives an operational order sent by the terminal device.
Step 105: The proxy server verifies whether the terminal device has the permission to execute the operational order.
When the verification result of step 105 is that the terminal device has permission, step 106 is executed.
In addition, when the verification result of step 105 is that there is no permission, the following may also be performed: the proxy server sends an authentication URL to the terminal device; the terminal device sends account information and password information to the proxy server based on the authentication URL to carry out permission authentication.
Step 106: The proxy server sends the operational order to the warehouse server, so that the warehouse server responds to the operational order.
It should be understood that the executing subject of the present embodiment is the proxy server; the principle is similar to that of the above embodiments and is not repeated here.
Referring to Fig. 11, Fig. 11 is a structural diagram of an embodiment of the proxy server provided by the present application. The proxy server 110 includes a processor 111, and a transceiver 112 and a memory 113 coupled to the processor 111.
The transceiver 112 is used for data interaction with the terminal device and the warehouse server. Optionally, the transceiver 112 may be a data interface for wired data transmission, or a communication module for wireless data transmission, such as a WIFI module, a Bluetooth module, or a 4G/5G communication module.
The memory 113 is used to store program data, and the processor 111 is used to execute the program data to perform the following method: the proxy server receives an operational order sent by the terminal device; the proxy server verifies whether the terminal device has the permission to execute the operational order; if it has the permission, the proxy server sends the operational order to the warehouse server, so that the warehouse server responds to the operational order.
Optionally, the processor 111 executing the program data is also used to perform the following method: the proxy server receives a login request sent by the terminal device; the proxy server verifies whether the terminal device has permission to log in; if it has permission, the terminal device logs in successfully.
Referring to Fig. 12, Fig. 12 is a structural diagram of an embodiment of the computer storage medium provided by the present application. Program data 121 is stored in the computer storage medium 120, and the program data 121, when executed by a processor, implements the following method steps: receiving an operational order sent by the terminal device; verifying whether the terminal device has the permission to execute the operational order; if it has the permission, sending the operational order to the warehouse server, so that the warehouse server responds to the operational order.
Optionally, the program data 121, when executed by a processor, also implements the following method steps: receiving a login request sent by the terminal device; verifying whether the terminal device has permission to log in; if it has permission, the terminal device logs in successfully.
It should be understood that, for the method steps implemented in the above embodiments of the proxy server and the computer storage medium, reference may be made to the steps of the right management method in the above embodiments; the principle is similar and is not repeated here.
If the integrated unit in the other embodiments above is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
The foregoing is merely embodiments of the present application and does not limit the patent scope of the application. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the application, or applied directly or indirectly in other related technical fields, is likewise included in the scope of patent protection of the application.

Claims (13)

1. A right management method of a proxy server, characterized in that the proxy server is applied to a Docker system, the Docker system includes a terminal device, the proxy server and a warehouse server, and the method comprises:
The proxy server receives an operational order sent by the terminal device;
The proxy server verifies whether the terminal device has the permission to execute the operational order;
If it has the permission, the proxy server sends the operational order to the warehouse server, so that the warehouse server responds to the operational order.
2. The method according to claim 1, characterized in that
After the step in which the proxy server verifies whether the terminal device has the permission to execute the operational order, the method further comprises:
If there is no permission, the proxy server sends an authentication URL to the terminal device;
The terminal device sends account information and password information to the proxy server based on the authentication URL to carry out permission authentication.
3. The method according to claim 1, characterized in that
Before the step in which the proxy server receives the operational order sent by the terminal device, the method further comprises:
The terminal device sends a login request to the proxy server;
The proxy server verifies whether the terminal device has permission to log in;
If it has permission, the terminal device logs in successfully.
4. The method according to claim 3, characterized in that
The step in which the proxy server verifies whether the terminal device has permission to log in comprises:
The proxy server verifies whether a Token exists in the login request;
If it exists, it is determined that the terminal device has permission to log in.
5. The method according to claim 3, characterized in that
After the step in which the proxy server verifies whether the terminal device has permission to log in, the method further comprises:
If there is no permission, the proxy server sends an authentication URL to the terminal device;
The terminal device sends account information and password information to the proxy server based on the authentication URL to carry out permission authentication.
6. A right management method of a Docker system, characterized in that the Docker system includes a terminal device, a proxy server and a warehouse server, and the method comprises:
The terminal device sends an operational order to the proxy server;
The proxy server verifies whether the terminal device has the permission to execute the operational order;
If it has the permission, the proxy server sends the operational order to the warehouse server;
The warehouse server responds to the operational order.
7. The method according to claim 6, characterized in that
The step in which the terminal device sends an operational order to the proxy server comprises:
The terminal device sends a push command for a target mirror image to the proxy server;
The step in which the warehouse server responds to the operational order comprises:
The terminal device splits the target mirror image into multiple mirror image layers;
The terminal device uploads the multiple mirror image layers to the warehouse server in turn;
After the multiple mirror image layers have been uploaded, the terminal device uploads the manifest data of the target mirror image to the warehouse server.
8. The method according to claim 7, characterized in that
The step in which the terminal device uploads the multiple mirror image layers to the warehouse server in turn comprises:
The proxy server determines whether a target mirror image layer already exists in the warehouse server;
If it does not exist, the proxy server initializes an upload task;
The terminal device uploads the target mirror image layer to the warehouse server based on the upload task.
9. The method according to claim 8, characterized in that
The step in which the terminal device uploads the target mirror image layer to the warehouse server based on the upload task comprises:
The terminal device uploads the mirror image layer data of the target mirror image layer to the warehouse server based on the upload task;
The warehouse server sends an interface address to the terminal device;
The terminal device uploads the digest data of the target mirror image layer to the interface address of the warehouse server.
10. The method according to claim 6, characterized in that
The step in which the terminal device sends an operational order to the proxy server comprises:
The terminal device sends a pull command for a target mirror image to the proxy server;
The step in which the warehouse server responds to the operational order comprises:
The terminal device obtains the manifest information of the target mirror image from the warehouse server;
The terminal device pulls the mirror image layer data of the target mirror image in turn based on the manifest information.
11. A proxy server, characterized in that the proxy server includes a processor, and a transceiver and a memory coupled to the processor;
Wherein the transceiver is used for data interaction with a terminal device and a warehouse server, the memory is used to store program data, and the processor is used to execute the program data to perform the method according to any one of claims 1-5.
12. A computer storage medium, characterized in that the computer storage medium stores program data, and the program data, when executed by a processor, performs the method according to any one of claims 1-5.
13. A Docker system, characterized in that the Docker system includes a terminal device, a proxy server and a warehouse server;
Wherein the proxy server is the proxy server according to claim 11.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910147160.1A CN110022294A (en) 2019-02-27 2019-02-27 A kind of proxy server, Docker system and its right management method, storage medium

Publications (1)

Publication Number Publication Date
CN110022294A (en) 2019-07-16

Family

ID=67189088

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910147160.1A Pending CN110022294A (en) 2019-02-27 2019-02-27 A kind of proxy server, Docker system and its right management method, storage medium

Country Status (1)

Country Link
CN (1) CN110022294A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190716