CN114462003A - Server user permission control method and device under multi-type test environment - Google Patents


Info

Publication number: CN114462003A
Authority: CN (China)
Prior art keywords: user, authority, server, application, password
Legal status: Pending
Application number: CN202210114194.2A
Other languages: Chinese (zh)
Inventors: 施政益, 史晨霄, 李轶, 唐晓勇
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202210114194.2A
Publication of CN114462003A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/30: Monitoring
    • G06F11/34: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment; monitoring of user actions
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method and a device for controlling the permissions of server users in a multi-type test environment. The method comprises the following steps: verifying the login permission of the user according to a pre-generated association relation between applications and users; if the verification passes, acquiring the permission type corresponding to the user from the configuration management database and acquiring the corresponding password according to that permission type for logging in; monitoring the operations of the logged-in user in real time and judging their risk; and determining whether to execute the user operation according to the judgment result. By dividing permissions into types and then assigning different permission types to users according to their roles, a user only needs to log in once at the front end, without needing to know server background configuration, user names or passwords; fine-grained permission management is achieved, the user's operations on the server are effectively monitored, execution of high-risk commands is filtered out, and the whole sequence of executed operations is recorded to facilitate troubleshooting and subsequent audit.

Description

Server user permission control method and device under multi-type test environment
Technical Field
The present application belongs to the field of software technology, and in particular, to a method and an apparatus for controlling server user permissions in a multi-type test environment.
Background
The existing login management mode for a large-scale multi-application test environment is simple: a Configuration Management Database (CMDB) manages and registers the information of all application servers, and a user looks up the server information through a machine account and logs in to the server with a remote login (telnet) or secure shell (ssh) tool to operate. However, the existing server login is not bound to the user's unique ID or to the user's application permissions: anyone who obtains the server's IP address, user name and password can log in at will, the commands the user executes cannot be effectively monitored, the server password may be leaked, the login and operation behaviour on the server cannot be effectively associated with the user's application permissions, and the risk of mistaken logins and mistaken operations on the server increases.
Disclosure of Invention
The application provides a server user permission control method and device for a multi-type test environment, aiming at least to solve the problems that current server logins are not bound to the user's unique ID or application permissions, that a user can log in to a server at will after obtaining its IP address, user name and password, and that the commands the user executes cannot be effectively monitored.
According to a first aspect of the present application, a method for controlling server user permissions in a multi-type test environment is provided, which includes:
verifying the login permission of the user according to a pre-generated association relation between applications and users;
if the verification passes, acquiring the permission type corresponding to the user from the configuration management database and acquiring the corresponding password according to that permission type for logging in;
monitoring the operations of the logged-in user in real time and judging their risk;
and determining whether to execute the user operation according to the judgment result.
In an embodiment, the method for controlling the user authority of the server in the multi-type test environment further includes:
and associating applications with users according to the server ledger information acquired from the configuration management database, to generate the association relation.
In an embodiment, verifying the login permission of the user according to the pre-generated association relation between applications and users includes:
searching the association relation, according to the acquired user information, for the accessible application set corresponding to that user;
and judging whether the application currently being logged in to is in that application set, and if so, the verification passes.
In an embodiment, acquiring the permission type corresponding to the user from the configuration management database and acquiring the corresponding password according to the permission type for logging in includes:
inquiring the permission type of the user from the configuration management database according to the user information, where the permission types include development permission, test permission, and operation and maintenance permission;
and acquiring the corresponding password according to the permission type and logging in, where the passwords include the development-permission password, the test-permission password, and the operation-and-maintenance-permission password.
In an embodiment, monitoring the operations of the logged-in user in real time and judging their risk includes:
monitoring the user's operation commands;
judging whether an operation command is a high-risk command according to a preset high-risk command list;
and if it is not, sending the command to the corresponding server for execution and returning the execution result.
According to a second aspect of the present application, there is provided a server user authority control apparatus under a multi-type test environment, including:
the login authority verifying unit is used for verifying the login authority of the user according to the association relationship between the application and the user which is generated in advance;
the password acquisition unit is used for acquiring the authority type corresponding to the user from the configuration management database and acquiring the corresponding password according to the authority type for logging in if the verification is passed;
the risk judgment unit is used for monitoring the logged user operation in real time and judging the risk of the user operation;
and the execution unit is used for determining whether to execute the user operation according to the judgment result.
In one embodiment, the apparatus for controlling server user authority under a multi-type test environment further includes:
and the association relation pre-generation unit is used for associating applications with users according to the server ledger information acquired from the configuration management database, to generate the association relation.
In one embodiment, the login authority verifying unit includes:
the application permission searching module is used for searching the association relation, according to the acquired user information, for the accessible application set corresponding to that user;
and the permission judging module is used for judging whether the application currently being logged in to is in that application set, and if so, the verification passes.
In one embodiment, the password obtaining unit includes:
the permission type inquiry module is used for inquiring the permission type of the user from the configuration management database according to the user information, where the permission types include development permission, test permission, and operation and maintenance permission;
the related password acquisition module is used for acquiring the corresponding password according to the permission type and logging in, where the passwords include the development-permission password, the test-permission password, and the operation-and-maintenance-permission password.
In one embodiment, the risk judging unit includes:
the monitoring module is used for monitoring user operation commands;
the high-risk identification module is used for judging whether the user operation command is a high-risk command according to a preset high-risk command list;
and the execution module is used for sending the command to the corresponding server for execution and returning the execution result if the command is not a high-risk command.
According to a third aspect of the present application, there is also provided an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the steps of the server user permission control method in the multi-type test environment.
According to a fourth aspect of the present application, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the server user permission control method in a multi-type test environment.
According to the technical scheme above, the application provides a method and a device for controlling the permissions of server users in a multi-type test environment. The method comprises the following steps: verifying the login permission of the user according to a pre-generated association relation between applications and users; if the verification passes, acquiring the permission type corresponding to the user from the configuration management database and acquiring the corresponding password according to that permission type for logging in; monitoring the operations of the logged-in user in real time and judging their risk; and determining whether to execute the user operation according to the judgment result. By dividing permissions into types and then assigning different permission types to users according to their roles, a user only needs to log in once at the front end, without needing to know server background configuration, user names or passwords; fine-grained permission management is achieved, the user's operations on the server are effectively monitored, execution of high-risk commands is filtered out, and the whole sequence of executed operations is recorded to facilitate troubleshooting and subsequent audit.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for controlling server user permissions in a multi-type test environment according to the present application.
Fig. 2 is a schematic structural diagram of a server user authority control system in an embodiment of the present application.
Fig. 3 is a flowchart of a method for auditing login permissions of a user in an embodiment of the present application.
Fig. 4 is a flowchart of a method for obtaining a corresponding password according to a permission type to log in the embodiment of the present application.
Fig. 5 is a flowchart of a method for monitoring user operations after login in real time and determining risk of the user operations in the embodiment of the present application.
Fig. 6 is a block diagram illustrating a structure of a server user permission control device in a multi-type test environment according to the present application.
Fig. 7 is a block diagram of a structure of a login authority verifying unit in an embodiment of the present application.
Fig. 8 is a block diagram of a configuration of a password obtaining unit in the embodiment of the present application.
Fig. 9 is a block diagram of a risk judging unit in the embodiment of the present application.
Fig. 10 is a specific implementation of an electronic device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the server user permission control method and apparatus in the multi-type testing environment disclosed in the present application may be applied to the financial field, and may also be applied to other fields except the financial field.
On this basis, the application provides a server user permission control method in a multi-type test environment, a server user permission control device, an electronic device and a computer-readable storage medium. The application divides permissions into types and then assigns different permission types to users according to their roles, so that a user only needs to log in once at the front end without needing to know server background configuration, user names or passwords; fine-grained permission management is achieved, the user's operations on the server are effectively monitored, execution of high-risk commands is filtered out, and the whole sequence of executed operations is recorded to facilitate troubleshooting and subsequent audit.
Based on the above, the present application further provides a server user permission control device under a multi-type test environment for implementing the server user permission control method under the multi-type test environment provided in one or more embodiments of the present application, where the device may be in communication connection with a client device by itself or through a third-party server, and returns an execution result to a client.
It is understood that the client devices may include smart phones, tablet devices, network set-top boxes, portable computers, desktop computers, personal digital assistants (PDAs), in-vehicle devices, smart wearable devices and the like, where the smart wearable devices may include smart glasses, smart watches, smart bracelets and the like.
In another practical application scenario, the part of the server user right control apparatus under the multi-type test environment performing the server user right control under the multi-type test environment may be executed in the server as described above, or all operations may be performed in the client device. The selection may be specifically performed according to the processing capability of the client device, the limitation of the user usage scenario, and the like. This is not a limitation of the present application. If all operations are completed in the client device, the client device may further include a processor for performing specific processing of server user permission control in a multi-type test environment.
The client device may have a communication module (i.e., a communication unit), and may be communicatively connected to a remote server to implement data transmission with the server. The server may include a server on the task scheduling center side, and in other implementation scenarios, the server may also include a server on an intermediate platform, for example, a server on a third-party server platform that is communicatively linked to the task scheduling center server. The server may include a single computer device, or may include a server cluster formed by a plurality of servers, or a server structure of a distributed apparatus.
The server and the client device may communicate using any suitable network protocol, including network protocols not yet developed at the filing date of this application. The network protocol may include, for example, TCP/IP, UDP/IP, HTTP or HTTPS. It may of course also include, for example, an RPC protocol (Remote Procedure Call) or a REST protocol (Representational State Transfer) running on top of the protocols above.
The following embodiments and application examples are specifically and individually described in detail.
The application provides a method for controlling server user permission under a multi-type test environment, as shown in fig. 1, including:
S101: Verify the login permission of the user according to the pre-generated association relation between applications and users.
S102: If the verification passes, acquire the permission type corresponding to the user from the configuration management database and acquire the corresponding password according to that permission type for logging in.
S103: Monitor the operations of the logged-in user in real time and judge their risk.
S104: Determine whether to execute the user operation according to the judgment result.
Fig. 2 is a structural schematic diagram of the system provided by the application: the CMDB system synchronizes the server-related information to the bastion host, the application project management platform synchronizes the preset applications and the user-role information to the bastion host, the bastion host interfaces with N different servers, and the bastion host performs one-click fine-grained login to the different servers according to the user's application-role permissions.
In a specific embodiment, server login accounts with the corresponding permissions are allocated based on the role of the application group the user belongs to, i.e. application roles distinguish development, test and operation and maintenance, so that the permissions with which different users log in to servers are divided at a finer granularity. An administrator sets the development, test and operation-and-maintenance relationships in the system in advance, i.e. the relationship between the different applications and the different users is established and synchronized to the bastion host; for example, the applications user 1 may log in to are A, B and C. When user 1 enters the bastion host system, the permissions of user 1 are checked, the user's role is determined, and after logging in to the bastion host the corresponding server is logged in to with the permissions of that role. In this way the corresponding server can be logged in to with one click, without the user needing to know sensitive information such as the server type or the user name and password required to log in to it. After the verification passes, the permission type corresponding to the role of user 1 is obtained from the configuration management database, the corresponding password is obtained and the corresponding server is logged in to; all actions of user 1 are then monitored in real time and checked for high-risk actions, so that the damage such actions would cause is avoided.
In an embodiment, the method for controlling the user authority of the server in the multi-type test environment further includes:
and associating applications with users according to the server ledger information acquired from the configuration management database, to generate the association relation.
In a specific embodiment, the bastion host system acquires the server ledger information from the CMDB together with the user's application role and other related information, associates each server carrying a given application with the users of that application, and thereby generates the association relation between applications and users.
In an embodiment, verifying the login permission of the user according to the pre-generated association relation between applications and users, as shown in Fig. 3, includes:
S301: Search the association relation, according to the acquired user information, for the accessible application set corresponding to that user.
S302: Judge whether the application currently being logged in to is in that application set; if so, the verification passes.
In a specific embodiment, according to the obtained user information of user 1, the accessible application set corresponding to user 1 is found in the association relation to be {A, B, C}, so user 1 may log in to application A, application B and application C. For example, if user 1 currently wants to log in to application A, application A is in the set, so user 1 is allowed to log in.
In an embodiment, acquiring a right category corresponding to a user from a configuration management database and acquiring a corresponding password according to the right category for login, as shown in fig. 4, includes:
S401: Query the permission type of the user from the configuration management database according to the user information; the permission types include development permission, test permission, and operation and maintenance permission.
S402: Acquire the corresponding password according to the permission type and log in; the passwords include the development-permission password, the test-permission password, and the operation-and-maintenance-permission password.
In a specific embodiment, the permissions of user 1 are queried from the configuration management database: if the user has the development permission, the account password for logging in to the server with development permission is acquired and used to log in; if the user has the test permission, the account password for logging in with test permission is acquired and used to log in; and if the user has the operation and maintenance permission, the account password for logging in with operation and maintenance permission is acquired and used to log in.
In an embodiment, monitoring the logged user operation in real time and performing risk judgment on the user operation as shown in fig. 5 includes:
S501: Monitor the user's operation commands.
S502: Judge whether an operation command is a high-risk command according to the preset high-risk command list.
S503: If it is not, send the command to the corresponding server for execution and return the execution result.
In a specific embodiment, after user 1 has logged in to the server, each command user 1 executes is checked by the system against the high-risk command list; if the query confirms that the input command is high-risk, the system does not execute it and prompts the user. All commands executed by the user, and their results, are stored in the system synchronously for subsequent query and audit.
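The four steps S101 to S104, with the sub-steps of Figs. 3 to 5, as an added example in Python (not code from the patent or from ICBC): the user/application association, the CMDB records, the per-server role accounts and the high-risk command list are all constructed sample data, and the real ssh/telnet hop is replaced by a stand-in executor. The role credential is held only inside the bastion session and kept out of its repr, which is the property the one-click login relies on.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import shlex

# ---- constructed sample data (not taken from the patent) ----------------
# Pre-generated association relation synchronised from the application
# project-management platform to the bastion host: application -> users.
APP_USERS = {"A": {"user1", "user2"}, "B": {"user1"}, "C": {"user1", "user2", "user3"}}

# CMDB records: the permission type each user's role maps to, and the
# server ledger (which server carries which application).
CMDB_PERMISSION_TYPE = {"user1": "development", "user2": "test", "user3": "ops"}
CMDB_LEDGER = {"A": "10.0.0.11", "B": "10.0.0.12", "C": "10.0.0.13"}

# Role accounts per server: (server, permission type) -> (account, secret).
# Only the bastion host holds these; the user never sees them.
VAULT = {
    ("10.0.0.11", "development"): ("dev", "dev-secret-A"),
    ("10.0.0.11", "test"): ("test", "test-secret-A"),
    ("10.0.0.12", "development"): ("dev", "dev-secret-B"),
    ("10.0.0.13", "ops"): ("ops", "ops-secret-C"),
}

# Preset high-risk command list (constructed), matched on the program name.
HIGH_RISK_PROGRAMS = {"shutdown", "reboot", "halt", "mkfs", "dd"}


def build_association(app_users):
    """Invert application -> users into user -> accessible application set,
    the form the S301 lookup needs."""
    assoc = {}
    for app, users in app_users.items():
        for user in users:
            assoc.setdefault(user, set()).add(app)
    return {user: frozenset(apps) for user, apps in assoc.items()}


ASSOCIATION = build_association(APP_USERS)


def verify_login(user, app, association=ASSOCIATION):
    """S301/S302: verification passes only if the requested application is
    in the user's accessible application set."""
    return app in association.get(user, frozenset())


def program_name(command):
    """Normalise a command line to the program it runs: drop a leading 'sudo'
    and any directory prefix, so 'sudo /sbin/reboot' matches 'reboot'.
    Returns None when the line cannot be parsed (e.g. unbalanced quotes)."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def is_high_risk(command, high_risk=HIGH_RISK_PROGRAMS):
    """S502: a command is high-risk if its program is on the preset list;
    an unparseable line is treated as high-risk rather than let through."""
    name = program_name(command)
    return name is None or name in high_risk


@dataclass
class BastionSession:
    user: str
    app: str
    server: str
    permission_type: str
    credential: tuple = field(repr=False)   # (account, secret), kept out of repr/logs
    audit: list = field(default_factory=list)

    def run(self, command, executor):
        """S501-S503 and S104: gate the command, execute it only if it is not
        high-risk, and record command and result either way for later audit."""
        allowed = not is_high_risk(command)
        if allowed:
            result = executor(self.server, self.credential, command)
        else:
            result = "blocked: high-risk command, not executed"
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": self.user, "server": self.server,
            "permission_type": self.permission_type,
            "command": command, "allowed": allowed, "result": result,
        })
        return allowed, result


def login(user, app, permission_types=CMDB_PERMISSION_TYPE,
          ledger=CMDB_LEDGER, vault=VAULT):
    """S101/S102: verify the association, then look up the user's permission
    type and the matching role credential and open the session.
    Returns None if verification fails or no role account of that type exists."""
    if not verify_login(user, app):
        return None
    credential = vault.get((ledger.get(app), permission_types.get(user)))
    if credential is None:
        return None
    return BastionSession(user, app, ledger[app], permission_types[user], credential)


def fake_executor(server, credential, command):
    """Stand-in for the real ssh/telnet hop: reports where the command ran."""
    account, _secret = credential
    return f"{account}@{server}$ {command}"
```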
In actual operation, server login accounts with the corresponding permissions are allocated based on the role of the application group the user belongs to, i.e. application roles distinguish development, test and operation and maintenance, so that the permissions with which different users log in to servers are divided at a finer granularity. An administrator sets in advance which users with which permission may log in to the development, test and operation-and-maintenance servers, i.e. the association relations between different applications and different users are synchronized to the bastion host; for example, the applications user 1 may log in to are A, B and C. When user 1 enters the bastion host system, the permissions of user 1 are checked, the user's role is determined, and after logging in to the bastion host the corresponding server is logged in to with the permissions of that role. The corresponding server can thus be logged in to with one click without the user needing sensitive information such as the server type or the user name and password required to log in to it. After the verification passes, the permission type corresponding to the role of user 1 is obtained from the configuration management database, the corresponding password is obtained and the corresponding server is logged in to; all actions of user 1 are then monitored in real time and checked for high-risk actions, so that the damage such actions would cause is avoided.
The bastion host system acquires the server ledger information from the CMDB together with related information such as the user's application role, and associates servers with users to generate the association relation. According to the obtained user information of user 1, the accessible application set corresponding to user 1 is found in the association relation to be {A, B, C}, so user 1 may log in to application A, application B and application C. For example, if user 1 currently wants to log in to application A, application A is in the set, so user 1 is allowed to log in. The permissions of user 1 are queried from the configuration management database: if the user has the development permission, the account password for logging in to the server with development permission is acquired and used to log in; if the user has the test permission, the account password for logging in with test permission is acquired and used to log in; and if the user has the operation and maintenance permission, the account password for logging in with operation and maintenance permission is acquired and used to log in.
After user 1 has logged in to the server, each command user 1 executes is checked by the system against the high-risk command list; if the query confirms that the input command is high-risk, the command is not executed and the user is prompted. All commands executed by all users, and their results, are stored in the system synchronously for subsequent query and audit.
Based on the same inventive concept, the embodiment of the present application further provides a server user permission control device in a multi-type test environment, which can be used to implement the method described in the foregoing embodiment, as described in the following embodiment. The principle of solving the problems of the server user permission control device under the multi-type test environment is similar to that of the server user permission control method under the multi-type test environment. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the embodiments below is preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.
According to a second aspect of the present application, there is provided a server user authority control apparatus in a multi-type test environment, as shown in fig. 6, including:
a login authority verifying unit 601, configured to verify a login authority of a user according to a pre-generated association relationship between an application and the user;
a password obtaining unit 602, configured to obtain, if the verification is passed, a permission type corresponding to the user from the configuration management database, and obtain a corresponding password according to the permission type for login;
a risk judgment unit 603, configured to monitor a logged user operation in real time and perform risk judgment on the user operation;
an executing unit 604, configured to determine whether to execute the user operation according to the determination result.
In a specific embodiment, server login users with corresponding permissions are allocated based on the roles of the application groups the users belong to, that is, application roles are used to distinguish development, testing, and operation and maintenance, so that the permissions of different users for logging in to the servers are divided more finely. An administrator can set the relationship between development, testing, and operation and maintenance in the system at an earlier stage, that is, establish the relationship between different applications and different users and synchronize it to the bastion host; for example, the applications that user 1 can log in to are A, B and C. When user 1 enters the bastion host system, the authority of user 1 is checked, the role of the user is judged, and after the user has logged in to the bastion host the corresponding server is logged in to using the corresponding role authority. In this way the user can log in to the corresponding server with one click, without needing sensitive information such as the type of the target server or the user name and password required to log in to it. After the verification is passed, the authority type corresponding to the role of user 1 is obtained from the configuration management database, the corresponding password is obtained and the corresponding server is logged in to; then all actions of user 1 are monitored in real time, whether they are high-risk actions is judged, and damage caused by high-risk actions is avoided.
In one embodiment, the apparatus for controlling server user authority under a multi-type test environment further includes:
an association relation pre-generating unit, configured to associate the application with the user according to the server ledger information obtained from the configuration management database, to generate the association relation.
In a specific embodiment, the bastion host system obtains the server ledger information from the CMDB together with related information such as the user's application role, and associates servers with users to generate the association relation.
In one embodiment, as shown in fig. 7, the login authority verifying unit 601 includes:
an application permission searching module 701, configured to search, according to the obtained user information, an accessible application set corresponding to the user information from the association relationship;
a permission judging module 702, configured to judge whether the currently logged-in application is in the application set, and if so, to pass the verification.
In a specific embodiment, from the obtained user information of user 1, it is found in the association relationship that the accessible application set corresponding to user 1 is { A, B, C }, so user 1 may log in to application A, application B and application C. For example, if the application that user 1 currently wants to log in to is application A, then, since application A is in the application set, user 1 is allowed to log in.
In one embodiment, as shown in fig. 8, the password obtaining unit 602 includes:
an authority type query module 801, configured to query, according to the user information, the authority type of the user information from the configuration management database; the authority types include: development authority, test authority and operation and maintenance authority;
a related password obtaining module 802, configured to obtain a corresponding password according to the authority type for login; the passwords include: a development authority password, a test authority password and an operation and maintenance authority password.
In a specific embodiment, the authority of user 1 is queried from the configuration management database: if the user has development authority, the user password of the development-authority login account on the server is obtained and used to log in to the server; if the user has test authority, the user password of the test-authority login account is obtained and used to log in to the server; and if the user has operation and maintenance authority, the user password of the operation-and-maintenance-authority login account is obtained and used to log in to the server.
In one embodiment, as shown in fig. 9, the risk judging unit 603 includes:
a monitoring module 901, configured to monitor a user operation command;
the high-risk identification module 902 is configured to determine whether the user operation command is a high-risk command according to a preset high-risk command list;
an execution module 903, configured to, if the command is not a high-risk command, send the command to the corresponding server for execution and return the execution result.
In a specific embodiment, after the user 1 logs in the server, when the user 1 executes the command, the system determines whether the input command is a high-risk command, if the input command is determined to be the high-risk command by querying from the high-risk command list, the system does not execute the command, and prompts the user, and all commands and results executed by the user are synchronously stored in the system for subsequent query and audit.
The application provides a server user authority control method and device under a multi-type test environment. The authority types are divided and different authority types are distributed to the user according to the role of the user, so the user only needs to log in to the server at the front end once and does not need to attend to relevant information such as server background configuration, user name and password. Refined authority management can be achieved, user operations on the server are effectively monitored, high-risk command execution is filtered, and the whole operation execution process is recorded to facilitate problem troubleshooting and subsequent audit.
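As an added illustration that is not part of the patent, the following Python sketch models the flow described in the method and device embodiments above: the association relation built from a CMDB server ledger and user application roles, the login authority check, resolution of the permission type to a back-end credential, and the high-risk command filter with audit recording. Every name and data value (the ledger rows, the user roles, the command list, the placeholder passwords) is a constructed assumption; the filter also checks each segment of a chained command separately, which the text does not specify.

```python
"""Added example, not the patent's own code: a minimal Python model of the
bastion-host flow (association check, permission type lookup, credential
resolution, high-risk command filter, audit log).  All values are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the CMDB server ledger: one back-end login account
# per (application, permission type).  Passwords are placeholders.
CMDB_LEDGER = [
    {"application": "A", "permission": "development", "server": "srv-a-01",
     "login_user": "dev_a", "password": "<placeholder-dev-a>"},
    {"application": "A", "permission": "test", "server": "srv-a-01",
     "login_user": "test_a", "password": "<placeholder-test-a>"},
    {"application": "B", "permission": "test", "server": "srv-b-01",
     "login_user": "test_b", "password": "<placeholder-test-b>"},
    {"application": "C", "permission": "operations", "server": "srv-c-01",
     "login_user": "ops_c", "password": "<placeholder-ops-c>"},
]

# Constructed application-role records (the patent keeps these in the CMDB):
# user -> {application: permission type}.  user1 ends up with {A, B, C}.
USER_APP_ROLES = {
    "user1": {"A": "development", "B": "test", "C": "operations"},
    "user2": {"A": "test", "D": "operations"},  # no account exists for D
}

# Constructed high-risk command list, matched as whitespace-normalised substrings.
HIGH_RISK_COMMANDS = ["rm -rf /", "mkfs", "dd if=", "shutdown", "reboot"]


def build_association(ledger, user_roles) -> Dict[str, Dict[str, str]]:
    """Pre-generate the application/user association: a user may reach an
    application only if the ledger holds an account for it under the user's role."""
    accounts = {(row["application"], row["permission"]) for row in ledger}
    return {user: {app: perm for app, perm in roles.items() if (app, perm) in accounts}
            for user, roles in user_roles.items()}


def verify_login(association, user: str, application: str) -> bool:
    # Login authority check: is the requested application in the user's set?
    return application in association.get(user, {})


def resolve_credential(ledger, application: str, permission: str) -> Optional[dict]:
    """Look up the back-end login account for (application, permission type)."""
    for row in ledger:
        if row["application"] == application and row["permission"] == permission:
            return row
    return None


def is_high_risk(command: str, high_risk=HIGH_RISK_COMMANDS) -> bool:
    """Check each chained segment separately, so 'echo ok; rm -rf /' is caught."""
    normalised = " ".join(command.split())
    return any(pattern in segment for segment in re.split(r"\s*(?:;|&&|\|\||\|)\s*", normalised)
               for pattern in high_risk)


@dataclass
class BastionSession:
    user: str
    application: str
    permission: str
    server: str
    login_user: str
    audit_log: List[dict] = field(default_factory=list)

    def run(self, command: str, executor: Callable[[str, str], str]) -> dict:
        """Block a high-risk command or forward it; record either outcome."""
        blocked = is_high_risk(command)
        result = "blocked: high-risk command" if blocked else executor(self.server, command)
        record = {"user": self.user, "server": self.server, "command": command,
                  "executed": not blocked, "result": result}
        self.audit_log.append(record)
        return record


def login(user: str, application: str, association, ledger=CMDB_LEDGER) -> BastionSession:
    """Front-end login: association check, permission type, credential, session."""
    if not verify_login(association, user, application):
        raise PermissionError(f"{user} may not access application {application}")
    permission = association[user][application]
    account = resolve_credential(ledger, application, permission)
    if account is None:
        raise LookupError(f"no {permission} account for application {application}")
    # The password stays inside the bastion host; the user never sees it.
    return BastionSession(user, application, permission,
                          account["server"], account["login_user"])


def fake_executor(server: str, command: str) -> str:
    """Constructed stand-in for forwarding a command to the target server."""
    return f"{server}$ {command} -> ok"
```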
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
An embodiment of the present application further provides a specific implementation manner of an electronic device capable of implementing all steps in the method in the foregoing embodiment, and referring to fig. 10, the electronic device specifically includes the following contents:
a processor 1001, a memory 1002, a communications interface 1003, a bus 1004, and a nonvolatile memory 1005;
the processor 1001, the memory 1002, and the communication interface 1003 complete mutual communication through the bus 1004;
the processor 1001 is configured to call the computer programs in the memory 1002 and the nonvolatile memory 1005, and when the processor executes the computer programs, the processor implements all the steps in the method in the foregoing embodiments, for example, when the processor executes the computer programs, the processor implements the following steps:
s101: and auditing the login authority of the user according to the pre-generated association relationship between the application and the user.
S102: and if the verification is passed, acquiring the authority type corresponding to the user from the configuration management database and acquiring a corresponding password according to the authority type for logging in.
S103: and monitoring the logged user operation in real time and judging the danger of the user operation.
S104: and determining whether to execute the user operation according to the judgment result.
Embodiments of the present application also provide a computer-readable storage medium capable of implementing all the steps of the method in the above embodiments, where the computer-readable storage medium stores thereon a computer program, and the computer program when executed by a processor implements all the steps of the method in the above embodiments, for example, the processor implements the following steps when executing the computer program:
s101: and verifying the login authority of the user according to the pre-generated association relationship between the application and the user.
S102: and if the verification is passed, acquiring the authority type corresponding to the user from the configuration management database and acquiring a corresponding password according to the authority type for logging in.
S103: and monitoring the logged user operation in real time and judging the danger of the user operation.
S104: and determining whether to execute the user operation according to the judgment result.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the hardware + program class embodiment, since it is substantially similar to the method embodiment, the description is simple, and the relevant points can be referred to the partial description of the method embodiment. Although embodiments of the present description provide method steps as described in embodiments or flowcharts, more or fewer steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or end product executes, it may execute sequentially or in parallel (e.g., parallel processors or multi-threaded environments, or even distributed data processing environments) according to the method shown in the embodiment or the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded. For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. 
Of course, in implementing the embodiments of the present description, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of multiple sub-modules or sub-units, and the like. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of an embodiment of the specification. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined by one skilled in the art without contradiction. The above description is only an example of the embodiments of the present disclosure, and is not intended to limit the embodiments of the present disclosure. Various modifications and variations to the embodiments described herein will be apparent to those skilled in the art.
Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the embodiments of the present specification should be included in the scope of the claims of the embodiments of the present specification.

Claims (10)

1. A method for controlling the authority of a server user under a multi-type test environment is characterized by comprising the following steps:
verifying the login authority of the user according to a pre-generated association relation between the application and the user;
if the verification is passed, acquiring the authority type corresponding to the user from a configuration management database and acquiring a corresponding password according to the authority type for logging in;
monitoring user operation after login in real time and carrying out danger judgment on the user operation;
and determining whether to execute the user operation according to the judgment result.
2. The method for controlling authority of a user of a server under a multi-type test environment according to claim 1, further comprising:
associating the application with the user according to the server ledger information obtained from the configuration management database, to generate an association relation.
3. The method for controlling the authority of the server user under the multi-type test environment according to claim 2, wherein the verifying the login authority of the user according to the pre-generated association relationship between the application and the user includes:
searching an accessible application set corresponding to the user information from the association relation according to the acquired user information;
and judging whether the currently logged application is in the application set, and if so, checking to pass.
4. The method according to claim 3, wherein the obtaining the permission type corresponding to the user from the configuration management database and obtaining the corresponding password according to the permission type for login comprises:
querying the authority type of the user information from a configuration management database according to the user information; the authority types include: development authority, test authority and operation and maintenance authority;
obtaining a corresponding password according to the authority type for logging in; the passwords include: a development authority password, a test authority password and an operation and maintenance authority password.
5. The method for controlling the user authority of the server under the multi-type test environment according to any one of claims 1 to 4, wherein the monitoring the logged-in user operation in real time and performing the risk judgment on the user operation includes:
monitoring a user operation command;
judging whether the user operation command is a high-risk command or not according to a preset high-risk command list;
if not, the command is sent to the corresponding server to be executed and an execution result is returned.
6. A server user right control apparatus under a multi-type test environment, comprising:
the login authority verifying unit is used for verifying the login authority of the user according to the association relationship between the application and the user which is generated in advance;
the password acquisition unit is used for acquiring the authority type corresponding to the user from a configuration management database and acquiring a corresponding password according to the authority type for logging in if the verification is passed;
the risk judgment unit is used for monitoring the logged user operation in real time and judging the risk of the user operation;
and the execution unit is used for determining whether to execute the user operation according to the judgment result.
7. The apparatus for controlling authority of a user of a server under the multi-type test environment according to claim 6, further comprising:
an association relation pre-generating unit, configured to associate the application with the user according to the server ledger information obtained from the configuration management database, to generate the association relation.
8. The apparatus of claim 7, wherein the login authority verifying unit comprises:
an application permission searching module, configured to search, according to the obtained user information, an accessible application set corresponding to the user information from the association relation;
and the permission judging module is used for judging whether the currently logged application is in the application set or not, and if so, the current logged application passes the verification.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the server user authority control method in a multi-type test environment of any one of claims 1 to 5.
10. A computer-readable storage medium, on which a computer program is stored, the computer program, when being executed by a processor, implementing the steps of the server user authorization control method in the multi-type test environment according to any one of claims 1 to 5.
CN202210114194.2A 2022-01-30 2022-01-30 Server user permission control method and device under multi-type test environment Pending CN114462003A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210114194.2A CN114462003A (en) 2022-01-30 2022-01-30 Server user permission control method and device under multi-type test environment

Publications (1)

Publication Number Publication Date
CN114462003A true CN114462003A (en) 2022-05-10

Family

ID=81412175

Country Status (1)

Country Link
CN (1) CN114462003A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115314245A (en) * 2022-06-30 2022-11-08 青岛海尔科技有限公司 Authority management method, system, storage medium and electronic device
CN115314245B (en) * 2022-06-30 2024-03-22 青岛海尔科技有限公司 Authority management method, system, storage medium and electronic device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination