CN114745130B - Authentication method and device for multi-KDC data source - Google Patents


Info

Publication number: CN114745130B
Authority: CN (China)
Prior art keywords: information, authentication, user group, authentication information, data source
Legal status: Active
Application number: CN202210349920.9A
Other languages: Chinese (zh)
Other versions: CN114745130A
Inventors: 王彬, 徐进挺
Current assignee: Hangzhou Daishu Technology Co ltd
Original assignee: Hangzhou Daishu Technology Co ltd

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3297  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • Y  GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02  TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D  CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00  Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a method and a device for authenticating a multi-KDC data source. The method comprises the following steps: acquiring the authentication information of a data source to be authenticated; marking and parsing the authentication information; acquiring and caching user group information, which is information that has already been authenticated; and authenticating the data source according to the user group information and the parsed authentication information. The invention supports Kerberos authentication of data sources belonging to multiple KDCs, thereby reducing development cost.

Description

Authentication method and device for multi-KDC data source
Technical Field
The invention relates to the technical field of data security authentication, and in particular to an authentication method and an authentication device for a multi-KDC data source.
Background
In big-data processing, most data sources support Kerberos for security authentication, and a system that uses a data source with Kerberos enabled must itself perform Kerberos authentication. The logic involved is complex, and authentication against a plurality of KDCs (Key Distribution Centers, the servers responsible for issuing keys) cannot be performed flexibly.
Disclosure of Invention
To solve this technical problem, the invention provides an authentication method for a multi-KDC data source that supports Kerberos authentication of multiple KDC data sources and thereby reduces development cost.
The technical scheme adopted by the invention is as follows:
An authentication method for a multi-KDC data source comprises the following steps: acquiring the authentication information of a data source to be authenticated; marking and parsing the authentication information; acquiring and caching user group information, which is information that has already been authenticated; and authenticating the data source according to the user group information and the parsed authentication information.
According to one embodiment of the present invention, the authentication information is a Kerberos authentication file that includes a Keytab file and a krb5.conf file.
According to one embodiment of the present invention, marking and parsing the authentication information specifically includes the following steps: uploading the authentication information to a public storage component; marking the authentication information uploaded to the public storage component with upload timestamp information; and parsing the Keytab file in the marked authentication information.
According to one embodiment of the present invention, acquiring and caching the user group information specifically includes the following steps: defining a Map object as the cache of user group information; caching the user group information in the Map object; encapsulating a UGIData class that stores the user group information and also stores authentication timestamp information; defining a scheduled thread pool for the update period of the user group information; and updating the user group information by means of the scheduled thread pool.
According to one embodiment of the invention, the Map object is defined using new HashMap<String, UGIData>(), and the periodic scheduling thread pool is defined using new ScheduledThreadPoolExecutor(1, new DtClassThreadFactory("ugiCacheFactory")).
According to one embodiment of the present invention, authenticating the data source to be authenticated according to the user group information and the parsed authentication information specifically includes the following steps: judging whether corresponding user group information exists in the Map object; if not, judging according to the upload timestamp information whether the authentication information uploaded to the public storage component needs to be downloaded; if so, setting a system variable, clearing the current authentication information, and then downloading the authentication information uploaded to the public storage component; and authenticating the data source according to the downloaded authentication information.
According to one embodiment of the invention, the system variable is the java.security.krb5.conf property value.
An authentication device for a multi-KDC data source comprises: an acquisition module for acquiring the authentication information of a data source to be authenticated; a marking and parsing module for marking and parsing the authentication information; a caching module for acquiring and caching user group information, which is information that has already been authenticated; and an authentication module for authenticating the data source according to the user group information and the parsed authentication information.
A computer device comprises a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the above authentication method for a multi-KDC data source.
A non-transitory computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the above authentication method for a multi-KDC data source.
The invention has the following beneficial effects:
According to the authentication method and device for a multi-KDC data source provided by the embodiments of the invention, a user can upload the authentication information of a multi-KDC data source, such as a Keytab file and a krb5.conf file, and the system performs authentication by processing and caching that information, so that Kerberos authentication of multiple KDC data sources is supported and development cost is reduced.
Drawings
FIG. 1 is a flow chart of a method for authenticating a multi-KDC data source according to an embodiment of the present invention;
FIG. 2 is a flow chart of authenticating the data source to be authenticated according to the user group information and the parsed authentication information, according to an embodiment of the present invention;
FIG. 3 is a block diagram of an authentication device for a multi-KDC data source according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a flowchart of an authentication method of a multi-KDC data source according to an embodiment of the present invention.
As shown in fig. 1, the authentication method of the multi-KDC data source according to the embodiment of the invention includes the following steps:
S1, acquiring the authentication information of a data source to be authenticated.
The authentication information may be a Kerberos authentication file, and the Kerberos authentication file may include a Keytab file and a krb5.conf file, so that the data source to be authenticated can be securely authenticated through these Kerberos files.
S2, marking and parsing the authentication information.
Specifically, the authentication information may be uploaded to a public storage component, the authentication information uploaded to the public storage component may be marked with upload timestamp information, and the Keytab file in the marked authentication information may then be parsed.
More specifically, before the authentication information is uploaded, it is first determined whether the acquired authentication information contains the files necessary for authentication, namely a Keytab file and a krb5.conf file. If it does, the authentication information may be uploaded to a public storage component, for example SFTP, and upload timestamp information is added to support high-availability deployment.
Further, the Keytab file in the marked authentication information, and more specifically the principal information it contains, may be parsed, and the parsing result may be returned to the user for selection.
S3, acquiring and caching user group information, which is information that has already been authenticated.
Specifically, a Map object for the user group information can be defined, for example using new HashMap<String, UGIData>(), and the user group information can then be cached in the Map object. In addition, a UGIData class storing the user group information can be encapsulated, where the UGIData class also stores authentication timestamp information. A scheduled thread pool for the update period of the user group information can then be defined, for example using new ScheduledThreadPoolExecutor(1, new DtClassThreadFactory("ugiCacheFactory")), and finally the user group information in the Map object can be updated by the scheduled thread pool. The key of the user group information cached in the Map object is the combination of the principal information and the Keytab file path from the authentication information, so that the user group information can be associated with the authentication information.
More specifically, when the scheduled thread pool updates the user group information in the Map object, the update frequency may be configured, for example once every 3 hours. That is, every 3 hours it is judged whether the user group information in the Map object has expired, namely whether the authentication timestamp in the UGIData class exceeds the preset time; if so, the corresponding user group information is judged to have expired and is cleared.
S4, authenticating the data source to be authenticated according to the user group information and the parsed authentication information.
Specifically, as shown in fig. 2, the method comprises the following steps:
S401, judging whether corresponding user group information exists in the Map object.
Specifically, whether the Map object holds the corresponding user group information can be judged according to the principal information and the Keytab file path in the authentication information.
S402, if not, judging according to the upload timestamp information whether the authentication information uploaded to the public storage component needs to be downloaded.
Specifically, it is first judged whether authentication information exists locally, for example in the Map object. If it does, the timestamp information of the local authentication information is compared with that of the authentication information in the public storage component, such as SFTP, and the copy with the newer timestamp is selected for use; if no local authentication information exists, the authentication information is downloaded from the public storage component, such as SFTP, for use.
S403, if so, setting a system variable, clearing the current authentication information, and then downloading the authentication information uploaded to the public storage component.
Specifically, the system variable may be the java.security.krb5.conf property value, which may be set to the path of a local file, such as the path of the krb5.conf file recorded in the Map object, so that the KDC information can be found at authentication time.
S404, authenticating the data source to be authenticated according to the downloaded authentication information.
Specifically, the loginUserFromKeytabAndReturnUGI method of the UGI (UserGroupInformation) class can be called with the principal information and the absolute path of the Keytab file to perform authentication, and the returned user group information can be cached and returned to the user.
Further, after receiving the returned user group information, the user may invoke its doAs method to run business logic, such as uploading and downloading HDFS files, reading YARN logs, and/or submitting MapReduce jobs.
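The S1 to S4 flow above, as an added Java example that is not the patent's or the applicant's code: RemoteStore and KerberosLogin are hypothetical interfaces standing in for the SFTP component and for Hadoop's UserGroupInformation.loginUserFromKeytabAndReturnUGI, and all other class and method names are assumptions. It goes one step beyond the text by serialising logins, since java.security.krb5.conf is a single JVM-wide property.

```java
import java.nio.file.Path;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;

/** Hypothetical multi-KDC UGI cache in the shape the description gives (not the patent's code). */
public final class MultiKdcUgiCache {

    /** Cached authenticated identity plus the moment it was obtained (the description's UGIData). */
    public static final class UGIData {
        public final Object ugi;              // a Hadoop UserGroupInformation in a real deployment
        public final Instant authenticatedAt; // authentication timestamp checked by the sweep
        UGIData(Object ugi, Instant authenticatedAt) { this.ugi = ugi; this.authenticatedAt = authenticatedAt; }
    }

    /** Local copy of one data source's Kerberos files plus the timestamp marked at upload (hypothetical). */
    public static final class AuthInfo {
        public final Path keytab;
        public final Path krb5Conf;
        public final Instant uploadedAt;
        public AuthInfo(Path keytab, Path krb5Conf, Instant uploadedAt) {
            this.keytab = keytab; this.krb5Conf = krb5Conf; this.uploadedAt = uploadedAt;
        }
    }

    /** The public storage component (SFTP in the description); hypothetical interface. */
    public interface RemoteStore {
        Instant uploadTimestamp(String principal);             // timestamp stored with the uploaded files
        AuthInfo download(String principal, Path keytabDest);  // fetches Keytab + krb5.conf to local disk
    }

    /** Stands in for UserGroupInformation.loginUserFromKeytabAndReturnUGI so this compiles without Hadoop. */
    public interface KerberosLogin {
        Object loginFromKeytab(String principal, String keytabAbsolutePath) throws Exception;
    }

    // ConcurrentHashMap rather than HashMap: the sweep thread and request threads share these maps.
    private final Map<String, UGIData> cache = new ConcurrentHashMap<>();
    private final Map<String, AuthInfo> localFiles = new ConcurrentHashMap<>();
    private final RemoteStore store;
    private final KerberosLogin login;
    private final Duration ttl;
    private final Object krb5Lock = new Object(); // java.security.krb5.conf is JVM-global: logins must not interleave

    public MultiKdcUgiCache(RemoteStore store, KerberosLogin login, Duration ttl, Duration sweepPeriod) {
        this.store = store;
        this.login = login;
        this.ttl = ttl;
        // The patent names its factory DtClassThreadFactory("ugiCacheFactory"); a plain daemon factory is used here.
        ThreadFactory factory = r -> { Thread t = new Thread(r, "ugiCacheFactory"); t.setDaemon(true); return t; };
        long period = sweepPeriod.toMillis();
        new ScheduledThreadPoolExecutor(1, factory)
            .scheduleAtFixedRate(this::evictExpired, period, period, TimeUnit.MILLISECONDS);
    }

    /** Cache key: principal combined with the Keytab file path, as the description specifies. */
    static String key(String principal, Path keytab) {
        return principal + "|" + keytab.toAbsolutePath();
    }

    /** Periodic job: drop every entry whose authentication timestamp is older than the TTL (3 hours in the text). */
    void evictExpired() {
        Instant cutoff = Instant.now().minus(ttl);
        cache.entrySet().removeIf(e -> e.getValue().authenticatedAt.isBefore(cutoff));
    }

    /** S401 to S404: return the cached identity, or log in again using the freshest uploaded files. */
    public Object authenticate(String principal, Path keytab) throws Exception {
        String k = key(principal, keytab);
        UGIData hit = cache.get(k);
        if (hit != null) return hit.ugi;                 // S401: still cached, no Kerberos round trip

        AuthInfo local = localFiles.get(k);              // S402: is a download needed?
        boolean stale = local == null || store.uploadTimestamp(principal).isAfter(local.uploadedAt);
        if (stale) {
            localFiles.remove(k);                        // S403: clear the current authentication information
            local = store.download(principal, keytab);
            localFiles.put(k, local);
        }

        synchronized (krb5Lock) {                        // S403/S404: point the JVM at this KDC's config and log in
            System.setProperty("java.security.krb5.conf", local.krb5Conf.toAbsolutePath().toString());
            // Caveat: the JVM parses krb5.conf once and caches it, so switching realms inside one JVM also needs a
            // config refresh (sun.security.krb5.Config.refresh(), an internal API) or one JVM per KDC.
            Object ugi = login.loginFromKeytab(principal, local.keytab.toAbsolutePath().toString());
            cache.put(k, new UGIData(ugi, Instant.now()));
            return ugi;
        }
    }
}
```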
In summary, according to the authentication method for a multi-KDC data source provided by the embodiment of the present invention, the user may upload the authentication information of the multi-KDC data source, such as the Keytab file and the krb5.conf file, and authentication is performed by processing and caching that information, so that Kerberos authentication of multiple KDC data sources is supported and development cost is reduced.
Corresponding to the authentication method of the multi-KDC data source provided by the embodiment, the invention also provides an authentication device of the multi-KDC data source.
As shown in FIG. 3, the authentication device for a multi-KDC data source according to the embodiment of the present invention includes an acquisition module 10, a marking and parsing module 20, a caching module 30, and an authentication module 40. The acquisition module 10 is used for acquiring the authentication information of a data source to be authenticated; the marking and parsing module 20 is used for marking and parsing the authentication information; the caching module 30 is configured to acquire and cache user group information, which is information that has already been authenticated; and the authentication module 40 is configured to authenticate the data source according to the user group information and the parsed authentication information.
In one embodiment of the present invention, the authentication information may be a Kerberos authentication file, and the Kerberos authentication file may include a Keytab file and a krb5.conf file, so that the data source to be authenticated can be securely authenticated through these Kerberos files.
In one embodiment of the present invention, the marking and parsing module 20 may be specifically configured to upload the authentication information to a public storage component, mark the authentication information uploaded to the public storage component with upload timestamp information, and then parse the Keytab file in the marked authentication information.
More specifically, before the authentication information is uploaded, it is first determined whether the acquired authentication information contains the files necessary for authentication, namely a Keytab file and a krb5.conf file. If it does, the authentication information may be uploaded to a public storage component, for example SFTP, and upload timestamp information is added to support high-availability deployment.
Further, the Keytab file in the marked authentication information, and more specifically the principal information it contains, may be parsed, and the parsing result may be returned to the user for selection.
In one embodiment of the present invention, the caching module 30 may be specifically configured to define a Map object for the user group information, for example using new HashMap<String, UGIData>(), and then to cache the user group information in the Map object. Further, a UGIData class storing the user group information may be encapsulated, where the UGIData class also stores authentication timestamp information. A scheduled thread pool for the update period of the user group information may then be defined, for example using new ScheduledThreadPoolExecutor(1, new DtClassThreadFactory("ugiCacheFactory")), and finally the user group information in the Map object may be updated by the scheduled thread pool. The key of the user group information cached in the Map object is the combination of the principal information and the Keytab file path from the authentication information, so that the user group information can be associated with the authentication information.
More specifically, when the scheduled thread pool updates the user group information in the Map object, the update frequency may be configured, for example once every 3 hours. That is, every 3 hours it is judged whether the user group information in the Map object has expired, namely whether the authentication timestamp in the UGIData class exceeds the preset time; if so, the corresponding user group information is judged to have expired and is cleared.
In one embodiment of the present invention, as shown in FIG. 2, the authentication module 40 may be specifically configured to:
S401, judging whether corresponding user group information exists in the Map object.
Specifically, whether the Map object holds the corresponding user group information can be judged according to the principal information and the Keytab file path in the authentication information.
S402, if not, judging according to the upload timestamp information whether the authentication information uploaded to the public storage component needs to be downloaded.
Specifically, it is first judged whether authentication information exists locally, for example in the Map object. If it does, the timestamp information of the local authentication information is compared with that of the authentication information in the public storage component, such as SFTP, and the copy with the newer timestamp is selected for use; if no local authentication information exists, the authentication information is downloaded from the public storage component, such as SFTP, for use.
S403, if so, setting a system variable, clearing the current authentication information, and then downloading the authentication information uploaded to the public storage component.
Specifically, the system variable may be the java.security.krb5.conf property value, which may be set to the path of a local file, such as the path of the krb5.conf file recorded in the Map object, so that the KDC information can be found at authentication time.
S404, authenticating the data source to be authenticated according to the downloaded authentication information.
Specifically, the loginUserFromKeytabAndReturnUGI method of the UGI (UserGroupInformation) class can be called with the principal information and the absolute path of the Keytab file to perform authentication, and the returned user group information can be cached and returned to the user.
Further, after receiving the returned user group information, the user may invoke its doAs method to run business logic, such as uploading and downloading HDFS files, reading YARN logs, and/or submitting MapReduce jobs.
In summary, according to the authentication device for a multi-KDC data source provided in the embodiments of the present invention, a user may upload the authentication information of the multi-KDC data source, such as a Keytab file and a krb5.conf file, and authentication is performed by processing and caching that information, so that Kerberos authentication of multiple KDC data sources is supported and development cost is reduced.
Corresponding to the embodiment, the invention also provides a computer device.
The computer device of the embodiment of the invention comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the authentication method of the multi-KDC data source of the embodiment is realized when the processor executes the program.
According to the computer device provided by the embodiment of the invention, a user can upload the authentication information of a multi-KDC data source, such as a Keytab file and a krb5.conf file, and authentication is performed by processing and caching that information, so that Kerberos authentication of multiple KDC data sources is supported and development cost is reduced.
The present invention also proposes a non-transitory computer-readable storage medium corresponding to the above-described embodiments.
The non-transitory computer readable storage medium of the embodiment of the present invention stores a computer program that, when executed by a processor, implements the above-described authentication method for multi-KDC data sources.
According to the non-transitory computer readable storage medium of the embodiment of the invention, a user can upload the authentication information of a multi-KDC data source, such as a Keytab file and a krb5.conf file, and authentication is performed by processing and caching that information, thereby supporting Kerberos authentication of multiple KDC data sources and reducing development cost.
In the description of the present invention, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. The meaning of "a plurality of" is two or more, unless specifically defined otherwise.
In the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," "secured," and the like are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally formed; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communicated with the inside of two elements or the interaction relationship of the two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.
In the present invention, unless expressly stated or limited otherwise, a first feature "up" or "down" a second feature may be the first and second features in direct contact, or the first and second features in indirect contact via an intervening medium. Moreover, a first feature being "above," "over" and "on" a second feature may be a first feature being directly above or obliquely above the second feature, or simply indicating that the first feature is level higher than the second feature. The first feature being "under", "below" and "beneath" the second feature may be the first feature being directly under or obliquely below the second feature, or simply indicating that the first feature is less level than the second feature.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily for the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and further implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., a ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), and the like.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like. While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and are not to be construed as limiting the invention, and that changes, modifications, substitutions and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (6)

1. An authentication method for a multi-KDC data source, characterized by comprising the following steps:
acquiring authentication information of a data source to be identified;
marking and parsing the authentication information;
acquiring and caching user group information, wherein the user group information is authenticated information;
authenticating the data source to be identified according to the user group information and the parsed authentication information,
wherein the authentication information is a Kerberos authentication file, and the Kerberos authentication file includes a Keytab file and a krb5.conf file,
the marking and parsing of the authentication information specifically comprises the following steps: uploading the authentication information to a public storage component; marking the authentication information uploaded to the public storage component with upload timestamp information; parsing the Keytab file in the marked authentication information,
the acquiring and caching of the user group information specifically comprises the following steps: defining a cache Map object for the user group information; caching the user group information with the Map object; encapsulating a UGIData class that stores the user group information, wherein the UGIData class also stores authentication timestamp information; defining an update-period scheduling thread pool for the user group information; updating the user group information according to the period scheduling thread pool,
the authenticating of the data source to be identified according to the user group information and the parsed authentication information specifically comprises the following steps: judging whether corresponding user group information exists in the Map object; if not, judging, according to the upload timestamp information, whether the authentication information uploaded to the public storage component needs to be downloaded; if so, setting a system variable and clearing the current authentication information, and then downloading the authentication information uploaded to the public storage component; and authenticating the data source to be identified according to the downloaded authentication information.
2. The authentication method for a multi-KDC data source of claim 1, wherein the Map object is defined with new HashMap<String, UGIData>(), and the period scheduling thread pool is defined with new ScheduledThreadPoolExecutor(1, new DtClassThreadFactory("ugiCacheFactoy")).
3. The authentication method for a multi-KDC data source of claim 1, wherein the system variable is the value of java.security.krb5.conf.
4. An authentication device for a multi-KDC data source, comprising:
an acquisition module for acquiring authentication information of a data source to be identified;
a marking and parsing module for marking and parsing the authentication information;
a cache module for acquiring and caching user group information, wherein the user group information is authenticated information; and
an authentication module for authenticating the data source to be identified according to the user group information and the parsed authentication information,
wherein the authentication information is a Kerberos authentication file, and the Kerberos authentication file includes a Keytab file and a krb5.conf file,
the marking and parsing module is specifically used for: uploading the authentication information to a public storage component, marking the authentication information uploaded to the public storage component with upload timestamp information, and then parsing the Keytab file in the marked authentication information,
the cache module is specifically used for: defining a cache Map object for the user group information, then caching the user group information with the Map object, and encapsulating a UGIData class that stores the user group information, wherein the UGIData class also stores authentication timestamp information, then defining an update-period scheduling thread pool for the user group information, and finally updating the user group information in the Map object according to the period scheduling thread pool,
the authentication module is specifically used for: judging whether corresponding user group information exists in the Map object; if not, judging, according to the upload timestamp information, whether the authentication information uploaded to the public storage component needs to be downloaded; if so, setting a system variable and clearing the current authentication information, and then downloading the authentication information uploaded to the public storage component; and authenticating the data source to be identified according to the downloaded authentication information.
5. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the computer program, implements the method of authenticating a multi-KDC data source according to any one of claims 1 to 3.
6. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor implements a method of authenticating a multi-KDC data source according to any of claims 1-3.
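The flow claimed above (per-data-source cache of login state keyed in a Map, an upload timestamp that decides whether the files on shared storage must be re-downloaded, a JVM-wide java.security.krb5.conf switch before re-login, and a scheduled refresh thread) is shown here as an added example written for this page; it is not the applicant's implementation. The class and method names MultiKdcAuthCache, UploadedAuth, KerberosLogin and registerUpload are assumptions, the login step is a stub that reads a constructed text file in place of a real binary keytab so the program runs without a KDC, and the cache check is generalised slightly: an entry is also treated as stale when its authentication stamp is older than the upload stamp, so a re-uploaded keytab is picked up without a cache miss.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

// Hypothetical multi-KDC credential cache written for this page; not the applicant's code.
public class MultiKdcAuthCache {

    // Cached login state of one data source (the claims call this class UGIData).
    static final class UGIData {
        final String principal;     // principal read from the keytab at login time
        final long authTimestamp;   // millis when this login was performed
        UGIData(String p, long t) { principal = p; authTimestamp = t; }
    }

    // Files one data source uploaded to the shared storage component, plus the upload stamp.
    static final class UploadedAuth {
        final Path keytab;
        final Path krb5Conf;
        final long uploadTimestamp;
        UploadedAuth(Path k, Path c, long t) { keytab = k; krb5Conf = c; uploadTimestamp = t; }
    }

    // Pluggable login step so the example runs without a KDC; a Hadoop deployment would
    // call UserGroupInformation.loginUserFromKeytab here and keep the returned UGI.
    interface KerberosLogin {
        String login(Path keytab, Path krb5Conf) throws Exception;
    }

    private final Map<String, UGIData> cache = new ConcurrentHashMap<>();
    private final Map<String, UploadedAuth> uploads = new ConcurrentHashMap<>();
    private final KerberosLogin login;
    private final ScheduledThreadPoolExecutor refresher = new ScheduledThreadPoolExecutor(1);

    MultiKdcAuthCache(KerberosLogin login, long period, TimeUnit unit) {
        this.login = login;
        // Periodic re-login keeps cached tickets from silently expiring.
        refresher.scheduleAtFixedRate(this::refreshAll, period, period, unit);
    }

    void registerUpload(String dataSourceId, UploadedAuth upload) {
        uploads.put(dataSourceId, upload);
    }

    // Claimed flow: cache hit -> reuse; otherwise compare stamps, switch krb5.conf,
    // clear the stale entry, re-download (here: re-read) and log in again.
    synchronized UGIData authenticate(String dataSourceId) throws Exception {
        UploadedAuth upload = uploads.get(dataSourceId);
        if (upload == null) {
            throw new IllegalStateException("no authentication info uploaded for " + dataSourceId);
        }
        UGIData cached = cache.get(dataSourceId);
        if (cached != null && cached.authTimestamp >= upload.uploadTimestamp) {
            return cached;  // still valid for the files currently on shared storage
        }
        // java.security.krb5.conf is JVM-wide: point it at this realm's file before logging in.
        System.setProperty("java.security.krb5.conf", upload.krb5Conf.toAbsolutePath().toString());
        cache.remove(dataSourceId);
        String principal = login.login(upload.keytab, upload.krb5Conf);
        UGIData fresh = new UGIData(principal, System.currentTimeMillis());
        cache.put(dataSourceId, fresh);
        return fresh;
    }

    private void refreshAll() {
        for (String id : cache.keySet()) {
            try { authenticate(id); }
            catch (Exception e) { System.err.println("refresh failed for " + id + ": " + e.getMessage()); }
        }
    }

    // Constructed sample: text files stand in for binary keytabs; the stub login returns line 1.
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("multikdc");
        KerberosLogin stub = (keytab, conf) -> Files.readAllLines(keytab).get(0);
        MultiKdcAuthCache auth = new MultiKdcAuthCache(stub, 30, TimeUnit.MINUTES);
        try {
            auth.registerUpload("hive-a", upload(dir, "a", "svc_hive@REALM-A.EXAMPLE", 1000L));
            auth.registerUpload("hdfs-b", upload(dir, "b", "svc_hdfs@REALM-B.EXAMPLE", 1000L));
            UGIData a1 = auth.authenticate("hive-a");
            auth.authenticate("hdfs-b");                       // switches krb5.conf to realm B
            UGIData a2 = auth.authenticate("hive-a");          // cache hit, no re-login
            System.out.println(a1.principal + " cached=" + (a1 == a2));
            long now = System.currentTimeMillis();            // newer upload for hive-a
            auth.registerUpload("hive-a", upload(dir, "a2", "svc_hive2@REALM-A.EXAMPLE", now));
            UGIData a3 = auth.authenticate("hive-a");          // stamp is newer: reload
            System.out.println("after re-upload: " + a3.principal + " reloaded=" + (a3 != a2));
        } finally {
            auth.refresher.shutdownNow();
        }
    }

    private static UploadedAuth upload(Path dir, String tag, String principal, long ts) throws Exception {
        Path keytab = Files.writeString(dir.resolve(tag + ".keytab"), principal + "\n");
        Path conf = Files.writeString(dir.resolve(tag + ".krb5.conf"), "[libdefaults]\n");
        return new UploadedAuth(keytab, conf, ts);
    }
}
```

Two points matter in a real deployment. First, the JVM reads java.security.krb5.conf once and caches the parsed configuration, so after changing the property an implementation also has to refresh that configuration (Hadoop code typically calls sun.security.krb5.Config.refresh() and KerberosName.resetDefaultRealm()) before logging in to the second realm; otherwise the second data source is still resolved against the first realm's KDC even though the property now names the right file. Second, because the property is process-global, the login path must be serialised (the synchronized method above does this) so that two data sources cannot interleave a property switch and a login; a cache hit deliberately does not touch the property, since the cached login state, not the property, is what the later connection uses.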

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210349920.9A CN114745130B (en) 2022-04-02 2022-04-02 Authentication method and device for multi-KDC data source


Publications (2)

Publication Number Publication Date
CN114745130A CN114745130A (en) 2022-07-12
CN114745130B true CN114745130B (en) 2023-12-08

Family

ID=82279265

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210349920.9A Active CN114745130B (en) 2022-04-02 2022-04-02 Authentication method and device for multi-KDC data source

Country Status (1)

Country Link
CN (1) CN114745130B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5241594A (en) * 1992-06-02 1993-08-31 Hughes Aircraft Company One-time logon means and methods for distributed computing systems
JP2011164686A (en) * 2010-02-04 2011-08-25 Ricoh Co Ltd Information processor, image processor, login authentication method, program, and recording medium
CN104363095A (en) * 2014-11-12 2015-02-18 浪潮(北京)电子信息产业有限公司 Method for establishing hadoop identity authentication mechanism
CN106375323A (en) * 2016-09-09 2017-02-01 浪潮软件股份有限公司 Method for carrying out kerberos identity authentication in multi-tenant mode
CN106656514A (en) * 2017-03-02 2017-05-10 北京搜狐新媒体信息技术有限公司 kerberos authentication cluster access method, SparkStandalone cluster, and driving node of SparkStandalone cluster
CN110471732A (en) * 2019-08-15 2019-11-19 浪潮云信息技术有限公司 A kind of method of controlling operation thereof of Linux Kerberos Principal
CN110519285A (en) * 2019-08-30 2019-11-29 浙江大搜车软件技术有限公司 User authen method, device, computer equipment and storage medium
CN111597536A (en) * 2020-05-19 2020-08-28 重庆第二师范学院 Hadoop cluster kerberos high-availability authentication method
CN112311830A (en) * 2019-07-31 2021-02-02 华为技术有限公司 Cloud storage-based Hadoop cluster multi-tenant authentication system and method
CN112540830A (en) * 2020-12-21 2021-03-23 广州华资软件技术有限公司 Method for simultaneously supporting multiple Kerberos authentication in single JVM process
CN113377454A (en) * 2021-06-23 2021-09-10 浪潮云信息技术股份公司 Method for realizing Flink dynamic connection Kerberos authentication component
CN113704724A (en) * 2021-11-01 2021-11-26 天津南大通用数据技术股份有限公司 Method for realizing database login authentication based on Kerberos mechanism

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050108575A1 (en) * 2003-11-18 2005-05-19 Yung Chong M. Apparatus, system, and method for faciliating authenticated communication between authentication realms
US7461400B2 (en) * 2004-12-22 2008-12-02 At&T Intellectual Property, I,L.P. Methods, systems, and computer program products for providing authentication in a computer environment
US8151338B2 (en) * 2005-09-29 2012-04-03 Cisco Technology, Inc. Method and system for continuously serving authentication requests
US20080083026A1 (en) * 2006-10-02 2008-04-03 Bea Systems, Inc. Kerberos Protocol Security Provider for a Java Based Application Server
US8458470B2 (en) * 2010-05-28 2013-06-04 International Business Machines Corporation Authentication in data management




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant