CN117828565A - Resource processing method and device based on fort machine and computer equipment - Google Patents


Publication number
CN117828565A
Authority
CN
China
Prior art keywords
target
resource processing
resource
fort machine
authority
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311838923.XA
Other languages
Chinese (zh)
Inventor
赵铭
邓志斌
唐开军
杨晨亮
贾国防
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Original Assignee
China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Application filed by China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Priority to CN202311838923.XA
Publication of CN117828565A


Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Storage Device Security (AREA)

Abstract

The application relates to a resource processing method, a resource processing device, a computer device, a storage medium and a computer program product based on a fort machine. The method comprises the following steps: responding to the authority application request, and searching for a target fort machine according to the identity of the target object in the authority application request; determining a resource processing authority according to verification information included in the authority application request; determining page data according to the resource processing permission, and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data; and responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing the target resource within the range of the resource processing authority through the target fort machine. The method can improve the efficiency of determining the resource processing permission.

Description

Resource processing method and device based on fort machine and computer equipment
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a resource processing method, apparatus, computer device, storage medium and computer program product based on a fort machine.
Background
Currently, in the field of network security, a fort machine can be used to isolate an internal network from an external network. However, when resources on the cloud are managed through a fort machine, users are usually authorized manually so that the target object can control the resources on the cloud through the fort machine. Because different users may have different resource processing rights, manual authorization is inefficient.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a resource processing method, apparatus, computer device, computer readable storage medium, and computer program product based on a fort machine, which can improve the efficiency of determining resource processing rights.
In a first aspect, the present application provides a resource processing method based on a fort machine. The method comprises the following steps:
responding to the authority application request, and searching for a target fort machine according to the identity of the target object in the authority application request; determining a resource processing authority according to verification information included in the authority application request; determining page data according to the resource processing permission, and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data; and responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing the target resource within the range of the resource processing authority through the target fort machine.
In a second aspect, the present application further provides a resource processing device based on the fort machine. The device comprises:
the target fort machine determining module is used for responding to the authority application request and searching for a target fort machine according to the identity of the target object in the authority application request;
the resource processing permission determining module is used for determining the resource processing permission according to the verification information included in the permission application request;
the page data determining module is used for determining page data according to the resource processing permission and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data;
the resource processing module is used for responding to a resource processing request sent based on a resource processing page, logging in a corresponding target server through the target fort machine, and processing the target resource within the range of the resource processing authority through the target fort machine.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor which when executing the computer program performs the steps of:
responding to the authority application request, and searching for a target fort machine according to the identity of the target object in the authority application request; determining a resource processing authority according to verification information included in the authority application request; determining page data according to the resource processing permission, and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data; and responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing the target resource within the range of the resource processing authority through the target fort machine.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
responding to the authority application request, and searching for a target fort machine according to the identity of the target object in the authority application request; determining a resource processing authority according to verification information included in the authority application request; determining page data according to the resource processing permission, and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data; and responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing the target resource within the range of the resource processing authority through the target fort machine.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of:
responding to the authority application request, and searching for a target fort machine according to the identity of the target object in the authority application request; determining a resource processing authority according to verification information included in the authority application request; determining page data according to the resource processing permission, and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data; and responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing the target resource within the range of the resource processing authority through the target fort machine.
According to the above resource processing method, apparatus, computer device, storage medium and computer program product based on a fort machine, a target fort machine is searched for, in response to a permission application request, according to the identity of the target object in the request; a resource processing permission is determined according to the verification information included in the permission application request; page data is determined according to the resource processing permission and sent to the terminal, so that the terminal displays a resource processing page based on the page data; and, in response to a resource processing request sent based on the resource processing page, the corresponding target server is logged in to through the target fort machine, so that the target resource is processed within the range of the resource processing permission through the target fort machine. Because the resource processing permission of the target object for the target server corresponding to the target fort machine is determined from the identity and the verification information included in the permission application request, no administrator needs to take part in determining it, which improves the efficiency of determining the resource processing permission. Because the page data is determined according to the resource processing permission, the resource processing page contains the processing entries of the target resources that correspond to the target object's resource processing permission, so resources for which the target object has no resource processing permission cannot be processed; the resource processing permission is strictly controlled and the security of the target server is improved. In addition, the target server is logged in to through the target fort machine, and the target fort machine processes the target resources within the range of the resource processing permission, which reduces the security risk of the target server.
Drawings
FIG. 1 is an application environment diagram of a fort-based resource processing method in one embodiment;
FIG. 2 is a flow diagram of a resource processing method based on a fort in one embodiment;
FIG. 3 is a schematic diagram of interactions between a target object, a cloud platform, and a target fort machine in one embodiment;
FIG. 4 is a schematic diagram of synchronizing identification and resource handling rights to a target fort machine in one embodiment;
FIG. 5 is a schematic diagram of interactions between a target object, a cloud platform, and a target fort machine in another embodiment;
FIG. 6 is a flowchart of a resource processing method based on a fort machine according to another embodiment;
FIG. 7 is a block diagram of a resource handling device based on a fort in one embodiment;
FIG. 8 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The resource processing method based on the fort machine, provided by the embodiment of the application, can be applied to an application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network.
The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104, or may be placed on a cloud or other network server; the resource processing method based on the fort machine can be executed by the terminal 102 or the server 104, or can be executed cooperatively by the terminal 102 and the server 104.
Take execution of the fort-machine-based resource processing method by the server 102 as an example: the server 102 responds to the authority application request and searches for the target fort machine according to the identity of the target object in the authority application request; the server 102 determines the resource processing authority according to the verification information included in the authority application request; the server 102 determines page data according to the resource processing permission, and sends the page data to the terminal so that the terminal displays a resource processing page based on the page data; the server 102, in response to a resource processing request sent based on the resource processing page, logs in to the corresponding target server through the target fort machine, so as to process the target resource within the range of the resource processing authority through the target fort machine.
The terminal 102 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, an internet of things device, and a portable wearable device, and the internet of things device may be a smart speaker, a smart television, a smart air conditioner, and a smart vehicle device. The portable wearable device may be a smart watch, smart bracelet, headset, or the like.
The server 104 may be a separate physical server or may be a service node in a blockchain system, where a peer-to-peer network is formed between the service nodes.
The server 104 may be a server cluster formed by a plurality of physical servers, and may be a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms.
The terminal 102 and the server 104 may be connected by a communication connection such as Bluetooth, USB (Universal Serial Bus) or a network, which is not limited herein.
In some embodiments, as shown in fig. 2, a resource processing method based on a fort machine is provided. The method may be performed by the server in fig. 1 or by a cloud platform. Taking execution by the cloud platform as an example, the method includes the following steps:
Step 202, responding to the authority application request, and searching for the target fort machine according to the identity of the target object in the authority application request.
The permission application request is used for applying to log in the target server through the target fort machine and carrying out resource processing on the target server.
The rights application request includes an identity of the target object, which is a unique identity of the target object. The identity of the target object may be information such as an account number, an identity ID, etc. of the target object.
As an important component of cloud security, the fort machine (bastion host) provides unified management, operation audit and security control of resources on the cloud. The target fort machine is one of a plurality of fort machines and is a fort machine that the target object can access. In practical applications, the fort machine may be JumpServer.
In some embodiments, the target object sends the permission application request through the terminal, the cloud platform receives the permission application request, and the cloud platform obtains the identity of the target object in the permission application request, and can search for the target fort machine from the fort machines according to the identity.
In some embodiments, searching the target fort machine according to the identity of the target object in the rights application request includes: acquiring an identity of a target object in a permission application request; searching a fort identifier corresponding to the identity identifier in the authority list; taking the fort machine corresponding to the fort machine identification as a target fort machine.
Wherein the authority list is a preset mapping table; the permission list includes a correspondence between the identity and the fort machine identity.
In some embodiments, the cloud platform acquires the identity in the permission application request, searches the bastion machine identifier corresponding to the identity in the permission list, and takes the bastion machine corresponding to the bastion machine identifier as the target bastion machine.
It should be noted that, the number of the fort machine identifiers corresponding to the identity identifiers may be plural, so that the number of the target fort machines may be plural, that is, the number of the target fort machines that the target objects may access may be plural.
In some embodiments, the permission application request includes ciphertext information encrypted with a symmetric key. After the fort machine identifier corresponding to the identity is found in the permission list, the method further comprises: obtaining the symmetric key corresponding to the fort machine identifier, decrypting the ciphertext information with that symmetric key, and, when the ciphertext information passes decryption, taking the fort machine corresponding to the fort machine identifier as the target fort machine.
The target object can acquire a symmetric key of the target fort machine in advance, and the ciphertext information can be obtained by encrypting an account number of the target object on the cloud platform based on the acquired symmetric key; and when the decrypted content is consistent with the account number of the target object on the cloud platform, determining that the decryption is passed.
In the above embodiment, the identifier of the bastion machine corresponding to the identifier can be quickly queried through the authority list, so as to determine the target bastion machine.
Step 204, determining the resource processing permission according to the verification information included in the permission application request.
The verification information is used for determining the resource processing permission of the user; the more verification information is provided, the higher the resource processing permission.
Specifically, the verification information may include job level information of the target object, and the resource processing permission with which the target object logs in to the corresponding target server through the target fort machine is determined based on the job level information.
In some embodiments, determining the resource processing rights based on the authentication information included in the rights application request includes: acquiring a request source identifier included in verification information in a permission application request; searching an initial processing authority corresponding to the request source identifier; when the verification information further comprises user biological information, acquiring a first processing authority from the initial processing authority as a resource processing authority; and when the verification information does not comprise the user biological information, acquiring a second processing authority from the initial processing authority as a resource processing authority.
The request source identifier may represent a manner that the target object initiates the permission application request, and specifically, the request source identifier may be a mobile terminal application identifier, a mobile terminal applet identifier, a mobile terminal webpage identifier, a computer terminal application identifier and a computer terminal webpage identifier.
The user biometric information may be at least one of a face image, a fingerprint image, or voiceprint information.
The authority range corresponding to the first processing authority is smaller than the authority range corresponding to the initial processing authority, and the authority range corresponding to the second processing authority is smaller than the authority range corresponding to the initial processing authority.
In some embodiments, the cloud platform obtains a request source identifier, when the request source identifier is a mobile terminal application identifier or a computer end application identifier, the first initial processing permission can be used as an initial processing permission, and when the request source identifier is a mobile terminal applet identifier, a mobile terminal webpage identifier or a computer end webpage identifier, the second initial processing permission can be used as an initial processing permission; the authority range corresponding to the first initial processing authority is larger than the authority range corresponding to the second initial processing authority; the authority ranges corresponding to the first initial processing authority and the second initial processing authority can be set according to actual requirements, and the embodiment of the application is not limited to this.
When the authentication information includes user biometric information and the user biometric information includes any one of face image, fingerprint image, or voiceprint information, a first reference processing right of the initial processing rights may be used as the resource processing right, the first reference processing right including a first sensitive processing right of the initial processing rights.
When the authentication information includes user biometric information and the user biometric information includes at least two of a face image, a fingerprint image, or voiceprint information, a second reference process right of the initial process right may be used as the resource process right, the second reference process right including a first sensitive process right and a second sensitive process right of the initial process right.
When the verification information does not include the user biological information, acquiring a second processing authority from the initial processing authority as a resource processing authority; the second processing right does not include sensitive processing rights.
In the above embodiment, the resource processing permission with which the target object logs in to the corresponding target server through the target fort machine is determined according to the request source identifier and the user biological information included in the verification information. The target object therefore obtains different resource processing permissions when it applies through different routes or provides different user biological information, which makes the determination of the resource processing permission flexible and suits the different scenarios in which the target object applies for permission.
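The tiering described in step 204 can be written as a small decision function. This is an added example, not code from the patent: the source identifier strings, the operations placed in each tier and the `held_back` tier are assumptions, and the biometric kinds passed in are assumed to have already been verified upstream.

```python
"""Added illustration of step 204: derive the resource processing permission
from the request source identifier and the verified biometric kinds."""

# Request source identifiers named in the description (string values constructed).
APP_SOURCES = {"mobile_app", "desktop_app"}
WEB_SOURCES = {"mobile_applet", "mobile_web", "desktop_web"}
BIOMETRIC_KINDS = {"face", "fingerprint", "voiceprint"}

# Constructed tier contents. The operation names follow the controls listed for
# step 208; which tier each belongs to is an assumption of this example.
# "held_back" holds operations of the initial permission that this flow never
# releases, so the derived range stays smaller than the initial one.
FIRST_INITIAL = {  # application sources: the wider initial range
    "base": {"manage_resource", "add_resource"},
    "sensitive_1": {"modify_resource"},
    "sensitive_2": {"open_server", "close_server"},
    "held_back": {"delete_resource"},
}
SECOND_INITIAL = {  # applet and web page sources: the narrower initial range
    "base": {"manage_resource"},
    "sensitive_1": {"modify_resource"},
    "sensitive_2": {"close_server"},
    "held_back": {"add_resource"},
}


def initial_permission(source_id):
    """Map the request source identifier to its initial permission tiers."""
    if source_id in APP_SOURCES:
        return FIRST_INITIAL
    if source_id in WEB_SOURCES:
        return SECOND_INITIAL
    # Fail closed: an unrecognised source gets no permission at all.
    raise ValueError(f"unknown request source: {source_id!r}")


def derive_permission(source_id, verified_biometrics):
    """Return the set of operations granted for this permission application.

    verified_biometrics: kinds of biometric information that passed
    verification upstream; duplicates of one kind count once.
    """
    initial = initial_permission(source_id)
    kinds = set(verified_biometrics)
    unknown = kinds - BIOMETRIC_KINDS
    if unknown:
        raise ValueError(f"unsupported biometric kinds: {sorted(unknown)}")

    granted = set(initial["base"])           # no biometrics: no sensitive rights
    if len(kinds) >= 1:
        granted |= initial["sensitive_1"]    # one kind: first sensitive right
    if len(kinds) >= 2:
        granted |= initial["sensitive_2"]    # two or more: second sensitive right
    return frozenset(granted)
```

Counting distinct kinds rather than list entries keeps a client from reaching the second sensitive tier by submitting the same biometric twice.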
Step 206, determining page data according to the resource processing permission, and sending the page data to the terminal so that the terminal displays the resource processing page based on the page data.
The page data are used for generating a resource processing page, and the resource processing page comprises a resource processing control corresponding to the resource processing authority.
Specifically, the cloud platform acquires a processing link corresponding to the resource processing permission, generates page data according to the processing link and preset page data, and sends the page data to the terminal. After receiving the page data, the terminal generates a resource processing page according to the page data. The resource processing page comprises a resource processing control corresponding to the resource processing permission; the resource processing control can be obtained by packaging the processing link. When the resource processing control is triggered, a resource processing request can be sent according to the processing link corresponding to the resource processing control.
It should be noted that, if the resource processing rights are different, the generated resource processing pages are different, and the resource processing pages only include the entrance of the target resource that can be processed, so that the target object cannot process the resource that does not have the resource processing rights, so that the resource processing rights are strictly controlled, and the security of the target server is improved.
Step 208, in response to the resource processing request sent based on the resource processing page, logging in to the corresponding target server through the target fort machine, so as to process the target resource within the range of the resource processing authority through the target fort machine.
Wherein the resource processing request may be triggered based on a resource processing control in the resource processing page. The resource processing controls may be controls corresponding to each of the following resource processes: closing the target server, opening the target server, modifying the target resource, adding the target resource, managing the target resource, and the like.
Specifically, the target object can initiate a resource processing request by triggering a resource processing control in a resource processing page, the cloud platform responds to the resource processing request, logs in a target server through a target fort machine, and processes target resources in a resource processing authority range based on the resource processing request.
In some embodiments, the bastion machine-based resource processing method further comprises: receiving a resource processing record which is sent by the target fort machine and is associated with the identity identifier; a resource processing record associated with the identity identification is maintained.
Wherein the resource processing record may be a log; the resource processing record may include: IP address of target object, processing time, processing operation.
Specifically, when the target object processes the target resource within the resource processing authority range in the target server, the target fort machine can record the processing of the target resource by the target object in real time, generate a resource processing record from that real-time recording, associate the resource processing record with the identity identifier, and synchronize the resource processing record associated with the identity identifier to the cloud platform. The cloud platform processes the resource processing record associated with the identity identifier and stores it in the cloud platform.
As shown in fig. 3, the target object sends a permission application request to the cloud platform, and the cloud platform performs identity authentication and resource authorization based on identity identification and verification information included in the permission application request to determine a target fort machine and resource processing permission of the target object, so that access of the target object to a target server is controlled through the cloud platform, and the cloud platform can also receive a resource processing record associated with the identity identification sent by the target fort machine to realize operation audit of resource processing.
In the above embodiment, the target fort machine synchronizes the resource processing record to the cloud platform, and the cloud platform can play back the processing of the target resource by the target object according to the resource processing record associated with the identity identifier. The processing of the target resource by the target object can therefore be traced, and the cause of a fault can be determined from the resource processing record when the target server fails, which improves the security of the target server.
In the above resource processing method based on the fort machine, a target fort machine is searched for, in response to a permission application request, according to the identity of the target object in the request; a resource processing permission is determined according to the verification information included in the permission application request; page data is determined according to the resource processing permission and sent to the terminal, so that the terminal displays a resource processing page based on the page data; and, in response to a resource processing request sent based on the resource processing page, the corresponding target server is logged in to through the target fort machine, so that the target resource is processed within the range of the resource processing permission through the target fort machine. Because the resource processing permission of the target object for the target server corresponding to the target fort machine is determined from the identity and the verification information included in the permission application request, no administrator needs to take part in determining it, which improves the efficiency of determining the resource processing permission. Because the page data is determined according to the resource processing permission, the resource processing page contains the processing entries of the target resources that correspond to the target object's resource processing permission, so resources for which the target object has no resource processing permission cannot be processed; the resource processing permission is strictly controlled and the security of the target server is improved. In addition, the target server is logged in to through the target fort machine, and the target fort machine processes the target resources within the range of the resource processing permission, which reduces the security risk of the target server.
In some embodiments, after determining the resource processing rights according to the verification information included in the rights application request, the method further includes: synchronizing the identity and the resource processing authority to the target fort machine.
Specifically, the cloud platform may synchronize multiple pairs of identity identifiers and resource processing rights to the target fort machine. Illustratively, as shown in fig. 4, the cloud platform may synchronize identity A and resource processing rights A, identity B and resource processing rights B, and identity C and resource processing rights C to the target fort machine.
The cloud platform sends the identity and the resource processing authority to the target fort machine, so that the target object can log in the target server through the target fort machine and process the target resource in the target server.
In some embodiments, logging in a corresponding target server through a target fort machine to process a target resource within a resource processing authority range through the target fort machine includes: sending the resource processing request to the target fort machine, so that the target fort machine obtains a login identifier and a resource processing instruction included in the resource processing request, and, when the login identifier and the identity identifier are determined to pass login verification and the target resource corresponding to the resource processing instruction is determined to be in the range of the resource processing authority, logs in a target server corresponding to the target fort machine through an object account included in the resource processing request, so as to process the target resource of the target server through the target fort machine.
The resource processing request comprises a login identifier, a resource processing instruction and an object account number.
The target fort machine searches for a user identifier consistent with the login identifier. When the login identifier is consistent with the user identifier, it determines whether the target resource corresponding to the resource processing instruction is within the resource processing authority range corresponding to the target identifier; if so, the target server corresponding to the target fort machine is logged in through the object account number included in the resource processing request, and the target fort machine is allowed to process the target resource of the target server.
The object account is an account of the target object on the cloud platform. Once the target fort machine has obtained the object identification and the resource processing instruction of the target object, the target object can directly log in the target server through the account on the cloud platform and process the target resource, so that single sign-on is realized: the target object does not need to additionally apply for a login account of the target server, and can log in the target server through the cloud platform transparently.
Illustratively, as shown in fig. 5, the target object sends a permission application request to the cloud platform, and the cloud platform performs identity authentication and resource authorization on the target object based on the permission application request, and synchronizes the user identifier and the resource processing permission to the target fort machine; the target object sends a resource processing request to the cloud platform, and the cloud platform forwards the resource processing request to the target fort machine, so that single sign-on can be realized; the target fort machine synchronizes the resource processing record and the identity of the target object to the cloud platform, so that the cloud platform can perform operation audit on the resource processing, and the safety of the target server resource is ensured.
In some embodiments, as shown in FIG. 6, the bastion machine-based resource processing method includes:
step 601, responding to a permission application request, and acquiring an identity of a target object in the permission application request; searching a fort identifier corresponding to the identity identifier in the authority list; taking the fort machine corresponding to the fort machine identification as a target fort machine;
step 602, obtaining a request source identifier included in verification information in a rights application request; searching an initial processing authority corresponding to the request source identifier; when the verification information further comprises user biological information, acquiring a first processing authority from the initial processing authority as a resource processing authority; when the verification information does not include the user biological information, acquiring a second processing authority from the initial processing authority as a resource processing authority;
step 603, synchronizing the identity and the resource processing authority to the target fort machine;
step 604, determining page data according to the resource processing authority, and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data;
step 605, in response to a resource processing request sent based on a resource processing page, sending the resource processing request to a target fort machine, so that the target fort machine obtains a login identifier and a resource processing instruction included in the resource processing request, and when it is determined that the login identifier and the identity identifier pass login verification and it is determined that a target resource corresponding to the resource processing instruction is within a resource processing authority range, the target server corresponding to the target fort machine is logged in through an object account number included in the resource processing request, so that the target resource of the target server is processed through the target fort machine;
step 606, receiving a resource processing record associated with the identity sent by the target fort machine; a resource processing record associated with the identity identification is maintained.
In the above embodiment, in response to the rights application request, the target fort machine is searched for according to the identification of the target object in the rights application request; the resource processing authority is determined according to verification information included in the authority application request; page data is determined according to the resource processing permission and sent to the terminal, so that the terminal displays a resource processing page based on the page data; and, in response to a resource processing request sent based on the resource processing page, the corresponding target server is logged in through the target fort machine, and the target resource within the range of the resource processing authority is processed through the target fort machine. The resource processing permission of the target object for the target server corresponding to the target fort machine can be determined according to the identity identification and the verification information included in the permission application request, so that the participation of management personnel is not needed in the process of determining the resource processing permission, and the efficiency of determining the resource processing permission is improved; the page data is determined according to the resource processing permission, so that the resource processing page comprises a processing entry for the target resource corresponding to the resource processing permission of the target object, and therefore a resource for which the target object has no resource processing permission cannot be processed, the resource processing permission is strictly controlled, and the safety of the target server is improved; in addition, the target server is logged in through the target fort machine, and the target fort machine processes the target resources within the resource processing authority range, so that the security risk of the target server can be reduced.
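The flow of steps 601 to 606, as an added Python sketch that is not code from the patent or its applicant: it models the cloud platform and the target fort machine in memory and shows that the fort machine's own login and scope checks still refuse a request for a resource the page never offered. All class names, identifiers and permission strings are hypothetical, the contents of the first and second processing authority are assumed, and recording refusals alongside successful operations is an assumption.

```python
from dataclasses import dataclass, field

# Constructed sample data; identifiers and permission strings are hypothetical.
PERMISSION_LIST = {"user-a": "fort-1"}  # identity identifier -> fort machine identifier
INITIAL_AUTHORITY = {  # request source identifier -> initial processing authority
    "office-lan": {
        "first": {"db01:read", "db01:restart"},  # assumed subset used with biometric info
        "second": {"db01:read"},                 # assumed subset used without it
    },
}


class AccessDenied(Exception):
    """Raised by the cloud platform when no authority can be determined."""


@dataclass
class FortMachine:
    fort_id: str
    synced: dict = field(default_factory=dict)  # identity identifier -> authority

    def sync(self, identity, authority):
        self.synced[identity] = frozenset(authority)

    def handle(self, request):
        """Step 605 on the fort machine: verify login, check scope, then act."""
        login_id, resource = request["login_id"], request["instruction"]
        record = {"identity": login_id, "resource": resource, "allowed": False}
        authority = self.synced.get(login_id)
        if authority is None:
            record["reason"] = "login identifier matches no synced identity"
        elif resource not in authority:
            record["reason"] = "resource outside synced authority"
        else:
            # A real fort machine would open the session to the target server
            # here using the object account; this sketch only records it.
            record.update(allowed=True, reason=f"session as {request['account']}")
        return record


class CloudPlatform:
    def __init__(self, forts):
        self.forts = {f.fort_id: f for f in forts}
        self.records = {}  # identity identifier -> saved processing records

    def apply(self, request):
        """Steps 601-604: find the fort machine, derive authority, sync, build page data."""
        identity, info = request["identity"], request["verification"]
        fort_id = PERMISSION_LIST.get(identity)                  # step 601
        if fort_id is None:
            raise AccessDenied("identity not in permission list")
        initial = INITIAL_AUTHORITY.get(info.get("source"))      # step 602
        if initial is None:
            raise AccessDenied("unknown request source")
        authority = initial["first"] if info.get("biometric") else initial["second"]
        self.forts[fort_id].sync(identity, authority)            # step 603
        return {"fort": fort_id, "entries": sorted(authority)}   # step 604

    def process(self, fort_id, request):
        """Steps 605-606: forward to the fort machine and keep its record."""
        record = self.forts[fort_id].handle(request)
        # Assumption: refusals are recorded as well as successful operations.
        self.records.setdefault(record["identity"], []).append(record)
        return record


def demo():
    platform = CloudPlatform([FortMachine("fort-1")])
    page = platform.apply({"identity": "user-a",
                           "verification": {"source": "office-lan"}})  # no biometric
    base = {"login_id": "user-a", "account": "user-a@cloud"}
    ok = platform.process(page["fort"], {**base, "instruction": "db01:read"})
    # Not offered on the page; the fort machine's own scope check still refuses it.
    off_page = platform.process(page["fort"], {**base, "instruction": "db01:restart"})
    stranger = platform.process(page["fort"], {"login_id": "user-z", "account": "x",
                                               "instruction": "db01:read"})
    return page, ok, off_page, stranger, platform.records


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The page data only decides which entries are shown; the refusal of `db01:restart` comes from the authority synchronized to the fort machine in step 603.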
It should be understood that, although the steps in the flowcharts related to the above embodiments are shown sequentially as indicated by arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a resource processing device based on the bastion machine, which is used for realizing the resource processing method based on the bastion machine. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of the resource processing device based on the fort machine provided below may be referred to as the limitation of the resource processing method based on the fort machine hereinabove, and will not be repeated herein.
In some embodiments, as shown in fig. 7, there is provided a resource processing device based on a fort machine, comprising: a target fort machine determining module 701, a resource processing authority determining module 702, a page data determining module 703, and a resource processing module 704, wherein:
the target fort machine determining module 701 is configured to respond to the rights application request, and search for a target fort machine according to the identity of the target object in the rights application request;
a resource processing authority determining module 702, configured to determine a resource processing authority according to verification information included in the authority application request;
a page data determining module 703, configured to determine page data according to the resource processing authority, and send the page data to the terminal, so that the terminal displays a resource processing page based on the page data;
and the resource processing module 704 is configured to log in a corresponding target server through the target fort machine in response to a resource processing request sent based on the resource processing page, so as to process, through the target fort machine, the target resource within the range of the resource processing authority.
In some embodiments, the target fort machine determining module 701 is further configured to obtain an identity of a target object in the rights application request; search for a fort machine identifier corresponding to the identity identifier in the authority list; and take the fort machine corresponding to the fort machine identifier as the target fort machine.
In some embodiments, the resource processing permission determination module 702 is further configured to obtain a request source identifier included in the verification information in the permission application request; searching an initial processing authority corresponding to the request source identifier; when the verification information further comprises user biological information, acquiring a first processing authority from the initial processing authority as a resource processing authority; and when the verification information does not comprise the user biological information, acquiring a second processing authority from the initial processing authority as a resource processing authority.
In some embodiments, the bastion machine-based resource processing device further comprises: a synchronizing module, used for synchronizing the identity identifier and the resource processing authority to the target fort machine.
In some embodiments, the resource processing module 704 is further configured to send a resource processing request to the target fort machine, so that the target fort machine obtains a login identifier and a resource processing instruction included in the resource processing request, and, if it is determined that the login identifier and the identity identifier pass login verification and that the target resource corresponding to the resource processing instruction is within the scope of the resource processing authority, logs in the target server corresponding to the target fort machine through an object account number included in the resource processing request, so that the target resource of the target server is processed through the target fort machine.
In some embodiments, the bastion machine-based resource processing device further comprises: the recording module is used for receiving the resource processing record which is sent by the target fort machine and is associated with the identity identifier; a resource processing record associated with the identity identification is maintained.
The various modules in the bastion machine-based resource processing device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In some embodiments, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 8. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing relevant data of the resource processing method based on the fort machine. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a resource processing method based on a fort machine.
In some embodiments, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:
responding to the authority application request, and searching for a target fort machine according to the identity of the target object in the authority application request; determining a resource processing authority according to verification information included in the authority application request; determining page data according to the resource processing permission, and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data; and responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing the target resource within the range of the resource processing authority through the target fort machine.
In some embodiments, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
responding to the authority application request, and searching for a target fort machine according to the identity of the target object in the authority application request; determining a resource processing authority according to verification information included in the authority application request; determining page data according to the resource processing permission, and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data; and responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing the target resource within the range of the resource processing authority through the target fort machine.
In some embodiments, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
responding to the authority application request, and searching for a target fort machine according to the identity of the target object in the authority application request; determining a resource processing authority according to verification information included in the authority application request; determining page data according to the resource processing permission, and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data; and responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing the target resource within the range of the resource processing authority through the target fort machine.
It should be noted that, the user information (including, but not limited to, user equipment information, user personal information, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use, and processing of the related data are required to meet the related regulations.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (10)

1. A resource processing method based on a fort machine, the method comprising:
responding to a permission application request, and searching a target fort machine according to the identity of a target object in the permission application request;
determining resource processing permission according to verification information included in the permission application request;
determining page data according to the resource processing permission, and sending the page data to a terminal so that the terminal displays a resource processing page based on the page data;
responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing target resources within the resource processing authority range through the target fort machine.
2. The method of claim 1, wherein the searching for the target fort machine based on the identity of the target object in the rights application request comprises:
acquiring the identity of a target object in the permission application request;
searching a fort machine identifier corresponding to the identity identifier in a permission list;
and taking the fort machine corresponding to the fort machine identifier as a target fort machine.
3. The method of claim 1, wherein the determining the resource processing rights based on the authentication information included in the rights application request comprises:
acquiring a request source identifier included in verification information in the authority application request;
searching an initial processing authority corresponding to the request source identifier;
when the verification information further comprises user biological information, acquiring a first processing authority from the initial processing authority as a resource processing authority;
and when the verification information does not comprise the user biological information, acquiring a second processing authority from the initial processing authority as a resource processing authority.
4. The method according to claim 1, wherein after determining the resource processing rights according to the authentication information included in the rights application request, further comprising:
synchronizing the identity and the resource processing authority to the target fort machine.
5. The method of claim 4, wherein logging in, by the target bastion machine, the corresponding target server to process, by the target bastion machine, the target resource within the resource processing authority range, comprising:
sending the resource processing request to the target fort machine, so that the target fort machine obtains a login identifier and a resource processing instruction included in the resource processing request, and, when it is determined based on the login identifier and the identity identifier that the target resource corresponding to the resource processing instruction is in the range of the resource processing authority, logs in a target server corresponding to the target fort machine through an object account included in the resource processing request to process the target resource of the target server through the target fort machine.
6. The method according to claim 1, wherein the method further comprises:
receiving a resource processing record which is sent by the target fort machine and is associated with the identity identifier;
a resource handling record associated with the identity is saved.
7. A resource handling device for a fort machine, the device comprising:
a target fort machine determining module, used for responding to a permission application request and searching for a target fort machine according to the identity of a target object in the permission application request;
the resource processing permission determining module is used for determining the resource processing permission according to the verification information included in the permission application request;
the page data determining module is used for determining page data according to the resource processing permission and sending the page data to the terminal so that the terminal displays a resource processing page based on the page data;
and the resource processing module is used for responding to a resource processing request sent based on the resource processing page, logging in a corresponding target server through the target fort machine, and processing target resources within the resource processing authority range through the target fort machine.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
CN202311838923.XA 2023-12-28 2023-12-28 Resource processing method and device based on fort machine and computer equipment Pending CN117828565A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311838923.XA CN117828565A (en) 2023-12-28 2023-12-28 Resource processing method and device based on fort machine and computer equipment

Publications (1)

Publication Number Publication Date
CN117828565A true CN117828565A (en) 2024-04-05

Family

ID=90512794

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311838923.XA Pending CN117828565A (en) 2023-12-28 2023-12-28 Resource processing method and device based on fort machine and computer equipment

Country Status (1)

Country Link
CN (1) CN117828565A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination