CN117992172A - Method for processing authorization policy and cloud management platform - Google Patents

Publication number
CN117992172A
Authority
CN
China
Prior art keywords
authorization
attribute
authorization policy
cloud
tenant
Legal status
Pending
Application number
CN202211345132.9A
Other languages
Chinese (zh)
Inventor
张少杰
李俊
孙智喜
Current Assignee
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd

Abstract

The embodiments of this application relate to the field of cloud computing and provide an authorization-policy processing method based on cloud computing technology, together with a cloud management platform. The cloud management platform receives an instruction, input by a tenant, to perform a first operation on a first authorization policy of at least one of a plurality of cloud services; the cloud management platform performs the first operation on the first authorization policy according to the instruction, modifying it to obtain a second authorization policy; and the cloud management platform determines, according to an attribute configuration file, whether the second authorization policy takes effect. Because attribute detection is performed on the new authorization policy before it takes effect, the method improves the security of the operations that a tenant's authorization personnel perform on authorization policies.

Description

Method for processing authorization policy and cloud management platform
Technical Field
The embodiments of this application relate to the field of cloud services, and in particular to an authorization-policy processing method and a cloud management platform based on cloud computing technology.
Background
Resources of a cloud service (such as the resources of an object storage service, an elastic computing service or a virtual private cloud, which may simply be called cloud service resources or cloud resources) are generally private: only the owner of a cloud resource (such as the tenant who rents it) can access it, and other users have no access to it unless authorized. The tenant can grant some or all of the access rights to its cloud resources to other users through an authorization policy.
However, because authorization-policy documents are varied and complex to write, and because the personnel maintaining the authorization policy of a given resource may change, operating on an authorization policy carries risk, which reduces the security with which tenants use cloud resources. How to improve the security of authorization-policy operations is therefore a technical problem to be solved.
Disclosure of Invention
The embodiments of this application provide an authorization-policy processing method and a cloud management platform based on cloud computing technology, which can detect security compliance attributes before a new authorization policy takes effect and thereby improve the security of operating on authorization policies.
In a first aspect, an authorization-policy processing method based on cloud computing technology is provided. The method is applied to a cloud management platform that manages an infrastructure providing a plurality of cloud services, the infrastructure including a plurality of cloud data centers, and the method comprises: the cloud management platform receives an instruction, input by a tenant, to perform a first operation on a first authorization policy of at least one of the plurality of cloud services; the cloud management platform performs the first operation on the first authorization policy according to the instruction, modifying it to obtain a second authorization policy; and the cloud management platform determines, according to an attribute configuration file, whether the second authorization policy takes effect, where the attribute configuration file sets a security compliance attribute, and the security compliance attribute indicates the conditions the tenant requires for the second authorization policy to take effect.
According to this technical scheme, the attributes of the new authorization policy are detected before it takes effect, and a non-compliant policy is prevented from taking effect, so that the security of operating on authorization policies is improved.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: receiving an attribute configuration file uploaded by the tenant, where the attribute configuration file comprises security compliance attributes set according to the tenant's needs.
According to this technical scheme, by uploading a customized attribute configuration file the tenant can freely set which attribute types are detected and how each attribute is defined, so that the differing attribute-detection requirements of different tenants are met.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: sending at least one preset attribute configuration option to the tenant; receiving from the tenant a selection of all or some of the at least one attribute configuration option; and generating or updating the attribute configuration file according to the selected attribute configuration options.
According to this technical scheme, predefined attribute configuration files offer the tenant a number of commonly used attribute-detection modes to choose from, so that the tenant can use the attribute-detection function more conveniently.
With reference to the first aspect, in certain implementations of the first aspect, the attribute configuration file includes a requirement to determine, from a historical access record, whether the authorization policy grants insufficient authorization, where the historical access record comprises a record of at least one event in which at least one cloud service was accessed during a period of time, and determining according to the attribute configuration file whether the second authorization policy takes effect includes: preventing the second authorization policy from taking effect when it would make a first event in the historical access record non-executable.
According to this technical scheme, the attribute configuration file blocks a new authorization policy that would make operations actually performed during a period of time impossible, which provides a means of avoiding the risk of insufficient authorization.
With reference to the first aspect, in certain implementations of the first aspect, when it is determined that the second authorization policy would make the first event in the historical access record non-executable, the method further includes, before the second authorization policy is prevented from taking effect: sending a warning message indicating that the second authorization policy risks causing insufficient authorization; and receiving an acknowledgement that cancels the first operation.
According to this technical scheme, the tenant's authorization personnel can be asked to confirm when there is a risk of insufficient authorization, so that the new authorization policy can still take effect when the authorization personnel genuinely need to narrow the authorization policy.
With reference to the first aspect, in some implementations of the first aspect, the attribute configuration file sets a preset permission boundary, and determining according to the attribute configuration file whether the second authorization policy takes effect includes: preventing the second authorization policy from taking effect when its authorization scope exceeds the preset permission boundary.
According to this technical scheme, a preset permission boundary set through the attribute configuration file provides a means of avoiding excessive authorization by the new authorization policy.
With reference to the first aspect, in certain implementations of the first aspect, determining according to the attribute configuration file whether the second authorization policy takes effect includes: determining the change in the authorization scope of the second authorization policy relative to the authorization scope of the first authorization policy; and preventing the second authorization policy from taking effect when that change does not satisfy the security compliance attribute set by the attribute configuration file.
According to this technical scheme, only the part of the new authorization policy's permission scope that changed relative to the original policy need be detected, which reduces the amount of computation and improves attribute-detection efficiency; in addition, the new authorization policy is detected on the basis of trust in the original policy, so the tenant's authorization personnel need not reconfirm the authorization scope that is unchanged relative to the original policy, which improves the tenant's experience.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: sending analysis information indicating the reason the second authorization policy was prevented from taking effect.
According to this technical scheme, the specific reason an authorization policy was blocked can be shown to the tenant's authorization personnel, making it easier for them to revise the policy.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: providing the tenant with syntax reference information for the domain-specific language in which the attribute configuration file is written.
According to this technical scheme, the language of the custom attribute configuration file is simple, functionally complete and easy to extend, so tenants can write custom attribute configuration files conveniently.
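As an added worked example (not the patent's or the assignee's code), the following Python toy shows the attribute-detection step described in the history-record, permission-boundary, scope-change and analysis-information implementations above: the scope change between the first and second policy is computed, a historical event the change would make non-executable produces a confirm-type finding, a newly added grant outside the preset boundary produces a blocking finding, and the findings serve as the analysis information. The policy model, the attribute configuration keys `require_history_executable` and `permission_boundary`, and all sample values are assumptions constructed for illustration.

```python
"""Added example (not the patent's code): a toy attribute-detection pass run on
a modified authorization policy before it takes effect. Policy model, attribute
configuration keys and all sample values are constructed assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatch
from itertools import product


@dataclass(frozen=True)
class Statement:
    """One 'allow'/'deny' sentence of an authorization policy; each field holds
    glob patterns ('*' matches anything) over users, actions and resources."""
    effect: str
    users: tuple
    actions: tuple
    resources: tuple


def _matches(patterns, value):
    return any(fnmatch(value, p) for p in patterns)


def is_allowed(policy, user, action, resource):
    """Explicit deny wins over any allow; unmatched requests are denied."""
    allowed = False
    for st in policy:
        if (_matches(st.users, user) and _matches(st.actions, action)
                and _matches(st.resources, resource)):
            if st.effect == "deny":
                return False
            allowed = True
    return allowed


def _universe(policies, history):
    """All concrete (user, action, resource) triples named in the policies or
    the historical access record; these are the requests worth probing."""
    users, actions, resources = set(), set(), set()
    for st in (s for p in policies for s in p):
        users.update(v for v in st.users if "*" not in v)
        actions.update(v for v in st.actions if "*" not in v)
        resources.update(v for v in st.resources if "*" not in v)
    for u, a, r in history:
        users.add(u)
        actions.add(a)
        resources.add(r)
    return set(product(sorted(users), sorted(actions), sorted(resources)))


def detect_attributes(first_policy, second_policy, attr_config, history):
    """Return findings as (kind, message) tuples: 'block' (must not take effect)
    or 'confirm' (tenant may acknowledge the risk); empty means it may take
    effect. Only the scope change relative to the first policy is examined."""
    findings = []
    triples = _universe([first_policy, second_policy], history)
    added = {t for t in triples
             if is_allowed(second_policy, *t) and not is_allowed(first_policy, *t)}
    removed = {t for t in triples
               if is_allowed(first_policy, *t) and not is_allowed(second_policy, *t)}
    # Insufficient authorization: a recorded access the change would now deny.
    if attr_config.get("require_history_executable"):
        for event in history:
            if event in removed:
                findings.append(("confirm", "insufficient authorization risk: "
                                 "recorded access %s would be denied" % (event,)))
    # Excessive authorization: a newly added grant outside the preset boundary,
    # given as (action pattern, resource pattern) pairs the tenant permits.
    boundary = attr_config.get("permission_boundary")
    if boundary is not None:
        for user, action, resource in sorted(added):
            if not any(fnmatch(action, ap) and fnmatch(resource, rp)
                       for ap, rp in boundary):
                findings.append(("block", "exceeds permission boundary: "
                                 "new grant %s" % ((user, action, resource),)))
    return findings


def may_take_effect(findings, tenant_confirmed=False):
    """A 'block' finding prevents taking effect; 'confirm' findings need the
    tenant's acknowledgement; with no findings the policy takes effect."""
    if any(kind == "block" for kind, _ in findings):
        return False
    return tenant_confirmed or all(kind != "confirm" for kind, _ in findings)


# Constructed sample data: the tenant's edit drops user1's PutObject (narrowing)
# and grants user2 an ECS action that the OBS-only boundary does not permit.
FIRST_POLICY = [
    Statement("allow", ("user1",), ("obs:GetObject", "obs:PutObject"), ("bucket-a",)),
    Statement("allow", ("user2",), ("obs:GetObject",), ("bucket-a",)),
]
SECOND_POLICY = [
    Statement("allow", ("user1",), ("obs:GetObject",), ("bucket-a",)),
    Statement("allow", ("user2",), ("obs:GetObject",), ("bucket-a",)),
    Statement("allow", ("user2",), ("ecs:StartServer",), ("vm-1",)),
]
HISTORY = [("user1", "obs:PutObject", "bucket-a"), ("user2", "obs:GetObject", "bucket-a")]
ATTR_CONFIG = {"require_history_executable": True,
               "permission_boundary": [("obs:*", "bucket-*")]}
```

Running `detect_attributes(FIRST_POLICY, SECOND_POLICY, ATTR_CONFIG, HISTORY)` yields one confirm finding for user1's lost PutObject and one blocking finding for the out-of-boundary ECS grant, so the edited policy cannot take effect even if the tenant confirms the narrowing.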
In a second aspect, a cloud management platform is provided for managing an infrastructure that provides a plurality of cloud services, the infrastructure including a plurality of cloud data centers, the cloud management platform comprising: a transceiver module, configured to receive an instruction, input by a tenant, to perform a first operation on a first authorization policy of at least one of the plurality of cloud services; an execution module, configured to perform the first operation on the first authorization policy according to the instruction, modifying it to obtain a second authorization policy; and an attribute detection module, configured to determine, according to an attribute configuration file, whether the second authorization policy takes effect, where the attribute configuration file sets a security compliance attribute, and the security compliance attribute indicates the conditions the tenant requires for the second authorization policy to take effect.
With reference to the second aspect, in certain implementations of the second aspect, the transceiver module is further configured to: and receiving an attribute configuration file uploaded by the tenant, wherein the attribute configuration file comprises security compliance attributes set according to the needs of the tenant.
With reference to the second aspect, in certain implementations of the second aspect, the transceiver module is further configured to: sending at least one preset attribute configuration option to the tenant; receiving a selection indication of all or part of at least one attribute configuration options by the tenant; and the execution module is also used for generating or updating the attribute configuration file according to the whole or part of attribute configuration options.
With reference to the second aspect, in some implementations of the second aspect, the attribute configuration file includes a requirement to determine, from a historical access record, whether the authorization policy grants insufficient authorization, where the historical access record comprises a record of at least one event in which at least one cloud service was accessed during a period of time, and the attribute detection module is specifically configured to: prevent the second authorization policy from taking effect when it would make a first event in the historical access record non-executable.
With reference to the second aspect, in some implementations of the second aspect, in a case where it is determined that the second authorization policy results in the first event in the historical access record not being executable, before the second authorization policy is blocked from being validated, the transceiver module is further configured to: transmitting a warning message indicating that the second authorization policy is at risk of resulting in insufficient authorization; acknowledgement of the cancellation of the first operation is received.
With reference to the second aspect, in some implementations of the second aspect, the attribute configuration file includes a preset permission boundary, and the attribute detection module is specifically configured to: prevent the second authorization policy from taking effect when its authorization scope exceeds the preset permission boundary.
With reference to the second aspect, in certain implementations of the second aspect, the cloud management platform further includes an authorization policy analysis module configured to determine a change in an authorization scope of the second authorization policy relative to an authorization scope of the first authorization policy; the attribute detection module is used for preventing the second authorization policy from being validated when the change does not meet the security compliance attribute set by the attribute configuration file.
With reference to the second aspect, in certain implementations of the second aspect, the transceiver module is further configured to: analysis information is sent indicating a reason for preventing the second authorization policy from being validated.
With reference to the second aspect, in certain implementations of the second aspect, the transceiver module is further configured to: the tenant is provided with syntax reference information for the domain-specific language used to write the attribute configuration file.
In a third aspect, a cluster of computing devices is provided, comprising at least one computing device, each computing device comprising a processor and a memory, wherein the memory is for storing instructions, the processor is for invoking and executing the instructions from the memory, such that the cluster of computing devices performs the method of the first aspect or any one of the possible implementations of the first aspect.
In the alternative, the processor may be a general purpose processor, and may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor, implemented by reading software code stored in a memory, which may be integrated in the processor, or may exist separately from the processor.
In a fourth aspect, a chip is provided, which obtains instructions and executes the instructions to implement the method of the first aspect or any one of the possible implementation manners of the first aspect.
Optionally, as an implementation manner, the chip includes a processor and a data interface, where the processor reads instructions stored on a memory through the data interface, and performs the method in the first aspect or any one of the possible implementation manners of the first aspect.
Optionally, as an implementation manner, the chip may further include a memory, where the memory stores instructions, and the processor is configured to execute the instructions stored on the memory, where the instructions, when executed, are configured to perform the method in the first aspect or any one of the possible implementation manners of the first aspect.
In a fifth aspect, there is provided a computer program product comprising instructions which, when executed by a cluster of computing devices, cause the cluster of computing devices to perform the method of the first aspect or any one of the possible implementations of the first aspect.
In a sixth aspect, a computer readable storage medium is provided, comprising computer program instructions which, when executed by a cluster of computing devices, cause the cluster of computing devices to perform the method of the first aspect or any one of the possible implementations of the first aspect.
By way of example, such computer-readable storage media include, but are not limited to, one or more of the following: read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), flash memory, electrically erasable PROM (EEPROM), and hard disk drives.
Alternatively, as an implementation manner, the storage medium may be a nonvolatile storage medium.
Drawings
FIG. 1 is a schematic system diagram of an embodiment of the present application.
Fig. 2 is a schematic diagram of an example of an application scenario of an embodiment of the present application.
Fig. 3 is a schematic diagram of an authorization policy management procedure according to an embodiment of the present application.
Fig. 4 is a schematic flow diagram of a method for processing an authorization policy according to an embodiment of the present application.
Fig. 5 is a schematic diagram of another authorization policy management procedure according to an embodiment of the present application.
Fig. 6 is a schematic flow chart diagram of another method for processing an authorization policy provided by an embodiment of the application.
Fig. 7 is a schematic diagram of another authorization policy management procedure according to an embodiment of the present application.
Fig. 8 is a schematic flow chart diagram of another method for processing authorization policies provided by an embodiment of the application.
Fig. 9 is a schematic block diagram of a cloud management platform according to an embodiment of the present application.
FIG. 10 is a schematic block diagram of a computing device provided by an embodiment of the present application.
FIG. 11 is a schematic block diagram of a computing device cluster provided by an embodiment of the application.
FIG. 12 is a schematic block diagram of another cluster of computing devices provided by an embodiment of the application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings.
The present application will present various aspects, embodiments, or features about a system comprising a plurality of devices, components, modules, etc. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. Furthermore, combinations of these schemes may also be used.
In addition, in the embodiments of the present application, words such as "exemplary," "for example," and the like are used to indicate an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "example" is intended to present concepts in a concrete fashion.
In the embodiments of the present application, the terms "corresponding" and "relevant" may sometimes be used interchangeably; where the distinction between them is not emphasized, their intended meanings are consistent.
The network architecture and service scenarios described in the embodiments of the present application are intended to describe the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments. Those skilled in the art will recognize that, as network architectures evolve and new service scenarios emerge, the technical solutions provided by the embodiments of the present application remain applicable to similar technical problems.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, that both A and B exist, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects. "At least one of" and similar phrases mean any combination of the listed items, including any combination of single items or plural items. For example, "at least one of a, b, or c" may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may each be single or plural.
For ease of understanding, related terms and concepts that may be involved in embodiments of the present application are described below.
1. Cloud service: the cloud service provider provides cloud service resources to tenants through the Internet, so that the tenants can manage and use technical services provided by the provider without purchasing, owning and maintaining a physical data center and a server.
2. Cloud service resources: the resources, such as computing capacity, storage capacity and databases, of the technical services that a cloud service provider offers to tenants through the internet according to tenant demand; they may simply be called cloud resources.
3. Tenant: an organization or individual that rents cloud service resources from a cloud service provider. The organization or individual can use and manage its rented cloud service resources, for example by authorizing users (such as users within the organization, or other users) to use some or all of the cloud service resources as desired.
4. User: an organization or individual that accesses cloud service resources. Users may include the tenant itself, as well as other organizations or individuals to whom the tenant grants access rights to cloud service resources.
5. Authorization policy: a set of statements that "allow" or "deny" access requests to cloud service resources. For example, user A is allowed to perform operation A on cloud service resource A, or user B is allowed to perform all operations other than operation B on cloud service resource B, or operation C is denied on cloud service resource C, and so on. All statements in one authorization policy act together to form a user's set of access rights to cloud service resources, and tenants authorize access to cloud service resources by applying authorization policies through their cloud accounts. Authorization policies that have taken effect are stored on the cloud server, and multiple such policies may exist for the same tenant at the same time.
The cloud service provider allows the tenant to use and manage the corresponding cloud service resources through a cloud account. By default the resources of a cloud account are private, that is, only the tenant holding the cloud account has permission to access the resources in it. To let other users access the cloud service resources, the tenant can grant some or all of the access rights to the resources in the cloud account to those users through an authorization policy.
In the conventional scheme, any syntactically valid authorization policy that the tenant uploads through the cloud account takes effect for the cloud resources in that account. In practice, however, a tenant generally has an overall requirement for the authorization of its cloud service resources that all of its authorization policies are expected to satisfy, and that overall requirement is specific to the type of tenant. To meet this requirement, the tenant may consider performing security compliance detection on the authorization policy. However, for complex authorization scenarios such security compliance detection is not effective. For example, when a cloud account holds a large number of resources that are in turn authorized to a large number of different users, and a policy authorizer modifies the permissions of some resources or some users, it is difficult to determine the impact of the modification on the overall authorization scope, so it cannot be determined whether the new authorization policy has security implications. As another example, the same cloud account may be used by several different authorization personnel at different times, so each of them needs to know the tenant's customized security compliance requirements, and whenever the personnel or the requirements change, the personnel must become familiar with the requirements again, which results in low authorization efficiency.
FIG. 1 is a schematic system diagram of an embodiment of the present application. As shown in fig. 1, the cloud management platform 10 is configured to manage an infrastructure that provides a plurality of cloud services, where the infrastructure includes a plurality of cloud data centers, each cloud data center includes a plurality of servers, each server includes a cloud service resource, and provides a corresponding cloud service for a tenant.
The cloud management platform 10 provides an access interface (such as a user interface or an application programming interface (API)). Through a client, the tenant can use the remote access interface to register a cloud account and password with the cloud management platform and log in to it; after the cloud management platform has successfully authenticated the cloud account and password, the tenant can pay to select and purchase a virtual machine of a specific specification (processor, memory and disk) in the cloud management platform. After the purchase succeeds, the cloud management platform provides the remote login account and password of the purchased virtual machine, and the client can log in to the virtual machine remotely and install and run the tenant's applications in it.
The functions of the cloud management platform 30 include, but are not limited to, a user console, a computing management service, a network management service, a storage management service, an authentication service and an image management service. The user console provides interfaces or APIs for interacting with tenants; the computing management service manages the servers that run virtual machines and containers, as well as bare-metal servers; the network management service manages network services (such as gateways and firewalls); the storage management service manages storage services (such as data bucket services); the authentication service manages tenants' account passwords; and the image management service manages virtual machine images.
The tenant uses the client 30, and can log in to the cloud management platform 10 through the internet 20 to manage the rented cloud service. For example, a policy authority of the tenant may modify an authorization policy of the cloud service resource through the cloud management platform 10, or a security compliance person of the tenant may perform security compliance detection on the authorization policy through the cloud management platform 10.
Fig. 2 is a schematic diagram of an example of an application scenario of an embodiment of the present application. As shown in fig. 2, the application scenario includes an organization 10, where the organization 10 is a tenant of a cloud service, such as a person, an enterprise, a school, a hospital or an administrative office. Subordinate to the organization 10 are a department 11, a department 12 and a security compliance department 13. The departments 11 and 12 each have their own cloud service resources, such as the resources of an object storage service (OBS), an elastic cloud server (ECS), a virtual private cloud (VPC), and the like. In addition, departments 11 and 12 each have at least one cloud account for managing and authorizing the cloud service resources of the respective department and deciding which rights to the cloud service resources are granted to which users. For example, department 11 has cloud account 1 for authorizing and controlling object storage service A, object storage service B and virtual private cloud A, and grants some or all of the access rights to those cloud service resources to user 1 and user 2 through authorization policies; department 12 has cloud account 2 for authorizing and controlling object storage service C, elastic cloud server A, elastic cloud server B and virtual private cloud B, and grants some or all of the access rights to those cloud service resources to user 3, user 4 and user 5 through authorization policies.
The organization 10 expects the authorization policies formulated by its subordinate departments 11 and 12 to meet unified requirements derived from the organization's use of cloud services, so the security compliance department 13 is responsible for supervising the operations that all cloud accounts in the organization 10 perform on authorization policies, thereby avoiding potential security risks.
In view of this, an embodiment of the present application provides a method for processing an authorization policy, which allows a tenant to configure, according to its own needs, attribute requirements that need to be met by the authorization policy through an attribute configuration file, so as to perform attribute detection on a new authorization policy before the new authorization policy takes effect, and prevent the new authorization policy that does not meet the requirements of security compliance attributes from taking effect, thereby improving security of operating the authorization policy.
The application scenario of fig. 2 is merely exemplary, and the scenario to which the embodiments of the present application may be applied is not limited to the specific division manner shown in fig. 2, nor to the authorization policy inside the organization. For example, in the embodiment of fig. 2, the security compliance department 13 implements centralized management of the attribute configuration files, but in other applicable scenarios, the security compliance department may not be a separate department, or may be set by each department itself, and implement consistency management of the attribute configuration files through negotiation or interaction, that is, implement distributed management of the attribute configuration files. For brevity, some embodiments of the application are described below by taking the scenario of fig. 2 as an example, but it will be clear to those skilled in the art that this description does not constitute a limitation on the scope of the application.
In this case, fig. 3 is a schematic diagram of an authorization policy management procedure according to an embodiment of the present application. As shown in fig. 3, the security compliance department 210 of the tenant in the application scenario sets, through the attribute configuration file 211, security compliance attribute requirements that need to be satisfied for the new authorization policy 242 to take effect. Alternatively, the security compliance department in fig. 3 may correspond to the security compliance department 13 in the scenario shown in fig. 2. When the tenant's authorizer 220 operates on the original authorization policy 241, the cloud management platform 230 performs attribute detection on the new authorization policy 242 based on the attribute profile. Alternatively, the cloud management platform 230 may correspond to the cloud management platform 10 in the system schematic of fig. 1. Optionally, the authorizing person 220 of the tenant may operate the authorization policy of the corresponding cloud service resource through the cloud account as shown in fig. 2. Optionally, the cloud management platform 230 can obtain other data 250 (e.g., snapshot data of the cloud service resource status, historical access record data of the cloud service resource being accessed, time data of the cloud service resource being created, network address of a device that authorizes a person to operate the authorization policy, etc.) needed for attribute detection. When the cloud management platform 230 determines that the new authorization policy 242 does not meet the security compliance attributes required by the attribute profile 211, the new authorization policy 242 is prevented from being validated and analysis information is output, otherwise the new authorization policy 242 is validated.
Optionally, the cloud management platform 230 may provide a specific API through which tenants obtain attribute detection of the new authorization policy 242 based on the attribute profile. For example, the cloud management platform 230 may provide a policy-setting-with-detection (put-policy-with-detect) API through which an authorizer of a tenant performs an operation on an authorization policy. Before the new authorization policy takes effect, the cloud management platform 230 performs attribute detection on the new authorization policy according to the requirements set by the security compliance personnel of the tenant: if the new authorization policy satisfies the security compliance attributes, it takes effect, and the tenant observes the same result as with the conventional policy-setting (put-policy) API; if the new authorization policy does not satisfy the security compliance attributes, it is blocked. Implementation through a specific API is only one implementation of the present application; the cloud management platform 230 may also implement custom attribute detection of the authorization policy through other types of access interfaces, for example through the conventional policy-setting (put-policy) API or through a specific user interaction interface, which is not specifically limited by the present application.
Note that in the embodiment of the present application, "not satisfying the security compliance attribute" may mean either that the new authorization policy violates an allow-class statement of the security compliance attribute, or that it matches a deny-class statement of the security compliance attribute. For example, when the security compliance attribute states that only certain operations are allowed (or agreed upon), and the new authorization policy 242 would perform operations other than those allowed, it is determined that the new authorization policy 242 does not satisfy the security compliance attribute; for another example, when the security compliance attribute rejects (or prohibits) certain operations and the new authorization policy 242 would perform one of the rejected operations, it is likewise determined that the new authorization policy 242 does not satisfy the security compliance attribute; as another example, the security compliance attribute may also be a combination of the allow-class and deny-class attributes described above.
Fig. 4 shows a schematic flow chart of a method for processing an authorization policy according to an embodiment of the application. Alternatively, the method of fig. 4 may be performed by the cloud management platform 230 of fig. 3.
As shown in fig. 4, the method includes the following steps.
S310: an instruction to perform a first operation on a first authorization policy on a cloud server is received.
For example, in step S310, the cloud management platform 230 may receive an instruction of a first operation for a first authorization policy of at least one cloud service of the plurality of cloud services input by a tenant. The first operation may be that the authorizer 220 of the tenant changes, through the cloud account, an authorization policy of a cloud service resource in the cloud account, for example, adds an authorization policy, modifies an authorization policy, deletes an authorization policy, and the like.
Optionally, the tenant may input the instruction to perform the first operation on the first authorization policy through the policy-setting-with-detection (put-policy-with-detect) API provided by the cloud management platform 230.
S320: and executing a first operation on the first authorization policy to obtain a second authorization policy.
For example, in step S320, the cloud management platform 230 may perform the first operation on the first authorization policy according to the instruction, modifying the first authorization policy to obtain the second authorization policy. Specifically, the second authorization policy is the authorization policy generated after the first operation is performed, and may also be referred to as the new authorization policy; for example, it may correspond to the new authorization policy 242 in the application scenario shown in fig. 3. Correspondingly, the first authorization policy is the object indicated by the instruction to execute the first operation, that is, an existing authorization policy (which may be an active or an inactive authorization policy) on the cloud server before the first operation is executed, and may also be referred to as the original authorization policy; for example, it may correspond to the original authorization policy 241 in the application scenario shown in fig. 3.
S330: and determining whether the second authorization strategy is effective according to the attribute configuration file.
For example, in step S330, the cloud management platform 230 may perform attribute detection on the second authorization policy before validating the second authorization policy to determine whether the second authorization policy meets the requirements of the security compliance attribute set according to the attribute profile 211. Specifically, when it is determined that the second authorization policy does not meet the security compliance attribute set by the attribute configuration file 211, the cloud management platform 230 may prevent the second authorization policy from being validated, and the first authorization policy continues to be validated; correspondingly, if the second authorization policy meets the security compliance attribute set by the attribute configuration file 211, the second authorization policy may take effect, and at this time, the authorization policy in the cloud server is changed from the first authorization policy to the second authorization policy, and the new authorization policy is successfully authorized, so that the tenant may not perceive that the attribute detection is performed, and the use experience of the tenant is improved.
The security compliance attribute may be an attribute requirement, defined by the cloud management platform 230 according to the needs of the tenant, that a new authorization policy must satisfy in order to take effect. Alternatively, the attribute profile 211 may set the value of a security compliance attribute for which the new authorization policy is allowed, or may set the value of a security compliance attribute for which the new authorization policy is blocked. In the former case, the new authorization policy may take effect only when the value of the corresponding attribute at the time the authorization policy is operated matches the value of the security compliance attribute; in the latter case, the new authorization policy is blocked from taking effect when the value of the corresponding attribute at the time the authorization policy is operated matches the value of the security compliance attribute. The security compliance attributes include, but are not limited to, at least one of: cloud resource data attributes, authorization policy attributes, authorization policy rules, and the effects produced by rules. Specifically, the cloud resource data attribute may be information about the cloud resource data, including, but not limited to, the state of the cloud resource data, the access state of the cloud resource data, the creation time of the cloud resource data, and the like. For example, if the cloud resource data attribute required by the security compliance attribute is that the state of a bucket is empty, an operation performed on the authorization policy of the bucket cannot take effect while objects are stored in the bucket.
The cloud resource data attribute may be obtained by snapshot data of the cloud resource, which may be a form of data 250 required for attribute detection in fig. 3. For example, the security compliance attribute requires that the bucket be empty, and upon receiving an instruction to operate on the authorization policy, the cloud management platform 230 obtains snapshot data of the bucket, and if the snapshot data indicates that the state of the bucket is non-empty, then the new authorization policy is prevented from being validated. The authorization policy attribute may be information of the authorization policy including, but not limited to, a creation time of the authorization policy, a creation account of the authorization policy, a creation network address of the authorization policy, and the like. For example, the authorization policy may be restricted to be operated only for a specific period of time by the creation time of the authorization policy, or may be restricted to be operated only using a specific device by the creation network address of the authorization policy. The authorization policy rules may be contents of an authorization policy, through which specific contents of the authorization policy may be restricted. The effect produced by the rule may be a specific definition of the effects of "allow", "reject", "public", etc. in the authorization policy, for example, all cloud service resources that the tenant wants to rent are limited to use inside the organization, and the effect "public" produced by the rule may be defined as accessible through a network address inside the organization, so that any authorization policy will not grant rights to users outside the organization by mistake.
The attribute profile 211 may be the basis on which the cloud management platform 230 defines the security compliance attributes that the authorization policy needs to satisfy. The attribute profile 211 may be written using JavaScript object notation (JavaScript object notation, JSON), YAML (YAML ain't markup language, YAML) or any other language suitable for writing configuration files, which the application does not particularly limit. Each tenant may set its own attribute profile 211, and the content of the attribute profile 211 may differ between tenants. The attribute profile 211 can be stored on the cloud server; when a tenant operates an authorization policy through a cloud account, the cloud management platform 230 can automatically perform attribute detection on the authorization policy based on the attribute profile 211 corresponding to the tenant, so that after configuring the attribute profile 211 only once the tenant obtains attribute detection on all of its authorization policies, thereby improving authorization efficiency and reducing security risk.
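The following is an added example, not code from the patent, that implements the S310 to S330 flow of a put-policy-with-detect style call: a JSON attribute profile (constructed here; the field names `name`, `mode` and `values` are assumptions) lists allow-class and deny-class security compliance attributes, the platform derives the attribute values of the operation from the new policy, a resource snapshot and request metadata (the "other data" of fig. 3), and the new policy takes effect only when every attribute passes. The policy format, the snapshot and request structures and all sample values are constructed for illustration.

```python
"""Attribute detection before a new authorization policy takes effect
(added example; profile format, field names and sample data are assumptions)."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed attribute profile in JSON. "allow" entries list the values the
# attribute must take; "deny" entries list values it must not take.
ATTRIBUTE_PROFILE = json.loads("""
{
  "attributes": [
    {"name": "bucket_state",     "mode": "allow", "values": ["empty"]},
    {"name": "operator_network", "mode": "allow", "values": ["10.0.0.0/8"]},
    {"name": "operation_hour",   "mode": "deny",  "values": [0, 1, 2, 3, 4, 5]},
    {"name": "policy_effects",   "mode": "deny",  "values": ["public"]}
  ]
}
""")

# Constructed "other data" used for detection: a bucket snapshot and metadata
# about the request that operates on the policy.
EMPTY_BUCKET = {"bucket": "bucket-a", "object_count": 0}
FULL_BUCKET = {"bucket": "bucket-a", "object_count": 3}
REQUEST_OK = {"source_ip": "10.12.0.7",
              "time": datetime(2023, 5, 2, 14, 0, tzinfo=timezone.utc)}
REQUEST_BAD = {"source_ip": "203.0.113.5",
               "time": datetime(2023, 5, 2, 3, 0, tzinfo=timezone.utc)}

# Constructed policies: the active one and two candidate new ones.
ORIGINAL_POLICY = {"statements": [
    {"effect": "allow", "principal": "user1", "action": "obs:GetObject", "resource": "bucket-a"}]}
NEW_POLICY = {"statements": [
    {"effect": "allow", "principal": "user1", "action": "obs:GetObject", "resource": "bucket-a"},
    {"effect": "allow", "principal": "user2", "action": "obs:GetObject", "resource": "bucket-a"}]}
PUBLIC_POLICY = {"statements": [
    {"effect": "public", "principal": "*", "action": "obs:GetObject", "resource": "bucket-a"}]}


def collect_attributes(new_policy, snapshot, request):
    """Derive the attribute values of this operation from the new policy, the
    resource snapshot and the request metadata."""
    return {
        "bucket_state": "empty" if snapshot["object_count"] == 0 else "non_empty",
        "operator_network": request["source_ip"],
        "operation_hour": request["time"].hour,
        "policy_effects": sorted({s["effect"] for s in new_policy["statements"]}),
    }


def value_matches(name, actual, expected):
    """True if the actual attribute value falls within the profile's values."""
    if name == "operator_network":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(net) for net in expected)
    if isinstance(actual, list):
        return any(v in expected for v in actual)
    return actual in expected


def detect(profile, attrs):
    """Return (takes_effect, reasons). An allow-class attribute fails when the
    value is outside the listed values; a deny-class attribute fails when the
    value matches one of them. The reasons are the analysis information."""
    reasons = []
    for rule in profile["attributes"]:
        actual = attrs[rule["name"]]
        hit = value_matches(rule["name"], actual, rule["values"])
        if rule["mode"] == "allow" and not hit:
            reasons.append(f"{rule['name']}={actual!r} is not among allowed {rule['values']}")
        elif rule["mode"] == "deny" and hit:
            reasons.append(f"{rule['name']}={actual!r} matches denied {rule['values']}")
    return not reasons, reasons


def put_policy_with_detect(current, new, snapshot, request, profile=ATTRIBUTE_PROFILE):
    """Apply the operation only if detection passes; otherwise the current
    policy stays in force and the analysis information is returned."""
    ok, reasons = detect(profile, collect_attributes(new, snapshot, request))
    return (new if ok else current), reasons


if __name__ == "__main__":
    active, info = put_policy_with_detect(ORIGINAL_POLICY, NEW_POLICY, EMPTY_BUCKET, REQUEST_OK)
    print("took effect" if active is NEW_POLICY else "blocked", info)
    active, info = put_policy_with_detect(ORIGINAL_POLICY, PUBLIC_POLICY, FULL_BUCKET, REQUEST_BAD)
    print("took effect" if active is PUBLIC_POLICY else "blocked", *info, sep="\n  ")
```

The second call is blocked on all four attributes at once (non-empty bucket, request from outside the allowed network, operation during a denied hour, and a "public" effect), and the returned reasons are what the platform would hand back to the authorizer as analysis information; the first call passes and the tenant sees the same result as a plain put-policy.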
Alternatively, the attribute profile 211 may include a predefined attribute profile. The predefined attribute configuration file may be a written attribute configuration file provided by the cloud management platform 230 and available for the tenant to select, which is used for providing some optional commonly used attribute detection functions for the tenant, so that the tenant can directly select without writing the attribute configuration file by himself when the tenant has a corresponding use requirement, and the tenant can use the attribute configuration file conveniently. It should be appreciated that at least one predefined attribute profile may be provided in the cloud management platform 230, and that a tenant may select some or all of the attribute configuration options provided by the at least one predefined attribute profile, the attribute configuration options of the predefined attribute profile selected by the tenant may be used to set corresponding security compliance attributes, thereby performing corresponding attribute detection functions, and that the predefined attribute profile not selected by the tenant may not be validated. Specific functions that can be implemented by the predefined attribute profile will be described below in connection with specific examples of embodiments, and are not described in detail herein.
Alternatively, the attribute profile 211 may include a custom attribute profile. The custom attribute configuration file may be an attribute configuration file uploaded to the cloud management platform 230 by the tenant, and is used for setting the required security compliance attribute according to the personalized requirement of the tenant. In some possible implementations, the tenant may write a custom attribute profile through a visual console, in which case, when the tenant selects a desired security compliance attribute and sets the value of the security compliance attribute, the cloud management platform 230 may help the tenant generate the custom attribute profile that meets its needs. By the technical scheme of the embodiment of the application, even if a tenant is unfamiliar with the grammar rule of the attribute configuration file, the right custom attribute configuration file can be obtained. In other possible implementations, for more complex use needs of the tenant, the tenant may write the custom attribute profile using a programming language, in which case the cloud management platform may provide the tenant with syntax rules for the custom attribute profile that enable the cloud management platform 230 to identify the custom attribute profile written by the tenant. In this case, in some possible embodiments, the custom attribute configuration file may be written in a domain-specific language (domain specific language, DSL), so that the language of the custom attribute configuration file is simple, the function is complete and easy to expand, and the tenant can write the custom attribute configuration file conveniently. In some possible implementations, to further facilitate the tenant writing of the correct custom attribute profile, the cloud management platform 230 may also provide the tenant with syntax reference information for the DSL used to write the custom attribute profile. 
By way of example and not limitation, the grammar reference information may be an exemplary program fragment, or may be a predefined attribute profile as previously described written using the same grammar.
In some possible implementations, because the original authorization policy 241 meets the requirements of security compliance attributes, the cloud management platform 230 may only perform attribute detection for the scope of authorization of the new authorization policy 242 as a function of the original authorization policy 241. Specifically, the authorization policy may be a set of authorization ranges of the cloud service resource access rights, and the change of the authorization ranges includes both a reduced set range of the original authorization policy 241 relative to the new authorization policy 242 and an increased set range of the new authorization policy 242 relative to the original authorization policy 241. For example, the scope of authority of the original authority policy 241 is denoted as set A, the scope of authority of the new authority policy 242 is denoted as set B, the scope of the reduced set of the original authority policy 241 relative to the new authority policy 242 is denoted as the relative complement of B in A, A-B, the scope of the increased set of the new authority policy 242 relative to the original authority policy 241 is denoted as the relative complement of A in B, B-A, and the scope of varying authority is the union of A-B and B-A. 
By the technical scheme of the embodiment of the application, the amount of computation for attribute detection is reduced when the new authorization policy differs little from the original authorization policy, so that the efficiency of attribute detection is improved; in addition, attribute detection of the new authorization policy can be carried out on the basis of the trusted original authorization policy, so that the part of the new authorization policy's authorization scope that is unchanged relative to the original authorization policy does not need to be confirmed again by the tenant's authorization personnel, redundant repeated confirmation is avoided, and the use experience of the tenant is improved.
In some possible embodiments, when it is determined in step S230 that the new authorization policy does not meet the security compliance attribute set by the attribute configuration file, the cloud management platform 230 may further send analysis information to the tenant, indicating a specific reason why the new authorization policy cannot be validated, so as to facilitate the modification of the authorization policy by an authorized person.
By adopting the technical scheme of the embodiment of the application, attribute detection is performed on the new authorization policy before it takes effect, so that a new authorization policy that does not meet the requirements of the security compliance attributes is prevented from taking effect; this avoids the situation in which cloud service resources can no longer be used normally after a wrong authorization policy has taken effect, and improves the security of the operations that the tenant's authorization personnel perform on authorization policies.
The method for processing the authorization policy provided by the embodiment of the present application is described above with reference to fig. 2 to fig. 4, and two specific attribute detections that can be implemented by the attribute configuration file according to two embodiments of the present application are described below with reference to fig. 5 to fig. 8.
Fig. 5 and 6 illustrate one type of attribute detection that can be implemented by an attribute profile to prevent the validation of a new authorization policy for excessive authorization in accordance with an embodiment of the present application. It should be understood that, although the embodiments of the present application are given by way of example only as being implemented by predefined attribute profiles, tenants may also implement the same or similar attribute detection effect by custom attribute profiles, and the present application is not limited to the specific form of attribute profile used.
Fig. 5 is a schematic diagram of another authorization policy management procedure according to an embodiment of the present application. As shown in fig. 5, the attribute configuration file 211 in the application scenario includes a preset authority boundary 212. When the tenant's authorizer 220 operates on the original authorization policy 241, the cloud management platform 230 detects whether the new authorization policy 242 is over-authorized based on the preset rights boundary 212 in the attribute profile. When cloud management platform 230 determines that the authorization scope of new authorization policy 242 is greater than the authorization scope of preset permission boundary 212, new authorization policy 242 is prevented from validating, otherwise new authorization policy 242 is validated.
Fig. 6 is a schematic flow chart of another method for processing authorization policies provided by an embodiment of the application. Alternatively, the method shown in FIG. 6 is a specific implementation of the method shown in FIG. 4. Alternatively, the method of fig. 6 may be performed by the cloud management platform 230 of fig. 5.
As shown in fig. 6, the method includes the following steps.
S510: an instruction to perform a first operation on a first authorization policy is received.
S520: and executing a first operation on the first authorization policy to obtain a second authorization policy.
Alternatively, the specific implementation of the steps S510 and S520 may be referred to the descriptions of the corresponding steps S310 and S320 in the above embodiments, which are not repeated herein.
S531: and determining that the authorization range of the second authorization strategy is larger than a preset authority boundary.
S532: the second authorization policy is prevented from being validated.
Alternatively, the steps S531 and S532 are a specific implementation of the step S330 in the above embodiment.
In step S531, the cloud management platform 230 may determine whether the authorization scope of the second authorization policy is greater than the preset authority boundary 212, where the preset authority boundary 212 may be determined according to the attribute profile 211. Specifically, the second authorization policy and the preset authority boundary 212 may both be sets of authorization ranges of access rights to cloud service resources, so when the preset authority boundary 212 is not empty and the relative complement of the preset authority boundary 212 in the second authorization policy is not empty, that is, the second authorization policy contains a right not included in the preset authority boundary 212, it may be determined that the authorization scope of the second authorization policy is greater than the preset authority boundary, and the second authorization policy is thereby prevented from taking effect.
To facilitate understanding, as an example, where a tenant wishes that an OBS service, even if public, cannot be granted permission beyond anonymous user reading, the permission of an anonymous user to the OBS service in preset permission boundary 212 may be set to read by attribute profile 211. When the new authorization policy 242 after the operation of the authorizer 220 includes the write-in authority of the anonymous user to the OBS service, the new authorization policy 242 is prevented from being validated due to the exceeding of the preset authority boundary 212, so as to avoid undesirable modification of the object stored in the OBS service by the anonymous user after the new authorization policy 242 with excessive authorization is validated.
For the example case, the preset permission boundaries in the attribute profile may be set as follows:
It should be understood that the above code is merely an example given for more intuitively exposing the representation of the property profile and is not meant to limit the programming language used for the property profile in embodiments of the present application.
By the technical scheme of the embodiment of the application, the preset authority boundary can be set to detect the authorization strategy, so that potential safety hazards caused by the fact that a user incorrectly obtains the authority exceeding the due range of the user due to the excessive authorization of the new authorization strategy are avoided.
It should be appreciated that the preset authority boundary 212 in the above example is merely exemplary and may be set as needed in practical applications. In addition, the preset authority boundary 212 is not limited to a maximum authorization range of the authorization policy; it may also express other ranges of the authorization policy, such as a minimum authorization range, which is not specifically limited. For example, the preset authority boundary 212 may state that user A's lowest permission on the OBS service is read, in which case an authorization policy that prevents user A from reading the OBS service, or that does not grant user A permission to read the OBS service, may be prevented from taking effect by the cloud management platform 230.
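The following is an added example, not code from the patent, covering both the changed-scope computation described earlier (A = scope of the original policy, B = scope of the new policy, A-B the reduced part, B-A the increased part) and the boundary detection of steps S531/S532: only the increased part B-A is compared against the preset (maximum) permission boundary, and an optional minimum boundary is checked against the whole new scope. Rights are modelled as (principal, action, resource) tuples; the policy format, the boundary contents and the sample policies are constructed assumptions.

```python
"""Changed-scope computation and permission-boundary detection
(added example; policy format and sample data are assumptions)."""


def scope(policy):
    """Expand a policy into its set of granted rights, each a
    (principal, action, resource) tuple; deny statements remove rights."""
    allowed, denied = set(), set()
    for st in policy:
        target = denied if st["effect"] == "deny" else allowed
        for p in st["principals"]:
            for a in st["actions"]:
                for r in st["resources"]:
                    target.add((p, a, r))
    return allowed - denied


def changed_scope(original, new):
    """Return (A - B, B - A): rights removed by and rights added by the operation."""
    a, b = scope(original), scope(new)
    return a - b, b - a


def check_boundary(original, new, max_boundary, min_boundary=frozenset()):
    """Over-authorization: any right in (B - A) - max_boundary, checked only on
    the increased part because the original policy is already trusted.
    An empty max_boundary means no maximum is configured.
    Under-authorization: any right of min_boundary missing from the new scope B."""
    reduced, increased = changed_scope(original, new)
    reasons = []
    over = increased - max_boundary if max_boundary else set()
    reasons += [f"exceeds preset permission boundary: {r}" for r in sorted(over)]
    missing = min_boundary - scope(new)
    reasons += [f"below minimum permission boundary: {r}" for r in sorted(missing)]
    return not reasons, reasons


# Constructed policies: the original grants anonymous read on bucket-a and
# user1 read/write; the new one adds anonymous write and drops user1 read.
ORIGINAL = [
    {"effect": "allow", "principals": ["anonymous"], "actions": ["obs:GetObject"],
     "resources": ["bucket-a"]},
    {"effect": "allow", "principals": ["user1"], "actions": ["obs:GetObject", "obs:PutObject"],
     "resources": ["bucket-a"]},
]
NEW = [
    {"effect": "allow", "principals": ["anonymous"], "actions": ["obs:GetObject", "obs:PutObject"],
     "resources": ["bucket-a"]},
    {"effect": "allow", "principals": ["user1"], "actions": ["obs:PutObject"],
     "resources": ["bucket-a"]},
]
# Constructed boundaries: anonymous may at most read; user1 must at least read.
MAX_BOUNDARY = frozenset({
    ("anonymous", "obs:GetObject", "bucket-a"),
    ("user1", "obs:GetObject", "bucket-a"),
    ("user1", "obs:PutObject", "bucket-a"),
})
MIN_BOUNDARY = frozenset({("user1", "obs:GetObject", "bucket-a")})


if __name__ == "__main__":
    reduced, increased = changed_scope(ORIGINAL, NEW)
    print("A-B:", reduced, "B-A:", increased)
    ok, reasons = check_boundary(ORIGINAL, NEW, MAX_BOUNDARY, MIN_BOUNDARY)
    print("takes effect" if ok else "blocked", *reasons, sep="\n  ")
```

Re-applying the original policy unchanged yields an empty changed scope and passes; the constructed new policy is blocked for two independent reasons, anonymous write exceeding the maximum boundary and user1 losing the read right required by the minimum boundary.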
Fig. 7 and 8 illustrate another attribute detection that can be implemented by the attribute profile according to an embodiment of the present application, to prevent the validation of a new authorization policy with insufficient authorization. It should be understood that, although the embodiments of the present application are given by way of example only as being implemented by predefined attribute profiles, tenants may also implement the same or similar attribute detection effect by custom attribute profiles, and the present application is not limited to the specific form of attribute profile used.
Fig. 7 is a schematic diagram of another authorization policy management procedure according to an embodiment of the present application. As shown in fig. 5, the attribute profile 211 in the application scenario includes a requirement to determine, according to the historical access record 251, whether the new authorization policy 242 is insufficiently authorized. When the tenant's authorizer 220 operates on the original authorization policy 241, the cloud management platform 230 detects whether the new authorization policy 242 carries a risk of insufficient authorization, using the historical access record 251 read from the cloud audit service. When the cloud management platform 230 determines that an event in the historical access record 251 could not be executed under the new authorization policy, it sends a warning to the tenant's authorizer 220 and requests confirmation of whether to continue the authorization; if the tenant's authorizer 220 confirms cancellation of the operation on the original authorization policy, the new authorization policy 242 is prevented from taking effect, otherwise the new authorization policy 242 takes effect.
Fig. 8 is a schematic flow chart of another method 700 of processing authorization policies provided by an embodiment of the application. Alternatively, the method shown in FIG. 8 is a specific implementation of the method shown in FIG. 4. Alternatively, the method of fig. 8 may be performed by the cloud management platform 230 of fig. 7.
As shown in fig. 8, the method includes the following steps.
S710: an instruction to perform a first operation on a first authorization policy is received.
S720: and executing a first operation on the first authorization policy to obtain a second authorization policy.
Alternatively, the specific implementation of the steps S710 and S720 may be referred to the descriptions corresponding to the steps S310 and S320 in the above embodiments, which are not repeated herein.
S731: determining that the second authorization policy results in the first event in the historical access record being unexecutable.
S732: the second authorization policy is prevented from being validated.
Alternatively, the steps S731 and S732 are a specific implementation of the step S330 in the above embodiment.
In step S730, the cloud management platform 230 may determine whether the events in the obtained historical access record 251 can be executed under the second authorization policy; if at least one first event exists in the historical access record 251 that cannot be executed under the second authorization policy, the second authorization policy carries a risk of insufficient authorization. Specifically, the historical access record 251 may be another form of the data 250 required for attribute detection in the application scenario shown in fig. 3, and contains records of accesses to cloud service resources over a period of time. The historical access record 251 may be obtained through a cloud trace service (CTS). The CTS records accesses to cloud service resources, that is, events in which a user operates a cloud service resource. The content recorded in the historical access record 251 may include, but is not limited to, event name, event type, resource name, resource type, user name, event time, and so on. The period of time may refer to one or more periods before the attribute detection of the new authorization policy 242 and may be set according to the needs of the tenant; embodiments of the present application do not limit it in detail. Acquiring the historical access record 251 lets the tenant learn which users performed which access operations on which cloud service resources during a specific historical period, and thereby determine which rights the users require. Optionally, the historical access record 251 may also be filtered by resource name and/or user name, so as to obtain only the records related to the resources and/or users concerned by the new authorization policy for attribute detection.
In some possible embodiments, the cloud management platform 230 may use the content of the new authorization policy 242 (including the "allowed" rights and the "denied" rights) as a constraint on the problem, solve the problem using the satisfaction modulo theory (satisfiability modulo theories, SMT), and substitute the events in the history access record 251 into the SMT one by one to verify whether the events are solutions to the problem corresponding to the new authorization policy 242, thereby determining whether the obtained events in the history access record 251 can be executed under the second authorization policy. Alternatively, only the reduced authority of the second authorization strategy relative to the first authorization strategy may be used as a constraint for solving the problem by SMT. The reduced rights of the second authorization policy relative to the first authorization policy may include "allowed" rights of the first authorization policy relative to the second authorization policy and "denied" rights of the second authorization policy relative to the first authorization policy, where the "allowed" rights may be rights of the cloud resource to allow access, and the "denied" rights may be rights of the cloud resource to deny access. The operation of the set of rights corresponding to the authorization policy may be implemented by a logical operation of the SMT, i.e. the "intersection", "union" and "complement" operations of the set correspond to the "and", "or" and "not" of the constraint conditions in the SMT, respectively.
To facilitate understanding, as an example, where a tenant wishes to preserve access rights to a cloud service resource that has been used by a user for 90 days, attribute analysis may be performed by setting, via attribute profile 211, historical access records 251 over the first 90 days of operating on original authorization policies 241. When receiving an instruction of the authorizing person 220 to operate the original authorizing policy 241, the cloud management platform 230 obtains a history of access 251 of the user to the cloud service resource in a period from 90 days before receiving the operating instruction to the moment of receiving the operating instruction. If at least one event in the history access record 251 does not have permission to execute under the new authorization policy 242, the new authorization policy 242 is prevented from being validated, thereby avoiding interruption of normal access by the user once the new authorization policy 242 with insufficient authorization is validated.
For this example case, the attribute profile may take the following form:
[Example attribute profile: shown as an image in the original publication; not reproduced here.]
It should be understood that the above code is merely an example given to illustrate the representation of the attribute profile more intuitively, and is not meant to limit the programming language used for the attribute profile in embodiments of the present application.
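The 90-day history check and the warn-and-confirm flow described above, as an added Python example that is not the patent's own code: the policy statement format, the event fields, the attribute profile keys and the sample records are assumptions constructed for this example, and the SMT encoding is replaced by direct evaluation of each event against the "reduced rights" (permitted by the original policy but not by the new one).

```python
"""Added example: attribute detection of a modified authorization policy
against a historical access record (steps S731/S732 in the description).
Policy format, event fields, profile keys and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Callable, Optional


@dataclass(frozen=True)
class Statement:
    effect: str                  # "Allow" or "Deny"
    actions: tuple[str, ...]     # action patterns, '*' is a wildcard
    resources: tuple[str, ...]   # resource patterns, '*' is a wildcard


@dataclass
class Policy:
    statements: list[Statement]

    def permits(self, action: str, resource: str) -> bool:
        """Explicit Deny wins over Allow; with no matching Allow the default is deny."""
        allowed = False
        for st in self.statements:
            if any(fnmatchcase(action, a) for a in st.actions) and \
               any(fnmatchcase(resource, r) for r in st.resources):
                if st.effect == "Deny":
                    return False
                allowed = True
        return allowed


@dataclass(frozen=True)
class AccessEvent:
    """One CTS-style record: which user did what to which resource, and when."""
    event_name: str
    resource_name: str
    user_name: str
    event_time: datetime


def events_in_window(history: list[AccessEvent], now: datetime, days: int) -> list[AccessEvent]:
    """Keep the events from `days` before the operation instruction up to the instruction."""
    start = now - timedelta(days=days)
    return [e for e in history if start <= e.event_time <= now]


def attribute_detection(old: Policy, new: Policy, history: list[AccessEvent],
                        now: datetime, profile: dict) -> list[AccessEvent]:
    """Return the historical events that the new policy would no longer permit.

    An event is flagged when it falls in the profile's window, passes the optional
    user filter, and lies in the reduced rights: permitted by `old`, refused by `new`.
    An empty result means the new policy passes the insufficient-authorization check."""
    window = events_in_window(history, now, profile["history_days"])
    if profile.get("users"):
        window = [e for e in window if e.user_name in profile["users"]]
    return [e for e in window
            if old.permits(e.event_name, e.resource_name)
            and not new.permits(e.event_name, e.resource_name)]


def decide(old: Policy, new: Policy, history: list[AccessEvent], now: datetime,
           profile: dict,
           tenant_confirms: Optional[Callable[[list[AccessEvent]], bool]] = None):
    """Block the new policy when it breaks history, unless the tenant confirms continuing.

    Returns (policy that takes effect, flagged events). `tenant_confirms` stands in for
    the warning message / confirmation exchange; None means the operation is cancelled."""
    blocked = attribute_detection(old, new, history, now, profile)
    if not blocked:
        return new, []
    if tenant_confirms is not None and tenant_confirms(blocked):
        return new, blocked        # tenant accepted the risk: new policy takes effect
    return old, blocked            # operation cancelled: original policy stays in force


# --- constructed sample data -------------------------------------------------
NOW = datetime(2024, 1, 1, 12, 0)   # instant at which the operation instruction arrives

ORIGINAL_POLICY = Policy([
    Statement("Allow", ("obs:object:*",), ("obs:bucket-a/*", "obs:bucket-b/*")),
])
NEW_POLICY = Policy([
    Statement("Allow", ("obs:object:*",), ("obs:bucket-a/*",)),          # bucket-b dropped
    Statement("Deny", ("obs:object:Delete",), ("obs:bucket-a/*",)),       # deletes now denied
])
HISTORY = [  # constructed CTS-style records
    AccessEvent("obs:object:Get", "obs:bucket-a/report.csv", "alice", NOW - timedelta(days=10)),
    AccessEvent("obs:object:Get", "obs:bucket-b/archive.zip", "alice", NOW - timedelta(days=30)),
    AccessEvent("obs:object:Delete", "obs:bucket-a/tmp.log", "alice", NOW - timedelta(days=5)),
    AccessEvent("obs:object:Put", "obs:bucket-b/upload.bin", "carol", NOW - timedelta(days=2)),
    AccessEvent("obs:object:Get", "obs:bucket-b/legacy.dat", "alice", NOW - timedelta(days=120)),
]
PROFILE = {"history_days": 90}       # the 90-day window of the example; key name is an assumption

if __name__ == "__main__":
    effective, flagged = decide(ORIGINAL_POLICY, NEW_POLICY, HISTORY, NOW, PROFILE)
    for e in flagged:
        print(f"blocked: {e.user_name} {e.event_name} {e.resource_name} at {e.event_time:%Y-%m-%d}")
    print("new policy takes effect" if effective is NEW_POLICY else "original policy kept")
```

The 120-day-old event is outside the window and is ignored, while the still-permitted read of bucket-a is not flagged; passing a `users` set in the profile reproduces the optional filtering by user name.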
By the technical solution of the embodiments of the present application, a new authorization policy under which operations actually performed during a period of time could no longer be performed can be prevented from taking effect, which avoids the risk of interrupting a user's normal service because the new authorization policy grants insufficient authorization.
Since the detection of insufficient authorization is based on the user's history access record 251, there may be situations in which a tenant does need to reduce an authorization policy, for example: an employee of a company is transferred to other work, and authorization for the resources related to the employee's previous work must be stopped immediately; or a published web site needs to be shut down. For such cases, the predefined attribute profile of the embodiments of the present application also provides the function of requesting confirmation from the tenant.
In some possible embodiments, after step S731 and before step S732, when the cloud management platform 230 determines that the new authorization policy 242 would make a first event in the history access record unable to be executed, a warning message may be sent to the authorizer 220 of the tenant. The warning message indicates that the tenant's operation on the original authorization policy 241 carries a risk of insufficient authorization and asks the tenant to confirm whether to continue. If confirmation that the tenant cancels the operation is received, the new authorization policy 242 is prevented from taking effect and the original authorization policy 241 remains in force; if confirmation that the tenant wishes to continue is received, the new authorization policy 242 is not prevented from taking effect and replaces the original authorization policy 241.
The method embodiments for processing an authorization policy provided by the present application have been described above with reference to fig. 3 to 8; the apparatus embodiment for processing an authorization policy provided by the present application is described below with reference to fig. 9. It should be understood that the apparatus embodiments and the method embodiments correspond to each other, and that for similar descriptions reference may be made to the method embodiments.
Fig. 9 shows a schematic block diagram of a cloud management platform 800 according to an embodiment of the present application.
As shown in fig. 9, the cloud management platform 800 includes: transceiver module 810, execution module 820, attribute detection module 830.
Specifically, the transceiver module 810 is configured to receive an instruction to operate on an authorization policy. In some possible embodiments, the transceiver module 810 is further configured to receive or send other information, for example: sending warning information, receiving confirmation information, sending analysis information, and providing a syntax reference for a custom attribute profile.
Specifically, the execution module 820 is configured to operate on the original authorization policy according to the instruction to obtain the new authorization policy.
Specifically, the attribute detection module 830 is configured to perform attribute detection on the authorization policy according to the attribute configuration file, so as to determine whether the new authorization policy meets the security compliance attribute set by the attribute configuration file.
Optionally, in some possible embodiments, the cloud management platform further includes a data acquisition module, configured to acquire data required for performing attribute detection, for example: historical access records of cloud service resources in a period of time, snapshot data of the cloud service resources, attribute data of an authorization policy and the like.
Optionally, in some possible embodiments, the cloud management platform further comprises an authorization policy analysis module for determining an authorization scope of the new authorization policy relative to the change of the original authorization policy.
The modules may be implemented in software or hardware. The implementation of the attribute detection module 830 is described next as an illustrative example; the transceiver module 810, the execution module 820, the data acquisition module and the authorization policy analysis module may be implemented in the same way.
Taking a module as an example of a software functional unit, the attribute detection module 830 may include code running on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine and a container. Further, there may be one or more such computing instances. For example, the attribute detection module 830 may include code running on multiple hosts/virtual machines/containers. It should be noted that the multiple hosts/virtual machines/containers running the code may be distributed in the same region or in different regions. Further, they may be distributed in the same availability zone (AZ) or in different AZs, each AZ comprising one data center or multiple geographically close data centers; typically a region comprises a plurality of AZs.
Likewise, the multiple hosts/virtual machines/containers running the code may be distributed in the same virtual private cloud (VPC) or in multiple VPCs. In general, one VPC is located in one region, and a communication gateway is provided in each VPC for interconnection between VPCs in the same region and between VPCs in different regions.
Taking a module as an example of a hardware functional unit, the attribute detection module 830 may include at least one computing device, such as a server. Alternatively, the attribute detection module 830 may be a device implemented using an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or the like. The PLD may be implemented as a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The multiple computing devices included in the attribute detection module 830 may be distributed in the same region or in different regions, in the same AZ or in different AZs, and in the same VPC or in multiple VPCs. The multiple computing devices may be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs and GALs.
It should be noted that in other embodiments the transceiver module 810, the execution module 820, the attribute detection module 830, the data acquisition module and the authorization policy analysis module may each be configured to execute any step of the method for processing an authorization policy, and the steps each module is responsible for may be assigned as needed, so that the different steps of the method are implemented by these modules respectively and together realize all functions of the cloud management platform.
The present application also provides a computing device 100. As shown in fig. 10, the computing device 100 includes: bus 102, processor 104, memory 106, and communication interface 108. Communication between the processor 104, the memory 106, and the communication interface 108 is via the bus 102. Computing device 100 may be a server or a terminal device. It should be understood that the present application is not limited to the number of processors, memories in computing device 100.
Bus 102 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. Buses may be divided into address buses, data buses, control buses, etc. For ease of illustration only one line is shown in fig. 4, but this does not mean there is only one bus or one type of bus. Bus 102 may include a path for transferring information between the components of computing device 100 (e.g., memory 106, processor 104, communication interface 108).
The processor 104 may include any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), or a digital signal processor (DSP).
The memory 106 may include volatile memory, such as random access memory (RAM). The memory 106 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state disk (SSD).
The memory 106 stores executable program codes, and the processor 104 executes the executable program codes to implement the functions of the foregoing transceiver module, attribute detection module, execution module, data acquisition module, and authorization policy analysis module, respectively, so as to implement the foregoing method for processing an authorization policy. That is, the memory 106 has stored thereon instructions for performing the method of processing authorization policies described above.
Communication interface 108 enables communication between computing device 100 and other devices or communication networks using a transceiver module such as, but not limited to, a network interface card or a transceiver.
The embodiment of the application also provides a computing device cluster. The cluster of computing devices includes at least one computing device. The computing device may be a server, such as a central server, an edge server, or a local server in a local data center. In some embodiments, the computing device may also be a terminal device such as a desktop, notebook, or smart phone.
As shown in fig. 11, the cluster of computing devices includes at least one computing device 100. The same instructions for performing the above-described method of processing authorization policies may be stored in memory 106 in one or more computing devices 100 in the computing device cluster.
In some possible implementations, parts of the instructions for performing the above-described method of processing an authorization policy may also be stored separately in the memories 106 of one or more computing devices 100 in the computing device cluster. In other words, a combination of one or more computing devices 100 may collectively execute the instructions for performing the above-described method of processing an authorization policy.
It should be noted that, the memories 106 in different computing devices 100 in the computing device cluster may store different instructions for performing part of the functions of the cloud management platform. That is, the instructions stored by the memory 106 in the different computing devices 100 may implement the functionality of one or more of a transceiver module, an attribute detection module, an execution module, a data acquisition module, and an authorization policy analysis module.
In some possible implementations, one or more computing devices in a cluster of computing devices may be connected through a network. Wherein the network may be a wide area network or a local area network, etc. Fig. 12 shows one possible implementation. As shown in fig. 12, two computing devices 100A and 100B are connected by a network. Specifically, the connection to the network is made through a communication interface in each computing device. In this type of possible implementation, instructions to perform the functions of the attribute detection module are stored in memory 106 in computing device 100A. Meanwhile, the memory 106 in the computing device 100B stores therein instructions for performing the functions of the transceiver module and the execution module.
It should be appreciated that the functionality of computing device 100A shown in fig. 12 may also be performed by multiple computing devices 100. Likewise, the functionality of computing device 100B may also be performed by multiple computing devices 100.
The embodiment of the application also provides a chip which comprises a processor and a data interface, wherein the processor reads the instructions stored in the memory through the data interface so as to execute the method for processing the authorization strategy.
Embodiments of the present application also provide a computer program product comprising instructions. The computer program product may be software or a program product containing instructions capable of running on a computing device or stored in any useful medium. The computer program product, when run on at least one computing device, causes the at least one computing device to perform the method of processing authorization policies described above.
The embodiments of the present application also provide a computer-readable storage medium. The computer-readable storage medium may be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk). The computer-readable storage medium includes instructions that instruct a computing device to perform the method of processing an authorization policy described above.
The technical features of the above-described embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above-described embodiments are described; however, as long as there is no contradiction between them, such combinations should be considered within the scope of this description.
The above embodiments are only for illustrating the technical solution of the present invention and are not limiting. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may be modified, or some of their technical features replaced by equivalents, and that such modifications or substitutions do not depart from the essence of the corresponding technical solutions or from the protection scope of the technical solutions of the embodiments of the present invention.

Claims (20)

1. An authorization policy processing method based on a cloud computing technology, wherein the method is applied to a cloud management platform, the cloud management platform is used for managing an infrastructure for providing a plurality of cloud services, the infrastructure comprises a plurality of cloud data centers, and the method comprises:
the cloud management platform receiving an instruction, input by a tenant, to execute a first operation on a first authorization policy of at least one cloud service of the plurality of cloud services;
the cloud management platform executing the first operation on the first authorization policy according to the instruction so as to modify the first authorization policy to obtain a second authorization policy; and
the cloud management platform determining whether the second authorization policy takes effect according to an attribute configuration file, wherein the attribute configuration file is used for setting a security compliance attribute, and the security compliance attribute indicates the conditions required by the tenant for the second authorization policy to take effect.
2. The method according to claim 1, wherein the method further comprises:
and receiving the attribute configuration file uploaded by the tenant, wherein the attribute configuration file comprises the security compliance attribute set according to the requirement of the tenant.
3. The method according to claim 1 or 2, wherein the method further comprises:
sending at least one preset attribute configuration option to the tenant;
receiving from the tenant a selection indication of all or part of the attribute configuration options; and
generating or updating the attribute configuration file according to the selected all or part of the attribute configuration options.
4. The method according to any one of claims 1 to 3, wherein the attribute configuration file includes a requirement to determine, based on a history access record, whether an authorization policy grants insufficient authorization, the history access record including a record of at least one event in which the at least one cloud service was accessed over a period of time, and the determining whether the second authorization policy takes effect according to the attribute configuration file comprises:
when the second authorization policy causes a first event in the history access record to be unable to be executed, preventing the second authorization policy from taking effect.
5. The method according to claim 4, wherein before preventing the second authorization policy from taking effect, the method further comprises:
sending a warning message indicating that the second authorization policy is at risk of causing insufficient authorization; and
receiving confirmation information for cancelling the first operation.
6. The method according to any one of claims 1 to 3, wherein the attribute configuration file includes a preset permission boundary, and the determining whether the second authorization policy takes effect according to the attribute configuration file comprises:
when the authorization scope of the second authorization policy exceeds the preset permission boundary, preventing the second authorization policy from taking effect.
7. The method according to any one of claims 1 to 6, wherein the determining whether the second authorization policy takes effect according to the attribute configuration file comprises:
determining a change of the authorization scope of the second authorization policy relative to the authorization scope of the first authorization policy; and
when the change does not meet the security compliance attribute set by the attribute configuration file, preventing the second authorization policy from taking effect.
8. The method according to any one of claims 1 to 7, further comprising:
sending analysis information, wherein the analysis information indicates the reason for preventing the second authorization policy from taking effect.
9. The method according to claim 2, wherein the method further comprises:
providing the tenant with syntax reference information of a domain-specific language for writing the attribute configuration file.
10. A cloud management platform for managing an infrastructure providing a plurality of cloud services, the infrastructure comprising a plurality of cloud data centers, the cloud management platform comprising:
a transceiver module, configured to receive an instruction, input by a tenant, to execute a first operation on a first authorization policy of at least one cloud service of the plurality of cloud services;
an execution module, configured to execute the first operation on the first authorization policy according to the instruction so as to modify the first authorization policy to obtain a second authorization policy; and
an attribute detection module, configured to determine whether the second authorization policy takes effect according to an attribute configuration file, wherein the attribute configuration file is used for setting a security compliance attribute, and the security compliance attribute indicates the conditions required by the tenant for the second authorization policy to take effect.
11. The cloud management platform of claim 10, wherein said transceiver module is further configured to:
and receiving the attribute configuration file uploaded by the tenant, wherein the attribute configuration file comprises the security compliance attribute set according to the requirement of the tenant.
12. The cloud management platform according to claim 10 or 11, wherein the transceiver module is further configured to:
send at least one preset attribute configuration option to the tenant; and
receive from the tenant a selection indication of all or part of the attribute configuration options;
and the execution module is further configured to generate or update the attribute configuration file according to the selected all or part of the attribute configuration options.
13. The cloud management platform according to any one of claims 10 to 12, wherein the attribute configuration file includes a requirement to determine, based on a history access record, whether an authorization policy grants insufficient authorization, the history access record including a record of at least one event in which the at least one cloud service was accessed over a period of time, and the attribute detection module is configured to:
when the second authorization policy causes a first event in the history access record to be unable to be executed, prevent the second authorization policy from taking effect.
14. The cloud management platform according to claim 13, wherein before the second authorization policy is prevented from taking effect, the transceiver module is further configured to:
send a warning message indicating that the second authorization policy is at risk of causing insufficient authorization; and
receive confirmation information for cancelling the first operation.
15. The cloud management platform according to any one of claims 10 to 12, wherein the attribute configuration file includes a preset permission boundary, and the attribute detection module is configured to:
when the authorization scope of the second authorization policy exceeds the preset permission boundary, prevent the second authorization policy from taking effect.
16. The cloud management platform according to any one of claims 10 to 15, further comprising:
an authorization policy analysis module, configured to determine a change of the authorization scope of the second authorization policy relative to the authorization scope of the first authorization policy;
wherein the attribute detection module is configured to prevent the second authorization policy from taking effect when the change does not meet the security compliance attribute set by the attribute configuration file.
17. The cloud management platform according to any one of claims 10 to 16, wherein the transceiver module is further configured to:
send analysis information, wherein the analysis information indicates the reason for preventing the second authorization policy from taking effect.
18. The cloud management platform according to claim 11, wherein the transceiver module is further configured to:
provide the tenant with syntax reference information of a domain-specific language for writing the attribute configuration file.
19. A computing device cluster, comprising at least one computing device, each computing device comprising a processor and a memory;
wherein the processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device, so as to cause the computing device cluster to perform the method according to any one of claims 1 to 10.
20. A computer-readable storage medium comprising computer program instructions which, when executed by a computing device cluster, cause the computing device cluster to perform the method according to any one of claims 1 to 10.
CN202211345132.9A 2022-10-31 2022-10-31 Method for processing authorization policy and cloud management platform Pending CN117992172A (en)
Publications (1)

Publication Number Publication Date
CN117992172A true CN117992172A (en) 2024-05-07