CN108011862A - Image registry authorization, access and management methods, server and client - Google Patents
- Publication number: CN108011862A (application CN201610978489.9A)
- Authority: CN (China)
- Prior art keywords: image, authorization, user, registry
- Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- H04L 63/08: Network architectures or network communication protocols for network security; authentication of entities
- H04L 63/105: Network architectures or network communication protocols for network security; controlling access to devices or network resources; multiple levels of security
- H04L 65/40: Network arrangements, protocols or services for supporting real-time applications in data packet communication; support for services or applications
- H04L 67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Description
Technical field
The present invention relates to the field of communications, and in particular to an image registry authorization method, access method and management method, together with a server and a client.
Background
Docker is an open-source engine that makes it easy to build a lightweight, portable, self-sufficient container for any application. Docker provides a public registry, Docker Hub, for storing Docker images; an image pushed to a public repository there is available to everyone free of charge. A public registry is therefore unsuitable for scenarios that are not fully open to outsiders, such as enterprise projects, which makes the creation, management and use of private image registries particularly important. There are many private registry implementations, Docker Registry among them. Even in a private registry, however, users in different roles (administrators, developers, support staff and so on) need to access the stored images, and neither private nor public registries currently offer an effective way to manage each user's access rights according to that user's role. Registry management is therefore poorly structured, and there are real security risks.
Summary of the invention
The embodiments of the present invention provide an image registry authorization method, access method and management method, together with a server and a client. The main technical problem addressed is that existing image registries do not effectively control the access rights of different users according to their roles.
To solve the above technical problem, an embodiment of the present invention provides an image registry authorization method, comprising:
receiving an authentication request for access to the image registry sent by a registry client, the authentication request containing at least the user's identity information;
authorizing the user according to the identity information and a preset table mapping identity information to user roles, where different user roles correspond to different access rights;
when authorization succeeds, returning an authorization token to the registry client so that the registry client can access the image registry on the basis of the authorization token.
To solve the above technical problem, an embodiment of the present invention provides an image registry access method, comprising:
sending an authentication request to a registry authorization server, the authentication request containing at least the user's identity information;
receiving the authorization token that the registry authorization server returns after it has successfully authorized the user according to the identity information and the preset table mapping identity information to user roles;
sending an image resource access request to the registry server on the basis of the authorization token.
To solve the above technical problem, an embodiment of the present invention provides an image registry management method, comprising:
receiving an image resource access request sent by a registry client;
when the image resource access request is determined to be unauthorized, sending an authorization instruction notification to the registry client, the notification carrying the address of the registry authorization server;
when the image resource access request is determined to be authorized, processing the request according to the authorization token associated with it.
To solve the above technical problem, an embodiment of the present invention provides a registry authorization server, comprising:
an authentication receiving module, configured to receive an authentication request for access to the image registry sent by a registry client, the request containing at least the user's identity information;
an authorization module, configured to authorize the user according to the identity information and a preset table mapping identity information to user roles, where different user roles correspond to different access rights;
an authentication feedback module, configured to return an authorization token to the registry client when authorization succeeds, so that the registry client can access the image registry on the basis of the token.
To solve the above technical problem, an embodiment of the present invention provides a registry client, comprising:
an authentication processing module, configured to send an authentication request containing at least the user's identity information to the registry authorization server, and to receive the authorization token that the authorization server returns after successfully authorizing the user according to the identity information and the preset table mapping identity information to user roles;
a resource access module, configured to send an image resource access request to the registry server on the basis of the authorization token.
To solve the above technical problem, an embodiment of the present invention provides a registry server, comprising:
an access receiving module, configured to receive an image resource access request sent by a registry client;
a control module, configured to send an authorization instruction notification carrying the address of the registry authorization server to the registry client when the image resource access request is determined to be unauthorized, and to process the request according to its associated authorization token when the request is determined to be authorized.
An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions for performing the image registry authorization, access and management methods described above.
The beneficial effects of the present invention are as follows:
With the image registry authorization, access and management methods, server, client and computer storage medium provided by the embodiments of the present invention, the registry client sends an authentication request to the registry authorization server; the authorization server authorizes the user according to the identity information in the request and a preset table mapping identity information to user roles, different roles carrying different access rights, and returns an authorization token to the registry client once authorization succeeds; the registry client then sends an image resource access request to the registry server on the basis of that token, and the registry server processes the request according to the corresponding token only after determining that the request is authorized. The invention thus controls the access rights of the registry's different users effectively according to their roles, gives the image registry fine-grained access control, and improves its practicality, security and manageability.
Brief description of the drawings
Figure 1 is a flow diagram of the image registry access method in Embodiment 1 of the present invention;
Figure 2 is a flow diagram of the authorization instruction in Embodiment 1;
Figure 3 is a flow diagram of the image registry authorization method in Embodiment 1;
Figure 4 is a flow diagram of the image registry management method in Embodiment 1;
Figure 5 is a structural diagram of the registry client in Embodiment 2;
Figure 6 is a structural diagram of the registry authorization server in Embodiment 2;
Figure 7 is a structural diagram of the registry server in Embodiment 2;
Figure 8-1 is a diagram of the identity authentication method in Embodiment 3;
Figure 8-2 is a diagram of the authorization method in Embodiment 3;
Figure 9 is a flow diagram of the authorization process in Embodiment 3;
Figure 10 is a diagram of the configuration information in Embodiment 3.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without inventive effort fall within the scope of protection of the present invention.
Embodiment 1:
In this embodiment the registry client sends an authentication request to the registry authorization server; the authorization server authorizes the user according to the identity information in the request and a preset table mapping identity information to user roles, different roles carrying different access rights, and returns an authorization token to the client once authorization succeeds. The client then sends an image resource access request to the registry server on the basis of that token, and the registry server processes the request according to the corresponding token only after it has determined that the request is authorized. The access rights of the registry's different users are thus controlled effectively according to their roles, giving the registry fine-grained access control and improving its practicality, security and manageability. For a better understanding, this embodiment describes the three parties, the registry client, the registry server and the registry authorization server, in turn.
The registry client may send an image resource access request to the registry server in response to a command from the user and then send an authentication request to the registry authorization server in response to the registry server's reply; or, if it already knows the address of the registry authorization server, it may send the authentication request to that server directly in response to the user's command. Which implementation to use can be chosen flexibly according to the application scenario. The image registry access method provided by this embodiment is shown in Figure 1 and comprises:
S101: The registry client sends an authentication request to the registry authorization server; the request contains at least the user's identity information.
As noted above, the authentication request in this embodiment may be sent by the registry client at the direction of the registry server, or directly at the direction of the user.
S102: The registry client receives the authorization token that the registry authorization server returns after it has successfully authorized the user according to the identity information in the request and the preset table mapping identity information to user roles.
The table mapping identity information to user roles may be configured locally on the registry authorization server in advance, or held in another database that the authorization server can reach. Different user roles correspond to different access rights, and the roles and their access rights can be defined flexibly for the application scenario.
S103: The registry client sends an image resource access request to the registry server on the basis of the authorization token.
It should be understood that the way the registry client sends the authentication request and the image resource access request, and the specific protocol used, can be chosen freely according to requirements, and that the image registry in this embodiment includes but is not limited to a Docker image registry.
As analysed above, in this embodiment the following steps, shown in Figure 2, may also precede the registry client's authentication request to the registry authorization server:
S201: The registry client sends an image resource access request to the registry server.
On receiving the image resource access request, the registry server first determines whether the request has been authorized. If it has, the subsequent access steps are carried out; otherwise the registry server prompts the registry client to obtain authorization.
S202: When the registry client receives the authorization instruction notification returned by the registry server, it sends the authentication request to the registry authorization server at the authorization server address carried in that notification.
The address of the registry authorization server may be configured on the registry server in advance.
In this embodiment the authentication request that the registry client sends to the registry authorization server may carry different information; two examples follow.
Example 1: The authentication request may carry only the user's identity information. Authorization is then based solely on whether that identity information is valid, and the issued token may carry every access right of the user's role (the access rights include, but are not limited to, the range of image resources the role may access and the range of operation types it may perform). To further improve security the authentication request may also carry the user's password; before authorizing the user, the registry authorization server then first authenticates the user by checking the identity information and password against a preset configuration file mapping identity information to passwords.
Example 2: The authentication request may carry the user's identity information, information about the image resource currently being accessed (either its address, or its type and name) and the operation type of the current access request. Authorization is then based on whether the identity information is valid and whether the requested image resource and operation type fall within the range of image resources (an address range, or a range of types and names) and the range of operation types permitted to the user's role. As in Example 1, the request may also carry the user's password, in which case the registry authorization server first authenticates the user against the preset configuration file mapping identity information to passwords before authorizing.
It should be understood that the authorization and authentication of users in this embodiment are not limited to the example approaches above.
In this embodiment, once the user in the authentication request has been authorized successfully, the issued authorization token carries the image resources the user is allowed to access (either every resource the user's role may access, as in Example 1, or only the resource the role is currently permitted to access, as in Example 2) and the permitted operation types (again either the role's full set, as in Example 1, or the currently permitted operation, as in Example 2). It may further carry a token validity time, which can be set as required, for example 10 minutes or 30 minutes.
The registry client can send the image resource access request to the registry server on the basis of the authorization token in either of the following ways:
Way 1: send the obtained authorization token to the registry server on its own, then send the corresponding image resource access request.
Way 2: include the authorization token, carrying the permitted image resources, operation types and validity time, in the image resource access request itself and send the two together to the registry server.
In this embodiment the image registry authorization method performed on the registry authorization server side is shown in Figure 3 and comprises:
S301: receiving the authentication request for access to the image registry sent by the registry client, the request containing at least the user's identity information (including but not limited to a user name);
S302: authorizing the user according to the identity information in the request and the preset table mapping identity information to user roles, different user roles corresponding to different access rights;
S303: when authorization succeeds, returning an authorization token to the registry client so that the client can access the image registry on the basis of the token. When authorization fails, a failure notice may be returned to the registry client, or no reply given at all.
As analysed above, to further improve security the authentication request sent by the registry client in this embodiment may also carry the user's password. Before authorizing the user in the request, the registry authorization server may then first authenticate the user by checking the identity information and password against a preset configuration file mapping identity information to passwords. Only when authentication passes is the subsequent authorization carried out; otherwise authorization is skipped and an authentication failure is reported to the registry client.
As analysed above, the authorization in this embodiment may include, but is not limited to, the following two example approaches:
Example 1: The authentication request sent by the registry client may carry only the user's identity information. The registry authorization server then authorizes the user on the basis of that identity information and the preset table mapping identity information to user roles alone, for example by checking whether the identity information exists in the table; if it does, authorization succeeds, and the token issued to the registry client may carry every access right of the user's role (including, but not limited to, the range of image resources the role may access and the range of operation types it may perform).
Example 2: The authentication request sent by the registry client may carry the user's identity information, information about the image resource currently being accessed (its address, or its type and name) and the operation type of the current access request. The registry authorization server then authorizes on the basis of whether the identity information is valid and whether the requested image resource and operation type fall within the range of image resources (an address range, or a range of types and names) and the range of operation types permitted to the user's role.
The access rights in this embodiment include, but are not limited to, the range of image resources a user role may access and the range of operation types it may perform. Operation types include, but are not limited to, upload, download, delete and query; an administrator, for example, may additionally have the right to define user roles and their access rights. Table 1 below gives an example of the range of operation types assigned to each user role.
Table 1
The image resource range can be set separately for each user role. In one example it is limited by an image resource address range (for example, which addresses in which registry); alternatively it may be limited by the type and name of the image resources, or by a combination of the two.
On the basis of Table 1, and assuming authorization follows Example 2, the registry authorization server's authorization process comprises: looking up the user's role in the preset table mapping identity information to user roles according to the identity information in the authentication request; determining whether the image resource currently being accessed falls within the range of image resources that role may access and whether the operation type of the current access request falls within the role's permitted range of operation types; if both hold, authorization succeeds, otherwise it fails.
例如,假设认证请求中的身份信息为用户名4,当前的操作类型的为下载,当前访问的镜像资源信息为资源类型为repository名称为test/my-app的镜像文件。此时镜像仓库认证服务器进行授权认证的过程包括:在表1中找到用户名4对应的角色第二用户角色,判定当前操作类型下载在允许的操作类型范围内,且当前访问的镜像资源在允许访问的范围内,授权认证成功。For example, suppose the identity information in the authentication request is user name 4, the current operation type is download, and the mirror resource information currently accessed is a mirror file whose resource type is repository and name is test/my-app. At this time, the authorization authentication process of the mirror warehouse authentication server includes: find the second user role corresponding to the user name 4 in Table 1, determine that the current operation type download is within the allowed operation type range, and the mirror resource currently accessed is within the allowable range. Within the scope of access, the authorization authentication is successful.
又例如,假设认证请求中的身份信息为用户名7,当前的操作类型的为删除,当前访问的镜像资源信息为资源类型为repository名称为test/my-app的镜像文件。此时镜像仓库认证服务器进行授权认证的过程包括:在表1中找到用户名7对应的角色第四用户角色,判定当前操作类型删除不在允许的操作类型范围内,授权认证失败。For another example, assume that the identity information in the authentication request is username 7, the current operation type is delete, and the mirror resource information currently accessed is a mirror file whose resource type is repository and name is test/my-app. At this time, the process of authorization authentication by the mirror warehouse authentication server includes: find the fourth user role corresponding to the user name 7 in Table 1, determine that the current operation type deletion is not within the allowed operation type range, and the authorization authentication fails.
又例如,假设认证请求中的身份信息为用户名10,当前的操作类型的为查询,当前访问的镜像资源信息为资源类型为repository名称为test/my-app的镜像文件。此时镜像仓库认证服务器进行授权认证的过程包括:在表1中未找到用户名7,授权认证失败。For another example, assume that the identity information in the authentication request is user name 10, the current operation type is query, and the image resource information currently accessed is a mirror file whose resource type is repository and name is test/my-app. At this time, the authorization authentication process performed by the mirror warehouse authentication server includes: the user name 7 is not found in Table 1, and the authorization authentication fails.
In this embodiment, the image repository management method executed on the image repository server side is shown in FIG. 4 and comprises:
S401: Receive an image resource access request sent by the image repository client.
S402: Determine whether the image resource access request is an authorized request; if not, go to S403; otherwise, go to S404.
In this embodiment, when the image repository server receives an image resource access request that carries an authorization token, it also stores the token after processing the request. When a subsequent image resource access request arrives without an authorization token, the server can then determine from the previously stored token whether that request is an authorized request.
S403: Send an authorization indication notification to the image repository client. The notification contains the address of the image repository authorization server; when authorization follows Example 2 above, it may further contain the currently accessed image resource information and the operation type, so that the image repository client can add this information when generating its authentication request.
S404: Process the image resource access request according to its corresponding authorization token, for example performing the corresponding download, upload, delete or query.
Corresponding to the two example authentication methods above, processing the image resource access request according to its corresponding authorization token in this embodiment also comprises:
determining from the token validity time associated with the image resource access request whether the authorization token is currently valid; if it is invalid, sending a re-authorization indication notification to the image repository client; if it is valid, determining whether the image resource information currently accessed by the request is within the range of image resources allowed to be accessed and whether the operation type of the current access request is within the range of allowed operation types; if so, executing the access; otherwise, denying access or sending a re-authorization indication notification to the image repository client.
It should be understood that in this embodiment the way the various messages are exchanged among the image repository client, the image repository server and the image repository authorization server can be set flexibly. This embodiment achieves effective control of the access rights of the different users of an image repository according to their user roles, provides fine-grained access control for the image repository, and improves its practicality, security and manageability.
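The authorization decision and the registry-side token check just described, as an added Go example that is not part of the patent: the identity-to-role table stands in for Table 1, whose contents are not reproduced on this page, so the roles given to user4 and user7 and their rights are constructed assumptions chosen to reproduce the three walk-throughs above (user name 4 may download, user name 7 may not delete, user name 10 is unknown).

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Role is one user role's access rights: an image resource range and operation
// types (the page lists upload, download, delete and query).
type Role struct {
	// Resources are "type:name" entries; a name ending in "*" is an address
	// range (prefix match), any other name must match exactly.
	Resources []string
	Ops       []string
}

// Request is the Example 2 authentication request: identity, resource, operation.
type Request struct{ User, ResType, ResName, Op string }

// Token is the Example 2 authorization token: only the resource and operation
// authorized now, plus the token validity time.
type Token struct {
	User, ResType, ResName, Op string
	ExpiresAt                  time.Time
}

// AuthServer holds the preset identity-to-role table and the role definitions.
type AuthServer struct {
	UserRoles map[string]string
	Roles     map[string]Role
	TTL       time.Duration
}

// NewDemoAuthServer is a constructed stand-in for Table 1 (not on the page):
// user4 holds the second role, user7 the fourth, user10 is absent.
func NewDemoAuthServer() *AuthServer {
	return &AuthServer{
		UserRoles: map[string]string{"user4": "second", "user7": "fourth"},
		Roles: map[string]Role{
			"second": {Resources: []string{"repository:test/*"}, Ops: []string{"upload", "download", "query"}},
			"fourth": {Resources: []string{"repository:test/my-app"}, Ops: []string{"download", "query"}},
		},
		TTL: 30 * time.Minute, // one of the validity times the page suggests
	}
}

func (r Role) allows(resType, resName, op string) bool {
	inRange := false
	for _, pat := range r.Resources {
		t, n, _ := strings.Cut(pat, ":")
		prefix := strings.HasSuffix(n, "*") && strings.HasPrefix(resName, strings.TrimSuffix(n, "*"))
		inRange = inRange || t == resType && (n == resName || prefix)
	}
	if !inRange {
		return false
	}
	for _, o := range r.Ops {
		if o == op {
			return true
		}
	}
	return false
}

// Authorize follows the page's steps: look the user's role up in the
// identity/role table, then check resource range and operation type.
func (s *AuthServer) Authorize(req Request, now time.Time) (*Token, error) {
	roleName, ok := s.UserRoles[req.User]
	if !ok {
		return nil, fmt.Errorf("%s: not in identity/role table", req.User)
	}
	if !s.Roles[roleName].allows(req.ResType, req.ResName, req.Op) {
		return nil, fmt.Errorf("%s: role %s may not %s %s:%s", req.User, roleName, req.Op, req.ResType, req.ResName)
	}
	return &Token{req.User, req.ResType, req.ResName, req.Op, now.Add(s.TTL)}, nil
}

// CheckToken is the image repository server's check of a stored token against
// a later request: validity time first, then resource range, then operation.
func CheckToken(tok *Token, req Request, now time.Time) error {
	switch {
	case !now.Before(tok.ExpiresAt):
		return fmt.Errorf("token expired: re-authorize")
	case tok.ResType != req.ResType || tok.ResName != req.ResName:
		return fmt.Errorf("%s:%s outside the token's resource range", req.ResType, req.ResName)
	case tok.Op != req.Op:
		return fmt.Errorf("%s outside the token's operation type", req.Op)
	}
	return nil
}

func main() {
	s, now := NewDemoAuthServer(), time.Now()
	for _, req := range []Request{{"user4", "repository", "test/my-app", "download"},
		{"user7", "repository", "test/my-app", "delete"}, {"user10", "repository", "test/my-app", "query"}} {
		tok, err := s.Authorize(req, now)
		fmt.Printf("%+v -> token=%+v err=%v\n", req, tok, err)
	}
}
```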
Embodiment 2:
This embodiment provides an image repository client, shown in FIG. 5, comprising:
an authentication processing module 51, configured to send an authentication request containing at least the user's identity information to the image repository authorization server, and to receive the authorization token returned by the image repository authorization server after it has successfully authorized the user according to the identity information and the preset identity-to-user-role mapping table;
The authentication processing module 51 may send an image resource access request to the image repository server in response to a command request from the user and then send the authentication request to the image repository authorization server according to the response returned by the image repository server; alternatively, when it already knows the address of the image repository authorization server, it may send the authentication request directly to that server in response to the user's command request.
In this embodiment the identity-to-user-role mapping table may be preconfigured locally on the image repository authorization server, or may be configured in a database that other image repository authorization servers can access. Different user roles correspond to different access rights, and the user roles and their access rights can be set flexibly according to the specific application scenario.
a resource access module 52, configured to send an image resource access request to the image repository server based on the authorization token.
The authentication request sent by the authentication processing module 51 to the image repository authorization server may contain different information; two example cases are described below.
Example 1: the authentication request sent by the authentication processing module 51 may contain only the user's identity information. Authorization is then based solely on whether the identity information is valid, and the issued authorization token may contain all access rights of the user's role (including, but not limited to, the range of image resources the role may access and the range of allowed operation types);
Example 2: the authentication request sent by the authentication processing module 51 may contain the user's identity information, the currently accessed image resource information (either the address of the currently accessed image resource, or its type and name) and the operation type of the current access request. Authorization is then based on whether the identity information is valid and on whether the currently accessed image resource information and the operation type of the current access request fall within the range of image resources the user's role may access (an address range, or a range of resource types and names) and within the range of allowed operation types.
To further improve security, the authentication request may also contain the user's password; before authorizing the user according to the authentication request, the image repository authorization server may first authenticate the user's identity according to the identity information, the password and a preset identity-to-password mapping configuration file.
In this embodiment, after the user in the authentication request has been successfully authorized, the issued authorization token contains the image resources the user may access (either all image resources allowed for the user's role, as in Example 1 above, or the image resources the user's role is currently allowed to access, as in Example 2) and the operation types (either all operation types allowed for the user's role, as in Example 1, or the operation types the user's role is currently allowed, as in Example 2); it may further contain a token validity time, which can be set flexibly according to specific requirements, for example 20 minutes or 30 minutes.
The resource access module 52 may send the image resource access request to the image repository server based on the authorization token in either of the following ways:
Way 1: the resource access module 52 first sends the obtained authorization token to the image repository server on its own, and then sends the corresponding image resource access request to the image repository server.
Way 2: the resource access module 52 adds the authorization token, which contains the image resources the user may access, the operation types and the token validity time, to the image resource access request and then sends the request to the image repository server.
This embodiment also provides an image repository authorization server, shown in FIG. 6, comprising:
an authentication receiving module 61, configured to receive an authentication request for accessing the image repository sent by the image repository client, the authentication request containing at least the user's identity information (including, but not limited to, a user name);
an authorization module 62, configured to authorize the user according to the identity information and the preset identity-to-user-role mapping table, where different user roles correspond to different access rights;
an authentication feedback module 63, configured to return an authorization token to the image repository client when authorization succeeds, so that the client can access the image repository based on that token. When authorization fails, a failure notice may be returned to the client, or no response at all.
To further improve security, the authentication request sent by the image repository client in this embodiment may also contain the user's password. As shown in FIG. 6, the image repository authorization server then further comprises an identity authentication module 64, configured to authenticate the user's identity, before the user in the authentication request is authorized, according to the identity information and the password together with a preset identity-to-password mapping configuration file. Only after identity authentication passes does the authorization module carry out the subsequent authorization process; otherwise the authorization process is not executed and an authentication failure is returned to the image repository client.
As analysed above, the authorization methods in this embodiment may include, but are not limited to, the following two example methods:
Example 1: The authentication request sent by the image repository client may contain only the user's identity information. The authorization module 62 then authorizes the user on that identity information alone, combined with the preset identity-to-user-role mapping table, for example by checking whether the identity information exists in the table; if it does, authorization succeeds. After successful authorization, the authorization token issued to the image repository client may contain all access rights of the user role that the user maps to (the access rights include, but are not limited to, the range of image resources the role may access and the range of allowed operation types).
Example 2: The authentication request sent by the image repository client may contain the user's identity information, the currently accessed image resource information (either the address of the currently accessed image resource, or its type and name) and the operation type of the current access request. The authorization module 62 then authorizes based on whether the identity information is valid and on whether the currently accessed image resource information and the operation type of the current access request fall within the range of image resources the user's role may access (an address range, or a range of resource types and names) and within the range of allowed operation types.
In this embodiment the access rights include, but are not limited to, the range of image resources a user role may access and the range of allowed operation types; operation types include, but are not limited to, upload, download, delete and query. An administrator, for example, may additionally have the right to configure user roles and their corresponding access rights.
This embodiment also provides an image repository server, shown in FIG. 7, comprising:
an access receiving module 71, configured to receive image resource access requests sent by the image repository client;
a control module 72, configured, when the image resource access request is determined to be an unauthorized request, to send an authorization indication notification to the image repository client, the notification containing the address of the image repository authorization server and, when authorization follows Example 2 above, optionally also the currently accessed image resource information and the operation type, so that the client can add this information when generating its authentication request; and, when the image resource access request is determined to be an authorized request, to process the request according to its corresponding authorization token.
In this embodiment, when the control module 72 receives an image resource access request that carries an authorization token, it also stores the token after processing the request. When a subsequent image resource access request arrives without an authorization token, it can then determine from the previously stored token whether that request is an authorized request.
The control module 72 is specifically configured to determine from the token validity time whether the authorization token is currently valid; if it is invalid, to send a re-authorization indication notification to the image repository client; if it is valid, to determine whether the image resource information currently accessed by the image resource access request is within the range of image resources allowed to be accessed and whether the operation type of the current access request is within the range of allowed operation types; if so, to execute the access; otherwise, to deny access or send a re-authorization indication notification to the image repository client.
The functions of the modules above may be implemented by circuitry or code in a microcontroller. Evidently, the modules or steps of the embodiments of the present invention may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network of several computing devices; optionally, they may be implemented as program code executable by a computing device and thus stored on a computer storage medium (ROM/RAM, magnetic disk, optical disc) for execution by the computing device; in some cases the steps shown or described may be performed in an order different from that given here, or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. The present invention is therefore not limited to any particular combination of hardware and software.
Embodiment 3:
For a better understanding of the present invention, the following description takes a Docker image repository as the example of an image repository and follows the approach of Example 2 above.
In this embodiment the function of the identity authentication module is to receive authentication requests from Docker and authenticate the identity by the specified authentication method. The authentication request may use HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) for secure transmission of HTTP (HyperText Transfer Protocol) data.
As shown in FIG. 8-1, the identity authentication module can support several authentication methods, including but not limited to:
static file configuration; LDAP (Lightweight Directory Access Protocol); and various databases. Specifically:
In the static file configuration method, the user names and encrypted passwords are placed in a configuration file that the authorization device loads when it runs; the file configures the current users and their passwords, the passwords being encrypted with Bcrypt (Blowfish File Encryption, a cross-platform file encryption tool). This method is simple to implement.
LDAP (Lightweight Directory Access Protocol) stores data in a tree-shaped hierarchy; a container running an LDAP server must be started, and the authorization device is then configured, through a configuration file, with the address of that LDAP server and other information.
With the database methods, when the authorization device starts it loads a configuration file containing the database address, port and similar information; every operation on the image repository is then authenticated by reading the user data stored in the database.
The function of the authorization module in this embodiment is, once identity authentication has passed, to issue a token according to the user in the authentication request and the requested authorization scope (including the type and name of the resource accessed and the specific operation type). The token is generated under the JWT (JSON Web Token) scheme and contains the token type (JWT), the signing algorithm used, the token issuer, the token validity period and so on. As shown in FIG. 8-2, the authorization methods include but are not limited to: ACL (Access Control List), LDAP and various databases. Specifically:
The ACL authorization method can be used together with the static file configuration above: the configuration file describes each user name and its scope of permissions.
LDAP authorization can be used together with LDAP authentication.
The database authorization method can be used together with the database authentication above; authorization from data stored in a database supports richer usage scenarios, and users can choose the database type as needed.
FIG. 9 shows the complete authorization process, comprising:
S901: the image repository client sends a resource access request to the image repository server;
S902: the image repository server returns the authorization address and the authorization scope generated from the requested address;
S903: the image repository client sends an authentication request carrying the user name and password to the image repository authorization server;
S904: the image repository authorization server first authenticates the user information and the requested scope and, once authentication passes, sends an authorization token to the image repository client;
S905: the image repository client sends the resource access request to the image repository server again, this time carrying the token;
S906: on receiving the resource access request, the image repository server responds with the requested resource.
Taking an image download as the example, the process by which a generic Docker image repository authorization server authenticates and authorizes for a Docker image repository server is as follows:
First, make sure the Docker image repository server has started normally and has loaded the configuration of the image repository authorization server, shown in FIG. 10, which contains: the address of the image repository authorization server; the name of the image repository, which may also be called the service name; the name of the image repository authorization server, which is the issuer of the token; and the absolute path of the public key (used together with HTTPS). The image repository authorization server must also be started and must load the token configuration, in which the name of the authorization device must match the one configured on the Docker image repository server above, and the validity period of the token must be configured.
The Docker image repository client receives a command request from the user. Taking a Docker Registry as the image repository, the client logs in to the Docker Registry with a user name and password; for example, for the current user test, the command docker login 10.11.21.22:5000 is used, where 10.11.21.22:5000 is the address of the Docker Registry.
After logging in successfully, the command docker pull 10.11.21.22:5000/test/my-app is executed to download the image from the image repository server to the local Docker.
Because the resource access request has not been authorized by the authorization server, the Docker image repository server returns an HTTP response with status code 401. The response headers carry the address of the authorization device and the service name (for a Docker Registry the service name may be set to DIS-Registry) together with the scope of the operation; the WWW-Authenticate header field in the response has a value of the form: Bearer realm="https://ip:port/auth",service="Docker-Registry",scope="repository:test/my-app:pull". Specifically, realm is the address of the authorization server, service is the service name, and scope describes the type, name and operation range of the requested resource: the resource type here is repository (developers can extend the resource types as needed), the requested resource name is the name of the image to download, test/my-app, and the operation to perform is a download, i.e. pull. Three kinds of operation are distinguished: * (all rights over the image), push,pull (upload and download rights) and pull (download right only). There may be several scopes, so that several resources can be authorized at once.
Based on the authorization information above, the image repository client sends an authentication request to the image repository authorization server at an address of the form https://ip:port/auth?service=Docker-Registry&scope=repository:test/my-app:pull, supplying the user name and password through HTTP basic authentication in an HTTPS request. The image repository authorization server first authenticates the requested user name and password by the configured authentication method; for example, if the method uses a PostgreSQL database, the device compares the requested user name and password with those stored in the database and at the same time queries the database to compare the resource type, name and operation described in the scope. If they match, authorization proceeds; if not, authentication fails and a response with status code 401 is returned together with the reason for the failure.
The image repository authorization server returns a token for the requested scope, indicating that access has been granted; the generated token is returned in the body of the HTTP response.
The image repository client resends the resource access request to the Docker image repository server, adding an Authorization header field to the request headers whose value is the token prefixed by Bearer and a single space.
Docker镜像仓库服务器收到含token的资源访问请求,执行镜像仓库客户端请求资源的所需操作,即下载镜像到本地Docker。The Docker mirror warehouse server receives the resource access request containing the token, and performs the required operation of the mirror warehouse client requesting resources, that is, downloads the mirror image to the local Docker.
对于镜像仓库客户端相同的请求,在token有效期内,可以直接执行,无需重新认证在保证安全性的同时提高了操作的效率。For the same request of the mirror warehouse client, it can be executed directly within the validity period of the token, without re-authentication, which improves the efficiency of the operation while ensuring security.
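The exchange in the steps above, written out as an added Python example that is not part of the patent or of Docker Registry's own code: it parses the registry's WWW-Authenticate challenge, builds the token-request URL, models the authorization server's credential and scope check against a constructed user table (standing in for the PostgreSQL lookup in the text), issues a signed token with an expiry, and shows the registry verifying the Authorization: Bearer header on the retried request within and after the validity period. The USERS table, the SECRET key, the token format, TOKEN_TTL and all function names are assumptions; the patent does not specify a token format.

```python
"""Added example: a model of the Docker Registry token-auth exchange.

Everything below (USERS table, SECRET, the token format, function names)
is a constructed assumption standing in for the patent's components.
"""
import base64
import hashlib
import hmac
import json
import re
import time
from urllib.parse import urlencode

# ---- Step 1: the registry's 401 challenge ----------------------------------
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_bearer_challenge(header_value):
    """Parse a WWW-Authenticate value such as
    Bearer realm="https://ip:port/auth",service="Docker-Registry",scope="repository:test/my-app:pull"
    into {"realm": ..., "service": ..., "scope": [...]} (scope may repeat)."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    pairs = _PARAM_RE.findall(params)
    fields = {k: v for k, v in pairs if k != "scope"}
    fields["scope"] = [v for k, v in pairs if k == "scope"]
    return fields

def parse_scope(scope):
    """'repository:test/my-app:push,pull' -> ('repository', 'test/my-app', {'push', 'pull'})."""
    rtype, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    return rtype, name, set(actions.split(","))

def build_token_request(challenge):
    """The client's request URL to the authorization server (realm?service=...&scope=...)."""
    query = [("service", challenge["service"])] + [("scope", s) for s in challenge["scope"]]
    return challenge["realm"] + "?" + urlencode(query, safe=":/")

# ---- Step 2: the authorization server --------------------------------------
SECRET = b"constructed-signing-key"   # assumption: HMAC key shared with the registry
TOKEN_TTL = 300                        # assumption: token validity in seconds

def _pw_hash(password):
    # Stand-in for a stored password hash; a real server would use bcrypt/argon2.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed user table standing in for the PostgreSQL lookup. Per repository a
# user holds one of the three action sets the text names: {"*"}, {"push","pull"}, {"pull"}.
USERS = {
    "alice": {"pw_hash": _pw_hash("alice-pass"),
              "grants": {"test/my-app": {"pull"}, "test/other": {"*"}}},
}

def check_credentials(username, password):
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["pw_hash"], _pw_hash(password))

def issue_token(subject, access, now=None):
    """Simplified signed token: base64(JSON payload) '.' HMAC-SHA256 hex."""
    now = int(now if now is not None else time.time())
    payload = {"sub": subject, "access": access, "iat": now, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def authorize(username, password, scopes, now=None):
    """Return (status, body): 401 with the failure reason, or 200 with a token."""
    if not check_credentials(username, password):
        return 401, {"error": "bad username or password"}
    granted = []
    for scope in scopes:
        rtype, name, wanted = parse_scope(scope)
        if rtype != "repository":
            return 401, {"error": "unsupported resource type " + rtype}
        have = USERS[username]["grants"].get(name, set())
        if "*" not in have and not wanted <= have:
            missing = ",".join(sorted(wanted - have))
            return 401, {"error": username + " lacks " + missing + " on " + name}
        granted.append({"type": rtype, "name": name, "actions": sorted(wanted)})
    return 200, {"token": issue_token(username, granted, now)}

def authorization_header(token):
    """Header value for the retried request: 'Bearer', one space, then the token."""
    return "Bearer " + token

# ---- Step 3: the registry checks the retried request -----------------------
def registry_allows(header_value, scope, now=None):
    """True if the Authorization header carries a valid, unexpired token covering scope."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or "." not in token:
        return False
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    payload = json.loads(base64.urlsafe_b64decode(body))
    if (now if now is not None else time.time()) >= payload["exp"]:
        return False   # validity period over: the client must authenticate again
    rtype, name, wanted = parse_scope(scope)
    return any(a["type"] == rtype and a["name"] == name and wanted <= set(a["actions"])
               for a in payload["access"])

if __name__ == "__main__":
    challenge = parse_bearer_challenge(
        'Bearer realm="https://ip:port/auth",service="Docker-Registry",scope="repository:test/my-app:pull"')
    print(build_token_request(challenge))
    status, body = authorize("alice", "alice-pass", challenge["scope"])
    print(status, registry_allows(authorization_header(body["token"]), challenge["scope"][0]))
```

Two points the model makes visible that the prose leaves implicit: the authorization server grants exactly the actions requested, never the user's full grant, so a token obtained for pull cannot be replayed for push; and the registry must check expiry itself, since the efficiency gain of reusing a token within its validity period depends entirely on that check. A real Docker Registry expects a JWT signed with the authorization server's key rather than the HMAC token used here, and stored passwords should use a slow hash such as bcrypt or argon2 rather than plain SHA-256.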
The image repository authorization server can be quickly and conveniently integrated with the Docker image repository, and through the above sequence of authentication and authorization steps the Docker image repository achieves fine-grained access control.
In summary, the general-purpose Docker authorization method and device implement access control over operations on the Docker image repository, can be conveniently deployed into Docker as an image, and further improve the efficiency of Docker image repository development.
The above is a further detailed description of the embodiments of the present invention in conjunction with specific implementations, and the specific implementation of the present invention should not be regarded as limited to these descriptions. A person of ordinary skill in the technical field to which the present invention belongs may also make a number of simple deductions or substitutions without departing from the concept of the present invention, and these should all be regarded as falling within the scope of protection of the present invention.
Claims (13)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610978489.9A CN108011862A (en) | 2016-10-31 | 2016-10-31 | The mandate of mirror image warehouse, access, management method and server and client side |
PCT/CN2017/107525 WO2018077169A1 (en) | 2016-10-31 | 2017-10-24 | Image repository authorization, access and management method, server, and client |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610978489.9A CN108011862A (en) | 2016-10-31 | 2016-10-31 | The mandate of mirror image warehouse, access, management method and server and client side |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108011862A true CN108011862A (en) | 2018-05-08 |
Family
ID=62024415
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610978489.9A Withdrawn CN108011862A (en) | 2016-10-31 | 2016-10-31 | The mandate of mirror image warehouse, access, management method and server and client side |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108011862A (en) |
WO (1) | WO2018077169A1 (en) |
- 2016-10-31: CN application CN201610978489.9A (publication CN108011862A), status: not active, withdrawn
- 2017-10-24: WO application PCT/CN2017/107525 (publication WO2018077169A1), status: active, application filing
Also Published As
Publication number | Publication date |
---|---|
WO2018077169A1 (en) | 2018-05-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20180508 |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | |