CN109150863B - Desktop cloud access control method and device and desktop cloud terminal equipment - Google Patents
- Publication number
- CN109150863B (CN201810882540.5A)
- Authority
- CN
- China
- Prior art keywords
- desktop cloud
- usbkey
- virtual machine
- login module
- desktop
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The present application provides an access control method and apparatus for a desktop cloud, and a desktop cloud terminal device. The method includes: a secure login module of the desktop cloud detects a USBkey removal event, where the USBkey removal event indicates that the USBkey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device; the secure login module determines that the USBkey is mapped to the virtual machine that provides the desktop cloud; and the secure login module controls the desktop cloud to be in an accessible state in which it can be accessed by the desktop cloud user. With the method of the embodiments of the present application, the secure login module can determine from the state of the USBkey that the USBkey removal event was triggered because the USBkey was mapped to the virtual machine, and therefore controls the desktop cloud to be in the accessible state, which helps improve user experience.
Description
Technical field
The present application relates to the field of information technology, and more specifically, to an access control method and apparatus for a desktop cloud, and a desktop cloud terminal device.
Background
Desktop cloud is a virtual desktop application based on a cloud computing platform. With software and hardware deployed on the cloud platform, users can access cross-platform applications, and the entire client desktop, through a thin client (TC) or any other network-connected device. The desktop cloud can replace the traditional personal computer (PC) for office work. At present, the desktop cloud is also widely used in industries with high security levels, such as government, the military, and banking. To meet the security requirements of these industries, users need to use a USBkey for identity authentication in order to log in to the desktop cloud.
When logging in to the desktop cloud with a USBkey, the USBkey needs to be mapped from the desktop cloud client to the virtual machine that provides the desktop cloud for identity authentication, in order to obtain permission to access the virtual machine and thereby access the desktop cloud through the virtual machine.
However, in the above login process, to obtain permission to access the virtual machine, the USBkey needs to be mapped from the desktop cloud client to the virtual machine. At that point the desktop cloud client can no longer detect the USBkey, considers the USBkey removed, and puts the desktop cloud into the access-prohibited state, so that the desktop cloud user can no longer access the desktop cloud client.
Summary of the invention
The present application provides an access control method and apparatus for a desktop cloud, and a desktop cloud terminal device, to improve user experience.
In a first aspect, an access control method for a desktop cloud is provided, including: a secure login module of the desktop cloud detects a USBkey removal event, where the USBkey removal event indicates that the USBkey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device; the secure login module determines that the USBkey is mapped to the virtual machine that provides the desktop cloud; and the secure login module controls the desktop cloud to be in an accessible state in which it can be accessed by the desktop cloud user.
In the embodiments of the present application, when the secure login module detects a USBkey removal event and that event was triggered because the USBkey was mapped to the virtual machine of the desktop cloud, the secure login module controls the desktop cloud to be in the accessible state. This avoids the problem of the traditional access control approach, in which, during login with a USBkey, the secure login module mistakes the mapping of the USBkey to the virtual machine for removal of the USBkey and puts the desktop cloud into the access-prohibited state. This helps improve the user experience of the desktop cloud.
In a possible implementation, the method further includes: the secure login module receives first indication information sent by the desktop cloud client, where the first indication information indicates that the USBkey has been removed from the virtual machine; and the secure login module controls the desktop cloud to be in an access-prohibited state in which access by the desktop cloud user is prohibited.
The access-prohibited state may include interrupting the desktop protocol of the desktop cloud, and/or putting the terminal of the desktop cloud into a locked-screen state. Of course, if only the desktop protocol of the desktop cloud is interrupted, the user can still operate the desktop cloud terminal device but cannot log in to the desktop cloud; in that case the desktop cloud terminal device behaves like a traditional PC.
In the embodiments of the present application, the secure login module communicates with the desktop cloud client and, after learning that the USBkey has been removed from the virtual machine, controls the desktop cloud to be in the access-prohibited state, which helps improve the security of the desktop cloud.
In a possible implementation, the secure login module determining that the USBkey is mapped to the virtual machine that provides the desktop cloud includes: the secure login module obtains the state of the USBkey, where the state of the USBkey is mapped to the virtual machine.
In a possible implementation, before the secure login module obtains the state of the USBkey, the method further includes: the secure login module receives second indication information sent by the client of the desktop cloud, where the second indication information indicates that the USBkey is mapped from the desktop cloud terminal device to the virtual machine; and the secure login module modifies the state of the USBkey according to the indication information.
It should be noted that the secure login module may also modify the state of the USBkey before it detects the USBkey removal event, to improve the accuracy with which the secure login module obtains the USBkey state. This avoids the case in which the USBkey removal event is detected before the secure login module has modified the state of the USBkey, and helps improve the accuracy with which the secure login module controls access to the desktop cloud.
In a possible implementation, the secure login module determining that the USBkey is mapped through USB mapping to the virtual machine that provides the desktop cloud includes: the secure login module queries the device directory recorded by the desktop cloud terminal device and finds that a port for accessing the USBkey is recorded there; and the secure login module determines that the USBkey is mapped to the virtual machine.
In a possible implementation, the method further includes: the secure login module determines that the USBkey is mapped from the virtual machine to the desktop cloud terminal device; and the secure login module controls the desktop cloud to be in an access-prohibited state in which access by the desktop cloud user is prohibited.
In the embodiments of the present application, when the secure login module determines that the USBkey is mapped from the virtual machine to the desktop cloud terminal device, it controls the desktop cloud to be in the access-prohibited state, to improve the security of the desktop cloud.
In a second aspect, an access control apparatus for a desktop cloud is provided, and the apparatus includes modules for executing the above method.
In a third aspect, a desktop cloud terminal device is provided, including a processor and a memory. The memory is used to store a computer program, and the processor is used to call the computer program from the memory and run it, so that the controller executes the above method.
In a fourth aspect, a computer program product is provided. The computer program product includes computer program code which, when run on a computer, causes the computer to execute the methods in the above aspects.
It should be noted that the above computer program code may be stored in whole or in part on a first storage medium, where the first storage medium may be packaged together with the processor or packaged separately from the processor, which is not specifically limited in this application.
In a fifth aspect, a computer-readable medium is provided. The computer-readable medium stores program code which, when run on a computer, causes the computer to execute the methods in the above aspects.
Brief description of the drawings
FIG. 1 is a schematic diagram of a desktop cloud system used in an embodiment of the present application.
FIG. 2 is a schematic flowchart of an access control method for a desktop cloud according to an embodiment of the present application.
FIG. 3 is a schematic diagram of an access control apparatus for a desktop cloud according to an embodiment of the present application.
FIG. 4 is a schematic block diagram of a desktop cloud terminal device according to an embodiment of the present application.
Detailed description
The technical solutions in the present application are described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of a desktop cloud system used in an embodiment of the present application. The desktop cloud system 100 shown in FIG. 1 includes a desktop cloud terminal device 110 and a desktop cloud platform 120.
The desktop cloud terminal device 110 provides a user interface for the desktop cloud. A secure login module 111 and a desktop cloud client 112 may be provided in the desktop cloud terminal device.
For example, the desktop cloud terminal device 110 may be a thin client or any other network-connected device. The thin client (or thin terminal) applies hardware-level transcoding to its built-in storage, and the transcoding algorithm is bound to unique information of the hardware. The TC system may use a streamlined, hardened embedded Linux OS or an embedded Windows OS, and the TC has no local storage.
The secure login module 111 controls the access state of the desktop cloud. The access state includes an accessible state, in which the desktop cloud can be accessed by the desktop cloud user, and an access-prohibited state, in which access by the desktop cloud user is prohibited.
The desktop cloud client 112, also called the desktop protocol client, communicates with the desktop protocol server of the desktop cloud platform to establish a desktop protocol channel.
The desktop cloud platform 120 manages and schedules desktop cloud resources. For example, it may be the cloud management system FusionManager, which integrates the interface of the desktop cloud service maintenance system, the interface of the virtualization platform, and the interface of the hardware management system. Taking the Huawei desktop cloud platform as an example, the desktop cloud platform may include a web interface (WI), the Huawei desktop controller (HDC), GaussDB, an ITA node, a License node, and the like.
WI: Provides the web login interface for users. When a user initiates a login request, the WI forwards the user's login information (the encrypted user name and password) to the HDC. The WI presents the virtual machine list provided by the HDC to the user and serves as the user's entry point for accessing virtual machines.
Huawei desktop controller (HDC): The core component of the desktop cloud management system. It handles virtual desktop service provisioning, virtual desktop management, virtual desktop login management, and virtual machine policy management.
GaussDB: Provides the database for the ITA and the HDC and stores data such as the association between virtual machines and users, desktop groups, virtual machine naming rules, and scheduled task information.
ITA node: The ITA provides interfaces and Portal functions for users to manage virtual IT assets, and implements functions such as virtual machine creation and allocation, virtual machine state management, virtual machine image management, and operation and maintenance of the virtual desktop system.
License node: The system that manages and issues desktop cloud licenses. The License server is used to control the number of users accessing the desktop cloud.
TC management: Centralized management of thin terminals, including version upgrades, state management, information monitoring, and log management.
In the traditional process of logging in to the desktop cloud with a USBkey, the USBkey needs to be mapped from the desktop cloud client to the virtual machine to obtain permission to access the virtual machine. At that point the desktop cloud client can no longer detect the USBkey and therefore locks the screen of the desktop cloud client, so that the desktop cloud user can no longer access the desktop cloud client. However, the USBkey is mapped to the virtual machine only so that identity authentication can be performed in the virtual machine and the user can select a virtual machine for accessing the desktop cloud. Mapping the USBkey to the virtual machine is different from logging out of the desktop cloud by physically pulling out the USBkey: in the mapping scenario, the user still needs to access the desktop cloud and still has permission to do so (the USBkey is still plugged into the desktop cloud client).
Therefore, to avoid the desktop cloud entering the access-prohibited state in this scenario because the USBkey is mapped to the virtual machine, the present application provides an access control method for a desktop cloud that performs login authentication according to whether the USBkey is mapped to the virtual machine, and thereby controls whether the desktop cloud is in the accessible state or the access-prohibited state.
The method of the embodiments of the present application is described below with reference to FIG. 2. FIG. 2 is a schematic flowchart of an access control method for a desktop cloud according to an embodiment of the present application. It should be understood that the method shown in FIG. 2 may be executed by the secure login module 111 shown in FIG. 1.
210. The secure login module of the desktop cloud detects a USBkey removal event, where the USBkey removal event indicates that the USBkey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device.
It should be noted that many kinds of USB devices are used with desktop cloud terminal devices, including USB flash drives, USBkeys, and others. To distinguish a USBkey removal event from the removal events of other USB devices, the PID/VID information of the USBkey can be used to determine whether the current removal event is a USBkey removal event or the removal event of another USB device.
220. The secure login module determines that the USBkey is mapped to the virtual machine that provides the desktop cloud, where the mapping may be PC/SC mapping, USB mapping, or another mapping method.
Mapping the USBkey to the virtual machine that provides the desktop cloud can be understood as providing the identity authentication information in the USBkey to the virtual machine, so that the virtual machine can determine from the identity authentication information whether the user has permission to use the virtual machine.
Optionally, step 220 above includes: the secure login module obtains the state of the USBkey, where the state of the USBkey is mapped to the virtual machine.
The secure login module can record the state of the USBkey and use that state to decide, when the USBkey removal event is detected, whether the USBkey was physically pulled out of the desktop cloud terminal device or was mapped to the virtual machine. Correspondingly, the state that indicates the USBkey is mapped to the virtual machine may be called "located in the virtual machine".
The function of recording the state of the USBkey can be implemented by the secure login module, but the operations that map the USBkey to the virtual machine are performed mainly by the desktop cloud client. In other words, the desktop cloud client needs to notify the secure login module of the current state of the USBkey so that the secure login module can record it.
That is, before the secure login module of the desktop cloud detects the USBkey removal event, the method further includes: the secure login module receives second indication information sent by the client of the desktop cloud, where the second indication information indicates that the USBkey is mapped from the desktop cloud terminal device to the virtual machine; and the secure login module modifies the state of the USBkey according to the indication information.
It should be noted that the desktop cloud client may notify the secure login module to record the state of the USBkey before the desktop cloud client maps the USBkey to the virtual machine. This avoids the case in which, after mapping the USBkey to the virtual machine, the desktop cloud client has not yet had time to notify the secure login module when the secure login module detects the USBkey removal event; in that case the secure login module cannot know the accurate state of the USBkey and puts the desktop cloud into the access-prohibited state. Of course, in the embodiments of the present application the secure login module may also be notified of the USBkey state after the desktop cloud client maps the USBkey to the virtual machine, but this order of execution may cause the secure login module to misjudge.
The communication mechanism by which the desktop cloud client notifies the secure login module to record the state of the USBkey can reuse the system event handling mechanism of the operating system. That is, the desktop cloud client generates a USBkey removal event, generates the second indication information according to that event, and notifies the secure login module to record the state of the USBkey. Specifically, the system event that indicates the USBkey is mapped to the virtual machine may be named the USBkey-mapped-from-desktop-cloud-client-to-virtual-machine event (USBkey FROM TC TO VM EVT).
Optionally, as an embodiment, step 220 includes: the secure login module queries the device directory recorded by the desktop cloud terminal device and finds that a port for accessing the USBkey is recorded there; and the secure login module determines that the USBkey is mapped to the virtual machine.
In other operating systems, such as Linux, it is also possible to distinguish whether the USBkey has been mapped to the virtual machine or unplugged from the desktop cloud terminal device by querying whether the port information of the USBkey is still recorded under the device directory of the operating system (for example, dev/bus/usb). That is, if the port information of the USBkey cannot be found in the device directory, the USBkey has been unplugged from the desktop cloud terminal device; if the port information of the USBkey can be found in the device directory, the USBkey is mapped to the virtual machine.
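One way to run the device-directory check described above, as an added example that is not code from the patent. It assumes a Linux usbfs-style tree whose bus/device nodes begin with the standard 18-byte USB device descriptor; the function names, root path and VID/PID values are assumptions, and the sample descriptor is constructed.

```python
import struct
from pathlib import Path

# Standard 18-byte USB device descriptor, little-endian:
# bLength, bDescriptorType, bcdUSB, class, subclass, protocol, maxpacket0,
# idVendor, idProduct, bcdDevice, iManufacturer, iProduct, iSerial, bNumConfigs
DEVICE_DESCRIPTOR = struct.Struct("<BBHBBBBHHHBBBB")


def make_device_descriptor(vid, pid):
    """Build a constructed device descriptor for a sample device tree."""
    return DEVICE_DESCRIPTOR.pack(18, 1, 0x0200, 0, 0, 0, 64,
                                  vid, pid, 0x0100, 1, 2, 3, 1)


def usbkey_port_present(device_root, vid, pid):
    """Return True if a node under device_root (bus/device) reports vid/pid."""
    for node in sorted(Path(device_root).glob("*/*")):
        try:
            with node.open("rb") as handle:
                head = handle.read(DEVICE_DESCRIPTOR.size)
        except OSError:
            continue  # node vanished or is unreadable: treat as not found
        if len(head) < DEVICE_DESCRIPTOR.size:
            continue  # truncated entry, not a full device descriptor
        fields = DEVICE_DESCRIPTOR.unpack(head)
        if fields[0] != 18 or fields[1] != 1:
            continue  # not a device descriptor
        if (fields[7], fields[8]) == (vid, pid):
            return True
    return False


def classify_removal(device_root, vid, pid):
    """Apply the rule in the text after a USBkey removal event.

    Port information still present means the key was mapped to the virtual
    machine; absent means it was unplugged. Unreadable or malformed nodes
    count as absent, so errors resolve to the access-prohibited outcome.
    """
    if usbkey_port_present(device_root, vid, pid):
        return "mapped_to_vm"
    return "unplugged"
```

On a real terminal the caller would pass the device directory named in the text and the VID/PID of the deployed USBkey model, and would need read permission on the nodes.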
230. The secure login module controls the desktop cloud to be in an accessible state in which it can be accessed by the desktop cloud user.
The desktop cloud being in the accessible state may include: the desktop protocol of the desktop cloud can communicate normally, and the display of the desktop cloud terminal device is not locked.
In the embodiments of the present application, when the secure login module detects a USBkey removal event and that event was triggered because the USBkey was mapped to the virtual machine of the desktop cloud, the secure login module controls the desktop cloud to be in the accessible state. This avoids the problem of the traditional access control approach, in which, during login with a USBkey, the secure login module mistakes the mapping of the USBkey to the virtual machine for removal of the USBkey and puts the desktop cloud into the access-prohibited state. This helps improve the user experience of the desktop cloud.
Optionally, as an embodiment, the method further includes: the secure login module receives first indication information sent by the desktop cloud client, where the first indication information indicates that the USBkey has been removed from the virtual machine; and the secure login module controls the desktop cloud to be in an access-prohibited state in which access by the desktop cloud user is prohibited.
If, after the USBkey has been mapped to the virtual machine, the secure login module receives the first indication information from the desktop cloud client indicating that the USBkey has been removed from the virtual machine, the secure login module can control the desktop cloud to be in the access-prohibited state.
The access-prohibited state may include interrupting the desktop protocol of the desktop cloud; further, the terminal of the desktop cloud may also be put into a locked-screen state. Of course, if only the desktop protocol of the desktop cloud is interrupted, the user can still operate the desktop cloud terminal device but cannot log in to the desktop cloud; in that case the desktop cloud terminal device behaves like a traditional PC.
It should be noted that the mechanism by which the desktop cloud client sends the first indication information to the secure login module is the same as the mechanism, described above, by which it sends the second indication information: both can reuse the existing event handling mechanism of the operating system. Of course, the system event that triggers the second indication information may be named the USBkey-removed-from-virtual-machine event (USBkey REMOVE FROM VM EVT).
In the embodiments of the present application, the secure login module communicates with the desktop cloud client and, after learning that the USBkey has been removed from the virtual machine, controls the desktop cloud to be in the access-prohibited state, which helps improve the security of the desktop cloud.
可选地,作为一个实施例,所述方法还包括:所述安全登录模块确定所述USBkey从所述虚拟机映射至所述桌面云终端设备;所述安全登录模块控制所述桌面云处于禁止被所述桌面云用户访问的禁止访问状态。Optionally, as an embodiment, the method further includes: the security login module determines that the USB key is mapped from the virtual machine to the desktop cloud terminal device; the security login module controls the desktop cloud to be disabled Access prohibited status accessed by the desktop cloud user.
上述安全登录模块确定USBkey从虚拟机映射至桌面云终端设备的方式,与上述安全登录模块确定USBkey从桌面云终端设备映射至虚拟机的方式相同,为了简洁,在此不作具体介绍。The way that the above-mentioned secure login module determines that the USB key is mapped from the virtual machine to the desktop cloud terminal device is the same as the way that the above-mentioned security login module determines that the USB key is mapped from the desktop cloud terminal device to the virtual machine.
The system event that indicates that the USBkey is mapped from the virtual machine to the desktop cloud terminal device may be named the USBkey-mapped-from-virtual-machine-to-desktop-cloud-terminal-device event (USBkey FROM VM TO TCEVT).
The system event in which the USBkey is mapped from the virtual machine to the desktop cloud terminal device may occur when the desktop cloud user wishes to exit the virtual machine. In this case, the access-prohibited state may consist only of disconnecting the desktop protocol of the desktop cloud, so that the user cannot log in to the virtual machine from the desktop cloud terminal device but can still operate the desktop cloud client in the same way as a PC. Of course, the secure login module may also lock the desktop cloud terminal device at the same time; this embodiment of the present application does not specifically limit this.
In this embodiment of the present application, when the secure login module determines that the USBkey is mapped from the virtual machine to the desktop cloud terminal device, it controls the desktop cloud to be in the access-prohibited state, so as to improve the security of the desktop cloud.
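The event handling described above can be read as a small state machine in the secure login module. The following is an added illustration, not code from the patent: the class, enum and field names are hypothetical, the event sequences are constructed, and forbidding access when the USBkey leaves the terminal without a recorded mapping to the virtual machine is an assumption, since this section only states the mapped case.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class KeyState(Enum):
    ON_TERMINAL = auto()    # plugged into the desktop cloud terminal device
    MAPPED_TO_VM = auto()   # redirected into the virtual machine
    ABSENT = auto()         # not available on either side


class Event(Enum):
    REMOVED_FROM_TERMINAL = auto()  # USBkey removal event seen by the terminal OS
    MAPPED_TC_TO_VM = auto()        # second indication information from the client
    REMOVED_FROM_VM = auto()        # first indication (USBkey REMOVE FROM VM EVT)
    MAPPED_VM_TO_TC = auto()        # USBkey FROM VM TO TCEVT


@dataclass
class SecureLoginModule:
    lock_screen_on_forbid: bool = False      # optional lock described in the text
    key_state: KeyState = KeyState.ON_TERMINAL
    protocol_connected: bool = True          # desktop protocol session is up
    screen_locked: bool = False
    audit: list = field(default_factory=list)

    def _forbid(self, reason: str) -> None:
        # Access-prohibited state: always interrupt the desktop protocol,
        # and lock the terminal screen only if the deployment asks for it.
        self.protocol_connected = False
        self.screen_locked = self.lock_screen_on_forbid
        self.audit.append(("forbid", reason))

    def handle(self, event: Event) -> bool:
        """Apply one event and return True if the desktop cloud is accessible."""
        if event is Event.MAPPED_TC_TO_VM:
            self.key_state = KeyState.MAPPED_TO_VM
        elif event is Event.REMOVED_FROM_TERMINAL:
            if self.key_state is KeyState.MAPPED_TO_VM:
                # The key only moved into the VM; the session stays usable.
                self.audit.append(("allow", "removal explained by VM mapping"))
            else:
                # Assumption: fail closed when no mapping was recorded first.
                self.key_state = KeyState.ABSENT
                self._forbid("key unplugged from terminal")
        elif event is Event.REMOVED_FROM_VM:
            self.key_state = KeyState.ABSENT
            self._forbid("key removed from virtual machine")
        elif event is Event.MAPPED_VM_TO_TC:
            self.key_state = KeyState.ON_TERMINAL
            self._forbid("key mapped back to terminal")
        return self.protocol_connected


def replay(events, lock_screen_on_forbid=False) -> SecureLoginModule:
    """Feed a constructed event sequence to a fresh module and return it."""
    module = SecureLoginModule(lock_screen_on_forbid=lock_screen_on_forbid)
    for event in events:
        module.handle(event)
    return module


if __name__ == "__main__":
    normal = replay([Event.MAPPED_TC_TO_VM, Event.REMOVED_FROM_TERMINAL])
    raced = replay([Event.REMOVED_FROM_TERMINAL, Event.MAPPED_TC_TO_VM])
    print(normal.protocol_connected, raced.protocol_connected)
```

The second sequence shows why event ordering matters: if the terminal's removal event is processed before the mapping notice arrives, this sketch drops the session and a late mapping notice does not restore it.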
Optionally, as an embodiment, when logging in to the desktop cloud terminal device, when the desktop cloud terminal device sends a login request to the desktop cloud platform, the WI located on the desktop cloud platform may randomly generate a login password and return it to the desktop cloud controller to be cached for the user's subsequent login to the virtual machine. The number of times the randomly generated password is valid may be set to 1; that is, each login request needs its own new login password, which improves the security of the user's login to the virtual machine.
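A minimal sketch of the single-use login password described above, added here as an illustration and not taken from the patent. The class and method names are hypothetical, the request ids are constructed, and consuming the password on a failed attempt as well as a successful one is an assumption about how "valid once" is enforced.

```python
import hmac
import secrets


class LoginPasswordCache:
    """Stand-in for the desktop cloud controller's cache of WI-issued passwords."""

    def __init__(self):
        self._pending = {}  # login request id -> one-time password

    def issue(self, request_id: str) -> str:
        # One fresh random password per login request; re-issuing for the
        # same request id replaces (and so invalidates) the previous one.
        password = secrets.token_urlsafe(24)
        self._pending[request_id] = password
        return password

    def redeem(self, request_id: str, presented: str) -> bool:
        # pop() consumes the entry before comparing, so the password is
        # gone after one attempt whether or not that attempt succeeds.
        expected = self._pending.pop(request_id, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), presented.encode())

    def is_pending(self, request_id: str) -> bool:
        return request_id in self._pending


def demo():
    """Return (first use, replay, wrong guess, still pending after guess)."""
    cache = LoginPasswordCache()
    password = cache.issue("req-1")          # constructed request id
    first = cache.redeem("req-1", password)
    replayed = cache.redeem("req-1", password)
    cache.issue("req-2")
    wrong_guess = cache.redeem("req-2", "guess")
    return first, replayed, wrong_guess, cache.is_pending("req-2")


if __name__ == "__main__":
    print(demo())
```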
The access control method for the desktop cloud according to the embodiments of the present invention has been described in detail above with reference to FIG. 1 and FIG. 2; the apparatus of the embodiments of the present invention is described in detail below with reference to FIG. 3 and FIG. 4. It should be noted that the apparatuses shown in FIG. 3 and FIG. 4 can implement each step of the above method; for brevity, details are not repeated here.
FIG. 3 is a schematic diagram of an access control apparatus for a desktop cloud according to an embodiment of the present application. The apparatus 300 shown in FIG. 3 includes a detection module 310, a processing module 320 and a control module 330.
The detection module 310 is configured to detect a USBkey removal event, where the USBkey removal event indicates that the USBkey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device;
The processing module 320 is configured to determine that the USBkey is mapped to the virtual machine that provides the desktop cloud;
The control module 330 is configured to control the desktop cloud to be in an accessible state in which it can be accessed by the desktop cloud user.
Optionally, as an embodiment, the control module is further configured to: receive first indication information sent by the desktop cloud client, where the first indication information indicates that the USBkey has been removed from the virtual machine; and control the desktop cloud to be in an access-prohibited state in which access by the desktop cloud user is prohibited.
Optionally, as an embodiment, the processing module is configured to: acquire the state of the USBkey, where the state of the USBkey is "mapped to the virtual machine".
Optionally, as an embodiment, the processing module is further configured to: receive second indication information sent by the client of the desktop cloud, where the second indication information indicates that the USBkey is mapped from the desktop cloud terminal device to the virtual machine; and modify the state of the USBkey according to the indication information.
Optionally, as an embodiment, the processing module is further configured to: query the device directory recorded by the desktop cloud terminal device and find that a port for accessing the USBkey is recorded there; and determine that the USBkey is mapped to the virtual machine.
Optionally, as an embodiment, the control module is further configured to: determine that the USBkey is mapped from the virtual machine to the desktop cloud terminal device; and control the desktop cloud to be in an access-prohibited state in which access by the desktop cloud user is prohibited.
In an optional embodiment, the apparatus 300 may also be a desktop cloud terminal device 400. Specifically, the detection module 310, the processing module 320 and the control module 330 may be a processor 420, and the apparatus may further include a memory 410 and an input/output interface 430, as shown in FIG. 4.
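FIG. 4 is a schematic block diagram of a desktop cloud terminal device according to an embodiment of the present application. The desktop cloud terminal device 400 shown in FIG. 4 may include a memory 410, a processor 420 and an input/output interface 430. The memory 410, the processor 420 and the input/output interface 430 are connected through an internal connection path. The memory 410 is used to store program instructions, and the processor 420 is used to execute the program instructions stored in the memory 420, so as to control the input/output interface 430 to receive input data and information and to output data such as operation results.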
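It should be understood that, in this embodiment of the present application, the processor 420 may be a general-purpose central processing unit (Central Processing Unit, CPU), a microprocessor, an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solutions provided by the embodiments of the present application.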
The memory 410 may include read-only memory and random access memory, and provides instructions and data to the processor 420. A part of the processor 420 may also include non-volatile random access memory. For example, the processor 420 may also store device type information.
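In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 420 or by instructions in the form of software. The method disclosed in the embodiments of the present application may be carried out directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may be located in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory 410; the processor 420 reads the information in the memory 410 and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.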
It should be understood that, in this embodiment of the present application, the processor may be a central processing unit (CPU), or it may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of this application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative. The division into units is only a division by logical function; in an actual implementation there may be other ways of dividing them, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above are only specific embodiments of the present application, but the protection scope of the present application is not limited to them. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (14)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810882540.5A CN109150863B (en) | 2018-07-31 | 2018-07-31 | Desktop cloud access control method and device and desktop cloud terminal equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109150863A (en) | 2019-01-04 |
| CN109150863B (en) | 2020-10-09 |
Family
ID=64791621
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810882540.5A Active CN109150863B (en) | 2018-07-31 | 2018-07-31 | Desktop cloud access control method and device and desktop cloud terminal equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109150863B (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109150863A (en) | 2019-01-04 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | TR01 | Transfer of patent right | Effective date of registration: 20220209. Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province. Patentee after: Huawei Cloud Computing Technologies Co.,Ltd. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen. Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |
| | TR01 | Transfer of patent right | Effective date of registration: 20221207. Address after: 518129 Huawei Headquarters Office Building 101, Wankecheng Community, Bantian Street, Longgang District, Shenzhen, Guangdong. Patentee after: Shenzhen Huawei Cloud Computing Technology Co.,Ltd. Address before: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province. Patentee before: Huawei Cloud Computing Technologies Co.,Ltd. |