
CN115801833A - Enterprise-level public cloud resource management method and system - Google Patents


Info

Publication number: CN115801833A
Authority: CN (China)
Prior art keywords: resource, data, account, organization, management
Legal status: Granted
Application number: CN202211434481.8A
Other languages: Chinese (zh)
Other versions: CN115801833B (en)
Inventor: 李冰
Current assignee: Zhejiang 99Cloud Information Service Co Ltd
Original assignee: Zhejiang 99Cloud Information Service Co Ltd
Application filed by Zhejiang 99Cloud Information Service Co Ltd
Priority to CN202211434481.8A
Publication of CN115801833A
Application granted
Publication of CN115801833B
Legal status: Active

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a method and system for managing enterprise-level public cloud resources, the method comprising: the management platform, in combination with the STS service provided by the cloud platform, processes resource data using a unified login account plus third-party storage; a scheduled resource synchronization mode is adopted; thread pool technology is adopted to synchronize the resources of multiple accounts simultaneously; a NoSQL database is introduced to store large volumes of resource data; an organizational relationship for enterprise tenant isolation is introduced; the management platform analyzes the resource utilization rate according to resource usage statistics and generates a resource optimization plan; and resource cost data of various kinds from different cloud platforms is integrated. This improves the efficiency of enterprise public cloud resource management and operations, saves labor, reduces operations costs, raises resource utilization and improves security, while providing unified resource data that makes it easy to extend functionality and to optimize resource and cost investment.

Description

An enterprise-level public cloud resource management method and system

Technical field

The invention relates to the field of data supervision, and in particular to an enterprise-level public cloud resource management method and system.

Background

When an enterprise uses a public cloud, it usually manages multiple accounts through an organization management service, such as AWS Organizations, the Alibaba Cloud Resource Management service, the Tencent Cloud Organization service or the Huawei Cloud Enterprise Management service. A large enterprise may have over a hundred or even several hundred accounts, each assigned to a particular user who frequently operates on common resources. These mainly include basic compute resources (cloud servers, images, resource orchestration, etc.), storage resources (data volumes, file storage, object storage, etc.), network resources (VPCs, security groups, public IPs, routers, load balancers, etc.), and service resources such as databases, containers and middleware, security, and monitoring and alerting. A typical enterprise's resource count is as follows: more than 1,000 cloud hosts, more than 1,000 cloud data volumes, more than 500 networks, and storage, database and other services used on demand in varying quantities. End users must log in to the public cloud platform separately to operate these resources; if the enterprise uses multiple cloud platforms, such as AWS, Alibaba Cloud and Tencent Cloud, they must log in to each platform in turn to perform operations. When department or enterprise operations administrators compile the overall resource and cost usage of a department or of the enterprise, they must first tally the resources and costs of every account by hand and then aggregate them. This way of managing resources requires operations staff to record a large amount of account information and maintain each account's resources manually; the repetitive workload is heavy, the operation is cumbersome, and there is a risk that account passwords leak in bulk.

Summary of the invention

In view of the above problems, the present invention is proposed to provide an enterprise-level public cloud resource management method and system that overcomes, or at least partially solves, the above problems.

According to one aspect of the present invention, an enterprise-level public cloud resource management method is provided, the management method comprising:

the management platform, in combination with the STS service provided by the cloud platform, processes resource data using a unified login account plus third-party storage;

a scheduled resource synchronization mode is adopted;

thread pool technology is adopted to synchronize the resources of multiple accounts simultaneously;

a NoSQL database is introduced to store large volumes of resource data;

an organizational relationship for enterprise tenant isolation is introduced;

the management platform analyzes the resource utilization rate according to resource usage statistics and generates a resource optimization plan;

resource cost data of various kinds from different cloud platforms is integrated.

Optionally, introducing the organizational relationship for enterprise tenant isolation specifically comprises: establishing a top-down management approach that automatically corresponds to the cloud platform's organizational relationship, automatically creating department and user information from the cloud platform's user organization, and automatically binding each resource to the organization and user it belongs to.

Optionally, integrating the resource cost data of different cloud platforms specifically comprises: according to different needs, compiling the cost usage of each organization and each resource type along different dimensions, to provide a data basis for resource optimization, resource allocation and cost forecasting.

Optionally, the management method further comprises creating a unified login account on the cloud platform and authorizing policies, which specifically comprises:

logging in with the primary account under the cloud platform organization, creating a sub-user under the primary account and generating an AccessKeyId and AccessKeySecret, the primary account being used as the organization's unified login account;

creating a custom policy under the organization's unified login account that authorizes access to the STS AssumeRole action;

granting the custom policy to the sub-account of the organization's unified login account.

Optionally, the management method further comprises verifying the configuration:

after logging in to the sub-account of the organization's unified login account, performing a switch-role operation with each of the other member accounts and roles to verify that the switch succeeds.

Optionally, the unified resource management specifically comprises:

using the AccessKeyId and AccessKeySecret together with the STS service to call the APIs provided by the cloud platform to obtain resource information, saving it to a local database, performing secondary processing on the resources, and realizing unified resource management through the management system's functions.

The present invention also provides an enterprise-level public cloud resource management system, the management system comprising:

a resource management module, used by the management platform, in combination with the STS service provided by the cloud platform, to process resource data using a unified login account plus third-party storage;

a data synchronization module, configured to synchronize data in a scheduled resource synchronization mode;

an account resource synchronization module, configured to use thread pool technology to synchronize the resources of multiple accounts simultaneously;

a resource data storage module, configured to introduce a NoSQL database to store large volumes of resource data;

an organizational relationship import module, configured to introduce the organizational relationship for enterprise tenant isolation;

an optimization plan generation module, used by the management platform to analyze the resource utilization rate according to resource usage statistics and generate a resource optimization plan;

a data integration module, configured to integrate resource cost data of various kinds from different cloud platforms.

In the enterprise-level public cloud resource management method and system provided by the present invention, the management method comprises: the management platform, in combination with the STS service provided by the cloud platform, processing resource data using a unified login account plus third-party storage; adopting a scheduled resource synchronization mode; adopting thread pool technology to synchronize the resources of multiple accounts simultaneously; introducing a NoSQL database to store large volumes of resource data; introducing an organizational relationship for enterprise tenant isolation; the management platform analyzing the resource utilization rate according to resource usage statistics and generating a resource optimization plan; and integrating resource cost data of various kinds from different cloud platforms. This improves the efficiency of enterprise public cloud resource management and operations, saves labor, reduces operations costs, raises resource utilization and improves security, while providing unified resource data that makes it easy to extend functionality and to optimize resource and cost investment.

The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the description, and in order to make the above and other objects, features and advantages of the present invention more evident and comprehensible, specific embodiments of the present invention are set out below.

Description of drawings

In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic diagram of the basic public cloud STS configuration provided by an embodiment of the present invention;

FIG. 2 shows the unified management system for public cloud organization resources provided by an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.

The terms "comprising" and "having", and any variations thereof, in the description, embodiments, claims and drawings of the present invention are intended to cover non-exclusive inclusion, for example the inclusion of a series of steps or units.

The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.

As shown in FIG. 1, the management platform, in combination with the STS service provided by the cloud platform, processes resource data using a unified login account plus third-party storage, improving the efficiency and security of platform operations. Scheduled resource synchronization keeps the resource state held by the management platform consistent with the actual state of the cloud resources while reducing the call frequency against the cloud platform's API and saving bandwidth. Thread pool technology synchronizes the resources of multiple accounts simultaneously, improving the efficiency of data retrieval and storage. A NoSQL database is introduced to store large volumes of resource data, improving storage and read performance. An organizational relationship for enterprise tenant isolation establishes a top-down management approach that automatically corresponds to the cloud platform's organizational relationship, automatically creates department and user information from the cloud platform's user organization, and automatically binds each resource to the organization and user it belongs to, eliminating a large amount of manual operations work and improving operations efficiency. The management platform can analyze the resource utilization rate from resource usage statistics and generate resource optimization plans, raising enterprise resource utilization and reducing costs. It can integrate resource cost data of various kinds from different cloud platforms and, according to different needs, compile the cost usage of each organization and each resource type along different dimensions, providing a data basis for resource optimization, resource allocation and cost forecasting. Building a resource management platform in this way improves enterprise-level cloud operations efficiency: by integrating data from different cloud platforms, enterprise resources are managed in a unified, efficient and rapid manner, and functions are extended on the basis of the unified data to raise resource utilization.

The present invention is a fast, efficient, convenient, unified and secure solution, designed on the basis of existing public cloud technology, for improving enterprise-level public cloud resource management. It improves the efficiency of enterprise public cloud resource management and operations, saves labor, reduces operations costs, raises resource utilization and improves security, while providing unified resource data that makes it easy to extend functionality and to optimize resource and cost investment. The solution applies to any cloud platform that supports an STS service.

Working principle provided by the present invention

Creating a unified login account and authorizing policies on the cloud platform

Log in with the primary account under a given cloud platform organization, create a sub-user under this account and generate an AccessKeyId and AccessKeySecret; this account is used as the organization's unified login account (hereinafter OUA, Organization Unified login Account);

Create a custom policy under the OUA sub-account that authorizes access to the STS AssumeRole action;

Grant the policy from step 2 to the OUA sub-account.

Configuring the other accounts under the organization, apart from the OUA account, specifically comprises:

In every member account other than the OUA account, create a policy granting the permissions that the OUA account is delegated to manage (that is, which resources in the given account can be managed through the OUA account), or use an existing policy that meets the requirements;

In the account from step 1, create a role (the roles created in all accounts are given one uniform name, such as AssumeRoleForCmp) and attach the policy created in step 1 to this role;

Add a trust policy to the role created in step 2 so that it trusts delegated management by the OUA account.

Verify the configuration: after logging in to the OUA sub-account, perform a switch-role operation with each of the other member accounts and the role (AssumeRoleForCmp) to verify that the switch succeeds.

Unified resource management specifically comprises: using the AccessKeyId and AccessKeySecret together with the STS service to call the APIs provided by the cloud platform to obtain resource information, saving it to a local database, performing secondary processing on the resources, and realizing unified resource management through the management system's functions. The system provides two resource synchronization modes: manual synchronization and automatic synchronization. Automatic synchronization runs daily at a scheduled off-peak time, and the synchronization time is configurable.

Use the AccessKeyId + AccessKeySecret + organization management account ID + delegated management role (AssumeRoleForCmp) to authenticate for a temporary security token, call the organization and account APIs to query the organization information and account list, and save the data and their relationships to the local database; subsequent maintenance then selects accounts directly from the local database, with no manual maintenance required;

Use the AccessKeyId + AccessKeySecret + organization member account ID + delegated management role (AssumeRoleForCmp) to authenticate for a temporary security token for a specific account, call the resource query APIs, query the required resources and save them to the local database, and save the mapping between resources and accounts. Resources are saved to the local database in order to reduce the call frequency against the cloud platform's APIs; if this is not a concern, resource information can be queried in real time. The synchronized resources mainly include organization information, accounts, VPCs, subnets, network interfaces, public IPs, routers, load balancers, security groups, instance types, images, key pairs, cloud hosts, data volumes, data volume snapshots, RDS databases, file storage, object storage, container services, monitoring alerts, cost information and other common resources.

Use the AccessKeyId + AccessKeySecret + the ID of the account owning the resource + delegated management role (AssumeRoleForCmp) to authenticate for a temporary security token, and use the temporary security token to manage the resource, for example powering a cloud host on or off. When managing resources already in the local database, the owning account is already bound to the resource and need not be specified manually; when creating a resource, the account information is pulled from the database for the operator to choose, with no manual entry required.

Based on the locally saved data, flexible visualization can be developed according to specific needs, displaying all the resources under the organization on the management platform, which facilitates unified resource management and saves operations costs.

Data synchronization uses thread pool technology, with the account as the unit of work and multiple threads synchronizing concurrently. Because the work mainly consists of network requests for resources and database writes, the number of core threads is sized for I/O-bound work, that is, number of threads = number of CPU cores / (1 - 0.8); for a system running on a 4-core server, the number of threads is set to 20. Assuming 200 accounts, synchronizing them one by one takes about 40 minutes (the synchronization time depends on the amount of resources; the more resources, the longer it takes), whereas multi-threaded concurrent synchronization completes in about 5 minutes, which greatly improves the efficiency of reading resources.

Taking the AWS public cloud as an example, the STS service is configured and public cloud resources are obtained using the STS authentication information.

The present invention improves the resource management method on the basis of current public cloud technology: it obtains the resources under all accounts of the organization through the API, stores them in a local database for unified management, and can integrate the resource data as required to extract the data needed for resource optimization, thereby improving operations efficiency, reducing the cost of maintaining resources by hand, and raising resource utilization.

The cloud platform STS configuration, as shown in FIG. 1, requires the organization accounts to be pre-configured as follows:

Log in with the organization management account, enter the organization management service, and select one account as the unified login account;

Log in with the OUA primary account and create the STS AssumeRole permission policy;

A. Locate the policy menu and click the "Create policy" button;

B. Select the configuration: STS service, the AssumeRole write action, all resources;

C. Set tags (optional);

D. Set the name and confirm creation of the policy;

E. Review the created policy and confirm that it is correct.

Create the sub-user (the unified login sub-user), generate the AccessKeyId and AccessKeySecret, and authorize STS AssumeRole;

Enter the IAM user list and click the "Add user" button; set the user name, tick "Access key - Programmatic access" (required) and tick console access as needed; set permissions by attaching the existing policy directly, that is, the AssumeRole policy created in step 2); add tags; confirm creation of the sub-user.

In every member account that is not the unified login account, create one role with the same name, AssumeRoleForCmp, grant the role the appropriate permissions (for testing, read permission on all resources is sufficient), and configure a trust relationship with the unified login account for the role;

Enter the roles service and click the "Create role" button;

Select the trusted entity, using the account option here and trusting another account, namely the "unified login account"; add permissions, setting the resource management permission policy as needed; set the name AssumeRoleForCmp and confirm the information; confirm creation of the role.

Verify the configuration, that is, verify on the cloud platform that the "Switch role" function works;

Open the drop-down at the account information in the upper right corner of the cloud platform and click "Switch role";

Enter the account and role (AssumeRoleForCmp) to switch to;

After a successful switch, the display name entered is shown in the upper right corner.
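The three IAM policy documents behind the OUA-to-AssumeRoleForCmp setup described above, as an added example that is not part of the patent: it builds the documents in Python so they can be reviewed before being pasted into the console, and it narrows the AssumeRole resource to the AssumeRoleForCmp role in the known member accounts instead of the "all resources" chosen in the console walk-through. The account IDs and the user name cmp-sync are constructed placeholders; the policy layout follows the public AWS IAM JSON format.

```python
"""Added example (not the patent's code): policy documents for the OUA ->
AssumeRoleForCmp delegation, plus a small review check.

Assumptions: account IDs and the user name are constructed placeholders;
statements follow the public AWS IAM JSON policy format.
"""
import json

ROLE_NAME = "AssumeRoleForCmp"   # uniform role name used in every member account


def oua_assume_role_policy(member_account_ids):
    """Policy attached to the OUA sub-user.

    The Resource list is restricted to the AssumeRoleForCmp role in each
    known member account, so the OUA access key can assume that role only.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{ROLE_NAME}"
                         for acct in member_account_ids],
        }],
    }


def member_role_trust_policy(oua_account_id, oua_user_name):
    """Trust policy on AssumeRoleForCmp in a member account.

    Trusts only the OUA account's unified-login sub-user, not the whole
    OUA account, which is tighter than the console's "another account" option.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{oua_account_id}:user/{oua_user_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def member_role_readonly_policy():
    """Permission policy for the role; the patent suggests read-only for testing."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "rds:Describe*", "s3:ListAllMyBuckets"],
            "Resource": "*",
        }],
    }


def policy_findings(policy):
    """Lightweight review: flag wildcard AssumeRole targets and wildcard principals."""
    findings = []
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        principal = st.get("Principal", {})
        if "sts:AssumeRole" in actions and "*" in resources:
            findings.append("AssumeRole allowed on all roles")
        if isinstance(principal, dict) and principal.get("AWS") == "*":
            findings.append("role trusts every AWS account")
    return findings


if __name__ == "__main__":
    members = ["111111111111", "222222222222"]          # constructed
    print(json.dumps(oua_assume_role_policy(members), indent=2))
    print(json.dumps(member_role_trust_policy("999999999999", "cmp-sync"), indent=2))
    print(policy_findings(oua_assume_role_policy(members)))
```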

资源统一管理,图2所示已经配置的云组织账号进行资源统一管理。Unified management of resources. The configured cloud organization accounts shown in Figure 2 perform unified management of resources.

将OUA账号的AccessKeyId、AccessKeySecret,以及组织管理账号ID、委托信授权角色信息保存到管理系统;由于账号信息为敏感信息,需要进行数据加密存储。系统采用RSA+AES+Base64多重加密方式,保障账号安全性。Save the AccessKeyId and AccessKeySecret of the OUA account, as well as the organization management account ID and authorization role information of the entrustment letter to the management system; since the account information is sensitive information, data encryption is required for storage. The system adopts RSA+AES+Base64 multiple encryption methods to ensure account security.

根据OUA账号的AccessKeyId、AccessKeySecret与组织管理账号ID、授权角色,通过STS服务获取组织管理账号的临时安全访问令牌。According to the AccessKeyId and AccessKeySecret of the OUA account, the organization management account ID, and the authorization role, obtain the temporary security access token of the organization management account through the STS service.

使用临时安全令牌获取所有组织成员账号,将其保存到本地数据库。Use temporary security tokens to get all organization member accounts and save them to the local database.

对每个成员账号,使用对应临时安全令牌调用相关资源服务的API来获取资源。采用线程池技术,以IO密集型任务为参考,线程数=CPU核心数/(1-0.8),对每个账号单独开启一条线程,多线程并发拉取数据,大幅度提高资源同步效率。For each member account, use the corresponding temporary security token to call the API of the relevant resource service to obtain resources. Using thread pool technology, taking IO-intensive tasks as a reference, the number of threads = number of CPU cores/(1-0.8), a separate thread is opened for each account, and multiple threads pull data concurrently, which greatly improves resource synchronization efficiency.
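The per-account, thread-pooled synchronization described here and in the earlier thread pool paragraph, as an added example that is not the patent's code: it sizes the pool with the page's I/O-bound rule (cores / (1 - 0.8), so 4 cores give 20 threads), assumes one role per member account, stores every record with its owning account, and keeps one misconfigured account from aborting the whole run. STS and the resource APIs are replaced by in-memory fakes (FakeSts, FakeResourceApi) so it runs offline; account IDs and resource names are constructed sample data.

```python
"""Added example (not the patent's code): account-dimension thread-pool sync.

Assumptions: FakeSts and FakeResourceApi stand in for the real STS and
resource APIs; account IDs and resource names are constructed.
"""
import os
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

ROLE_NAME = "AssumeRoleForCmp"


def io_bound_thread_count(cpu_cores, blocking_ratio=0.8):
    """Patent's sizing rule: threads = cores / (1 - blocking_ratio); 4 cores -> 20."""
    return int(round(cpu_cores / (1 - blocking_ratio)))


@dataclass
class TempCredentials:
    account_id: str
    role_arn: str
    token: str


class FakeSts:
    """Stands in for STS AssumeRole; issues a per-account temporary token."""

    def __init__(self, accounts_with_role):
        self.allowed = set(accounts_with_role)

    def assume_role(self, access_key_id, account_id, role_name):
        # An account whose role does not exist or does not trust the OUA key
        # fails here, just as the real AssumeRole call would be denied.
        if account_id not in self.allowed:
            raise PermissionError(f"{account_id}: cannot assume {role_name} with {access_key_id}")
        return TempCredentials(account_id, f"arn:aws:iam::{account_id}:role/{role_name}",
                               f"tok-{account_id}")


class FakeResourceApi:
    """Stands in for the per-account resource query APIs."""

    def __init__(self, inventory):
        self.inventory = inventory   # constructed: account_id -> {type: [names]}

    def list_resources(self, creds):
        return self.inventory.get(creds.account_id, {})


@dataclass
class SyncResult:
    resources: dict = field(default_factory=dict)   # (account, type, name) -> record
    failures: dict = field(default_factory=dict)    # account_id -> error message


def sync_account(sts, api, access_key_id, account_id):
    """One unit of work: assume the account's role, then pull its resources."""
    creds = sts.assume_role(access_key_id, account_id, ROLE_NAME)
    records = {}
    for rtype, names in api.list_resources(creds).items():
        for name in names:
            # every stored record keeps its owning account, as the patent requires
            records[(account_id, rtype, name)] = {"account": account_id,
                                                  "type": rtype, "name": name}
    return records


def sync_organization(sts, api, access_key_id, account_ids, cpu_cores=None):
    cores = cpu_cores or os.cpu_count() or 1
    result = SyncResult()
    with ThreadPoolExecutor(max_workers=io_bound_thread_count(cores)) as pool:
        futures = {pool.submit(sync_account, sts, api, access_key_id, a): a
                   for a in account_ids}
        for fut, account_id in futures.items():
            try:
                result.resources.update(fut.result())
            except PermissionError as exc:
                # one misconfigured member account must not abort the whole sync
                result.failures[account_id] = str(exc)
    return result


if __name__ == "__main__":
    sts = FakeSts(["111111111111", "222222222222"])
    api = FakeResourceApi({"111111111111": {"cloud_host": ["web-1", "web-2"]},
                           "222222222222": {"data_volume": ["vol-a"]}})
    r = sync_organization(sts, api, "AKIA-PLACEHOLDER",
                          ["111111111111", "222222222222", "333333333333"], cpu_cores=4)
    print(len(r.resources), "resources;", "failures:", r.failures)
```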

对同步到管理系统的数据进行处理。Process the data synchronized to the management system.

以企业、多级部门、用户的组织关系模型建立组织管理模块,将资源划分所属组织,实现资源租户隔离管理;Establish an organization management module based on the organizational relationship model of enterprises, multi-level departments, and users, divide resources into organizations, and realize resource tenant isolation management;

采用资源权限配置+角色授权,实现资源的访问权限管理,对不同角色用户设置不同权限,实现资源分级分层管理;Use resource permission configuration + role authorization to realize resource access permission management, set different permissions for users with different roles, and realize hierarchical and hierarchical management of resources;

将资源按照类型划分模块,主要分为计算、存储、网路、容器、数据库服务等资源,以及资源总览、申请管理等拓展功能;Divide resources into modules by type, mainly divided into computing, storage, network, container, database services and other resources, as well as extended functions such as resource overview and application management;

系统提供计量审计信息,主要包括任务执行记录、审计列表(资源访问记录)、登录日志、资源计量统计等;The system provides metering audit information, mainly including task execution records, audit lists (resource access records), login logs, resource metering statistics, etc.;

计费管理模块根据同步到的费用账单数据,结合组织关系,进行多维度统计展现,统计企业费用账单、部门费用账单,以及单账号费用账单,查看费用收支明细,根据历史费用信息预测费用使用趋势。The billing management module performs multi-dimensional statistical display based on the synchronized expense bill data, combined with organizational relationships, counts enterprise expense bills, department expense bills, and single-account expense bills, checks expense income and expenditure details, and predicts expense usage based on historical expense information trend.

The scheduled task module mainly handles scheduled start-up, shutdown and restart of cloud hosts, and data backup of data volumes and cloud hosts, which can greatly reduce manual operation and maintenance costs.

The monitoring and alerting module uses Elasticsearch as a time-series database to store monitoring data obtained from the cloud platform, speeding up retrieval and simplifying data aggregation and statistics.

The log service mainly records system run-time logs, including logs the system prints automatically and system error logs, and is used for tracking and maintaining system problems.

Function Expansion Description

Since public cloud resources and services come in many categories, each with its own data structure and order of magnitude, some practical suggestions for this situation are given here.

For common resources such as cloud hosts, cloud disks and networks, whose volume is moderate, use a relational database (such as MySQL) for storage, which facilitates business expansion;

For service-type resources such as object storage, the number of objects may be very large; if a relational database is used, sharding across databases and tables must be considered. Consider a non-relational database (such as HBase or MongoDB) instead to improve storage and read performance;

For monitoring data, a time-series database such as InfluxDB, Prometheus or Elasticsearch is recommended, for high-performance querying and display.

Beneficial effects: with unified management of organizational resources, the organization's multiple accounts can be managed automatically, reducing the repetitive work of maintaining many accounts by hand, lowering the risk of leaking account key information, and improving the efficiency and security of resource management;

Synchronizing the organization's resources into a local database allows flexible, customized extension of functions on the resource data, and resource usage across the organization can be optimized from the recorded usage, effectively improving resource utilization;

After the organization's resources are handled in a unified way, there is no longer any need to log in to the cloud console account by account to manage resources, which simplifies the steps operations staff take to operate on resources, makes operation more convenient and improves operations efficiency. For example, with 100 enterprise accounts whose cloud hosts all need to be shut down, the traditional approach of logging in to each account and performing the shutdown takes about 50 minutes; with the management platform, cloud hosts under different accounts can be started or shut down in batch, and all operations complete in about 1 minute or less.

Public cloud platforms enforce mandatory security policies, for example requiring the password or key to be rotated every 90 days. If every account is rotated individually, each takes about 1 minute; because the management platform manages resources through STS, only the unified login account needs attention and only that one account's information needs changing, which greatly reduces maintenance cost.

The specific embodiments above further describe the purpose, technical solution and beneficial effects of the present invention in detail. It should be understood that they are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (7)

1. An enterprise-level public cloud resource management method, the management method comprising:
the management platform processes the resource data in a unified login account and third party storage mode by combining with STS service provided by the cloud platform;
a resource timing synchronization mode is adopted;
a thread pool technology is adopted, and a plurality of account resources are synchronized simultaneously;
introducing a NoSql database, and storing large-data-volume resource data;
introducing an organization relation of enterprise tenant isolation;
the management platform analyzes the resource utilization rate according to the statistical condition of the resource utilization and generates a resource optimization scheme;
and integrating various resource cost data of different cloud platforms.
2. The method according to claim 1, wherein the introducing of the organization relationship of enterprise tenant isolation specifically comprises: and establishing a top-down management mode, automatically corresponding to the organization relation of the cloud platform, and automatically binding the organization and the user to which the resource belongs according to the information of automatically creating departments and users of the user organization of the cloud platform.
3. The method according to claim 1, wherein the integrating of the resource charge data of different cloud platforms specifically comprises: according to different requirements, the cost use conditions of each organization and each resource type are counted from different dimensions, and data bases are provided for resource optimization, resource allocation and cost prediction.
4. The method of claim 1, wherein the method further comprises: the method for creating the unified login account and authorizing the strategy on the cloud platform specifically comprises the following steps:
selecting a primary account number under a cloud platform organization for login, creating a sub-user under the primary account number, and generating an Access KeyId and an Access KeySecret, wherein the primary account number is used as an organization unified login account number;
establishing a custom strategy under the organization unified login account, and authorizing access to the AssumeRole of the STS;
and authorizing the custom strategy to a sub-account of the organization unified login account.
5. The method of claim 4, wherein the method further comprises: verifying the configuration;
and after logging in the sub account of the organization unified login account, using other member accounts and roles to execute role switching operation, and verifying whether normal switching can be performed or not.
6. The method according to claim 1, wherein the unified resource management specifically comprises:
and calling an API (application programming interface) provided by the cloud platform to acquire resource information by using the Access KeyId, the Access KeySecret and the STS (Security Token Service) service, storing the resource information into a local database, performing secondary processing on the resources, and realizing unified management of the resources through the functions of the management system.
7. An enterprise-level public cloud resource management system, the management system comprising:
the resource management module is used for processing resource data by combining the STS service provided by the cloud platform and the management platform in a unified login account and third party storage mode;
the data synchronization module is used for synchronizing data in a resource timing synchronization mode;
the account resource synchronization module is used for synchronizing a plurality of account resources simultaneously by adopting a thread pool technology;
the resource data storage module is used for introducing a NoSql database and storing large-data-volume resource data;
the organization relation introduction module is used for introducing an organization relation isolated by the enterprise tenants;
the optimization scheme generation module is used for analyzing the resource utilization rate and generating a resource optimization scheme by the management platform according to the resource utilization statistical condition;
and the data integration module is used for integrating various resource cost data of different cloud platforms.
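Claims 4 and 5 describe a custom policy that grants the unified login account's sub-user only the STS AssumeRole permission, and then verifies role switching into each member account. Below is an added Python check (not the patent's or the applicant's code) that a candidate policy document really is that narrow before it is attached to the sub-account: it flags wildcard actions, any allowed action other than sts:AssumeRole, a wildcard resource, and a policy that never grants AssumeRole at all (role switching would then fail the verification step). The policy document shape (Statement / Effect / Action / Resource) and the `role://` identifier format are assumptions; the page does not specify a policy syntax.

```python
import json
from typing import Any, Dict, List, Union

ASSUME_ROLE_ACTION = "sts:AssumeRole"

# Constructed least-privilege policy: only AssumeRole, only the member roles that should be reachable.
# "role://..." is a placeholder identifier format, not any particular cloud's syntax.
MINIMAL_POLICY: Dict[str, Any] = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [ASSUME_ROLE_ACTION],
        "Resource": ["role://acct-1001/resource-sync", "role://acct-1002/resource-sync"],
    }],
}

# Constructed over-broad policy of the kind the check should reject.
OVERBROAD_POLICY: Dict[str, Any] = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """Policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_assume_role_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the policy grants exactly AssumeRole on named roles."""
    findings: List[str] = []
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return ["policy has no Statement list"]
    saw_assume_role = False
    for i, st in enumerate(statements):
        if not isinstance(st, dict) or st.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access; nothing to flag
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action.lower() == ASSUME_ROLE_ACTION.lower():
                saw_assume_role = True
            else:
                findings.append(f"statement {i}: action {action!r} goes beyond AssumeRole")
        if any(r == "*" for r in _as_list(st.get("Resource"))):
            findings.append(f"statement {i}: resource '*' allows assuming any role that trusts "
                            "this account; list the member-account roles explicitly")
    if not saw_assume_role:
        findings.append(f"policy never allows {ASSUME_ROLE_ACTION}; role switching will fail")
    return findings


def audit_policy_json(text: str) -> List[str]:
    """Same check for a policy supplied as a JSON document."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]
    if not isinstance(policy, dict):
        return ["policy document must be a JSON object"]
    return audit_assume_role_policy(policy)


if __name__ == "__main__":
    print("minimal:", audit_assume_role_policy(MINIMAL_POLICY))
    print("overbroad:", audit_assume_role_policy(OVERBROAD_POLICY))
```

Running the check in the platform's configuration step, before the policy is bound to the sub-account, keeps the unified login account at the narrow permission the claims describe; the verification in claim 5 (switching into each member role) then confirms the trusted-role side of the relationship.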

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211434481.8A CN115801833B (en) 2022-11-16 2022-11-16 Enterprise-level public cloud resource management method and system

Publications (2)

Publication Number Publication Date
CN115801833A true CN115801833A (en) 2023-03-14
CN115801833B CN115801833B (en) 2024-06-21

Family

ID=85438163

Country Status (1)

Country Link
CN (1) CN115801833B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Floor 9c-2, Huzhou multimedia Industrial Park, No. 999, Wuxing Avenue, Huzhou City, Zhejiang Province 313000

Applicant after: Zhejiang Jiuzhou Future Information Technology Co.,Ltd.

Address before: Floor 9c-2, Huzhou multimedia Industrial Park, No. 999, Wuxing Avenue, Huzhou City, Zhejiang Province 313000

Applicant before: Zhejiang Jiuzhou cloud Mdt InfoTech Ltd.

GR01 Patent grant