CN112580006A - Access right control method and device of multi-cloud system and authentication server - Google Patents

Info

Publication number: CN112580006A
Authority: CN (China)
Prior art keywords: target, user, information, cloud system, verification
Legal status: Granted
Application number: CN202011554144.3A
Other languages: Chinese (zh)
Other versions: CN112580006B (en)
Inventors: 常岚, 孙靖, 杨贵垣, 王升东, 吴晓宇, 张迁
Current assignee: China Construction Bank Corp
Original assignee: China Construction Bank Corp
Application filed by China Construction Bank Corp
Priority to CN202011554144.3A
Publication of CN112580006A
Application granted
Publication of CN112580006B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present application discloses an access authority control method, device and authentication server for a multi-cloud system. The method is applied to an authentication server that corresponds to multiple cloud systems, each cloud system containing multiple accessed objects. The method includes: receiving an object access request sent by a client, where the object access request includes at least a user identifier of a target user and an object identifier of a target object, the target object being an accessed object within a target cloud system among the multiple cloud systems; obtaining, from a permission policy set, a target permission policy matching the user identifier and the object identifier, where the permission policy set contains multiple pieces of permission policy information, each piece corresponding to one user and one accessed object; and obtaining an authentication result according to the target permission policy, where the authentication result indicates whether the target user has permission to access the target object within the target cloud system.

Description

Access authority control method, device and authentication server for a multi-cloud system

Technical field

The present application relates to the technical field of authority management, and in particular to an access authority control method, device and authentication server for a multi-cloud system.

Background

With the development of technology, more and more cloud service providers offer users cloud services with different functions. For different cloud service providers, a unified authentication center can manage users' permissions to access the resources or functions of each cloud system.

In current management of access permissions for multi-cloud systems, permissions are usually managed per cloud system: for example, one user has access to one or more cloud systems, while another user has no access to a certain cloud system. On this basis, when a user's access request is authenticated, it can only be determined whether the user has permission to access the resources or functions of a certain cloud system as a whole; it cannot be determined whether the user has permission to access the different resources or functions within that cloud system.

Therefore, when users' access permissions are managed, they cannot be subdivided at a finer granularity, which makes the management of users' access permissions inflexible.

Summary of the invention

In view of this, the present application provides an access authority control method, device and authentication server for a multi-cloud system, to solve the technical problem in the prior art that the management of users' access permissions lacks flexibility.

The present application provides an access authority control method for a multi-cloud system, applied to an authentication server, where the authentication server corresponds to multiple cloud systems and each cloud system contains multiple accessed objects; the method includes:

receiving an object access request sent by a client, where the object access request includes at least a user identifier of a target user and an object identifier of a target object, the target object being an accessed object within a target cloud system among the multiple cloud systems;

obtaining, from a permission policy set, a target permission policy matching the user identifier and the object identifier, where the permission policy set contains multiple pieces of permission policy information, each piece of permission policy information corresponding to one user and one accessed object;

obtaining an authentication result according to the target permission policy, where the authentication result indicates whether the target user has permission to access the target object within the target cloud system.

In the above method, preferably, obtaining, from the permission policy set, the target permission policy matching the user identifier and the object identifier includes:

filtering, from the permission policy set, initial policy information matching the user identifier and/or a user group identifier corresponding to the user identifier, where the user group identifier is the identifier of the target user group to which the target user belongs, and the target user group also contains one or more other users;

filtering out, from the initial policy information, the target permission policy matching the object identifier.

In the above method, preferably, filtering, from the permission policy set, the initial policy information matching the user identifier and/or the user group identifier corresponding to the user identifier includes:

filtering, from the permission policy set, first policy information matching the user identifier;

filtering, from the permission policy set, second policy information matching the user group identifier, where the first policy information and/or the second policy information constitute the initial policy information.

The above method preferably further includes:

transmitting the authentication result to the target cloud system.

In the above method, preferably, the object access request further contains an identity verification identifier of the target user;

where the identity verification identifier is generated when the target user logs in to the target cloud system, and the identity verification identifier indicates that the target user has successfully logged in to the target.

The above method preferably further includes:

receiving a user login request sent by the client, where the user login request includes at least verification information of the target user and a system identifier of the target cloud system;

verifying the verification information according to the system identifier to obtain a verification result, where the verification result indicates whether the target user has passed identity verification for the target cloud system;

when the verification result indicates that the target user has passed identity verification for the target cloud system, obtaining the identity verification identifier of the target user.

In the above method, preferably, verifying the verification information according to the system identifier to obtain the verification result includes:

obtaining verification signature information corresponding to the verification information;

comparing standard signature information corresponding to the system identifier with the verification signature information to obtain the verification result.

In the above method, preferably, obtaining the verification signature information corresponding to the verification information includes:

signing the user name and password in the verification information with a signature algorithm to obtain the verification signature information;

or,

signing the access key in the verification information with a signature algorithm to obtain the verification signature information.
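The login verification just described (sign the submitted credentials, then compare with the standard signature stored for the named cloud system), as an added example that is not code from the patent or its assignee. The signature algorithm (HMAC-SHA256 under a server-side key), the (system ID, user name) storage layout and the requirement that the access-key form also names a user are this example's assumptions; all credentials are constructed.

```python
"""Added example: verification-signature check for a multi-cloud login request."""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed server-side signing key (assumption; a real deployment loads it from a secret store).
SERVER_KEY = b"constructed-example-key-not-for-production"


def verification_signature(verification_info: Dict[str, str], key: bytes = SERVER_KEY) -> str:
    """Sign either the user name and password or the access key, the two forms the text lists.

    A distinct tag prefix keeps the two credential forms in separate domains, so a
    signature over an access key can never equal a signature over a password.
    """
    if "access_key" in verification_info:
        message = b"ak\x00" + verification_info["access_key"].encode()
    else:
        message = (b"pw\x00" + verification_info["username"].encode()
                   + b"\x00" + verification_info["password"].encode())
    return hmac.new(key, message, hashlib.sha256).hexdigest()


# Standard signature information, keyed by (system ID, user name) (assumed layout).
STANDARD_SIGNATURES: Dict[Tuple[str, str], str] = {}


def enroll(system_id: str, username: str, verification_info: Dict[str, str]) -> None:
    """Store the standard signature that the given cloud system expects for this user."""
    STANDARD_SIGNATURES[(system_id, username)] = verification_signature(verification_info)


def verify_login(login_request: Dict) -> bool:
    """Verify the request's verification information against the system ID's standard signature."""
    system_id = login_request.get("system_id")
    info = login_request.get("verification_info") or {}
    username = info.get("username")
    if not system_id or not username:
        return False  # the request lacks a field the text requires
    standard = STANDARD_SIGNATURES.get((system_id, username))
    if standard is None:
        return False  # unknown system or user: fail closed
    # Constant-time comparison, so the check does not leak how many leading characters matched.
    return hmac.compare_digest(standard, verification_signature(info))


if __name__ == "__main__":
    enroll("cloud1", "alice", {"username": "alice", "password": "constructed-pw"})
    req = {"system_id": "cloud1", "verification_info": {"username": "alice", "password": "constructed-pw"}}
    print(verify_login(req))
```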

The present application also provides an access authority control device for a multi-cloud system, applied to an authentication server, where the authentication server corresponds to multiple cloud systems and each cloud system contains multiple accessed objects; the device includes:

a request receiving unit, configured to receive an object access request sent by a client, where the object access request includes at least a user identifier of a target user and an object identifier of a target object, the target object being an accessed object within a target cloud system among the multiple cloud systems;

a policy obtaining unit, configured to obtain, from a permission policy set, a target permission policy matching the user identifier and the object identifier, where the permission policy set contains multiple pieces of permission policy information, each piece of permission policy information corresponding to one user and one accessed object;

a result obtaining unit, configured to obtain an authentication result according to the target permission policy, where the authentication result indicates whether the target user has permission to access the target object within the target cloud system.

The present application also provides an authentication server, where the authentication server corresponds to multiple cloud systems and each cloud system contains multiple accessed objects; the authentication server includes:

a transmission module, configured to receive an object access request sent by a client, where the object access request includes at least a user identifier of a target user and an object identifier of a target object, the target object being an accessed object within a target cloud system among the multiple cloud systems;

a processor, configured to obtain, from a permission policy set, a target permission policy matching the user identifier and the object identifier, where the permission policy set contains multiple pieces of permission policy information, each piece of permission policy information corresponding to one user and one accessed object; and to obtain an authentication result according to the target permission policy, where the authentication result indicates whether the target user has permission to access the target object within the target cloud system.

The present application also provides a storage medium storing a program which, when executed by a processor, implements the access authority control method for a multi-cloud system described in any one of the above.

The present application also provides a processor for running a program, where the program, when run, executes the access authority control method for a multi-cloud system described in any one of the above.

It can be seen from the above technical solutions that, in the access authority control method, device and authentication server for a multi-cloud system disclosed in the present application, after an object access request sent by a client is received, the target permission policy matching the object access request can be obtained from the permission policy set, and from it an authentication result indicating whether the target user in the object access request may access the target object in the target cloud system. Thus, by subdividing the access permissions for multiple cloud systems down to the accessed objects within each cloud system, the present application controls a user's permission to access individual accessed objects when the user accesses a cloud system through a client, thereby improving the flexibility of permission management.

Description of drawings

To explain the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a flowchart of an access permission management method for a multi-cloud system provided in Embodiment 1 of the present application;

FIG. 2 to FIG. 5 are application example diagrams of embodiments of the present application;

FIG. 6 is a partial flowchart of the access permission management method for a multi-cloud system provided in Embodiment 1 of the present application;

FIG. 7 and FIG. 8 are further flowcharts of the access permission management method for a multi-cloud system provided in Embodiment 1 of the present application;

FIG. 9 is another application example diagram of an embodiment of the present application;

FIG. 10 is another partial flowchart of the access permission management method for a multi-cloud system provided in Embodiment 1 of the present application;

FIG. 11 is a schematic structural diagram of an access permission management apparatus for a multi-cloud system provided in Embodiment 2 of the present application;

FIG. 12 is another schematic structural diagram of the access permission management apparatus for a multi-cloud system provided in Embodiment 2 of the present application;

FIG. 13 is a schematic structural diagram of an authentication server provided in Embodiment 3 of the present application;

FIG. 14 to FIG. 16 are example diagrams of embodiments of the present application applied to user identity authentication and permission management in the financial industry.

Detailed description

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments herein without creative effort fall within the protection scope of the present application.

Referring to FIG. 1, a flowchart of the implementation of an access permission management method for a multi-cloud system provided in Embodiment 1 of the present application, the method is suitable for an authentication server capable of data processing, such as a computer or a server. It should be noted that the authentication server corresponds to multiple cloud systems, as shown in FIG. 2; each cloud system is implemented by electronic devices deployed in the cloud, and each contains multiple accessed objects, such as accessible data resources or functional components. The technical solution of this embodiment is mainly used to control a user's permission to access the accessed objects in a cloud system, thereby improving the flexibility of permission management.

Specifically, the method in this embodiment may include the following steps:

Step 101: Receive an object access request sent by a client.

The object access request contains at least the user identifier of the target user and the object identifier of the target object. The target user is the user who needs to access the target object, and the target object is an accessed object within one or more target cloud systems among the multiple cloud systems, such as a picture resource or a computing function.

It should be noted that the object access request may be generated after the target user has logged in to the target cloud system, by clicking or selecting the control corresponding to the target object (a resource, a function, etc.) on the target cloud system's operation interface presented on the target user's client; the request indicates that the target user needs to access the target object. Here, the user identifier may be a user name, code or label that uniquely identifies the target user, and the object identifier may be an object name, code or storage path that uniquely identifies the target object.

It should also be noted in particular that, to achieve unified management of access permissions across the multi-cloud system, this embodiment centralizes the management and control of access permissions in the authentication server. Therefore, after the object access request is generated on the client and sent to the target cloud system, the target cloud system returns a reply indicating that the object access request needs to be authenticated, and the client redirects the object access request to the authentication server of this embodiment accordingly. The authentication server thus receives the object access request sent by the client over its communication connection with the client, as shown in FIG. 3.

The client corresponding to the target user may be a terminal or device such as a mobile phone, pad or computer.

Step 102: Obtain, from the permission policy set, the target permission policy matching the user identifier and the object identifier.

The permission policy set is a pre-configured set that may contain multiple pieces of permission policy information. Each piece of permission policy information corresponds to one user and one accessed object and records whether that user has permission to access that object. For example, the permission policy set may be implemented as a table with multiple fields, as shown in FIG. 4. The table contains multiple rows, and each row contains a user column, an object column and a permission column: the user column records the user's identifier, the object column records the object's identifier, and the permission column records whether access is permitted. The permission column of each row therefore indicates whether the user in the user column has permission to access the object in the object column; for example, allow indicates that user A has permission to access accessed object B, and deny indicates that user A does not have permission to access accessed object C. It should be noted that the table may contain multiple rows for the same user, each recording whether that user has permission to access a different accessed object. Likewise, the table may contain multiple rows for the same accessed object, each recording whether a different user has permission to access that object.

Further, in a multi-cloud system, two or more users can be bound to the same user group, as shown in FIG. 5, and users in the same user group have the same access permissions, for example the same permission to access one or more accessed objects. In addition, a user may exist alone without being bound to any user group, or may only be bound to user groups, or may both exist alone and be bound to one or more user groups at the same time.

Accordingly, the permission policy information in the permission policy set may also correspond to a user group and an accessed object, in which case it records whether the users in that user group have permission to access the object. For example, as shown in FIG. 4, the user column of a row may also correspond to a user group: the user column records the user group's identifier, the object column records the object's identifier, and the permission column records whether access is permitted. The permission column of each such row indicates whether the users in the user group in the user column have permission to access the object in the object column; for example, allow indicates that users A and D in user group X have permission to access accessed object B, and deny indicates that users A and D in user group Y do not have permission to access accessed object C. It should be noted that the table may contain multiple rows for the same user group, each recording whether that user group has permission to access a different accessed object. Likewise, the table may contain multiple rows for the same accessed object, each recording whether a different user group has permission to access that object.

It should be noted that, unlike access permission management in which a user's permission can only correspond to a whole cloud system, this embodiment subdivides access permissions to the granularity of the accessed object, so that each piece of permission policy information corresponds to an accessed object rather than to the cloud system to which multiple accessed objects belong.

On this basis, after obtaining the user identifier and the object identifier, this embodiment filters the permission policy information in the permission policy set to obtain the target permission policy that matches both the user identifier and the object identifier in the object access request; the target permission policy contains the information on whether the target user has permission to access the target object.

Step 103: Obtain the authentication result according to the target permission policy.

The authentication result indicates whether the target user has permission to access the target object within the target cloud system.

Specifically, this embodiment can analyze the information in the target permission policy on whether the target user has permission to access the target object, resolve from it whether the target user has permission to access the target object within the target cloud system, and generate the authentication result accordingly.

The authentication result may use an identifier to indicate whether the target user has permission to access the target object within the target cloud system; for example, allow indicates that the target user has permission to access the target object in the target cloud system, and deny indicates that the target user does not.

It can be seen from the above that, in the access permission management method for a multi-cloud system provided in Embodiment 1 of the present application, after an object access request sent by a client is received, the target permission policy matching the object access request can be obtained from the permission policy set, and from it an authentication result indicating whether the target user in the object access request may access the target object in the target cloud system. Thus, by subdividing the access permissions for multiple cloud systems down to the accessed objects within each cloud system, this embodiment controls a user's permission to access individual accessed objects when the user accesses a cloud system through a client, thereby improving the flexibility of permission management.

在一种实现方式中,步骤102中在权限策略集合中,获得与所述用户标识和所述对象标识相匹配的目标权限策略时,具体可以通过以下步骤实现,如图6中所示:In an implementation manner, in the permission policy set in step 102, when the target permission policy matching the user ID and the object ID is obtained, the following steps can be specifically implemented, as shown in FIG. 6 :

步骤601:在权限策略集合中,筛选与用户标识和/或用户标识对应的用户组标识相匹配的初始策略信息。Step 601: In the permission policy set, filter initial policy information that matches the user ID and/or the user group ID corresponding to the user ID.

其中,用户组标识为目标用户所属的目标用户组的标识,目标用户组中除了包含有目标用户,还可以包含有一个或多个其他用户,处于该目标用户组中的所有用户对被访问对象的访问权限是相同的。The user group identifier is the identifier of the target user group to which the target user belongs. In addition to the target user, the target user group may also include one or more other users. The access rights are the same.

Specifically, this embodiment may select only the initial policy information matching the user identifier from the permission policy set;

or select only the initial policy information matching the user group identifier corresponding to the user identifier;

or select both the first policy information matching the user identifier and the second policy information matching the corresponding user group identifier, the selected first policy information and/or second policy information together forming the initial policy information;

or first select the first policy information matching the user identifier and, only if no such first policy information exists in the permission policy set, select the second policy information matching the corresponding user group identifier as the initial policy information.

Taking the selection of permission policy information matching the user identifier as an example, the user identifier is compared with the user recorded in each piece of permission policy information in the permission policy set, and the matching initial policy information is selected. For instance, if the permission policy set is held as a table, the user identifier is compared with the entries of the table's user column, and the one or more matching rows are selected; each selected row corresponds to one piece of permission policy information, i.e. the initial policy information matching the user identifier. Permission policy information matching the user group identifier is selected in the same way and is not described again here.

Note that there may be one or more pieces of initial policy information matching the user identifier.

Step 602: From the initial policy information, select the target permission policy that matches the object identifier.

Here the object identifier is compared with the initial policy information to select the target permission policy matching the object identifier. For example, within the one or more rows selected as matching the user identifier, the object identifier is compared with the accessed object in the object column of those rows, and the one or more rows matching both the user identifier and the object identifier are selected; each such row corresponds to one piece of permission policy information, i.e. the target permission policy.
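The two-stage selection of steps 601 and 602 and the allow/deny result of step 103, as an added example in Python that is not part of the patent or of any product it describes. The patent fixes no schema, so the policy table, the user-to-group mapping, the "g:" prefix for group identifiers, the system_id field, the "*" wildcard and the sample data are all constructed here. Two rules the text leaves open are also fixed as assumptions: a request with no matching policy is denied (fail closed, which the later "otherwise access is denied" wording supports), and when several target policies conflict, an explicit deny overrides any allow.

```python
from dataclasses import dataclass
from typing import Dict, List, Literal

Effect = Literal["allow", "deny"]


@dataclass(frozen=True)
class Policy:
    principal: str   # user identifier, or group identifier (assumed "g:" prefix)
    system_id: str   # identifier of the cloud system holding the object (assumption)
    object_id: str   # accessed object inside that system; "*" is assumed to mean any
    effect: Effect   # allow / deny, as in the authentication result


# Constructed sample data: the groups each user belongs to.
USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["g:ops"],
    "bob": ["g:ops", "g:audit"],
    "carol": [],
}

# Constructed sample permission policy set; each entry binds one principal
# to one accessed object, as the patent describes.
POLICY_SET: List[Policy] = [
    Policy("alice", "cloud001", "img/report.png", "allow"),
    Policy("g:ops", "cloud001", "*", "allow"),
    Policy("g:audit", "cloud002", "ledger.csv", "allow"),
    Policy("bob", "cloud001", "img/secret.png", "deny"),
]


def select_initial(policies: List[Policy], user_id: str, mode: str) -> List[Policy]:
    """Step 601: initial policy information.

    mode selects one of the four strategies the text lists:
      "user"             only policies bound to the user identifier
      "group"            only policies bound to the user's group identifiers
      "both"             the union of the two
      "user_then_group"  user policies, falling back to group policies only
                         when the user has none of its own
    """
    groups = USER_GROUPS.get(user_id, [])
    by_user = [p for p in policies if p.principal == user_id]
    by_group = [p for p in policies if p.principal in groups]
    if mode == "user":
        return by_user
    if mode == "group":
        return by_group
    if mode == "both":
        return by_user + by_group
    if mode == "user_then_group":
        return by_user or by_group
    raise ValueError(f"unknown selection mode {mode!r}")


def select_target(initial: List[Policy], system_id: str, object_id: str) -> List[Policy]:
    """Step 602: keep only the rows whose accessed object matches the request."""
    return [p for p in initial
            if p.system_id == system_id and p.object_id in ("*", object_id)]


def authorize(user_id: str, system_id: str, object_id: str, mode: str = "both") -> Effect:
    """Step 103: derive the authentication result from the target policy.

    No matching policy means deny (fail closed); an explicit deny among the
    target policies overrides any allow. Both rules are assumptions.
    """
    target = select_target(select_initial(POLICY_SET, user_id, mode), system_id, object_id)
    if not target or any(p.effect == "deny" for p in target):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for user, sys_id, obj in [("alice", "cloud001", "img/report.png"),
                              ("bob", "cloud001", "img/secret.png"),
                              ("carol", "cloud001", "img/report.png")]:
        print(user, sys_id, obj, "->", authorize(user, sys_id, obj))
```

The mode argument matters for security: with mode="group", bob's explicit deny on img/secret.png is never seen and the g:ops wildcard grants access, whereas "both" and "user_then_group" surface the deny. Whichever strategy is chosen should be fixed for the whole deployment rather than left to the caller.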

In one implementation, after step 103 the method of this embodiment may further include the following step, as shown in FIG. 7:

Step 104: Transmit the authentication result to the target cloud system.

Once the authentication server of this embodiment has transmitted the authentication result to the target cloud system, the target cloud system can allow or refuse the target user's access to the target object according to whether the authentication result says the target user has permission to access the accessed object. For example, if the authentication result indicates that the target user has permission to access a target object such as a picture, the target cloud system lets the target user view or download the picture; if the authentication result indicates that the target user has no permission to access the picture, the target cloud system refuses to let the target user view it.

Further, after the authentication result has been obtained, it may also be transmitted to the client to notify the target user. In addition, when the target user has no access permission for the target object, the target user can be told that the object can be accessed once the permission has been granted.

In one implementation, the object access request may also contain an authentication identifier of the target user. The authentication identifier is generated when the target user logs in to the target cloud system and indicates that the target user has successfully logged in, i.e. that the target user was authenticated by the authentication server during login to the target cloud system and the verification passed.

The authentication identifier may be represented as a string.

Specifically, when the target user needs to log in to the target cloud system, the target user is authenticated on the authentication server. Accordingly, before step 101, the method of this embodiment may further include the following steps for authenticating the target user, as shown in FIG. 8:

Step 105: Receive the user login request sent by the client.

The user login request contains at least the verification information of the target user and the system identifier of the target cloud system.

The verification information of the target user depends on how the target user logs in to the target cloud system: when the target user logs in through a web page, the verification information contains the user name, password and similar information entered on the page; when the target user logs in through an interface, for example from a running program, the verification information contains the target user's access key and similar information carried by that program.

Note that when the target user performs a login operation for the target cloud system on the client, such as entering a user name and password or starting a program, the client sends the initial user login request generated by that operation to the target cloud system, and this initial request may contain only the target user's verification information. Because this embodiment centralizes access permission management in the authentication server in order to manage the access permissions of the multi-cloud system uniformly, the target cloud system replies that the target user must be authenticated, and the client redirects the user login request to the authentication server of this embodiment. The user login request received by the authentication server therefore also carries the system identifier of the target cloud system, indicating which cloud system the target user is to be authenticated for. In this way the authentication server receives the user login request from the client over its communication connection with the client, as shown in FIG. 9.

Step 106: Verify the verification information according to the system identifier to obtain a verification result.

The verification result indicates whether the target user has passed the identity verification of the target cloud system.

Specifically, the verification information can be verified in the following manner, as shown in FIG. 10:

Step 1001: Obtain the verification signature information corresponding to the verification information.

Specifically, the verification signature information is obtained by processing the verification information with a signature algorithm (the text also describes this as encrypting or encoding it).

In one implementation, a signature algorithm such as a cryptographic algorithm is applied to the user name and password in the verification information to obtain the verification signature information;

In another implementation, the signature algorithm is applied to the access key in the verification information to obtain the verification signature information.

These two implementations correspond to the two access methods: one is the target user logging in on a page with a user name and password, in which case the user name and password are signed with the signature algorithm to obtain the verification signature information used to verify the user's identity; the other is a program calling a product service, in which case a key pair such as AccessKeyID and AccessKeySecret is passed to the program as input and signed with the signature algorithm to obtain the verification signature information used to verify the user's identity.

Step 1002: Compare the standard signature information corresponding to the system identifier with the verification signature information to obtain the verification result.

For example, the standard signature information of the target cloud system is first retrieved from a signature library on the authentication server in which the standard signature information of each cloud system is stored in advance, and is then compared with the verification signature information obtained by signing the verification information, giving the verification result.

If the standard signature information corresponding to the system identifier agrees with the verification signature information, the verification result indicates that the target user has passed the identity verification of the target cloud system; if they do not agree, the verification result indicates that the target user has not passed it.

Step 107: Determine whether the verification result indicates that the target user has passed the identity verification of the target cloud system; if so, perform step 108.

Specifically, the content of the verification result is examined: for example, a verification result of 1 indicates that the target user has passed the identity verification of the target cloud system, and 0 indicates that the target user has not.

Step 108: Obtain the authentication identifier of the target user.

Here an authentication identifier, which may also be called an access ticket, is generated for the target user according to a generation rule for verification identifiers, indicating that the target user has passed the identity verification of the target cloud system.

In addition, when authenticating the target user, the authentication server of this embodiment can provide identification information such as a global ticket, a service ticket and a global session for the target user's login to the target cloud system, recording that the target user has logged in to the target cloud system through the client, so that when the target user logs in to the target cloud system again from another terminal such as a mobile phone, the target user's login on the client can be logged out.
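The login procedure of steps 105 to 108, with the signature computation and comparison of steps 1001 and 1002, as an added example in Python that is not part of the patent or of any product it describes. The patent names no concrete signature algorithm, so two standard choices are substituted here and labelled as assumptions: the page-login path stores a salted PBKDF2-HMAC-SHA256 digest as the "standard signature information" and recomputes it from the submitted password, and the program-login path has the client sign a canonical string for the request with AccessKeySecret using HMAC-SHA256, so the secret itself is never transmitted and the server only recomputes and compares the signature. The per-system credential store, the ticket store, the timestamp window and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000   # password hashing work factor (assumption)
MAX_CLOCK_SKEW = 300          # seconds a signed API request stays valid (assumption)

# Constructed "signature library": standard signature information per cloud
# system, keyed by system identifier and then by user name or AccessKeyID.
CREDENTIALS: Dict[str, Dict[str, dict]] = {"cloud001": {}, "cloud002": {}}

# Issued access tickets, i.e. the authentication identifier of step 108.
TICKETS: Dict[str, dict] = {}


def register_password(system_id: str, username: str, password: str) -> None:
    """Store the standard signature for a page login: a salted PBKDF2 digest,
    never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    CREDENTIALS[system_id][username] = {"kind": "password", "salt": salt, "digest": digest}


def register_access_key(system_id: str, key_id: str, key_secret: str) -> None:
    """Store the AccessKeySecret used to check program (API) logins."""
    CREDENTIALS[system_id][key_id] = {"kind": "access_key", "secret": key_secret}


def sign_api_request(key_id: str, key_secret: str, method: str, path: str, timestamp: int) -> str:
    """Client side of the access-key path: HMAC-SHA256 over a canonical string.
    Only the resulting signature travels in the login request."""
    canonical = f"{method}\n{path}\n{timestamp}\n{key_id}".encode()
    return hmac.new(key_secret.encode(), canonical, hashlib.sha256).hexdigest()


def verify(system_id: str, info: dict, now: Optional[float] = None) -> bool:
    """Step 106: compute the verification signature (step 1001) and compare it
    with the stored standard signature for this system (step 1002)."""
    store = CREDENTIALS.get(system_id)
    if store is None:
        return False
    if "password" in info:
        rec = store.get(info.get("username", ""))
        if rec is None or rec["kind"] != "password":
            return False
        computed = hashlib.pbkdf2_hmac("sha256", info["password"].encode(), rec["salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(computed, rec["digest"])   # constant-time comparison
    if "access_key_id" in info:
        rec = store.get(info["access_key_id"])
        if rec is None or rec["kind"] != "access_key":
            return False
        now = time.time() if now is None else now
        if abs(now - info["timestamp"]) > MAX_CLOCK_SKEW:      # stale or replayed request
            return False
        expected = sign_api_request(info["access_key_id"], rec["secret"],
                                    info["method"], info["path"], info["timestamp"])
        return hmac.compare_digest(expected, info["signature"])
    return False


def login(system_id: str, info: dict, now: Optional[float] = None) -> Optional[str]:
    """Steps 105 to 108: verify and, on success, issue an access ticket.
    None corresponds to a verification result of 0."""
    if not verify(system_id, info, now):
        return None
    ticket = secrets.token_urlsafe(32)
    user = info.get("username") or info["access_key_id"]
    TICKETS[ticket] = {"user": user, "system": system_id,
                       "issued": time.time() if now is None else now}
    return ticket


def ticket_owner(ticket: str, system_id: str) -> Optional[str]:
    """What a cloud system asks when an object access request carries the
    authentication identifier: whose ticket is this, and is it for this system?"""
    rec = TICKETS.get(ticket)
    if rec is None or rec["system"] != system_id:
        return None
    return rec["user"]
```

Two details are deliberate. hmac.compare_digest is used for both comparisons so that the time taken does not reveal how many leading bytes of a guessed signature were right, and the ticket is an opaque random token bound to one system identifier, so a ticket issued for cloud002 cannot be replayed against cloud001.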

Referring to FIG. 11, a schematic structural diagram of an access permission management apparatus for a multi-cloud system provided in the second embodiment of this application: the apparatus can be deployed in an authentication server capable of data processing, such as a computer or server. The authentication server corresponds to multiple cloud systems, as shown in FIG. 2; each cloud system is implemented by electronic devices deployed in the cloud and contains multiple accessed objects, such as data resources or functional components that can be accessed. The technical solution of this embodiment is mainly used to control a user's permissions on the accessed objects in a cloud system, making permission management more flexible.

Specifically, the apparatus of this embodiment may include the following units:

A request receiving unit 1101, configured to receive an object access request sent by a client, the object access request containing at least a user identifier of a target user and an object identifier of a target object, the target object being an accessed object within a target cloud system among the multiple cloud systems;

A policy obtaining unit 1102, configured to obtain, from a permission policy set, a target permission policy matching the user identifier and the object identifier, the permission policy set containing multiple pieces of permission policy information, each piece corresponding to one user and one accessed object;

A result obtaining unit 1103, configured to obtain an authentication result according to the target permission policy, the authentication result indicating whether the target user has permission to access the target object within the target cloud system.

As can be seen from the above, in the access permission control apparatus for a multi-cloud system provided in the second embodiment of this application, after the object access request sent by the client has been received, the target permission policy matching the object access request is retrieved from the permission policy set, and from it an authentication result is obtained that indicates whether the target user named in the object access request may access the target object in the target cloud system. Because the access permissions of the multiple cloud systems are subdivided down to the individual accessed objects within each cloud system, a user's access through the client can be controlled per accessed object, which makes permission management more flexible.

In one implementation, the policy obtaining unit 1102 is specifically configured to: select, from the permission policy set, the initial policy information matching the user identifier and/or the user group identifier corresponding to the user identifier, the user group identifier being the identifier of the target user group to which the target user belongs and the target user group also containing one or more other users; and select, from the initial policy information, the target permission policy matching the object identifier.

Optionally, when selecting from the permission policy set the initial policy information matching the user identifier and/or the corresponding user group identifier, the policy obtaining unit 1102 is specifically configured to: select, from the permission policy set, the first policy information matching the user identifier; and select, from the permission policy set, the second policy information matching the user group identifier, the first policy information and/or the second policy information forming the initial policy information.

In one implementation, the result obtaining unit 1103 is further configured to transmit the authentication result to the target cloud system.

In one implementation, the object access request further contains an authentication identifier of the target user, the authentication identifier being generated when the target user logs in to the target cloud system and indicating that the target user has successfully logged in to the target cloud system.

In one implementation, the apparatus of this embodiment may further include the following unit, as shown in FIG. 12:

An identity verification unit 1104, configured to: after the request receiving unit 1101 receives a user login request sent by the client, the user login request containing at least the verification information of the target user and the system identifier of the target cloud system, verify the verification information according to the system identifier to obtain a verification result indicating whether the target user has passed the identity verification of the target cloud system; and, if the verification result indicates that the target user has passed, obtain the authentication identifier of the target user.

In one implementation, when verifying the verification information according to the system identifier to obtain the verification result, the identity verification unit 1104 is specifically configured to: obtain the verification signature information corresponding to the verification information, for example by signing the user name and password in the verification information with a signature algorithm, or by signing the access key in the verification information with a signature algorithm; and then compare the standard signature information corresponding to the system identifier with the verification signature information to obtain the verification result.

Note that the specific implementation of each unit in this embodiment can refer to the corresponding description above and is not repeated here.

Referring to FIG. 13, a schematic structural diagram of an authentication server provided in the third embodiment of this application: the authentication server may correspond to multiple cloud systems, as shown in FIG. 2; each cloud system is implemented by electronic devices deployed in the cloud and contains multiple accessed objects, such as data resources or functional components that can be accessed. The technical solution of this embodiment is mainly used to control a user's permissions on the accessed objects in a cloud system, making permission management more flexible.

Specifically, the authentication server of this embodiment may include the following structure:

A transmission module 1301, configured to receive an object access request sent by a client, the object access request containing at least a user identifier of a target user and an object identifier of a target object, the target object being an accessed object within a target cloud system among the multiple cloud systems;

A processor 1302, configured to obtain, from a permission policy set, a target permission policy matching the user identifier and the object identifier, the permission policy set containing multiple pieces of permission policy information, each piece corresponding to one user and one accessed object; and to obtain an authentication result according to the target permission policy, the authentication result indicating whether the target user has permission to access the target object within the target cloud system.

The authentication server of this embodiment may also include a memory for storing an application program and the data generated while it runs; when the processor 1302 executes the application program stored in the memory, the above functions of the processor 1302 are realized.

As can be seen from the above, in the authentication server provided in the third embodiment of this application, after the object access request sent by the client has been received, the target permission policy matching the object access request is retrieved from the permission policy set, and from it an authentication result is obtained that indicates whether the target user named in the object access request may access the target object in the target cloud system. Because the access permissions of the multiple cloud systems are subdivided down to the individual accessed objects within each cloud system, a user's access through the client can be controlled per accessed object, which makes permission management more flexible.

An embodiment of this application further provides a storage medium on which a program is stored; when the program is executed by a processor, the access permission control method for a multi-cloud system described in any of the above embodiments is implemented.

An embodiment of this application further provides a processor configured to run a program; when the program runs, it performs the access permission control method for a multi-cloud system described in any of the above embodiments.

The technical solution of this application is illustrated below with the example of user and permission management for multiple cloud systems deployed in the cloud by the financial industry:

When managing user identity authentication and permissions in a multi-cloud ecosystem, the inventors of this application found that several different implementation schemes exist, each with its own shortcomings:

In one scheme, each application system maintains its own user identity authentication system, so an administrator managing several systems must enter a separate user name and password for each in order to log in, grant permissions and operate, which makes use and management very inconvenient. Single sign-on solutions were later introduced so that authentication is completed automatically by the system. Taking cookie-based single sign-on as an example, the principle is to encrypt the user name and password and store them in a cookie; when the user subsequently visits a site, the current login state is checked, and if the check fails the user name and password are taken out of the cookie and used to log in. From the user's point of view the user name and password were entered only once, but in fact they have been transmitted many times, which increases the risk of theft; this unified login scheme also cannot work across domains, and each system still has its own login authentication system, which increases code complexity and is quite limiting.

The CAS-based unified authentication center approach deploys a separate, independent authentication center to provide the authentication service, but because of the complexity of permission control, CAS authentication alone cannot provide fine-grained permissions.

Given these shortcomings, in order to solve the problem of uniformly managing user identity authentication and permission management for an enterprise in a multi-cloud ecosystem (a multi-cloud system scenario), the inventors of this application provide an identity access and control system that manages the whole user lifecycle uniformly in a multi-cloud ecosystem, effectively reducing the cost of permission control and providing a more flexible and convenient console access method for the multi-cloud ecosystem. For example, based on the unified authentication system of the CAS (Central Authentication Service) unified authentication center, user lifecycle management and user permission management form a single separate authentication system, so that the same user with the same permissions can log in to and operate the cloud platforms of the multi-cloud ecosystem.

The specific design is as follows:

This application builds a separate unified authentication center, namely the authentication server described above. In the multi-cloud ecosystem each cloud management system no longer manages its own user identity access and permission control module; instead the unified authentication center alone manages the full account lifecycle of user creation, authorization, login, authentication and deletion, and provides a secure way of accessing resources and operations. Access management is implemented mainly by binding authorization policies to users and user groups. The access credential consists of a user name and password, or of an AccessKeyID and AccessKeySecret, the latter being used to authenticate cloud service API requests. When a user accesses a function or resource, identity is authenticated first and access permission is verified second; only when both steps pass is the resource accessible, otherwise access is denied.

First, the single sign-on design for unified user lifecycle management in the multi-cloud setting:

1. Database design of the unified identity access and permission control system:

As shown in FIG. 14, the unified identity authentication scheme proposed in this application stores user information in a dedicated user information database, including user name, password, mobile phone number, e-mail address, the user group the user belongs to, and the user's access key. Following the CAS model, the CAS Server is the unified identity authentication center (the authentication server); user information is stored in the database (DB), and authentication is performed by querying the DB. The CAS Client is deployed in the client-side application system (the client) and is configured with a URL that redirects user authentication requests to the CAS Server, which implements login, verification and logout.

2. Design of the unified identity access and permission control system:

When a user first logs in to a system through its domain name, the web page is redirected to the unified identity authentication server for the initial login, where the user is authenticated against the credentials entered (user name, password and so on). If verification passes, an access credential is generated, namely the authentication identifier described above. When the user then accesses other resources or functions of that cloud system, this access ticket is carried along and submitted to the CAS unified identity authentication server for verification, so the administrator does not need to submit login information again when opening that system.

To implement single sign-on, CAS provides a ticket granting ticket (TGT), a service ticket (ST) and a global session (ticket granting cookie). The workflow of the unified identity authentication scheme based on CAS single sign-on is shown in FIG. 14:

具体描述:specific description:

1. The user accesses cloud system 001 through the Web;

2. System 001 finds that the user has not been authenticated and redirects the page request to the CAS Server;

3. The user enters the authentication information and passes verification;

4. After authentication passes, the authentication center redirects the user, carrying the authentication credential, to cloud system 001 to log in;

5. Or, after authentication passes, the authentication center redirects the user, carrying the authentication credential, to cloud system 002 to log in;

6. Or, after authentication passes, the authentication center redirects the user, carrying the authentication credential, to cloud system 004 to log in; that is, to whichever cloud system was requested, such as cloud system 001;

7. The cloud system returns the user's login information to the client.
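The exchange in steps 1 to 7, together with the credential check of claims 6 to 8, as an added example in Python that is not part of the patent. It assumes one signing key per cloud system, HMAC-SHA256 as the "signature algorithm", a one-hour TGT and a one-minute single-use ST bound to one system; the user and system names are constructed. The user table above lists the password as a stored field; following claims 7 and 8, the example stores only the signature derived from it and compares signatures in constant time.

```python
"""Added example (not code from the patent): a minimal simulation of the
CAS-style single sign-on flow in steps 1-7 above, with the credential check of
claims 6-8. The HMAC construction, the ticket format, the lifetimes and all
names are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
import time


class AuthServer:
    """Unified authentication center (the CAS Server / authentication server)."""

    def __init__(self):
        self._system_keys = {}    # system_id -> signing key (assumption: one key per system)
        self._standard_sigs = {}  # (system_id, username) -> standard signature (claim 7)
        self._tgts = {}           # TGT -> (username, expiry)             global session
        self._sts = {}            # ST  -> (username, system_id, expiry)  one service login

    def register_system(self, system_id):
        self._system_keys[system_id] = secrets.token_bytes(32)

    def _sign(self, system_id, payload):
        # "Signature algorithm" of claim 8, realised here as HMAC-SHA256 keyed per system.
        return hmac.new(self._system_keys[system_id], payload.encode(), hashlib.sha256).digest()

    def provision_user(self, system_id, username, password):
        # Only the signature is stored, never the raw password.
        self._standard_sigs[(system_id, username)] = self._sign(system_id, f"{username}:{password}")

    def login(self, system_id, username, password):
        """Step 3: verify the credentials; on success issue a TGT (global session)."""
        expected = self._standard_sigs.get((system_id, username))
        if expected is None:
            return None
        actual = self._sign(system_id, f"{username}:{password}")
        if not hmac.compare_digest(expected, actual):   # constant-time comparison
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self._tgts[tgt] = (username, time.time() + 3600)
        return tgt

    def grant_service_ticket(self, tgt, system_id):
        """Steps 4-6: a valid TGT yields a short-lived ST for one cloud system."""
        entry = self._tgts.get(tgt)
        if entry is None or entry[1] < time.time():
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = (entry[0], system_id, time.time() + 60)
        return st

    def validate_service_ticket(self, st, system_id):
        """Back-channel validation by the CAS Client; the ST is single-use and bound to one system."""
        entry = self._sts.pop(st, None)
        if entry is None:
            return None
        username, bound_system, expiry = entry
        if bound_system != system_id or expiry < time.time():
            return None
        return username


class CloudSystem:
    """A cloud system (001, 002, 004, ...) with the CAS Client in front of it."""

    def __init__(self, system_id, auth):
        self.system_id = system_id
        self.auth = auth

    def access(self, st=None):
        """Steps 1-2 and 7: without a valid ST the request is redirected to the CAS Server."""
        if st is None:
            return "redirect"
        user = self.auth.validate_service_ticket(st, self.system_id)
        return "redirect" if user is None else f"logged in as {user}"


if __name__ == "__main__":
    auth = AuthServer()
    for sid in ("001", "002", "004"):
        auth.register_system(sid)
    auth.provision_user("001", "alice", "correct horse")   # constructed sample user
    sys001, sys002 = CloudSystem("001", auth), CloudSystem("002", auth)
    print(sys001.access())                                            # redirect
    tgt = auth.login("001", "alice", "correct horse")
    print(sys001.access(auth.grant_service_ticket(tgt, "001")))       # logged in as alice
    print(sys002.access(auth.grant_service_ticket(tgt, "002")))       # logged in as alice, no second login
```

The two properties worth checking in any real deployment are visible in `validate_service_ticket`: the ST is consumed on first use and is rejected by any system other than the one it was issued for, so a ticket captured from a redirect to cloud system 002 cannot be replayed against cloud system 001.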

Second, permission management and control for unified user lifecycle management in the multi-cloud form:

After unified single sign-on, the login-level control alone is not fine-grained enough, so the functions and resources the user may operate after logging in to the platform need a further authorization check. As shown in Figure 15, when a user clicks a resource or an interface-level function on the cloud platform in the browser, the browser sends the user information to the permission control module of the unified authentication center for checking. If the check passes, the user may operate the corresponding function or resource of the platform; if authorization fails, a message is returned stating that the user has no permission for the operation and should contact the administrator for authorization.

1. Database design of the unified identity access and permission control system:

As mentioned above, the unified identity authentication scheme proposed in this application uses a dedicated user information database to store user information. In addition, to manage user permissions further, the database design includes a separate store for the platform's policy data. The permission control scheme is implemented on top of IAM, and policies are its key element: policies are bound to users and user groups, and authorization consists of confirming whether the user has permission to operate a given function or resource of the platform. The authorization flow is shown in Figure 15.

2. Design of the unified identity access and permission control scheme

The IAM permission management system provides finer-grained access control, so that multiple users in different roles can manage the whole cloud platform. When a logged-in user operates a resource on the platform, the browser submits the operation to the unified authentication center for authorization. When a user initiates an access request, the system makes the authorization decision according to the action in the access policies granted to the user. The check rules are shown in Figure 15:

1. The user initiates an access request;

2. The system redirects the request to the CAS Server;

3. Among the access permissions granted, the system first looks for permissions granted through IAM projects, that is, it filters the permission policy set for the matching permission policy information (the action) and looks in those permissions for the action corresponding to the request;

4. If a matching Allow or Deny action is found, cloud system 001 applies the access control and returns the authorization decision for the request, Allow or Deny, and authorization ends;

5. If a matching Allow or Deny action is found, cloud system 002 applies the access control and returns the authorization decision for the request, Allow or Deny, and authorization ends;

6. If a matching Allow or Deny action is found, cloud system 004 applies the access control and returns the authorization decision for the request, Allow or Deny, and authorization ends;

7. The cloud system returns the content corresponding to the request to the user, such as a resource or function.

The process of obtaining the authorization result is described below with reference to Figure 16:

First, after the access request is received, the system looks for IAM permission policy information corresponding to the access request. If there is any, the authorization result, Allow or Deny, is obtained directly and authorization ends;

If there is no IAM permission policy information corresponding to the access request, the system checks whether the user has been added to a user group. If so, it looks for IAM permission policy information corresponding to that user group; if there is any, the authorization result, Allow or Deny, is obtained directly and authorization ends;

If the user has not been added to any user group, or there is no IAM permission policy information corresponding to the user group the user belongs to, an authorization result is still obtained, namely Deny, and authorization ends.
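The decision procedure of Figure 16 and claims 2 and 3 as an added example (not the patent's code), run over a constructed policy set. It assumes a policy record of principal, action, resource and effect with shell-style wildcards, and that an explicit Deny beats an Allow when both match at the same level, which the page does not specify. The result is what the authentication server hands back to the target cloud system (claim 4), which enforces it; the browser only relays the request.

```python
"""Added example (not code from the patent): the authorization decision of
Figure 16 and claims 2-3, run over a constructed policy set. The policy record
layout, the wildcard syntax and all user, group, action and object names are
assumptions made for this illustration."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    principal: str   # "user:<user_id>" or "group:<group_id>"
    action: str      # e.g. "cvm:StartInstance"; fnmatch wildcards allowed
    resource: str    # "<system_id>/<object_id>"; fnmatch wildcards allowed
    effect: str      # "Allow" or "Deny"


def _decide(policies, principal, action, resource):
    """Return 'Allow'/'Deny' from the policies bound to one principal, or None if none match.

    Claim 2: first select the policies of the principal, then keep those whose
    action and resource match the request (the object identifier).
    """
    effects = {p.effect for p in policies
               if p.principal == principal
               and fnmatchcase(action, p.action)
               and fnmatchcase(resource, p.resource)}
    if not effects:
        return None
    # Assumption: when both an Allow and a Deny match at the same level, Deny
    # wins; the page only says "if a matching Allow or Deny action is found".
    return "Deny" if "Deny" in effects else "Allow"


def authorize(policies, groups, user_id, action, system_id, object_id):
    """Figure 16: user-level policies first, then group-level policies, default Deny."""
    resource = f"{system_id}/{object_id}"
    decision = _decide(policies, f"user:{user_id}", action, resource)
    if decision is not None:                     # first branch: policy bound to the user
        return decision
    group_effects = {_decide(policies, f"group:{g}", action, resource)
                     for g in groups.get(user_id, ())}
    group_effects.discard(None)
    if group_effects:                            # second branch: the user's groups
        return "Deny" if "Deny" in group_effects else "Allow"
    return "Deny"                                # third branch: no group or no group policy


# Constructed sample policy set and group membership (not from the patent).
POLICIES = [
    Policy("group:cvm-admins", "cvm:*", "*", "Allow"),                  # same rights on every cloud
    Policy("group:cvm-admins", "cvm:DeleteInstance", "004/*", "Deny"),  # except deletion on cloud 004
    Policy("user:bob", "cvm:StartInstance", "001/vm-7", "Allow"),       # direct grant, no group
    Policy("user:carol", "cvm:StartInstance", "001/vm-7", "Deny"),      # user-level Deny over group Allow
]
GROUPS = {"alice": ["cvm-admins"], "carol": ["cvm-admins"]}


def check(user_id, action, system_id, object_id):
    """Convenience wrapper over the sample data; returns 'Allow' or 'Deny'."""
    return authorize(POLICIES, GROUPS, user_id, action, system_id, object_id)


if __name__ == "__main__":
    for req in [("alice", "cvm:StartInstance", "002", "vm-9"),   # group Allow, different cloud
                ("alice", "cvm:DeleteInstance", "004", "vm-1"),  # group Deny wins
                ("bob", "cvm:StopInstance", "001", "vm-7"),      # no policy at all
                ("carol", "cvm:StartInstance", "001", "vm-7")]:  # user Deny before group Allow
        print(req, "->", check(*req))
```

The first case is the page's own CVM administrator example: one group binding gives the administrator the same rights under cloud 001, 002 and 004 without a per-cloud user record.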

In summary, in the multi-cloud mode the common enterprise practice of running a separate user and permission control system under each cloud has serious drawbacks. In view of this, this application sets up a single identity access and permission control system covering the full user lifecycle, to replace the current situation of multiple identity authentication schemes and separate permission control in the multi-cloud ecosystem, thereby lowering the management cost of user registration, login and permission control. The unified identity access and permission control system also reduces system redundancy and makes it easier for each system administrator to manage their own product; for example, a CVM administrator holds the same management permissions under every cloud. Compared with the traditional user model, this model fits the practical pain points enterprises face today and improves management efficiency.

The technical solution of this application can therefore effectively solve the management of platform users in a multi-cloud deployment. From the user's perspective, the same user (a product administrator role on the cloud platform) can manage the products they operate through a single authentication system. For the platform management side, an independent user authentication system removes the complex architecture and redundancy of platform-side management: each platform no longer needs to maintain its own user management module and can focus on developing its own product. In addition, maintaining user information data fields, managing the full user lifecycle, unified user authorization and permission control all become easier to operate, avoiding the unmanageability of multiple user management modules across multiple platforms, and avoiding the situation where a missing user on one platform leaves the product administrator role vacant and affects product management and operation.

The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments can be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for relevant details refer to the description of the method.

Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above in general terms of their function. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of this application.

The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

The above description of the disclosed embodiments enables any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, this application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An access permission control method for a multi-cloud system, applied to an authentication server, wherein the authentication server corresponds to a plurality of cloud systems and each cloud system comprises a plurality of accessed objects, the method comprising:
receiving an object access request sent by a client, wherein the object access request comprises at least a user identifier of a target user and an object identifier of a target object, the target object being an accessed object in a target cloud system among the plurality of cloud systems;
obtaining, from a permission policy set, a target permission policy matching the user identifier and the object identifier, wherein the permission policy set comprises a plurality of pieces of permission policy information, each piece corresponding to one user and one accessed object;
and obtaining an authorization result according to the target permission policy, wherein the authorization result indicates whether the target user has permission to access the target object in the target cloud system.
2. The method of claim 1, wherein obtaining, from a permission policy set, a target permission policy matching the user identifier and the object identifier comprises:
screening, in the permission policy set, initial policy information matching the user identifier and/or a user group identifier corresponding to the user identifier, the user group identifier being the identifier of a target user group to which the target user belongs, the target user group further comprising one or more other users;
and screening out, from the initial policy information, the target permission policy matching the object identifier.
3. The method of claim 2, wherein screening, in the permission policy set, initial policy information matching the user identifier and/or a user group identifier corresponding to the user identifier comprises:
screening first policy information matching the user identifier in the permission policy set;
and screening second policy information matching the user group identifier in the permission policy set, wherein the first policy information and/or the second policy information form the initial policy information.
4. The method of claim 1, further comprising:
transmitting the authorization result to the target cloud system.
5. The method of claim 1, wherein the object access request further includes an identity verification identifier of the target user;
the identity verification identifier is generated when the target user logs in to the target cloud system and indicates that the target user has successfully logged in to the target cloud system.
6. The method of claim 5, further comprising:
receiving a user login request sent by the client, wherein the user login request comprises at least verification information of the target user and a system identifier of the target cloud system;
verifying the verification information according to the system identifier to obtain a verification result, wherein the verification result indicates whether the target user passes the identity verification of the target cloud system;
and, where the verification result indicates that the target user passes the identity verification of the target cloud system, obtaining the identity verification identifier of the target user.
7. The method of claim 6, wherein verifying the verification information according to the system identifier to obtain a verification result comprises:
obtaining verification signature information corresponding to the verification information;
and comparing standard signature information corresponding to the system identifier with the verification signature information to obtain the verification result.
8. The method of claim 7, wherein obtaining verification signature information corresponding to the verification information comprises:
signing the user name and the password in the verification information with a signature algorithm to obtain the verification signature information;
or,
signing the access key in the verification information with a signature algorithm to obtain the verification signature information.
9. An access permission control device for a multi-cloud system, applied to an authentication server, wherein the authentication server corresponds to a plurality of cloud systems and each cloud system comprises a plurality of accessed objects, the device comprising:
a request receiving unit, configured to receive an object access request sent by a client, wherein the object access request comprises at least a user identifier of a target user and an object identifier of a target object, the target object being an accessed object in a target cloud system among the plurality of cloud systems;
a policy obtaining unit, configured to obtain, from a permission policy set, a target permission policy matching the user identifier and the object identifier, wherein the permission policy set comprises a plurality of pieces of permission policy information, each piece corresponding to one user and one accessed object;
and a result obtaining unit, configured to obtain an authorization result according to the target permission policy, wherein the authorization result indicates whether the target user has permission to access the target object in the target cloud system.
10. An authentication server, wherein the authentication server corresponds to a plurality of cloud systems and each cloud system comprises a plurality of accessed objects, the authentication server comprising:
a transmission module, configured to receive an object access request sent by a client, wherein the object access request comprises at least a user identifier of a target user and an object identifier of a target object, the target object being an accessed object in a target cloud system among the plurality of cloud systems;
and a processor, configured to obtain, from a permission policy set, a target permission policy matching the user identifier and the object identifier, wherein the permission policy set comprises a plurality of pieces of permission policy information, each piece corresponding to one user and one accessed object; and to obtain an authorization result according to the target permission policy, wherein the authorization result indicates whether the target user has permission to access the target object in the target cloud system.
CN202011554144.3A 2020-12-24 2020-12-24 Access permission control method, device and authentication server for multi-cloud system Active CN112580006B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011554144.3A CN112580006B (en) 2020-12-24 2020-12-24 Access permission control method, device and authentication server for multi-cloud system

Publications (2)

Publication Number Publication Date
CN112580006A true CN112580006A (en) 2021-03-30
CN112580006B CN112580006B (en) 2024-11-26

Family

ID=75139682

Country Status (1)

Country Link
CN (1) CN112580006B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101042699A (en) * 2007-04-28 2007-09-26 华中科技大学 Safety search engine system based on accessing control
CN103532981A (en) * 2013-10-31 2014-01-22 中国科学院信息工程研究所 Identity escrow and authentication cloud resource access control system and method for multiple tenants
CN103701801A (en) * 2013-12-26 2014-04-02 四川九洲电器集团有限责任公司 Resource access control method
WO2015108538A1 (en) * 2014-01-20 2015-07-23 Hewlett-Packard Development Company, L.P. Controlling replication of identity informaton
CN105577665A (en) * 2015-12-24 2016-05-11 西安电子科技大学 Identity and access control management system and method in cloud environment
CN105978933A (en) * 2016-04-25 2016-09-28 青岛海信电器股份有限公司 Webpage request method, webpage response method, terminal, server, and webpage request and response system
CN108900483A (en) * 2018-06-13 2018-11-27 江苏物联网研究发展中心 Cloud storage fine-grained access control method, data upload and data access method
CN111241523A (en) * 2020-01-08 2020-06-05 中国联合网络通信集团有限公司 Authentication processing method, apparatus, device and storage medium

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114980095A (en) * 2021-05-08 2022-08-30 中移互联网有限公司 Data access method and data access device
CN114980095B (en) * 2021-05-08 2023-10-27 中移互联网有限公司 Data access method and data access device
CN113515732A (en) * 2021-06-30 2021-10-19 中国科学院电子学研究所苏州研究院 Cross-domain unified user authentication system and method
CN113505353A (en) * 2021-07-09 2021-10-15 绿盟科技集团股份有限公司 Authentication method, device, equipment and storage medium
CN115378622A (en) * 2021-07-16 2022-11-22 中国移动通信集团有限公司 Access control method, device, equipment and computer program product
CN113420275A (en) * 2021-07-19 2021-09-21 北京百度网讯科技有限公司 Data connection processing method, related device and computer program product
CN113420275B (en) * 2021-07-19 2023-07-28 北京百度网讯科技有限公司 Data connection processing method, related device and computer program product
CN113645249A (en) * 2021-08-17 2021-11-12 杭州时趣信息技术有限公司 Server password control method, system and storage medium
US12393665B2 (en) 2021-08-27 2025-08-19 Boe Technology Group Co., Ltd. Method of processing cross-domain authorization and method of processing cross-domain call
WO2023024057A1 (en) * 2021-08-27 2023-03-02 京东方科技集团股份有限公司 Cross-domain authorization processing method and cross-domain call processing method
CN113938477B (en) * 2021-09-07 2022-10-21 西安电子科技大学 A block chain-based access control method and system for cross-domain image dissemination
CN113938477A (en) * 2021-09-07 2022-01-14 西安电子科技大学 Cross-domain picture spreading access control method and system based on block chain
TWI825525B (en) * 2021-12-14 2023-12-11 中華電信股份有限公司 Identity and access management system and method for multi-cloud integrated application service and computer readable medium therefor
CN114254289A (en) * 2021-12-17 2022-03-29 青岛海尔科技有限公司 Cloud platform access method and device
WO2023109782A1 (en) * 2021-12-17 2023-06-22 北京字跳网络技术有限公司 Data processing method and apparatus based on cloud document component
US12278858B2 (en) 2021-12-17 2025-04-15 Beijing Zitiao Network Technology Co., Ltd. Method and apparatus for data processing based on a cloud document component
CN114386009A (en) * 2021-12-30 2022-04-22 广州鲁邦通智能科技有限公司 A multi-cloud deployment authentication method and system
CN114611098A (en) * 2022-03-24 2022-06-10 联想(北京)有限公司 Information processing method and device and electronic equipment
TWI820961B (en) * 2022-10-11 2023-11-01 中華電信股份有限公司 Electronic device and method for processing intelligence based on microservice and public cloud component
CN116668100A (en) * 2023-05-19 2023-08-29 中国平安财产保险股份有限公司 Security protection access method, device, equipment and storage medium
CN118842632A (en) * 2024-07-22 2024-10-25 中移(苏州)软件技术有限公司 Cloud system access method and device, electronic equipment and readable storage medium
CN118965388A (en) * 2024-07-24 2024-11-15 中国建设银行股份有限公司 Access processing method, device, equipment and storage medium
CN118965388B (en) * 2024-07-24 2025-11-14 中国建设银行股份有限公司 Access processing methods, apparatus, devices and storage media

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant