
WO2011147361A1 - Method, device and system for implementing resource management in cloud computing - Google Patents

Info

Publication number
WO2011147361A1
Authority
WO
WIPO (PCT)
Prior art keywords
digital certificate
authorized
resource
role
user equipment
Prior art date
Legal status
Ceased
Application number
PCT/CN2011/075341
Other languages
French (fr)
Chinese (zh)
Inventor
祁小波
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • A cloud computing network includes a "cloud" with powerful computing capability and user terminals.
  • The core concept of cloud computing is to continuously improve the processing capability of the "cloud", thereby reducing the processing burden on the user terminal and ultimately simplifying the user terminal into a pure input/output device that can enjoy the powerful computing capability of the "cloud" on demand.
  • In the existing cloud computing network, the cloud network can assign a security authentication certificate to a user, and the user accesses the cloud network with that certificate.
  • However, the existing security authentication certificate can only authenticate the user; it cannot implement rights-divided and domain-divided management.
  • the embodiments of the present invention provide a method, a device, and a system for implementing resource management in cloud computing, which are used to implement decentralized and domain-based management of resources in cloud computing.
  • An embodiment of the invention provides a method for implementing resource management in cloud computing, including: receiving a first message sent by a user equipment for operating on a resource, where the first message carries a digital certificate and the requested operation; obtaining an operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a correspondence between roles and operations;
  • if the requested operation belongs to the operation list, the requested operation is allowed.
  • An embodiment of the present invention provides a device for implementing resource management in cloud computing, including:
  • the receiving module is configured to receive a first message that is sent by the user equipment and is used to operate the resource, where the first message carries the digital certificate and the requested operation;
  • An obtaining module configured to acquire an operation list corresponding to the digital certificate according to a correspondence between a pre-recorded digital certificate and a role and a correspondence between a role and an operation;
  • an execution module configured to allow an operation on the request if the requested operation belongs to the operation list.
  • the embodiment of the invention provides a system for implementing resource management in cloud computing, including:
  • a UPF, configured to receive a second message sent by the user equipment for registration, where the second message carries the requested role; allocate a digital certificate to the user equipment according to a pre-configured correspondence between roles and digital certificates, and record the correspondence between the digital certificate and the role; and send the allocated digital certificate to the user equipment, so that the user equipment uses the digital certificate to request an operation;
  • a cloud management device, configured to receive a first message sent by the user equipment for operating on a resource, where the first message carries a digital certificate and the requested operation; obtain an operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and allow the requested operation if it belongs to the operation list.
  • The digital certificate is used when accessing cloud resources; different digital certificates correspond to different roles, and different roles correspond to different operations. Therefore, different users with different rights or in different domains can be enabled, through their digital certificates, to perform different operations, achieving rights-divided and domain-divided management of users.
  • FIG. 1 is a schematic flow chart of a method according to a first embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of a system corresponding to a second embodiment of the present invention.
  • FIG. 3 is a schematic flow chart of a method corresponding to a second embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a certificate system in an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a method according to a third embodiment of the present invention.
  • FIG. 6 is a schematic flow chart of a method according to a fourth embodiment of the present invention.
  • FIG. 7 is a schematic flow chart of a method according to a fifth embodiment of the present invention.
  • FIG. 8 is a schematic diagram of an application scenario in an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of a resource before and after resource sharing according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a device according to a sixth embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of a system according to a seventh embodiment of the present invention.
  • the technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention.
  • The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort fall within the scope of the present invention.
  • FIG. 1 is a schematic flowchart of a method according to a first embodiment of the present invention, including:
  • Step 11 The system for implementing resource management in cloud computing receives a first message sent by the user equipment for operating on a resource, where the first message carries a digital certificate and the requested operation;
  • Step 12 The system for implementing resource management in the cloud computing obtains an operation list corresponding to the digital certificate according to the correspondence between the pre-recorded digital certificate and the role and the correspondence between the role and the operation;
  • Step 13 If the requested operation belongs to the operation list, the operation on the request is allowed.
  • A digital certificate is used when accessing a cloud resource; the digital certificate corresponds to different roles, and different roles correspond to different operations. Therefore, the digital certificate can enable different users with different rights or in different domains to perform different operations, achieving rights-divided and domain-divided management of users.
  • FIG. 2 is a schematic structural diagram of a system corresponding to a second embodiment of the present invention, including a user equipment (USER) 21, a Provisioning Orchestration Engine (POE) 22, a User Profile Function (UPF) entity 23, a virtual machine desktop (VDESKTOP) 24, and a cloud resource management device 25.
  • The user equipment 21 can correspond to an enterprise, a home, or an individual; for example, a terminal device used by an enterprise serves as the user equipment.
  • The POE 22 is the user's account-opening entry point. For example, when the user registers, the user equipment can send a registration message to the UPF through the POE and complete the user registration at the UPF.
  • The UPF 23 is used to assign digital certificates and resources to users who apply for registration, and to save the correspondence between them.
  • The virtual machine desktop 24 is the user's access interface.
  • The user equipment requests a specified operation on a specified resource from the cloud resource management device through the virtual machine desktop.
  • The cloud resource management device 25 is configured to receive the resource operation message sent by the user equipment through the virtual machine desktop, and then perform authentication with the UPF according to the related information carried in the message. If authentication succeeds, the user equipment is allowed to perform the corresponding operation.
  • FIG. 3 is a schematic flowchart of a method corresponding to a second embodiment of the present invention, including:
  • Step 31 The user equipment sends a second message for registration to the POE, where the second message carries the requested role.
  • different digital certificates may be assigned different roles, different roles have different rights, and different rights may perform different operations.
  • The roles may include admin, operation, and guest. Among them, admin can perform all operations, operation can view and modify, and guest can only view.
  • For example, a user who uses the digital certificate corresponding to admin can create, delete, modify, and view users;
  • a user who uses the digital certificate corresponding to operation can modify and view users, and a user who uses the digital certificate corresponding to guest can only view users.
  • Step 32 The POE forwards the second message to the UPF.
  • Step 33 After receiving the second message, the UPF allocates a digital certificate to the user equipment, and records a correspondence between the user equipment and the digital certificate and the role.
  • the UPF can assign different digital certificates to different roles in a random manner, and it is necessary to ensure that different roles correspond to different digital certificates.
  • FIG. 4 is a schematic diagram of a certificate system according to an embodiment of the present invention.
  • A certificate system may be saved in the UPF, and the certificate system includes an operation list (PriInfo), a role list (RoleInfo), and a user list (UserInfo).
  • The operation list includes n operations (Pri), the role list includes n roles (Role), and the user list includes n users (User). It can be understood that the numbers of operations, roles, and users can differ.
  • For the composition of each operation, see Table 1.
  • For the composition of each role, see Table 2.
  • For the composition of each user, see Table 3.
  • The operation list and the role list may be pre-configured, and the user list may be continuously updated as user equipment requests digital certificates.
  • When a user equipment requests a role, the UPF can randomly assign a digital certificate to it (the randomly assigned digital certificate is different from the digital certificates of other roles), and record the ID number of that digital certificate in the certificate ID item of Table 3.
  • For example, assuming that the certificate number corresponding to role #1 is certificate #1 and the user is User #1, then in Table 3 the resource owner is User #1, the certificate ID is certificate #1, and the role ID is role #1.
  • The creation time is the time when the digital certificate is created.
  • The certificate content refers to the public-private key pair that the user uses for authentication.
  • The certificate content can be generated according to preset information (including the user name, time stamp, etc.).
  • The certificate status can be active or inactive. When the certificate becomes invalid, its status is set to inactive.
  • One user equipment can request multiple roles to obtain multiple corresponding digital certificates, and the multiple digital certificates can then be allocated to different users of that user equipment.
  • For example, an enterprise can apply for digital certificates corresponding to different roles such as admin, operation, and guest, and then assign the digital certificates of different roles to different people.
  • Step 34 The UPF returns the assigned digital certificate to the user equipment through the POE.
  • At this point the user account is opened, and the user equipment can then request the required operations using the assigned digital certificate.
  • Step 35 The user equipment requests an operation using the assigned digital certificate.
  • FIG. 5 is a schematic flowchart of a method according to a third embodiment of the present invention.
  • This embodiment takes a user equipment requesting creation of a virtual machine as an example, and includes:
  • Step 51 The user equipment obtains a digital certificate. See steps 31-34 for details.
  • Step 52 The user equipment sends a first message for operating the resource to the cloud resource management device by using the virtual machine desktop, where the first message carries the digital certificate and the requested operation.
  • Step 53 The cloud resource management device authenticates the first message.
  • The cloud resource management device needs to decrypt the first message.
  • The cloud resource management device may also obtain user information from the UPF and determine whether the digital certificate is owned by the user equipment, so as to verify the legitimacy of the user.
  • The encryption and decryption algorithm and the user legitimacy verification process can be implemented by a usual method.
  • Step 54 The cloud resource management device acquires an operation list corresponding to the digital certificate from the UPF.
  • Specifically, the role ID corresponding to the digital certificate may be obtained from Table 3, the permission IDs corresponding to the role ID from Table 2, and then the operation names corresponding to the permission IDs from Table 1.
  • All operation names corresponding to the digital certificate form its operation list. For example, if the role corresponding to the digital certificate is admin, the operation list includes creation, deletion, modification, and viewing; if the role is operation, the operation list includes modification and viewing; if the role is guest, the operation list only includes viewing.
  • Step 55 If the requested operation belongs to the operation list, allow operations on the request, for example, create a virtual machine.
  • this embodiment may further include:
  • Step 56 The cloud resource management device records the correspondence between the digital certificate and the virtual machine.
  • Mutual authorization between digital certificates may also be required.
  • For example, resources under digital certificate #1 may need to be assigned to digital certificate #2 for resource sharing.
  • the cloud resource management device is accessed by using a digital certificate, and different digital certificates have different roles, and different operations can be performed, so that decentralized domain management can be implemented.
  • FIG. 6 is a schematic flowchart of a method according to a fourth embodiment of the present invention. This embodiment uses an example of assigning a virtual machine under a digital certificate to another digital certificate as an example. Referring to FIG. 6, this embodiment includes:
  • Step 61 The user equipment obtains a digital certificate.
  • For details, see step 51.
  • Step 62 The user equipment sends a first message for operating on the resource to the cloud resource management device through the virtual machine desktop, where the first message carries the digital certificate and the requested operation.
  • In this embodiment, the digital certificate acquired by the user equipment is certificate #1, and the requested operation is to allocate the virtual machine corresponding to certificate #1 to certificate #2 for use.
  • Step 63 The cloud resource management device authenticates the first message.
  • Step 64 The cloud resource management device acquires an operation list corresponding to the digital certificate from the UPF.
  • For details of steps 63-64, refer to steps 53-54.
  • Step 65 If the requested operation belongs to the operation list, allow operations on the request, such as allocating a virtual machine. When the virtual machine is allocated, the correspondence between the resource and the certificate ID may be added in the cloud resource management device.
  • In this embodiment, the cloud resource management device assigns the virtual machine corresponding to certificate #1 to certificate #2.
  • Step 66 The cloud resource management device updates the correspondence between the digital certificate and the virtual machine.
  • Originally virtual machine #1 corresponded only to certificate #1; after the above processing, the certificates corresponding to virtual machine #1 include both certificate #1 and certificate #2.
  • Thereafter certificate #2 may have operation authority over the resource belonging to certificate #1; for example, virtual machine #1 may be operated by using certificate #2, as described in the next embodiment.
  • the cloud resource management device is accessed by using a digital certificate, and different digital certificates have different roles, and different operations can be performed, so that decentralized domain management can be implemented.
  • resource sharing can be realized by allocating resources under one digital certificate to another digital certificate.
  • FIG. 7 is a schematic flowchart of a method according to a fifth embodiment of the present invention.
  • In this embodiment, an authorized digital certificate is used to operate on the resource of the digital certificate that holds the authorizing authority.
  • The embodiment includes:
  • Step 71 The user equipment obtains a digital certificate.
  • Step 72 The user equipment sends a first message for operating the resource to the cloud resource management device by using the virtual machine desktop, where the first message carries the digital certificate and the requested operation.
  • Step 73 The cloud resource management device authenticates the first message.
  • Step 74 The cloud resource management device acquires an operation list corresponding to the digital certificate from the UPF.
  • Step 75 If the requested operation belongs to the operation list, allow the operation of the request, for example, restart the virtual machine.
  • Steps 71-75 are similar to steps 61-65.
  • The difference is that the digital certificate used in the embodiment shown in FIG. 6 is a digital certificate with authorizing authority (such as certificate #1), whereas the digital certificate used in this embodiment is an authorized digital certificate (such as certificate #2).
  • The operations authorized to certificate #2 can be performed on virtual machine #1 by using certificate #2; for example, certificate #2 has the right to restart the virtual machine.
  • If the requested operation is to restart the virtual machine, the virtual machine can be restarted by using certificate #2.
  • In this embodiment, resource sharing is realized by using an authorized digital certificate to access a resource belonging to a digital certificate with authorizing authority.
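The certificate-to-role-to-operation check of Steps 53-55, the certificate allocation of Step 33, the resource assignment of Steps 65-66 and the use of the shared virtual machine in Step 75, as an added Python example that is not part of the patent. The Table 3 field names, the extra "assign" and "restart" permissions, and the three sample users are assumptions; the patent only states that Tables 1-3 exist and names the admin, operation and guest roles.

```python
# Added example, not the patent's code: the Step 33 certificate allocation,
# the Steps 53-55 certificate -> role -> operation check, the Steps 65-66
# resource assignment and the Step 75 use of a shared virtual machine.
import secrets
import time

# Table 1 (PriInfo): permission ID -> operation name (layout assumed; "assign"
# and "restart" are added so the FIG. 6 / FIG. 7 requests can be modelled).
PRI_INFO = {1: "create", 2: "delete", 3: "modify", 4: "view",
            5: "assign", 6: "restart"}

# Table 2 (RoleInfo): role ID -> (role name, permission IDs). admin does
# everything, operation modifies and views (restart assumed to be a
# modification), guest only views, as the FIG. 3 embodiment states.
ROLE_INFO = {
    1: ("admin", {1, 2, 3, 4, 5, 6}),
    2: ("operation", {3, 4, 6}),
    3: ("guest", {4}),
}


class UPF:
    """User Profile Function: allocates certificates and keeps Table 3 (UserInfo)."""

    def __init__(self):
        self.user_info = {}   # certificate ID -> {owner, role_id, created, status}

    def register(self, user_id, role_id):
        """Step 33: allocate a random certificate that no other role already holds."""
        if role_id not in ROLE_INFO:
            raise ValueError("unknown role")
        cert_id = secrets.token_hex(8)
        while cert_id in self.user_info:          # guarantee uniqueness
            cert_id = secrets.token_hex(8)
        self.user_info[cert_id] = {"owner": user_id, "role_id": role_id,
                                   "created": time.time(), "status": "active"}
        return cert_id

    def revoke(self, cert_id):
        self.user_info[cert_id]["status"] = "inactive"   # certificate no longer valid

    def operation_list(self, cert_id):
        """Step 54: Table 3 -> role ID, Table 2 -> permission IDs, Table 1 -> names."""
        rec = self.user_info.get(cert_id)
        if rec is None or rec["status"] != "active":
            return set()                           # unknown or inactive: no operations
        _, pri_ids = ROLE_INFO[rec["role_id"]]
        return {PRI_INFO[p] for p in pri_ids}


class CloudResourceManager:
    """Cloud resource management device: authorizes and executes first messages."""

    def __init__(self, upf):
        self.upf = upf
        self.resources = {}   # resource -> set of certificate IDs associated with it

    def handle(self, cert_id, operation, resource, target_cert=None):
        """Steps 53-55 (likewise 63-66 and 73-75): check legitimacy, operation list, act."""
        if cert_id not in self.upf.user_info:
            return "reject: unknown certificate"        # Step 53 legitimacy check
        if operation not in self.upf.operation_list(cert_id):
            return "reject: operation not in list"      # Step 55 condition fails
        if operation == "create":                       # Step 56: record cert <-> VM
            self.resources[resource] = {cert_id}
            return "ok: created"
        # Any other operation needs the certificate to be associated with the
        # resource, either as its creator or through an earlier assignment.
        if cert_id not in self.resources.get(resource, set()):
            return "reject: resource not associated with certificate"
        if operation == "assign":                       # Step 66: share the VM
            if target_cert not in self.upf.user_info:
                return "reject: unknown target certificate"
            self.resources[resource].add(target_cert)
            return "ok: assigned"
        return "ok: " + operation                       # e.g. the Step 75 restart


def demo():
    """Constructed walk-through of FIG. 5, FIG. 6 and FIG. 7 with three users."""
    upf = UPF()
    crm = CloudResourceManager(upf)
    cert1 = upf.register("USER-1", 1)   # admin
    cert2 = upf.register("USER-2", 2)   # operation
    cert3 = upf.register("USER-3", 3)   # guest
    results = {
        "create_by_admin": crm.handle(cert1, "create", "VM#1"),
        "create_by_guest": crm.handle(cert3, "create", "VM#3"),
        "restart_before_share": crm.handle(cert2, "restart", "VM#1"),
        "assign_vm1_to_cert2": crm.handle(cert1, "assign", "VM#1", cert2),
        "restart_after_share": crm.handle(cert2, "restart", "VM#1"),
        "delete_by_cert2": crm.handle(cert2, "delete", "VM#1"),
        "vm1_shared_by_both": crm.resources["VM#1"] == {cert1, cert2},
    }
    upf.revoke(cert2)
    results["restart_after_revoke"] = crm.handle(cert2, "restart", "VM#1")
    return results
```

Note that an inactive certificate yields an empty operation list, so revocation in the UPF takes effect on the next request without the cloud resource management device having to forget the certificate-to-resource association.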
  • Enterprise-level application: the system is applied to an enterprise.
  • The enterprise administrator is equivalent to the USER and can apply for certificates.
  • The roles of the certificates and the functions corresponding to each certificate role can be requested by the enterprise administrator.
  • The USER can assign certificates to employees at different levels within the enterprise, who then perform the corresponding operations.
  • When personnel change or the internal structure is reorganized, only the certificate roles held by the sub-users need to be dynamically modified to complete the rights-divided and domain-divided management of the entire enterprise.
  • Home-level application: for home-level applications, resource sharing can play a bigger role. A family, as a USER, can apply for different certificate roles according to its members, so that all family members can perform operations with different permissions on the same resource. Resource sharing can be achieved between family members to maximize resource savings.
  • The embodiments of the present invention are not limited to the above applications; they can be applied to various applications and deployed in various forms to meet the needs of users.
  • Each user equipment can correspond to multiple certificates.
  • FIG. 8 is a schematic diagram of an application scenario according to an embodiment of the present invention.
  • Each user equipment can correspond to a certificate set.
  • The certificate set includes multiple certificates, and different certificates have different rights; the user equipment is, for example, an enterprise, a family, or an individual. Since certificates have different permissions, different operations can be performed when different certificates are used, so rights-divided and domain-divided management can be implemented.
  • FIG. 9 is a schematic diagram of the resource sharing before and after the resource sharing in the embodiment of the present invention.
  • Before resource sharing: the digital certificate corresponding to USER-1 is certificate #1, and the resources it can access are VM#1; the digital certificate corresponding to USER-2 is certificate #2, and the resources it can access are VM#2.
  • After certificate #2 is authorized to certificate #1: the digital certificate corresponding to USER-1 is certificate #1; the digital certificate corresponding to USER-2 is certificate #2, and the resources it can access are VM#2.
  • The digital certificate in the embodiments of the present invention can not only implement the authentication function but also, by authorizing operations and resources to the digital certificate, perform rights-divided and domain-divided management and resource sharing through the digital certificate, so that rights-divided and domain-divided operation is more reasonable.
  • By adopting a digital certificate with rights-division and domain-division functions, it is possible to complete both ordinary authentication and service authentication when processing a user request, so that the management hierarchy of the entire system is more distinct.
  • Resource sharing can avoid waste of resources in the whole system, and the overall demand for resources by users will also shrink, thereby saving resources for users while making resource operation more flexible.
  • FIG. 10 is a schematic structural diagram of a device according to a sixth embodiment of the present invention, including a receiving module 101, an obtaining module 102, and an executing module 103.
  • The receiving module 101 is configured to receive a first message sent by a user equipment for operating on a resource, where the first message carries a digital certificate and the requested operation;
  • the obtaining module 102 is configured to obtain an operation list corresponding to the digital certificate according to the correspondence between the pre-recorded digital certificate and the role and the correspondence between the role and the operation; and the executing module 103 is configured to allow the requested operation if the requested operation belongs to the operation list.
  • When the digital certificate is a digital certificate having the right to create a virtual machine and the requested operation is to create a virtual machine, the executing module is specifically configured to create a virtual machine corresponding to the digital certificate having the creation permission, and to record the correspondence between the digital certificate and the virtual machine.
  • Alternatively, the executing module is specifically configured to assign the virtual machine corresponding to the digital certificate with the assigning authority to the authorized digital certificate, and to update the recorded correspondence between the digital certificate and the resource, so that the resource corresponding to the digital certificate with authorizing authority is also associated with the authorized digital certificate, and the user equipment can operate that resource by using the authorized digital certificate.
  • Alternatively, the executing module is specifically configured to operate on the resource corresponding to the digital certificate with authorizing authority according to the authority of the authorized digital certificate.
  • A digital certificate is used when accessing a cloud resource; the digital certificate corresponds to different roles, and different roles correspond to different operations. Therefore, the digital certificate can enable different users with different rights or in different domains to perform different operations, achieving rights-divided and domain-divided management of users.
  • FIG. 11 is a schematic structural diagram of a system according to a seventh embodiment of the present invention, including a UPF 111 and a cloud management device 112.
  • the UPF 111 is configured to receive a second message sent by the user equipment for registration, where the second message carries the requested role.
  • The cloud management device 112 is configured to receive a first message sent by the user equipment for operating on a resource, where the first message carries a digital certificate and the requested operation; obtain an operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and allow the requested operation if it belongs to the operation list.
  • A digital certificate is used when accessing a cloud resource; the digital certificate corresponds to different roles, and different roles correspond to different operations. Therefore, the digital certificate can enable different users with different rights or in different domains to perform different operations, achieving rights-divided and domain-divided management of users.
  • The foregoing program may be stored in a computer-readable storage medium; when executed, the program performs the steps of the foregoing method embodiments. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

A method, device and system for implementing the resource management in the cloud computing is provided by the present invention. The method comprises: receiving a first message transmitted by a user device for performing the operation on the resource, wherein the first message carries the digital certificate and the requested operation; obtaining an operation list corresponding to the digital certificate according to the pre-recorded corresponding relationships between the digital certificate and the role and between the role and the operation; if the requested operation belongs to the operation list, allowing the requested operation. The embodiments of the present invention enable the rights-divided and domain-divided management.

Description

云计算中实现资源管理的方法、 设备及系统  Method, device and system for realizing resource management in cloud computing

本申请要求于 2010年 12月 23日提交中国专利局、 申请号为 201010604779.X、 发明名称为"云计算中实现资源管理的方法、设备及系统"的中国专利申请的优先权, 其全部内容通过引用结合在本申请中。 技术领域 本发明涉及网络通信技术, 尤其涉及一种云计算中实现资源管理的方法、设备及 系统。 背景技术 云计算网络中包括具有强大计算能力的 "云"和用户终端, 云计算的核心理念就 是通过不断提高"云"的处理能力, 进而减少用户终端的处理负担, 最终使用户终端 简化成一个单纯的输入输出设备, 并能按需享受 "云" 的强大计算处理能力。 This application claims the priority of the Chinese patent application filed on December 23, 2010, the Chinese Patent Office, the application number is 201010604779.X, and the invention is entitled "Method, Equipment and System for Realizing Resource Management in Cloud Computing". This is incorporated herein by reference. TECHNICAL FIELD The present invention relates to network communication technologies, and in particular, to a method, device, and system for implementing resource management in cloud computing. BACKGROUND A cloud computing network includes a "cloud" and a user terminal with powerful computing capabilities. The core concept of cloud computing is to continuously improve the processing power of the "cloud", thereby reducing the processing load of the user terminal, and finally simplifying the user terminal into one. Simple input and output devices, and can enjoy the powerful computing power of "cloud" on demand.

现有云计算网络中, 云网络可以为用户分配安全认证证书, 用户采用该安全认证 证书访问云网络。但是, 现有的安全认证证书只是能够对用户进行安全认证, 不能实 现分权分域管理。 发明内容  In the existing cloud computing network, the cloud network can assign a security authentication certificate to the user, and the user uses the security authentication certificate to access the cloud network. However, the existing security certificate can only perform security authentication for users and cannot implement decentralized and domain management. Summary of the invention

本发明实施例是提供一种云计算中实现资源管理的方法、设备及系统, 用以实现 云计算中对资源的分权分域管理。  The embodiments of the present invention provide a method, a device, and a system for implementing resource management in cloud computing, which are used to implement decentralized and domain-based management of resources in cloud computing.

本发明实施例提供了一种云计算中实现资源管理的方法, 包括:  The embodiment of the invention provides a method for implementing resource management in cloud computing, including:

接收用户设备发送的用于对资源进行操作的第一消息,所述第一消息中携带数字 证书及请求的操作;  Receiving, by the user equipment, a first message for operating on a resource, where the first message carries a digital certificate and an operation of the request;

根据预先记录的数字证书与角色的对应关系以及角色与操作的对应关系,获取与 所述数字证书对应的操作列表;  Acquiring an operation list corresponding to the digital certificate according to a correspondence between a pre-recorded digital certificate and a role and a correspondence between a role and an operation;

如果所述请求的操作属于所述操作列表, 则允许对所述请求的操作。  If the requested operation belongs to the operation list, then the operation on the request is allowed.

本发明实施例提供了一种云计算中实现资源管理的设备, 包括:  An embodiment of the present invention provides a device for implementing resource management in a cloud computing, including:

a receiving module, configured to receive a first message sent by a user equipment for performing an operation on a resource, the first message carrying a digital certificate and the requested operation;

an obtaining module, configured to obtain, according to a pre-recorded correspondence between digital certificates and roles and a correspondence between roles and operations, an operation list corresponding to the digital certificate;

an execution module, configured to allow the requested operation if the requested operation belongs to the operation list.

An embodiment of the present invention provides a system for implementing resource management in cloud computing, including:

a UPF, configured to receive a second message sent by a user equipment for registration, the second message carrying a requested role; allocate a digital certificate to the user equipment according to a pre-configured correspondence between roles and digital certificates, and record the correspondence between the digital certificate and the role; and send the allocated digital certificate to the user equipment so that the user equipment can request operations using the digital certificate;

a cloud management device, configured to receive a first message sent by the user equipment for performing an operation on a resource, the first message carrying a digital certificate and the requested operation; obtain, according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations, an operation list corresponding to the digital certificate; and, if the requested operation belongs to the operation list, allow the requested operation.

As can be seen from the above technical solution, embodiments of the present invention use digital certificates when accessing cloud resources. A digital certificate corresponds to a role and different roles correspond to different operations, so users with different privileges or in different regions can perform different operations through their digital certificates, which implements privilege- and domain-separated management of users.

BRIEF DESCRIPTION OF THE DRAWINGS

To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of a method according to a first embodiment of the present invention;

FIG. 2 is a schematic structural diagram of a system corresponding to a second embodiment of the present invention;

FIG. 3 is a schematic flowchart of a method corresponding to the second embodiment of the present invention;

FIG. 4 is a schematic diagram of a certificate system according to an embodiment of the present invention;

FIG. 5 is a schematic flowchart of a method according to a third embodiment of the present invention;

FIG. 6 is a schematic flowchart of a method according to a fourth embodiment of the present invention;

FIG. 7 is a schematic flowchart of a method according to a fifth embodiment of the present invention;

FIG. 8 is a schematic diagram of an application scenario according to an embodiment of the present invention;

FIG. 9 is a schematic diagram of resources before and after resource sharing according to an embodiment of the present invention;

FIG. 10 is a schematic structural diagram of a device according to a sixth embodiment of the present invention;

FIG. 11 is a schematic structural diagram of a system according to a seventh embodiment of the present invention.

DETAILED DESCRIPTION

To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on these embodiments without creative effort fall within the protection scope of the present invention.

FIG. 1 is a schematic flowchart of a method according to a first embodiment of the present invention, including:

Step 11: A system for implementing resource management in cloud computing receives a first message sent by a user equipment for performing an operation on a resource, the first message carrying a digital certificate and the requested operation.

Step 12: The system obtains, according to a pre-recorded correspondence between digital certificates and roles and a correspondence between roles and operations, an operation list corresponding to the digital certificate.

Step 13: If the requested operation belongs to the operation list, the requested operation is allowed.

In this embodiment, digital certificates are used when accessing cloud resources. A digital certificate corresponds to a role and different roles correspond to different operations, so users with different privileges or in different regions can perform different operations through their digital certificates, which implements privilege- and domain-separated management of users.

FIG. 2 is a schematic structural diagram of a system corresponding to a second embodiment of the present invention, including a user equipment (USER) 21, a Provisioning Orchestration Engine (POE) 22, a User Profile Function (UPF) entity 23, a virtual machine desktop (VDESKTOP) 24 and a cloud resource management device 25. The user equipment 21 may correspond to an enterprise, a household or an individual; for example, the terminal device used by an enterprise is treated as one user equipment. The POE 22 is the user's account-opening entry point: for example, when registering, the user equipment may send a registration message to the UPF through the POE, and the UPF completes the user registration. The UPF 23 allocates digital certificates and resources to users applying for registration and stores the correspondences between them. The virtual machine desktop 24 is the user's access interface: for example, the user equipment requests, through the virtual machine desktop, a specified operation on a specified resource from the cloud resource management device. The cloud resource management device 25 receives the message for a resource operation sent by the user equipment through the virtual machine desktop, then performs authentication with the UPF according to the information carried in the message, and allows the user equipment to perform the corresponding operation if the authentication passes.

For the specific interactions between the above devices, refer to the following method embodiments.

FIG. 3 is a schematic flowchart of a method corresponding to the second embodiment of the present invention, including:

Step 31: The user equipment sends a second message for registration to the POE, the second message carrying the requested role.

In this embodiment, to implement privilege and domain separation, different roles may be assigned to different digital certificates; different roles have different privileges, and different privileges permit different operations. For example, the roles may include admin, operation and guest, where admin may perform all operations, operation may view and modify, and guest may only view. A user holding a digital certificate corresponding to admin can therefore create, delete, modify and view; a user holding a certificate corresponding to operation can modify and view; and a user holding a certificate corresponding to guest can only view.

Step 32: The POE forwards the second message to the UPF.

Step 33: After receiving the second message, the UPF allocates a digital certificate to the user equipment and records the correspondence between the user equipment, the digital certificate and the role.

The UPF may allocate digital certificates to the different roles in a random manner; it must ensure that different roles correspond to different digital certificates.

For example, FIG. 4 is a schematic diagram of a certificate system according to an embodiment of the present invention. Referring to FIG. 4, the UPF may store a certificate system that includes an operation list (PriInfo), a role list (RoleInfo) and a user list (UserInfo). The operation list includes n operations (Pri), the role list includes n roles (Role), and the user list includes n users (User). It is understood that the numbers of operations, roles and users may differ from one another.

The composition of each operation is shown in Table 1, the composition of each role in Table 2, and the composition of each user in Table 3.

Table 1

[Table 1 (composition of an operation) is reproduced only as an image in the source and is not available here.]

Table 2

Data        Description
ROLEDESC    Role description
ROLEID      Role ID
ROLENAME    Role name
PRIVID      Privilege ID

Table 3

Data          Description
CERTCONTENT   Certificate content
CERTID        Certificate ID
CREATEDTIME   Creation time
STATUS        Certificate status
ROLEID        Role ID
RESOWNER      Resource owner

Of the three lists above, the operation list and the role list may be pre-configured, while the user list is updated continuously as user equipments apply for digital certificates. For example, when User~1 requests Role~1, the UPF may randomly allocate a digital certificate to it (one that differs from the digital certificates of the other roles) and record the ID of that certificate in the certificate ID field of Table 3. That is, assuming the digital certificate corresponding to Role~1 is Certificate~1, the Table 3 entry for User~1 has resource owner User~1, certificate ID Certificate~1 and role ID Role~1. The creation time is the time at which the digital certificate was created; the certificate content is the public/private key pair with which the user is authenticated, and may be generated at certificate creation from preset conditions (including the user name, a timestamp, etc.); the certificate status may be active or inactive, and when a certificate becomes invalid its status is set to inactive.

It is also understood that one user equipment may request multiple roles and thereby obtain multiple digital certificates, which can then be assigned to different users of that user equipment. For example, an enterprise may apply for digital certificates corresponding to different roles such as admin, operation and guest, and then assign the certificates for the different roles to different personnel.

Step 34: The UPF returns the allocated digital certificate to the user equipment through the POE.

At this point user account opening is complete, and the user equipment can request the operations it needs using the allocated digital certificate.

Step 35: The user equipment requests an operation using the allocated digital certificate.

In this embodiment, digital certificates are allocated to users, and different digital certificates have different roles and can perform different operations, so privilege- and domain-separated management can be implemented.

The following takes the operation of creating a virtual machine as an example; the specific procedure is shown in FIG. 5.

FIG. 5 is a schematic flowchart of a method according to a third embodiment of the present invention. This embodiment takes a user equipment requesting to create a virtual machine as an example. Referring to FIG. 5, the embodiment includes:

Step 51: The user equipment obtains a digital certificate. For details, see Steps 31-34.

Step 52: The user equipment sends, through the virtual machine desktop, a first message for performing an operation on a resource to the cloud resource management device, the first message carrying the digital certificate and the requested operation.

Step 53: The cloud resource management device authenticates the first message.

For example, if the first message was encrypted when sent, the cloud resource management device needs to decrypt it. The cloud resource management device may also obtain user information from the UPF and check whether the digital certificate belongs to that user equipment, to verify the legitimacy of the user. The encryption/decryption algorithm and the user legitimacy check may be implemented by conventional methods.

In particular, after the above verification, this embodiment also performs privilege verification, as follows:

Step 54: The cloud resource management device obtains the operation list corresponding to the digital certificate from the UPF.

Specifically, the role ID corresponding to the digital certificate is first obtained from Table 3, the privilege IDs corresponding to that role ID are then obtained from Table 2, and the operation names corresponding to those privilege IDs are obtained from Table 1. All operation names corresponding to the digital certificate form its operation list. For example, if the role corresponding to the digital certificate is admin, the operation list includes create, delete, modify and view; if the role is operation, the operation list includes modify and view; if the role is guest, the operation list includes only view.

Step 55: If the requested operation belongs to the operation list, the requested operation, for example creating a virtual machine, is allowed.

For example, this embodiment assumes that the digital certificate used by the user permits the create operation and that the requested operation is creating a virtual machine, so the cloud resource management device creates the virtual machine.

To further implement data sharing, this embodiment may also include:

Step 56: The cloud resource management device records the correspondence between the digital certificate and the virtual machine.

In some scenarios, mutual authorization between digital certificates may be needed, for example when the resources under Certificate~1 need to be allocated to Certificate~2 for use, so as to implement resource sharing.

In this embodiment, the cloud resource management device is accessed using digital certificates, and different digital certificates have different roles and can perform different operations, so privilege- and domain-separated management can be implemented.

FIG. 6 is a schematic flowchart of a method according to a fourth embodiment of the present invention. This embodiment takes allocating a virtual machine under one digital certificate to another digital certificate as an example. Referring to FIG. 6, the embodiment includes:

Step 61: The user equipment obtains a digital certificate.

For details, see Step 51.

Step 62: The user equipment sends, through the virtual machine desktop, a first message for performing an operation on a resource to the cloud resource management device, the first message carrying the digital certificate and the requested operation.

In this embodiment, it is assumed that the digital certificate obtained by the user equipment is Certificate~1 and that the requested operation is allocating the virtual machine corresponding to Certificate~1 to Certificate~2 for use.

Step 63: The cloud resource management device authenticates the first message.

Step 64: The cloud resource management device obtains the operation list corresponding to the digital certificate from the UPF.

For details of Steps 63-64, see Steps 53-54.

Step 65: If the requested operation belongs to the operation list, the requested operation, for example allocating a virtual machine, is allowed. Allocating the virtual machine may consist of adding a correspondence between the resource and the certificate ID in the cloud resource management device.

For example, if the operations corresponding to Certificate~1 include allocating resources, the cloud resource management device in this embodiment may allocate the virtual machine corresponding to Certificate~1 to Certificate~2.

Step 66: The cloud resource management device updates the correspondence between digital certificates and virtual machines.

For example, originally VM~1 corresponded to Certificate~1; after the above processing, the certificates corresponding to VM~1 include Certificate~1 and Certificate~2.

Through the procedure shown in FIG. 6, Certificate~2 can obtain operation privileges on the resources belonging to Certificate~1; for example, VM~1 can also be operated using Certificate~2, as described in the next embodiment.

In this embodiment, the cloud resource management device is accessed using digital certificates, and different digital certificates have different roles and can perform different operations, so privilege- and domain-separated management can be implemented. In addition, by allocating the resources under one digital certificate to another digital certificate for use, this embodiment implements resource sharing.

FIG. 7 is a schematic flowchart of a method according to a fifth embodiment of the present invention. This embodiment takes an authorized digital certificate operating on the resources of a digital certificate that has authorization privileges as an example. Referring to FIG. 7, the embodiment includes:

Step 71: The user equipment obtains a digital certificate.

Step 72: The user equipment sends, through the virtual machine desktop, a first message for performing an operation on a resource to the cloud resource management device, the first message carrying the digital certificate and the requested operation.

Step 73: The cloud resource management device authenticates the first message.

Step 74: The cloud resource management device obtains the operation list corresponding to the digital certificate from the UPF.

Step 75: If the requested operation belongs to the operation list, the requested operation, for example restarting a virtual machine, is allowed.

The specific content of Steps 71-75 is similar to that of Steps 61-65. The difference is that the digital certificate used in the embodiment shown in FIG. 6 is a digital certificate with authorization privileges (such as Certificate~1), whereas the digital certificate used in this embodiment is an authorized digital certificate (such as Certificate~2).

In addition, through the procedure shown in FIG. 6 the cloud resource management device has already updated the correspondence between resources and digital certificates, so Certificate~2 can also perform on VM~1 the operations that Certificate~2 is permitted. For example, if Certificate~2 has the privilege to restart virtual machines and the requested operation is restarting the virtual machine, then in this embodiment the virtual machine can be restarted using Certificate~2.

In this embodiment, resource sharing is implemented by using an authorized digital certificate to access the resources belonging to a digital certificate with authorization privileges.
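The three-table lookup of Step 54 (Table 3 -> Table 2 -> Table 1) together with the sharing flows of FIG. 6 and FIG. 7, as an added Python example that is not part of the patent. All table rows, the Certificate~n / VM~n names and the "assign" and "reboot" privileges are constructed sample data; the key-material check of Step 53 is out of scope and is reduced to a certificate-status check.

```python
from dataclasses import dataclass

# Table 1 (PriInfo): privilege ID -> operation name. Constructed values.
PRI_INFO = {
    "PRIV~1": "create", "PRIV~2": "delete", "PRIV~3": "modify",
    "PRIV~4": "view", "PRIV~5": "assign", "PRIV~6": "reboot",
}

# Table 2 (RoleInfo): ROLEID -> (ROLENAME, PRIVIDs). Constructed values that
# follow the patent's admin / operation / guest split; "assign" and "reboot"
# are added so the FIG. 6 and FIG. 7 flows can be exercised.
ROLE_INFO = {
    "ROLE~1": ("admin", ["PRIV~1", "PRIV~2", "PRIV~3", "PRIV~4", "PRIV~5", "PRIV~6"]),
    "ROLE~2": ("operation", ["PRIV~3", "PRIV~4", "PRIV~6"]),
    "ROLE~3": ("guest", ["PRIV~4"]),
}


@dataclass
class UserRecord:
    """One row of Table 3 (UserInfo). CERTCONTENT is omitted because the key
    pair is checked in the authentication step, not in the privilege step."""
    cert_id: str
    role_id: str
    res_owner: str
    status: str = "active"                      # STATUS: active / inactive
    created_time: str = "2010-12-23T00:00:00Z"  # CREATEDTIME (constructed)


# Table 3 (UserInfo) as held by the UPF. Constructed sample rows.
USER_INFO = {
    "Certificate~1": UserRecord("Certificate~1", "ROLE~1", "USER~1"),
    "Certificate~2": UserRecord("Certificate~2", "ROLE~2", "USER~2"),
    "Certificate~3": UserRecord("Certificate~3", "ROLE~3", "USER~2"),
    "Certificate~4": UserRecord("Certificate~4", "ROLE~1", "USER~3", status="inactive"),
}


def operation_list(cert_id: str) -> set:
    """Step 54: Table 3 gives ROLEID, Table 2 gives PRIVIDs, Table 1 gives the
    operation names. An unknown or inactive certificate gets an empty list."""
    rec = USER_INFO.get(cert_id)
    if rec is None or rec.status != "active":
        return set()
    _, priv_ids = ROLE_INFO[rec.role_id]
    return {PRI_INFO[p] for p in priv_ids}


class CloudResourceManager:
    """Cloud resource management device: holds the resource <-> certificate
    mapping of Steps 56 and 66 and enforces the operation-list check."""

    def __init__(self):
        # resource name -> set of certificate IDs associated with it
        self.resource_certs = {}

    def _permitted(self, cert_id: str, operation: str, resource: str = None) -> bool:
        # Steps 55 / 65 / 75: the operation must be in the certificate's list,
        # and for an existing resource the certificate must be mapped to it.
        if operation not in operation_list(cert_id):
            return False
        if resource is not None and cert_id not in self.resource_certs.get(resource, set()):
            return False
        return True

    def create_vm(self, cert_id: str):
        """FIG. 5: create a VM and record certificate -> VM (Step 56).
        Returns the new VM name, or None if the request is refused."""
        if not self._permitted(cert_id, "create"):
            return None
        vm = "VM~%d" % (len(self.resource_certs) + 1)
        self.resource_certs[vm] = {cert_id}
        return vm

    def assign_vm(self, cert_id: str, vm: str, target_cert: str) -> bool:
        """FIG. 6: a certificate with allocation privilege shares its VM with
        another certificate by extending the mapping (Step 66)."""
        if not self._permitted(cert_id, "assign", vm):
            return False
        if target_cert not in USER_INFO:
            return False
        self.resource_certs[vm].add(target_cert)
        return True

    def operate_vm(self, cert_id: str, vm: str, operation: str) -> bool:
        """FIG. 7: the authorized certificate acts on the shared VM, but only
        within what its own role permits."""
        return self._permitted(cert_id, operation, vm)
```

Before the assignment, Certificate~2 is refused a reboot of VM~1 even though its role includes reboot; after Certificate~1 assigns VM~1 to it, the reboot succeeds while delete is still refused, which is the privilege/resource split the embodiments describe.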

The above methods of the embodiments of the present invention may be applied in the following scenarios:

Enterprise-level application: the system is used in an enterprise, where the enterprise manager corresponds to the USER. Different certificates can be applied for on behalf of employees at different levels of the enterprise; the roles of the certificates and the operations corresponding to each certificate role may be specified by the enterprise manager and provided by the system at initialization. The USER can assign the certificates to employees at different levels, who then perform the corresponding operations. When personnel change or the internal structure of the enterprise is reorganized, the privilege and domain separation of the entire enterprise is adjusted simply by dynamically changing the certificate roles held by the sub-users.

In this way, management within the enterprise is handled entirely through certificates, which is flexible, simple and efficient. Resource sharing enables delegation of work within the enterprise: for example, if A delegates resources to B because of a business trip, B can then perform on A's resources the operations permitted by the certificate B holds.

Household-level application: for household-level applications, resource sharing plays an even larger role. Taking the household as the USER, different certificate roles can be applied for according to the users in the household, so that all members of one household can perform operations with different privileges on the same resource. Resources can be shared among family members, saving resources to the greatest extent.

Of course, the embodiments of the present invention are not limited to the above applications and can be used in various applications, providing dynamic allocation to meet users' needs.

After the method of the embodiments is applied, each user equipment may correspond to multiple certificates. For example, FIG. 8 is a schematic diagram of an application scenario according to an embodiment of the present invention. Referring to FIG. 8, each user equipment (USER) may correspond to one certificate set, which includes multiple certificates with different privileges, where the user equipment is for example an enterprise, a household or an individual. Since the certificates have different privileges, the operations that can be performed differ depending on which certificate is used, so privilege- and domain-separated management can be implemented.

In addition, the embodiments of the present invention implement resource sharing by allocating the resources under one certificate to another certificate. For example, FIG. 9 is a schematic diagram before and after resource sharing according to an embodiment of the present invention. Referring to FIG. 9, before resource sharing, USER~1 (whose digital certificate is Certificate~1) can access VM~1 and USER~2 (whose digital certificate is Certificate~2) can access VM~2; after Certificate~2 authorizes Certificate~1 to implement resource sharing, USER~1 (Certificate~1) can access VM~1 and VM~2, and USER~2 (Certificate~2) can access VM~2.

In summary, the digital certificate in the embodiments of the present invention not only implements authentication; by authorizing the digital certificate, the authorization covering both operations and resources, privilege- and domain-separated management and resource sharing can be performed through the digital certificate, which makes privilege- and domain-separated operation more reasonable. By using a digital certificate with privilege and domain separation, general authentication and service authentication can both be completed when the user's access request is received, so that the management hierarchy of the whole system is clearer. At the same time, resource sharing avoids waste of resources in the system, and the user's overall demand for resources shrinks, saving users resource costs while making resource operation more flexible.

FIG. 10 is a schematic structural diagram of a device according to a sixth embodiment of the present invention, including a receiving module 101, an obtaining module 102 and an execution module 103. The receiving module 101 is configured to receive a first message sent by a user equipment for performing an operation on a resource, the first message carrying a digital certificate and the requested operation; the obtaining module 102 is configured to obtain, according to a pre-recorded correspondence between digital certificates and roles and a correspondence between roles and operations, an operation list corresponding to the digital certificate; and the execution module 103 is configured to allow the requested operation if the requested operation belongs to the operation list.

When the digital certificate is a digital certificate with the privilege to create virtual machines and the requested operation is creating a virtual machine, the execution module is specifically configured to create a virtual machine corresponding to the digital certificate with the create privilege and to record the correspondence between the digital certificate and the virtual machine.

Alternatively, when the digital certificate is a digital certificate having the assignment right and the requested operation is to assign the virtual machine corresponding to the digital certificate having the assignment right to an authorized digital certificate, the executing module is specifically configured to assign the virtual machine corresponding to the digital certificate having the assignment right to the authorized digital certificate, and to update the recorded correspondence between digital certificates and resources so that the resource corresponding to the authorizing digital certificate is associated with the authorized digital certificate, so that a user equipment using the authorized digital certificate can operate on the resource corresponding to the authorizing digital certificate.

Alternatively, after the digital certificate having the authorization right has authorized its corresponding resource to the authorized digital certificate, the executing module is specifically configured to operate on the resource corresponding to the digital certificate having the authorization right according to the rights of the authorized digital certificate.

In this embodiment, digital certificates are used when accessing cloud resources; the digital certificates correspond to different roles, and different roles correspond to different operations. Therefore, through the digital certificate, users with different rights or in different regions can be enabled to perform different operations, implementing management of users partitioned by right and by domain.

FIG. 11 is a schematic structural diagram of a system according to the seventh embodiment of the present invention, including a UPF 111 and a cloud management device 112. The UPF 111 is configured to receive a second message, sent by a user equipment, for registration, where the second message carries the requested role; to assign a digital certificate to the user equipment according to the pre-configured correspondence between roles and digital certificates, and to record the correspondence between the digital certificate and the role; and to send the assigned digital certificate to the user equipment, so that the user equipment requests operations using the digital certificate. The cloud management device 112 is configured to receive a first message, sent by the user equipment, for operating on a resource, where the first message carries a digital certificate and the requested operation; to obtain the operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and, if the requested operation belongs to the operation list, to allow the requested operation.

In this embodiment, digital certificates are used when accessing cloud resources; the digital certificates correspond to different roles, and different roles correspond to different operations. Therefore, through the digital certificate, users with different rights or in different regions can be enabled to perform different operations, implementing management of users partitioned by right and by domain.
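As an added illustration, not code from the patent, the following Python models the UPF registration (second message) and the cloud management device's authorization of a first message described in the sixth and seventh embodiments: certificate to role, role to operation list, and the certificate to resource table that is extended when a virtual machine is assigned to another certificate. The role names, operation names, certificate serials and class names are constructed, and validation of the certificate itself (signature, validity period) is assumed to have happened before the request reaches this check.

```python
"""Added example: certificate -> role -> operation authorization with a
per-certificate resource table (constructed names, not the patent's code)."""
from itertools import count

# Constructed role table: the operation list each role is entitled to.
ROLE_OPERATIONS = {
    "domain_admin": {"create_vm", "assign_vm", "start_vm", "stop_vm"},
    "operator": {"start_vm", "stop_vm"},
}


class Upf:
    """Registration service: assigns a certificate for a requested role and
    records the certificate -> role correspondence."""

    def __init__(self):
        self.cert_role = {}          # certificate serial -> role
        self._serials = count(1)

    def register(self, requested_role):
        if requested_role not in ROLE_OPERATIONS:
            raise ValueError(f"unknown role {requested_role!r}")
        # A certificate is modelled by its serial number only; issuing and
        # later verifying the real certificate is assumed to be done by a PKI.
        serial = f"CERT-{next(self._serials):04d}"
        self.cert_role[serial] = requested_role
        return serial


class CloudManager:
    """Authorizes first messages (certificate + requested operation)."""

    def __init__(self, upf):
        self.upf = upf
        self.cert_resources = {}     # certificate serial -> set of VM ids
        self._vm_ids = count(100)

    def operation_list(self, cert):
        """Certificate -> role (from the UPF) -> operation list."""
        role = self.upf.cert_role.get(cert)
        return ROLE_OPERATIONS.get(role, set())

    def handle(self, cert, operation, vm=None, target_cert=None):
        # General check: the requested operation must be in the certificate's list.
        if operation not in self.operation_list(cert):
            return "denied: operation not authorized for certificate"
        owned = self.cert_resources.setdefault(cert, set())
        if operation == "create_vm":
            vm_id = f"vm-{next(self._vm_ids)}"
            owned.add(vm_id)         # record certificate -> virtual machine
            return vm_id
        # Every other operation targets a VM that must be associated with cert,
        # either because cert created it or because it was assigned to cert.
        if vm not in owned:
            return "denied: resource not associated with certificate"
        if operation == "assign_vm":
            if target_cert not in self.upf.cert_role:
                return "denied: target certificate unknown"
            # Update the certificate -> resource table so the authorized
            # certificate may act on the VM, limited by its own operation list.
            self.cert_resources.setdefault(target_cert, set()).add(vm)
            return f"{vm} assigned to {target_cert}"
        return f"{operation} performed on {vm}"
```

Note that after assignment the operator certificate can start or stop the shared VM but still cannot assign it further, because the second check is made against the operator's own role, as the seventh embodiment describes.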

It can be understood that the related features in the above methods and devices may be referred to with each other. In addition, "first", "second" and the like in the above embodiments are used to distinguish the embodiments and do not indicate that one embodiment is better or worse than another.

A person of ordinary skill in the art can understand that all or part of the steps of the above method embodiments may be implemented by hardware related to program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disc.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for implementing resource management in cloud computing, characterized by comprising: receiving a first message, sent by a user equipment, for operating on a resource, the first message carrying a digital certificate and a requested operation; obtaining an operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a correspondence between roles and operations; and if the requested operation belongs to the operation list, allowing the requested operation.

2. The method according to claim 1, characterized by further comprising: receiving a second message, sent by the user equipment, for registration, the second message carrying a requested role; assigning a digital certificate to the user equipment according to a pre-configured correspondence between roles and digital certificates, and recording the correspondence between the digital certificate and the role; and sending the assigned digital certificate to the user equipment, so that the user equipment requests operations using the digital certificate.

3. The method according to claim 1 or 2, characterized in that, when the digital certificate is a digital certificate having the right to create virtual machines and the requested operation is to create a virtual machine, allowing the requested operation comprises: creating a virtual machine corresponding to the digital certificate having the creation right, and recording the correspondence between the digital certificate and the virtual machine.

4. The method according to claim 1 or 2, characterized in that, when the digital certificate is a digital certificate having the assignment right and the requested operation is to assign the virtual machine corresponding to the digital certificate having the assignment right to an authorized digital certificate, allowing the requested operation comprises: assigning the virtual machine corresponding to the digital certificate having the assignment right to the authorized digital certificate; and updating the recorded correspondence between digital certificates and resources so that the resource corresponding to the authorizing digital certificate is associated with the authorized digital certificate, so that a user equipment using the authorized digital certificate can operate on the resource corresponding to the authorizing digital certificate.

5. The method according to claim 1 or 2, characterized in that, after the digital certificate having the authorization right has authorized its corresponding resource to the authorized digital certificate, allowing the requested operation comprises: operating on the resource corresponding to the digital certificate having the authorization right according to the rights of the authorized digital certificate.

6. A device for implementing resource management in cloud computing, characterized by comprising: a receiving module, configured to receive a first message, sent by a user equipment, for operating on a resource, the first message carrying a digital certificate and a requested operation; an obtaining module, configured to obtain an operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a correspondence between roles and operations; and an executing module, configured to allow the requested operation if the requested operation belongs to the operation list.

7. The device according to claim 6, characterized in that, when the digital certificate is a digital certificate having the right to create virtual machines and the requested operation is to create a virtual machine, the executing module is specifically configured to create a virtual machine corresponding to the digital certificate having the creation right, and to record the correspondence between the digital certificate and the virtual machine.

8. The device according to claim 6, characterized in that, when the digital certificate is a digital certificate having the assignment right and the requested operation is to assign the virtual machine corresponding to the digital certificate having the assignment right to an authorized digital certificate, the executing module is specifically configured to assign the virtual machine corresponding to the digital certificate having the assignment right to the authorized digital certificate, and to update the recorded correspondence between digital certificates and resources so that the resource corresponding to the authorizing digital certificate is associated with the authorized digital certificate, so that a user equipment using the authorized digital certificate can operate on the resource corresponding to the authorizing digital certificate.

9. The device according to claim 6, characterized in that, after the digital certificate having the authorization right has authorized its corresponding resource to the authorized digital certificate, the executing module is specifically configured to operate on the resource corresponding to the digital certificate having the authorization right according to the rights of the authorized digital certificate.

10. A system for implementing resource management in cloud computing, characterized by comprising: a UPF, configured to receive a second message, sent by a user equipment, for registration, the second message carrying a requested role; to assign a digital certificate to the user equipment according to a pre-configured correspondence between roles and digital certificates, and to record the correspondence between the digital certificate and the role; and to send the assigned digital certificate to the user equipment, so that the user equipment requests operations using the digital certificate; and a cloud management device, configured to receive a first message, sent by the user equipment, for operating on a resource, the first message carrying a digital certificate and a requested operation; to obtain an operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and, if the requested operation belongs to the operation list, to allow the requested operation.
PCT/CN2011/075341 2010-12-23 2011-06-03 Method, device and system for implementing resource management in cloud computing Ceased WO2011147361A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010604779.X 2010-12-23
CN 201010604779 CN102035849B (en) 2010-12-23 2010-12-23 Method, equipment and system for realizing resource management in cloud computing

Publications (1)

Publication Number Publication Date
WO2011147361A1 true WO2011147361A1 (en) 2011-12-01

Also Published As

Publication number Publication date
CN102035849B (en) 2013-12-18
CN102035849A (en) 2011-04-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11786133

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11786133

Country of ref document: EP

Kind code of ref document: A1