Access control method and device
Technical field
The present embodiments relate to the technical field of cloud resources, and in particular to an access control method and device.
Background
In cloud service scenarios, and in public cloud scenarios in particular, a new online resource pool and an old resource pool may coexist in the same cloud project. A new online resource pool is one that has just been released and has been online for a short time; an old resource pool is one that was released earlier and has been online for a longer time. A new online resource pool usually needs to be maintained for several months as a friendly-user test phase. During the friendly-user test phase of a new online resource pool, all users can access the old resource pool, but only selected friendly users are allowed to access the resources of the new online resource pool. In this way, any problems that are exposed are kept within the scope of the friendly users, preventing the risk from spreading; the new online resource pool can be rectified and improved based on the exposed problems and the feedback of the friendly users; and the usage experience of the friendly users is protected from interference by other users.
In practice, an identity and access management (IAM) server is usually responsible for the uniform registration and identity authentication of all users for all new and old resource pools requested in the same cloud project. As a result, non-friendly users can also access the new online resource pool, which severely interferes with risk control and with the use of the friendly users.
One existing solution is to configure an Internet Protocol (IP) address white list on the firewall at the boundary of the console of the new online resource pool, so that only friendly users are allowed to access the new online resource pool. However, this approach imposes a strict restriction on IP addresses: a friendly user can access the new online resource pool only from a terminal with a specified IP address and cannot access it from any other IP address; moreover, if the IP address changes, the firewall needs to be reconfigured, which results in a poor usage experience for the user.
Summary of the invention
The embodiments of the present invention provide an access control method and device that allow a friendly user to access the new online resource pool from a terminal with any IP address.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions:
In a first aspect, an embodiment of the present invention provides an access control method applied to an exclusive IAM module. One exclusive IAM module corresponds to one new online resource pool and stores the account information of the users in the friendly user group corresponding to that new online resource pool. The method includes: first, the exclusive IAM module receives first account information sent by the portal server, where the first account information is the account information of a logged-in user requesting access to the new online resource pool corresponding to the exclusive IAM module, and a logged-in user is a user who has logged in to the portal server; second, the exclusive IAM module authenticates the first account information according to the stored account information of the users in the friendly user group; then, the exclusive IAM module sends an authentication indication message to the portal server, where the authentication indication message indicates whether the first account information has passed authentication.
Because the exclusive IAM module authenticates the logged-in user according to the "account information" of the friendly user group corresponding to its new online resource pool, rather than according to the "IP address" of the user's terminal, a user in the friendly user group can, from any location, access the new online resource pool from a terminal with any IP address on the basis of the account information, without being restricted by the terminal's IP address, which improves the usage experience of the user.
In one possible design, before the first account information is authenticated according to the stored account information of the users in the friendly user group, the method further includes: the exclusive IAM module receives second account information sent by the global IAM module, where the second account information is the account information of the users in the friendly user group corresponding to the new online resource pool that corresponds to the exclusive IAM module. This is a relatively simple and convenient way of provisioning the account information of the users in the friendly user group into the exclusive IAM module.
In one possible design, when the on-line time of the new online resource pool is greater than or equal to a preset time threshold, the method further includes: the exclusive IAM module receives the account information of all users sent by the global IAM module. Since the account information of all users is then stored in the exclusive IAM module, it can authenticate all logged-in users requesting access to its corresponding new online resource pool.
In a second aspect, an embodiment of the present invention provides an access control method applied to a global IAM module. The global IAM module stores the registration information of all users, and the registration information includes account information. The method includes: the global IAM module receives first account information sent by the portal server, where the first account information is the account information of a logged-in user requesting access to the old resource pool; then, the global IAM module authenticates the first account information according to the stored registration information of all users. Also, for each new online resource pool, the global IAM module sends the account information of those users among all users who belong to the friendly user group corresponding to that new online resource pool to the exclusive IAM module corresponding to that new online resource pool.
Thus, the global IAM module can authenticate the account information of all logged-in users requesting access to the old resource pool. Also, because the global IAM module sends the account information of the users in the friendly user group corresponding to each new online resource pool to the corresponding exclusive IAM module, the account information of the users in the friendly user group can be provisioned into the exclusive IAM module simply and conveniently.
In one possible design, the method further includes: when the on-line time of the new online resource pool is greater than or equal to the preset time threshold, the global IAM module sends the account information of all users to the exclusive IAM module corresponding to the new online resource pool, so that the account information of all users is stored in the exclusive IAM module and all logged-in users requesting access to the new online resource pool corresponding to the exclusive IAM module can be authenticated.
In one possible design, the registration information further includes password information, and the method further includes: first, the global IAM module receives second account information and password information sent by the portal server, where the second account information and the password information are the account information and password information of a user requesting to log in to the portal server; second, the global IAM module authenticates the second account information and the password information according to the stored registration information of all users; then, the global IAM module sends an authentication indication message to the portal server, where the authentication indication message indicates whether the second account information and the password information have passed authentication. Thus, the global IAM module can authenticate the identity of every user requesting to log in to the portal server.
In a third aspect, an access control method applied to a portal server is provided. The method includes: first, after a user logs in to the portal server, the portal server instructs the terminal to display a resource pool list to the logged-in user; second, the portal server receives a new online resource pool access request sent by the terminal, where the new online resource pool access request includes the account information of the logged-in user and the identifier of the new online resource pool to be accessed; then, the portal server sends the account information of the logged-in user to the exclusive identity and access management (IAM) module corresponding to the identifier of the new online resource pool to be accessed; after that, the portal server receives a first authentication indication message sent by the exclusive IAM module, where the first authentication indication message indicates whether the account information of the logged-in user has passed authentication; finally, when the first authentication indication message indicates that authentication has passed, the logged-in user is allowed to access the new online resource pool to be accessed.
In this way, when a logged-in user wants to access a new online resource pool, the portal server can send the account information of the logged-in user to the exclusive IAM module corresponding to that new online resource pool, so that the exclusive IAM module authenticates the logged-in user according to the stored "account information" of the users in the friendly user group rather than according to the "IP address" of the user's terminal. A user in the friendly user group can therefore, from any location, access the new online resource pool from a terminal with any IP address on the basis of the account information, without being restricted by the terminal's IP address, which improves the usage experience of the user.
In one possible design, the method further includes, beforehand: first, the portal server receives a login request message sent by the terminal, where the login request message includes the account information and password information of the user requesting to log in to the portal server; second, the portal server sends the account information and password information of the user requesting to log in to the portal server to the global IAM module; then, the portal server receives a second authentication indication message sent by the global IAM module, where the second authentication indication message indicates whether the account information and password information of the user requesting to log in to the portal server have passed authentication; then, if the second authentication indication message indicates that authentication has passed, the portal server allows the user to log in. Thus, the global IAM module can authenticate the identity of every user requesting to log in to the portal server.
In one possible design, the portal server instructing the terminal to display the resource pool list to the logged-in user includes: when there is no new online resource pool whose on-line time is greater than or equal to the preset time threshold, the portal server instructs the terminal to display, in the resource pool list, the old resource pools and all new online resource pools whose corresponding friendly user group includes the logged-in user.
In this way, a user in the friendly user group can see and click both the new online resource pool and the old resource pool at the terminal, and so request access to either. A user not in the friendly user group can see and click only the old resource pool at the terminal and cannot see the new online resource pool, so cannot request access to it; the exclusive IAM module corresponding to the new online resource pool therefore never has to authenticate the account information of users outside the friendly user group, which reduces the workload of the exclusive IAM module.
In one possible design, when there is a new online resource pool whose on-line time is greater than or equal to the preset time threshold, the portal server instructs the terminal to display, in the resource pool list, the old resource pools, all new online resource pools whose on-line time is greater than or equal to the preset time threshold, and, among the new online resource pools whose on-line time is less than the preset time threshold, all those whose corresponding friendly user group includes the logged-in user. Thus, once a new online resource pool has passed the friendly-user test phase, it is opened to all users rather than only to the users in the friendly user group.
In one possible design, the method further includes: the portal server receives an old resource pool access request sent by the terminal, where the old resource pool access request includes the account information of the logged-in user and the identifier of the old resource pool to be accessed; then, the portal server sends the account information of the logged-in user to the global IAM module, so that the global IAM module authenticates the account information of the logged-in user requesting access to the old resource pool.
In another aspect, an embodiment of the present invention provides a system that includes a device capable of implementing the function of the exclusive IAM module of the above aspects, a device capable of implementing the function of the global IAM module, and a device capable of implementing the function of the portal server.
In another aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above exclusive IAM module, which include the program designed to execute the above aspects.
In another aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above global IAM module, which include the program designed to execute the above aspects.
In another aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above portal server, which include the program designed to execute the above aspects.
Compared with the prior art, in the solution provided by the embodiments of the present invention the exclusive IAM module authenticates the logged-in user according to the stored account information of the users in the friendly user group rather than according to "IP address", so that a user in the friendly user group can, from any location, access the new online resource pool from a terminal with any IP address on the basis of the account information, which improves the usage experience of the user.
For ease of understanding, exemplary explanations of some concepts related to the present invention are given below for reference:
Portal website: an application system that leads to a certain class of comprehensive Internet information resources and provides related information services; it is the website managed by the portal server.
Resource pool: in the embodiments of the present invention, a pool of cloud resources in a cloud service scenario, that is, a set of multiple cloud resources. The cloud resources here may include cloud computing resources, cloud storage resources and the like, and the cloud resources in a resource pool are usually carried by multiple physical carrier devices.
Single sign-on: among multiple application systems, a user only needs to log in once to access all mutually trusting application systems.
Console: a framework for storage and management tools, including files and other containers, web pages and other management items. The console has windows that provide a console tree view and views of the management attributes, services and events arising from the items in the console tree.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required in the embodiments or in the description of the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.
Fig. 1 is a kind of basic framework schematic diagram of access control system provided in an embodiment of the present invention;
Fig. 2 is a kind of basic framework schematic diagram of improved access control system provided in an embodiment of the present invention;
Fig. 3 is a kind of access control method flow chart provided in an embodiment of the present invention;
Fig. 4 is another access control method flow chart provided in an embodiment of the present invention;
Fig. 5 is a flow chart of a method by which a portal server instructs a terminal to display a resource pool list, provided in an embodiment of the present invention;
Fig. 6 A is a kind of terminal display interface schematic diagram provided in an embodiment of the present invention;
Fig. 6 B is another terminal display interface schematic diagram provided in an embodiment of the present invention;
Fig. 7 is another access control method flow chart provided in an embodiment of the present invention;
Fig. 8 is another access control method flow chart provided in an embodiment of the present invention;
Fig. 9 is a kind of structural schematic diagram of exclusive IAM module provided in an embodiment of the present invention;
Figure 10 is a structural schematic diagram of a global IAM module provided in an embodiment of the present invention;
Figure 11 is a kind of structural schematic diagram of portal server provided in an embodiment of the present invention;
Figure 12 A is the structural schematic diagram of the exclusive IAM module of another kind provided in an embodiment of the present invention;
Figure 12 B is the structural schematic diagram of the exclusive IAM module of another kind provided in an embodiment of the present invention;
Figure 13 A is the structural schematic diagram of another global IAM module provided in an embodiment of the present invention;
Figure 13 B is the structural schematic diagram of another global IAM module provided in an embodiment of the present invention;
Figure 14 A is the structural schematic diagram of another portal server provided in an embodiment of the present invention;
Figure 14 B is the structural schematic diagram of another portal server provided in an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
Fig. 1 shows the basic architecture of a resource pool access control system in a cloud service scenario. The resource pool access control system includes terminals, a portal server, an access control apparatus, firewalls, consoles and physical carrier devices. The portal server can be connected to at least one terminal to receive login requests or resource pool access requests sent by users through the terminals; the portal server is also connected to the access control apparatus, to which it sends the identity information of the user carried in a login request or resource pool access request for authentication; the portal server can also be connected to multiple consoles, each console corresponding to one resource pool, and redirects a user's resource pool access request to the console corresponding to the requested resource pool so that the requested resource pool can be accessed; each console can be connected to at least one physical carrier device, which carries the resource pool corresponding to that console. Specifically, the access control apparatus here may be an IAM server, and the terminal may be a physical device such as a computer, mobile phone or iPad. As shown in Fig. 1, multiple resource pools can exist simultaneously in one cloud project, and different resource pools can be located in different geographical locations such as Beijing, Shanghai and Shenzhen. The resource pools here may include multiple old resource pools released earlier and multiple new online resource pools just released. A user can access all resource pools in the cloud project by single sign-on to the portal server at a terminal, that is, by logging in to the portal website.
In the prior art, an IP address white list is configured on the firewall at the boundary of the console corresponding to the new online resource pool shown in Fig. 1, so that only users in the friendly user group are allowed to access the new online resource pool during its friendly-user test phase. This approach imposes a strict restriction on IP addresses: a user in the friendly user group can access the new online resource pool only from the terminal corresponding to an IP address specified in the white list and cannot access it from a terminal with any other IP address, which degrades the user experience.
In view of the above problems, an embodiment of the present invention proposes an improved access control system whose basic architecture is shown in Fig. 2. Compared with the architecture shown in Fig. 1, in the architecture shown in Fig. 2 the access control apparatus includes a global IAM module and at least one exclusive IAM module; the different IAM modules may be deployed on different physical devices or integrated in the same physical device, which is not specifically limited here. The global IAM module stores the registration information of all users, which includes identity information such as account information and password information. The global IAM module is responsible for authenticating users requesting to log in to the portal server and for authenticating users requesting access to the old resource pools. A logged-in user here is a user who has successfully logged in to the portal server. Each exclusive IAM module corresponds to one new online resource pool; for example, as shown in Fig. 2, new online resource pool 1 corresponds to exclusive IAM module 1, new online resource pool 2 corresponds to exclusive IAM module 2, and so on. An exclusive IAM module stores only the account information of the users in the friendly user group corresponding to its new online resource pool, and is responsible for authenticating the account information of logged-in users requesting access to that new online resource pool.
Because the exclusive IAM module authenticates the "account information" of a logged-in user requesting access to its new online resource pool against the stored "account information" of the users in the friendly user group corresponding to that pool, rather than authenticating the logged-in user according to "IP address", a user in the friendly user group can, from any location, access the new online resource pool from a terminal with any IP address without being restricted by IP address, which improves the usage experience of the user.
With reference to the basic architecture shown in Fig. 2, an embodiment of the present invention provides an access control method which, referring to Fig. 3, may include:
301. After a user logs in to the portal server, the portal server instructs the terminal to display a resource pool list to the logged-in user.
Here a logged-in user is a user who has logged in to the portal server, that is, to the portal website managed by the portal server. After a user successfully logs in to the portal server through a terminal and a browser, the portal server can instruct the terminal to display the resource pool list, which presents the accessible resource pools to the logged-in user.
302. The portal server receives a new online resource pool access request sent by the terminal, where the new online resource pool access request includes the account information of the logged-in user and the identifier of the new online resource pool to be accessed.
303. The portal server sends the account information of the logged-in user to the exclusive IAM module corresponding to the identifier of the new online resource pool to be accessed.
When a logged-in user requests access to a new online resource pool in the resource pool list, the logged-in user can send a new online resource pool access request to the portal server through the terminal, carrying in the request the account information of the logged-in user and the identifier of the new online resource pool to be accessed. The identifier of the new online resource pool to be accessed uniquely identifies that new online resource pool.
In steps 302-303, on receiving the new online resource pool access request sent by a logged-in user requesting access to a new online resource pool, the portal server can forward the account information of the logged-in user carried in the request to the exclusive IAM module corresponding to the identifier of the new online resource pool to be accessed.
304. After receiving the first account information sent by the portal server, the exclusive IAM module authenticates the first account information according to the stored account information of the users in the friendly user group.
Here the first account information is the account information, sent by the portal server in step 303, of the logged-in user requesting access to the new online resource pool corresponding to the exclusive IAM module. After receiving the account information of the logged-in user, the exclusive IAM module corresponding to the identifier of the new online resource pool to be accessed can authenticate the first account information against the stored account information of the users in the friendly user group.
When the logged-in user is a user in the friendly user group corresponding to the new online resource pool to be accessed, the account information of the logged-in user passes the authentication of the exclusive IAM module; when the logged-in user is a user in the non-friendly user group corresponding to the new online resource pool to be accessed, the account information of the logged-in user cannot pass the authentication of the exclusive IAM module.
305. The exclusive IAM module sends an authentication indication message to the portal server, where the authentication indication message indicates whether the first account information has passed authentication.
After the exclusive IAM module authenticates the first account information in step 304, it can send the authentication result to the portal server in an authentication indication message, to notify the portal server whether the first account information has passed authentication.
306. After receiving the first authentication indication message sent by the exclusive IAM module, the portal server allows the logged-in user to access the new online resource pool to be accessed when the first authentication indication message indicates that authentication has passed.
After receiving the first authentication indication message sent by the exclusive IAM module, the portal server allows the logged-in user to access the new online resource pool to be accessed when the message indicates that authentication has passed, and does not allow the logged-in user to access it when the message indicates that authentication has failed.
Specifically, when the portal server allows the logged-in user to access the new online resource pool to be accessed, it can redirect the new online resource pool access request sent by the logged-in user through the terminal to the console corresponding to the new online resource pool to be accessed, so that the new online resource pool is accessed through the console.
In the access control method provided by the embodiment of the present invention, the exclusive IAM module is responsible for authenticating the account information of logged-in users requesting access to its corresponding new online resource pool. When a logged-in user requests access to a new online resource pool, the exclusive IAM module corresponding to that pool can determine whether the account information of the logged-in user matches the account information of some user in the friendly user group that it stores. If it matches, the logged-in user is a user in the friendly user group, passes identity authentication, and can access the new online resource pool. If it does not match, the exclusive IAM module does not store the account information of the logged-in user, the logged-in user belongs to the non-friendly user group corresponding to the new online resource pool, and the logged-in user therefore cannot pass identity authentication and cannot access the new online resource pool.
Therefore, if the logged-in user requesting access to the new online resource pool is a user in the non-friendly user group, the account information of the logged-in user cannot pass the authentication of the exclusive IAM module, so the new online resource pool cannot be accessed; and when the logged-in user requesting access to the new online resource pool is a user in the friendly user group, the account information of the logged-in user can pass the authentication of the exclusive IAM module, so the new online resource pool can be accessed. Thus, when a problem occurs in the services, functions or operating system provided by the new online resource pool, the exposed problem can be kept within the scope of the friendly users, preventing the risk from spreading; the new online resource pool can be rectified based on the exposed problems and the feedback of the friendly users; and the usage experience of the friendly users is protected from interference by non-friendly users.
Also, because the exclusive IAM module authenticates logged-in users according to "account information" rather than according to "IP address", a user in the friendly user group can, from any location, access the new online resource pool from a terminal with any IP address on the basis of the account information, which achieves the effect of an "account white list" without the restriction of a terminal IP address; even if the IP address of the terminal changes, the normal access of users in the friendly user group to the new online resource pool is not affected, which improves the usage experience of the user.
It should be noted that, in the embodiments of the present invention, the account information of the users in the friendly user group corresponding to the new online resource pool, as saved in the exclusive IAM module, may be preset, or may be sent to the exclusive IAM module by the global IAM module or by another device; this is not specifically limited here.
Optionally, referring to Fig. 4, before step 304 above, the method may further include:
307, the global IAM module sends, to the exclusive IAM module corresponding to each new online resource pool, the account information of those users among all users who are in the friendly user group corresponding to that new online resource pool.
Since the global IAM module holds the registration information of all users, and the registration information includes account information, the global IAM module can send the account information of the users in the friendly user group corresponding to a new online resource pool to the exclusive IAM module; this is a simple and convenient approach.
Corresponding to step 307, the exclusive IAM module receives the "second account information" sent by the global IAM module. Here, the "second account information" is the account information, sent by the global IAM module in step 307, of the users in the friendly user group corresponding to the new online resource pool that corresponds to the exclusive IAM module. After receiving and saving the second account information sent by the global IAM module, the exclusive IAM module can authenticate the account information of a logged-in user requesting access to the new online resource pool according to the saved account information of the users in the friendly user group.
Specifically, in step 301 above, the portal server instructing the terminal to display the resource pool list to the logged-in user may include step 3011 and step 3012 shown in Fig. 5:
3011, when there is no new online resource pool whose on-line time is greater than or equal to the preset time threshold, the portal server instructs the terminal to display to the logged-in user, in the resource pool list, all old resource pools and all new online resource pools whose corresponding friendly user group includes the logged-in user.
The preset time threshold may be the preset duration of the friendly user test phase. When there is no new online resource pool whose on-line time is greater than or equal to the preset time threshold, every new online resource pool is still within its friendly user test phase; at this time the logged-in user can be shown all old resource pools and all new online resource pools whose corresponding friendly user group includes the logged-in user. In this way, a user in a friendly user group can see and click at the terminal the corresponding new online resource pools and the old resource pools, so as to request access to them. A user who is not in the friendly user group can only see and click the old resource pools at the terminal and cannot see the new online resource pool, so it cannot request or access the new online resource pool; consequently the exclusive IAM module corresponding to the new online resource pool never has to authenticate the account information of users in the non-friendly user group, which reduces the workload of the exclusive IAM module.
For example, if user 1 is a user in the friendly user group corresponding to new online resource pool 1 (the Shanghai resource pool) shown in Fig. 2, but not a user in the friendly user group corresponding to new online resource pool 2 (the Beijing resource pool) in Fig. 2, then, referring to the terminal display interface shown in Fig. 6A, after user 1 logs in to the portal server through the terminal, new online resource pool 1 (the Shanghai resource pool) and all old resource pools are visible in the resource pool list displayed by the terminal, but new online resource pool 2 (the Beijing resource pool) is not. User 1 can click a resource pool displayed by the terminal in order to access it.
In addition, when there is no new online resource pool whose on-line time is greater than or equal to the preset time threshold, the portal server may instead instruct the terminal to display all resource pools to the logged-in user in the resource pool list; if the logged-in user is not a user in the friendly user group corresponding to a certain new online resource pool, that new online resource pool is displayed in a manner different from the other resource pools and does not respond when clicked. In this way, although a user in the non-friendly user group can see the new online resource pool at the terminal, it cannot request or access it.
For example, referring to Fig. 6B, after user 1 logs in through the terminal, all resource pools shown in Fig. 2 can be seen at the terminal, but the icon of new online resource pool 2 (the Beijing resource pool) is displayed in a form different from the icons of the other resource pools and does not respond when clicked; user 1 cannot access the resources in new online resource pool 2.
3012, when there is a new online resource pool whose on-line time is greater than or equal to the preset time threshold, the portal server instructs the terminal to display to the logged-in user, in the resource pool list, all old resource pools, all new online resource pools whose on-line time is greater than or equal to the preset time threshold, and, among the new online resource pools whose on-line time is less than the preset time threshold, all those whose corresponding friendly user group includes the logged-in user.
When the on-line time of a new online resource pool is greater than or equal to the preset time threshold, the new online resource pool has passed the friendly user test phase, and the services, functions, operating system and so on that it provides have stabilized; at this time the new online resource pool can be opened to all users, not only to the users in the friendly user group. The portal server can therefore instruct the terminal to display to the logged-in user, in the resource pool list, all old resource pools, all new online resource pools whose on-line time is greater than or equal to the preset time threshold, and, among the new online resource pools whose on-line time is less than the preset time threshold, all those whose corresponding friendly user group includes the logged-in user.
Further, when the on-line time of a new online resource pool is greater than or equal to the preset time threshold, the method may further include: the global IAM module sends the account information of all users to the exclusive IAM module corresponding to the new online resource pool.
In this way, the exclusive IAM module corresponding to a new online resource pool whose on-line time is greater than or equal to the preset time threshold holds the account information of all users. When a logged-in user requests access to that new online resource pool, regardless of whether the logged-in user is a user in the friendly user group or in the non-friendly user group, as long as the logged-in user is a registered legitimate user, its account information passes the authentication of the exclusive IAM module, and the logged-in user is allowed to access the new online resource pool.
It should be noted that, since the exclusive IAM module has already saved the account information of the users in the friendly user group corresponding to its new online resource pool, when the on-line time of the new online resource pool becomes greater than or equal to the preset time threshold, the global IAM module may send only the account information of the users in the non-friendly user group corresponding to the new online resource pool to the exclusive IAM module corresponding to that pool, so that the exclusive IAM module then holds the account information of all users.
In addition, when the on-line time of a new online resource pool is greater than or equal to the preset time threshold, if a new user registers, the global IAM module saves the registration information of the new user and synchronously sends the account information of the new user to the exclusive IAM module corresponding to that new online resource pool.
Further, referring to Fig. 7, before step 301 above, the method may further include:
701, the portal server receives a login request message sent by the terminal; the login request message includes the account information and password information of the user requesting to log in to the portal server.
702, the portal server sends the account information and password information of the user requesting to log in to the portal server to the global IAM module.
703, after receiving the second account information and password information sent by the portal server, the global IAM module authenticates the second account information and password information according to the saved registration information of all users.
Here, the second account information and password information are the account information and password information, sent by the portal server in step 702, of the user requesting to log in to the portal server.
704, the global IAM module sends an authentication indication message to the portal server; the authentication indication message indicates whether the second account information and password information have passed authentication.
705, after receiving the second authentication indication message sent by the global IAM module, if the second authentication indication message indicates that authentication has passed, the portal server allows the user to log in.
Here, the "second authentication indication message" received by the portal server in step 705 is the "authentication indication message" sent by the global IAM module in step 704, which indicates whether the account information and password information of the user requesting to log in to the portal server have passed authentication.
In addition, if the second authentication indication message indicates that authentication has not passed, the portal server does not allow the user to log in.
It should be noted that, in the embodiments of the present invention, identity information such as the account information and password information of a user requesting to log in to the portal server is authenticated by the global IAM module.
Further, after step 705 above, referring to Fig. 8, the method provided in the embodiment of the present invention may further include:
801, the portal server receives an old resource pool access request sent by the terminal; the old resource pool access request includes the account information of the logged-in user and the identifier of the old resource pool to be accessed.
802, the portal server sends the account information of the logged-in user to the global IAM module.
From the identifier of the old resource pool to be accessed, the portal server determines that the logged-in user wants to access an old resource pool, and therefore sends the account information of the logged-in user to the global IAM module for authentication.
803, after receiving the first account information sent by the portal server, the global IAM module authenticates the first account information according to the saved registration information of all users.
It should be noted that, unlike the "first account information" in step 304, the "first account information" in step 803 is the account information, sent by the portal server in step 802, of the logged-in user requesting access to the old resource pool.
It can be seen that, in the embodiments of the present invention, the global IAM module is responsible for verifying the account information and password information of a logged-in user requesting to log in to the portal server and for authenticating the account information of a logged-in user requesting access to an old resource pool, whereas the exclusive IAM module specifically authenticates the account information of a logged-in user requesting access to the new online resource pool corresponding to that exclusive IAM module.
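The following is an added illustration, written for this page and not part of the patent or of any product, of the flows described above: the list display of steps 3011/3012 and the account synchronization of step 307, and the routing of login (steps 701-705), old-pool access (steps 801-803) and new-pool access (step 304) between the global IAM module and the exclusive IAM modules. The class names, the 90-day threshold, and the sample pools, users and passwords are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

TEST_PHASE_DAYS = 90  # assumed preset time threshold: length of the friendly-user test phase


@dataclass
class ResourcePool:
    pool_id: str
    is_new: bool                 # True for a newly launched pool, False for an old pool
    online_days: int = 0         # on-line time, in days
    friendly_users: Set[str] = field(default_factory=set)

    def in_test_phase(self) -> bool:
        return self.is_new and self.online_days < TEST_PHASE_DAYS


class ExclusiveIAM:
    """One per new pool; authenticates only against the accounts it was given (step 304).
    This is an account whitelist, so the terminal's IP address plays no part."""

    def __init__(self) -> None:
        self._accounts: Set[str] = set()

    def save_accounts(self, accounts: Set[str]) -> None:
        self._accounts |= set(accounts)

    def authenticate(self, account: str) -> bool:
        return account in self._accounts


class GlobalIAM:
    """Holds the registration information of all users (portal login, steps 701-705,
    and old-pool access, steps 801-803) and feeds the exclusive IAM modules (step 307)."""

    def __init__(self, registrations: Dict[str, str], pools: Dict[str, ResourcePool],
                 exclusive: Dict[str, ExclusiveIAM]) -> None:
        self._reg = dict(registrations)  # account -> password (constructed; real systems store hashes)
        self._pools, self._exclusive = pools, exclusive

    def authenticate_login(self, account: str, password: str) -> bool:
        return self._reg.get(account) == password

    def authenticate_account(self, account: str) -> bool:
        return account in self._reg

    def sync_pool(self, pool_id: str) -> None:
        """Push the friendly-user accounts of a pool in test to its exclusive IAM; once the
        pool's on-line time reaches the threshold, push every registered account instead."""
        pool = self._pools[pool_id]
        accounts = pool.friendly_users if pool.in_test_phase() else set(self._reg)
        self._exclusive[pool_id].save_accounts(accounts)

    def register(self, account: str, password: str) -> None:
        """A user registering after a pool left its test phase is synced to that pool."""
        self._reg[account] = password
        for pool_id, pool in self._pools.items():
            if pool.is_new and not pool.in_test_phase():
                self._exclusive[pool_id].save_accounts({account})


class PortalServer:
    def __init__(self, global_iam: GlobalIAM, pools: Dict[str, ResourcePool],
                 exclusive: Dict[str, ExclusiveIAM]) -> None:
        self._global, self._pools, self._exclusive = global_iam, pools, exclusive

    def login(self, account: str, password: str) -> bool:
        return self._global.authenticate_login(account, password)   # steps 702-705

    def visible_pools(self, account: str) -> List[str]:
        """Steps 3011/3012 as one rule: old pools, new pools past the test phase, and
        new pools still in test only when the user is in their friendly user group."""
        return [pid for pid, p in self._pools.items()
                if not p.in_test_phase() or account in p.friendly_users]

    def request_access(self, account: str, pool_id: str) -> bool:
        """Old pools are authenticated by the global IAM (step 802); a new pool's request
        goes to that pool's exclusive IAM (step 304)."""
        if pool_id not in self.visible_pools(account):
            return False  # not shown to this user, so no request can be made
        if not self._pools[pool_id].is_new:
            return self._global.authenticate_account(account)
        return self._exclusive[pool_id].authenticate(account)


def build_demo():
    """Constructed sample (cf. Fig. 2 and Fig. 6A): user1 is in the friendly user group of
    the Shanghai pool only; all pool names, users and passwords are invented."""
    pools = {
        "old_pool": ResourcePool("old_pool", is_new=False, online_days=400),
        "shanghai_new": ResourcePool("shanghai_new", True, 10, {"user1"}),
        "beijing_new": ResourcePool("beijing_new", True, 20, {"user3"}),
    }
    exclusive = {pid: ExclusiveIAM() for pid, p in pools.items() if p.is_new}
    global_iam = GlobalIAM({"user1": "pw1", "user2": "pw2", "user3": "pw3"}, pools, exclusive)
    for pid in exclusive:
        global_iam.sync_pool(pid)
    return global_iam, PortalServer(global_iam, pools, exclusive), pools
```

Advancing `online_days` of a pool past the threshold and calling `sync_pool` again reproduces the opening of a pool to all users described above.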
It should be noted that the global IAM module and each exclusive IAM module may be deployed in different physical devices; when an exclusive IAM module is located in the same geographic location as its corresponding resource pool, the access control delay experienced by the user can be reduced, which improves the user experience. For example, the exclusive IAM module corresponding to the Shanghai resource pool may be deployed in Shanghai, and the exclusive IAM module corresponding to the Beijing resource pool may be deployed in Beijing. Of course, the global IAM module and all exclusive IAM modules may also be integrated in a single physical device; this is not specifically limited here.
As shown in Fig. 9, an embodiment of the present invention provides a schematic structural diagram of an exclusive IAM module 900. The exclusive IAM module 900 may include: a receiving unit 901, configured to receive first account information sent by the portal server, the first account information being the account information of a logged-in user requesting access to the new online resource pool corresponding to the exclusive IAM module, and the logged-in user being a user who has logged in to the portal server; an authentication unit 902, configured to authenticate the first account information according to the saved account information of the users in the friendly user group; and a sending unit 903, configured to send an authentication indication message to the portal server, the authentication indication message indicating whether the first account information has passed authentication.
Further, the device shown in Fig. 9 may be used to perform any process performed by the exclusive IAM module in the above method flow.
As shown in Fig. 10, an embodiment of the present invention provides a schematic structural diagram of a global IAM module 1000. The global IAM module 1000 may include: a receiving unit 1001, configured to receive first account information sent by the portal server, the first account information being the account information of a logged-in user requesting access to an old resource pool; an authentication unit 1002, configured to authenticate the first account information according to the saved registration information of all users; and a sending unit 1003, configured to send, to the exclusive IAM module corresponding to each new online resource pool, the account information of those users among all users who are in the friendly user group corresponding to that new online resource pool.
Further, the device shown in Fig. 10 may be used to perform any process performed by the global IAM module in the above method flow.
As shown in Fig. 11, an embodiment of the present invention provides a schematic structural diagram of a portal server 1100. The portal server 1100 may include: an indicating unit 1101, configured to instruct the terminal, after a user logs in to the portal server, to display a resource pool list to the logged-in user; a receiving unit 1102, configured to receive a new online resource pool access request sent by the terminal, the new online resource pool access request including the account information of the logged-in user and the identifier of the new online resource pool to be accessed; a sending unit 1103, configured to send the account information of the logged-in user to the exclusive identity and access management (IAM) module corresponding to the identifier of the new online resource pool to be accessed; the receiving unit 1102 being further configured to receive a first authentication indication message sent by the exclusive IAM module, the first authentication indication message indicating whether the account information of the logged-in user has passed authentication; and a processing unit 1104, configured to allow the logged-in user to access the new online resource pool to be accessed when the first authentication indication message indicates that authentication has passed.
Further, the device shown in Fig. 11 may be used to perform any process performed by the portal server in the above method flow.
The solution provided in the embodiments of the present invention has been described above mainly from the perspective of the interaction between the network elements. It can be understood that, in order to implement the above functions, each network element, such as the exclusive IAM module, the global IAM module and the portal server, includes the corresponding hardware structure and/or software module for performing each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by hardware or by a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Professionals may use different methods to implement the described function for each specific application, but such implementations should not be considered to go beyond the scope of the present invention.
The embodiments of the present invention may divide the exclusive IAM module, the global IAM module, the portal server and so on into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated in one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of the present invention is schematic and is only a division by logical function; other division manners are possible in actual implementation.
In the case of integrated units, Fig. 12A shows a possible schematic structural diagram of the exclusive IAM module involved in the above embodiments. The exclusive IAM module 1200 includes a processing module 1202 and a communication module 1203. The processing module 1202 is configured to control and manage the actions of the exclusive IAM module; for example, the processing module 1202 is configured to support the exclusive IAM module in performing process 304 in Fig. 3 and Fig. 4, and/or other processes of the techniques described herein. The communication module 1203 is configured to support communication between the exclusive IAM module and other network entities, for example communication with the functional modules or network entities shown in Fig. 2, Fig. 3, Fig. 4 or Fig. 7. The exclusive IAM module may further include a storage module 1201, configured to store the program code and data of the exclusive IAM module.
The processing module 1202 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 1203 may be a communication interface, a transceiver circuit, or the like. The storage module 1201 may be a memory.
When the processing module 1202 is a processor, the communication module 1203 is a communication interface, and the storage module 1201 is a memory, the exclusive IAM module involved in the embodiments of the present invention may be the exclusive IAM module shown in Fig. 12B.
Referring to Fig. 12B, the exclusive IAM module 1210 includes a processor 1212, a communication interface 1213, a memory 1211 and a bus 1214. The communication interface 1213, the processor 1212 and the memory 1211 are connected to each other through the bus 1214. The bus 1214 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one thick line is used in Fig. 12B, but this does not mean that there is only one bus or one type of bus.
In the case of integrated units, Fig. 13A shows a possible schematic structural diagram of the global IAM module involved in the above embodiments. The global IAM module 1300 includes a processing module 1302 and a communication module 1303. The processing module 1302 is configured to control and manage the actions of the global IAM module; for example, the processing module 1302 is configured to support the global IAM module in performing process 703 in Fig. 7, processes 703 and 803 in Fig. 8, and/or other processes of the techniques described herein. The communication module 1303 is configured to support communication between the global IAM module and other network entities, for example communication with the functional modules or network entities shown in Fig. 2, Fig. 4, Fig. 7 or Fig. 8. The global IAM module may further include a storage module 1301, configured to store the program code and data of the first unit.
The processing module 1302 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 1303 may be a communication interface, a transceiver circuit, or the like. The storage module 1301 may be a memory.
When the processing module 1302 is a processor, the communication module 1303 is a communication interface, and the storage module 1301 is a memory, the global IAM module involved in the embodiments of the present invention may be the global IAM module shown in Fig. 13B.
Referring to Fig. 13B, the global IAM module 1310 includes a processor 1312, a communication interface 1313, a memory 1311 and a bus 1314. The communication interface 1313, the processor 1312 and the memory 1311 are connected to each other through the bus 1314. The bus 1314 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one thick line is used in Fig. 13B, but this does not mean that there is only one bus or one type of bus.
In the case of integrated units, Fig. 14A shows a possible schematic structural diagram of the portal server involved in the above embodiments. The portal server 1400 includes a processing module 1402 and a communication module 1403. The processing module 1402 is configured to control and manage the actions of the portal server; for example, the processing module 1402 is configured to support the portal server in performing process 306 in Fig. 3 and Fig. 4, process 306 or process 705 in Fig. 7, process 705 in Fig. 8, and/or other processes of the techniques described herein. The communication module 1403 is configured to support communication between the portal server and other network entities, for example communication with the functional modules or network entities shown in Fig. 2, Fig. 3, Fig. 4, Fig. 5, Fig. 7 or Fig. 8. The portal server may further include a storage module 1401, configured to store the program code and data of the first unit.
The processing module 1402 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 1403 may be a communication interface, a transceiver circuit, or the like. The storage module 1401 may be a memory.
When the processing module 1402 is a processor, the communication module 1403 is a communication interface, and the storage module 1401 is a memory, the portal server involved in the embodiments of the present invention may be the portal server shown in Fig. 14B.
Referring to Fig. 14B, the portal server 1410 includes a processor 1412, a communication interface 1413, a memory 1411 and a bus 1414. The communication interface 1413, the processor 1412 and the memory 1411 are connected to each other through the bus 1414. The bus 1414 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one thick line is used in Fig. 14B, but this does not mean that there is only one bus or one type of bus.
Another embodiment of the present invention provides a system whose basic structure is shown schematically in Fig. 2. The system may include at least one exclusive IAM module as shown in the figure, the global IAM module as shown in the figure, and the portal server as shown in the figure. The exclusive IAM module, the global IAM module and the portal server are configured to perform the access control method provided in the above method embodiments.
Specifically, one exclusive IAM module corresponds to one new online resource pool and holds the account information of the users in the friendly user group corresponding to the new online resource pool that corresponds to the exclusive IAM module. The exclusive IAM module may be configured to: receive first account information sent by the portal server, the first account information being the account information of a logged-in user requesting access to the new online resource pool corresponding to the exclusive IAM module, and the logged-in user being a user who has logged in to the portal server; authenticate the first account information according to the saved account information of the users in the friendly user group; and send an authentication indication message to the portal server, the authentication indication message indicating whether the first account information has passed authentication.
The global IAM module holds the registration information of all users, the registration information including account information, and may be configured to: receive first account information sent by the portal server, the first account information being the account information of a logged-in user requesting access to an old resource pool; authenticate the first account information according to the saved registration information of all users; and send, to the exclusive IAM module corresponding to each new online resource pool, the account information of those users among all users who are in the friendly user group corresponding to that new online resource pool.
The portal server may be configured to: after a user logs in to the portal server, instruct the terminal to display a resource pool list to the logged-in user; receive a new online resource pool access request sent by the terminal, the new online resource pool access request including the account information of the logged-in user and the identifier of the new online resource pool to be accessed; send the account information of the logged-in user to the exclusive identity and access management (IAM) module corresponding to the identifier of the new online resource pool to be accessed; receive a first authentication indication message sent by the exclusive IAM module, the first authentication indication message indicating whether the account information of the logged-in user has passed authentication; and, when the first authentication indication message indicates that authentication has passed, allow the logged-in user to access the new online resource pool to be accessed.
The steps of the method or algorithm described in connection with the disclosure of the present invention may be implemented in hardware, or may be implemented by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in a random access memory (RAM), a flash memory, a read-only memory (ROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or a storage medium of any other form known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be a component of the processor. The processor and the storage medium may be located in an ASIC. In addition, the ASIC may be located in a core network interface device. Of course, the processor and the storage medium may also exist as discrete components in the core network interface device.
Those skilled in the art will appreciate that, in one or more of the above examples, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates the transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The specific embodiments described above further describe in detail the purpose, technical solution and beneficial effects of the present invention. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit its protection scope; any modification, equivalent substitution, improvement and the like made on the basis of the technical solution of the present invention shall fall within the protection scope of the present invention.