CN106411857A - Private cloud GIS service access control method based on virtual isolation mechanism - Google Patents


Info

Publication number: CN106411857A
Authority: CN (China)
Prior art keywords: service, gis, tenant, data, access
Legal status: Granted
Application number: CN201610807010.5A
Other languages: Chinese (zh)
Other versions: CN106411857B (en)
Inventors: 葛莹, 艾斯卡尔·阿不力米提, 陈刚锐
Current assignee: Nanjing Pintu Surveying and Mapping Technology Co., Ltd.
Original assignee: Hohai University HHU

Events:
  Application filed by Hohai University HHU
  Priority to CN201610807010.5A
  Publication of CN106411857A
  Application granted
  Publication of CN106411857B
  Legal status: Active
  Anticipated expiration
Classifications

    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources (under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security)
    • G06F 21/62: Protecting access to data via a platform, e.g. using keys or access control rules (under G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data)
    • H04L 12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks)
    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (under H04L 63/00)
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities (under H04L 63/00)
    • H04L 67/52: Network services specially adapted for the location of the user terminal (under H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/50 Network services)

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a private cloud GIS service access control method based on a virtual isolation mechanism. The method comprises the following steps in order: (1) network control; (2) data isolation and access control; and (3) a cloud GIS service interface strategy. In the disclosed method, a set of security isolation, access control and communication mechanisms is applied to multi-user GIS services in a private cloud platform environment, so that the private cloud platform can process geospatial data for multiple users, the security of GIS service processing is improved, and the goal of turning geospatial data into an asset is achieved.

Description

A private cloud GIS service access control method based on a virtual isolation mechanism
Technical field
The present invention relates to private cloud computing technology for GIS, and in particular to a private cloud GIS service access control method based on a virtual isolation mechanism.
Background technology
In recent years, with the rapid development of cloud computing technology, cloud computing applications have penetrated every industry. Technology companies such as Amazon and Microsoft continually release enterprise-level cloud computing services to meet the business needs of users. The GIS industry is no exception: well-known GIS companies at home and abroad, such as ESRI and SuperMap, have launched cloud GIS products and services.
At present, the traditional file system and the exclusive, tightly coupled Web application server cluster model cannot meet the elastic load-balancing requirements of private cloud GIS services, so a new cloud GIS computing access control method and communication mechanism is needed. Cloud storage technology is the foundation of cloud computing applications: it integrates heterogeneous storage devices in the network through software and jointly provides data storage and business access functions to the outside (Bao Aihua et al., 2014). GIS data services mainly provide spatial analysis and geographic information sharing services to the public, which requires low latency when locating, querying or modifying data. Moreover, because geographic information data is security-sensitive, many domestic enterprises can only adopt a private cloud computing scheme.
Content of the invention
Object of the invention: The object of the invention is to overcome the deficiencies of the prior art by providing a private cloud GIS service access control method based on a virtual isolation mechanism. It is a scheme in which the multi-tenant resources of a private cloud GIS platform are virtually isolated and a workflow-based, service-oriented role-based access control model (Workflow-based and Service-oriented Role Based Access Control, WSRBAC) serves as the access control module, so that GIS data is shared together with services in a service-oriented (Service Oriented Architecture, SOA) manner. GIS resource isolation comprises network isolation and software isolation; combining the two methods first guarantees the safety of GIS data on a heterogeneous private cloud GIS platform, and second lets users access public GIS data with their role as the authority, and manage and share private GIS data.
Technical scheme: The private cloud GIS service access control method based on a virtual isolation mechanism of the present invention comprises the following steps in order:
(1) Network control: when the hardware virtualization environment is deployed in the private cloud platform environment, three mutually independent virtual network segments are established, namely the data storage segment VLANIF16, the service resource segment VLANIF18 and the user segment VLANIF20;
(2) Data isolation and access control:
(21) data between different units is strictly isolated;
(22) data shared between different organizations within the same unit is moderately isolated;
(23) private data between organizations and between tenants is strictly separated;
(24) a tenant must request use of a GIS service through a predefined interface; the service access control system on VLANIF18 verifies the request and authorizes it, and after verification the system grants the tenant a licence to use the GIS service. The tenant uses the corresponding GIS service according to the authorization information; when the GIS service has finished processing, the system returns the result to the tenant through VLANIF18. The tenant cannot directly access the IaaS layer of the private cloud platform;
(25) a tenant applies for and obtains GIS data services according to its own role, and applies for the right to use GIS application services; each time a GIS application service is processed, the system automatically allocates a temporary authority to that service, and after the service processing ends the system automatically reclaims the temporary authority;
(3) Cloud GIS service interface strategy: hardware resources, network resources, GIS data resources and GIS application resources are all provided to users in a service-oriented manner.
Further, in step (1), the three working segments VLANIF16, VLANIF18 and VLANIF20 are built on a layer-3 physical switch or a virtual switch. VLANIF16 is assigned to a distributed file server cluster, and this cluster can only be accessed from VLANIF18. Whoever wants to use the GIS data service on VLANIF16 must first obtain file access authority through the service access control system deployed on VLANIF18 before GIS data can be read and written. File access authority is obtained from the combination of the IP address predefined in the distributed file server's master configuration file core-site.xml on VLANIF16 and the access rights field access-key, which together give control of the distributed file server.
Further, step (2) is based on a role-based access control strategy;
In step (21), Organization labels of subjects and objects are combined with four classes of access control rights (private data, data shared among multiple tenants, data shared within the platform and data shared with other users), and a resource pool space is logically allocated to each tenant. Data between different tenants in the private cloud platform is strictly isolated, so that a tenant of one organization cannot gain unauthorized access to data that other organizations do not allow it to access;
In step (22), a logical combination of several security attributes is used as the resource access condition. By filtering on the resource access condition, the data stored in the private cloud platform is moderately isolated, and tenants can customize resource access control strategies according to their own security needs so as to isolate private data from different tenants;
In step (23), shared data is divided into two classes, fully shared data and partially shared data. The concept of a Virtual Organization is introduced and, combined with the formulation of a sharing policy, full sharing and partial sharing of data between tenants is realized; by defining conflict-of-interest classes, data sharing between conflicting tenants and between organizations is strictly restricted;
In step (24), the concept of a Service is introduced and a service-oriented role-based access control model is proposed, which raises role-based access control from static authorization protection of resources to dynamic authorization protection of services. When a tenant requests a GIS service, the verification system on VLANIF18 verifies its legitimacy according to the tenant information and grants the right to use the GIS services of the corresponding role;
In step (25), the system can dynamically manage roles and automatically assign role levels; the role of each level is given access rights to one group of GIS services, and a tenant can apply to be upgraded from a lower-level role to a higher-level role. In addition to the role strategy, the system also controls access to GIS application services with a dynamic authorization strategy. This GIS application service access rights strategy is independent of the tenant role authority strategy: the former controls access to GIS application services, the latter controls access to hardware resources and GIS data services.
Further, the specific method of step (3) is:
(31) A self-developed service access control system is deployed on VLANIF18. This system defines REST-style interface rules for each GIS service so that tenants can access GIS services. A tenant sends a request to use a GIS service according to the interface rules; the request must be verified by the service access control system, and once the system has verified it the tenant can use the corresponding GIS service;
(32) A self-developed hardware resource operation control system is deployed on VLANIF18. This system provides hardware resources such as physical memory, virtual CPU and storage to tenants as services. A tenant applies for a hardware resource service through the control system's web client; the system administrator responds to and verifies the application at the management end of the control system, allocates the required hardware resources from the hardware resource pool after verification, and returns the description of the hardware resources to the web client for the tenant to use;
(33) A self-developed GIS application service system is deployed on VLANIF18. This system provides GIS business to tenants as services. Tenants can use GIS application services in two ways: either by directly using a single GIS application service, or by combining several single GIS application services into one business that is provided to the tenant.
Further, in step (25), the detailed process by which the dynamic authorization strategy controls access to GIS application services is: the tenant applies for the corresponding GIS data service according to the authority of the role it belongs to, then applies for the right to use the GIS application service; the system merges the GIS data service and the GIS application service into one workflow and automatically allocates processing authority to that workflow; after processing is complete, the system automatically withdraws the authority of the workflow.
Beneficial effects: The present invention designs a set of security isolation, access control and communication mechanisms for multi-tenant GIS services in a private cloud platform environment, so that the private cloud platform has the ability to process geospatial data for multiple tenants, the security of GIS service processing can be improved, and the goal of turning geospatial data into an asset is achieved.
Brief description of the drawings
Fig. 1 is a schematic diagram of the data organization method in the file server in the embodiment.
Fig. 2 is a schematic diagram of the REST service interface message in the embodiment.
Specific embodiment
The technical solution of the present invention is described in detail below, but the protection scope of the present invention is not limited to the described embodiment.
Embodiment 1:
Implementation of the network control part:
Network configuration in this embodiment takes a Huawei S5700 switch as an example. After the switch is powered on, it opens one working segment by default. Three working segments are to be established in this example, so the switch is reconfigured. The steps are as follows:
First, the switch is connected to a computer through a serial cable; the computer opens the corresponding COM serial port and configures the switch's COM serial port parameters as follows: baud rate: 9600; data bits: 8; parity: none; stop bits: 1; flow control: none.
Second, open a serial communication program on the computer and press any key to activate serial communication; after receiving the switch's response, enter the switch password. After the password is verified, "<Quidway>" appears on the computer display, indicating that the switch is ready. Now enter the following commands on the computer to create the three required working segments on the switch:
<Quidway>
<Quidway>system-view
[Quidway]interface vlanif 1016
[Quidway-Vlanif1016]ip address 192.168.16.254 255.255.255.0
[Quidway-Vlanif1016]quit
<Quidway>
<Quidway>system-view
[Quidway]interface vlanif 1018
[Quidway-Vlanif1018]ip address 192.168.18.254 255.255.255.0
[Quidway-Vlanif1018]quit
<Quidway>
<Quidway>system-view
[Quidway]interface vlanif 1020
[Quidway-Vlanif1020]ip address 192.168.20.254 255.255.255.0
[Quidway-Vlanif1020]quit
The three working segments 1016, 1018 and 1020 are established by the above set of commands.
Third, the physical ports of the switch are distributed among the three newly created working segments. The configuration method is as follows:
(1) execute the command system-view to enter the system view;
(2) execute the command interface vlanif vlan-id to enter the VLANIF interface view;
(3) execute the command ip address ip-address { mask | mask-length } to configure the primary IP address.
A concrete operation is shown below. Taking the port numbered 0/0/1 as the first network port, the configuration operation is:
<Quidway>system-view
[Quidway]vlan 1016
[Quidway-Vlan1016]quit
[Quidway]interface gigabitethernet 0/0/1
[Quidway-Gigabitethernet0/0/1]port hybrid pvid vlan 1016
[Quidway-Gigabitethernet0/0/1]port hybrid untagged vlan 1016
[Quidway-Gigabitethernet0/0/1]quit
Each physical port of the switch is assigned to its corresponding working segment by the above commands.
Implementation of the data isolation part:
Data isolation is divided into two parts. The first is isolation of raw data: raw data is hosted on the distributed file server in the private cloud platform, and operations on raw data are implemented through the distributed file server together with the file access control module in the hardware resource operation control system. The second is access control of GIS services: GIS services in the private cloud platform are hosted on GIS Server servers, and access control of services is implemented jointly by GIS Server and the service access control module in the hardware resource operation control system.
Distributed file server isolation: the distributed file server is deployed in the 1016 segment. According to the network control isolation design, the 1016 segment can only be accessed by the file access control module of the hardware resource operation control system in the 1018 segment, and user clients in the 1020 segment cannot directly access the distributed file server in the 1016 segment. The data organization in the distributed file server is shown in Fig. 1.
File access control module isolation: the file access control module is one of the components of the hardware resource operation control system in the 1018 segment and is responsible for responding to user file requests and to file requests from other programs. A user file request means that when a user in the 1020 segment requests a read or write operation on raw data in the private cloud platform, the request is first intercepted and verified by the user identity verification module of the service access control system in the 1018 segment. Only if the request passes both checks, identity legitimacy and operation validity, is it forwarded to the service access control system, which then sends an instruction allowing the distributed file system in the 1016 segment to respond to the user's request. Throughout this process the user cannot read or write the distributed file server in the 1016 segment directly, still less obtain the physical address where a file is stored; therefore a client in the 1020 segment cannot directly access the GIS resources it needs and must send a user verification request to the REST service interface of the user identity verification module in the 1018 segment. As shown in Fig. 2, the REST service interface message is as follows:
URL: http://{host}/user/generatetoken
Method: POST
Data: {username:user0606,password:ab123456}
An instantiation is as follows:
(1) The user logs in with a username and password. After login, the user's client obtains a token sent by the service access control system in the 1018 segment. The token information is transmitted in JSON form, as follows:
This is the token information the user receives after a successful login. Status indicates the login status: success is returned if the login succeeds, otherwise error. Tokenstring is an encrypted string formed from the username, two random strings and the token's validity period, encrypted at a separate location. Once the user holds the token, the username and password need not be entered again when sending other requests; the system automatically decrypts the user's token to verify the legitimacy of the user's identity. Exparetime is the time at which the token was generated. Timelong is the service validity period; the expiry time is expressed in seconds, and 1200000 indicates that the current token is valid for 20 minutes.
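The token exchange described above, written out as an added example (not code from the patent or from the platform it describes). It models the POST /user/generatetoken reply with the fields the text names (status, tokenstring, exparetime, timelong) and a verification step that later requests would pass through. The patent only says the tokenstring is an encrypted combination of the username, two random strings and the validity period; this example substitutes an HMAC tag over those values, which lets the server detect tampering and expiry without a database lookup. The secret, the user store, the field names in lower case and the choice to treat timelong as milliseconds (the unit under which 1200000 equals the 20 minutes the text states) are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"demo-secret-do-not-use"
TIMELONG_MS = 1200000  # 20 minutes, taken as milliseconds (assumption)

# Constructed credential store holding password hashes for one demo user.
USERS = {"user0606": hashlib.sha256(b"ab123456").hexdigest()}


def generate_token(username, password, now_ms=None):
    """Handle POST /user/generatetoken and return the JSON-style reply."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(username, ""), digest):
        return {"status": "error"}
    # Username plus two random strings plus validity window, as the text describes;
    # usernames are assumed not to contain ':' (the field separator).
    nonce_a, nonce_b = secrets.token_hex(8), secrets.token_hex(8)
    payload = f"{username}:{nonce_a}:{nonce_b}:{now_ms}:{TIMELONG_MS}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {
        "status": "success",
        "tokenstring": f"{payload}:{tag}",
        "exparetime": now_ms,      # generation time
        "timelong": TIMELONG_MS,   # validity period
    }


def verify_token(tokenstring, now_ms=None):
    """Return the username if the token is authentic and unexpired, else None."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    parts = tokenstring.split(":")
    if len(parts) != 6:
        return None
    username, _nonce_a, _nonce_b, issued, timelong, tag = parts
    payload = ":".join(parts[:5])
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None               # tampered or forged token
    if now_ms - int(issued) > int(timelong):
        return None               # past the 20-minute window
    return username


if __name__ == "__main__":
    reply = generate_token("user0606", "ab123456")
    print(reply["status"], verify_token(reply["tokenstring"]))
```

Every subsequent request on the 1018 segment would call verify_token on the Token query parameter and reject the call when it returns None; because the tag covers the issue time and validity period, a client cannot extend its own window by editing those fields.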
(2) After login, if the user uploads a private data file, the following request is sent:
URL: http://{host}/user/{username}/zone/{filefolder}?Token={tokenstring}
Method: POST
Data: {file:filedata,type:[number,default 0]}
Here URL is the API interface of the upload service; host is the IP address of the service access control system; username is the user name; filefolder is the user's private directory address; tokenstring is the user's token; Data is the POST parameters the user sends; file is the file the user wants to upload; type is the access right of the file: 0 means the file is private, 1 means the file is shared within the organization department, and 2 means the file is shared to the whole platform. Whether the value is 1 or 2, other users can only obtain the right to use the file; the rights to delete and change it always belong to the file's publisher.
To obtain a GIS resource in the private cloud platform, an HTTP GET request is likewise sent to the corresponding REST service interface, with the following information:
URI: http://{host}/user/{username}/getfile/{fileoid}?Token={tokenstring}
Method: GET
Here fileoid is the unique identifier of the GIS resource in the private cloud platform; it is generated automatically by the system when the file is uploaded and saved in the database. After the user sends the above request, the system verifies the user's token information; once that check passes, the system further verifies whether the user has read authority for the file fileoid. The concrete rules are as follows:
(1) if the file was uploaded by the current user, the user has read authority;
(2) if the file was uploaded by another user, its access right is set to shared within the organization department, and the current user and the uploading user are in the same organization department, the user has read authority;
(3) if the file was uploaded by another user and its access right is set to shared across the whole platform, the current user has read authority.
GIS Server isolation: GIS Server is a server with GIS functions that provides services such as maps, imagery and geoprocessing. A user obtains the right to use GIS Server through its own username and password and the role assigned to it in the private cloud platform. If the role level is low, the user only has authority to use the GIS Server of its own organization and the public GIS Server; if the role level is high, the user may additionally apply to create a private GIS Server.
(1) Using a public GIS Server: after login, the user obtains the list of GIS Servers it can use through the following API:
URL: http://{host}/user/{username}/gisserver?Token={tokenstring}
Method: GET
If the request succeeds, the user receives the list of available GIS Servers returned by the system:
Here type 1 indicates that the server is a private GIS Server and type 2 indicates that it is a public GIS Server. The user has absolute control over a private GIS Server, but only the right to use a public GIS Server, with no right to change it.
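The authorization rules stated above for files (the type field 0/1/2 of the upload request, the three read-authority rules of the getfile request, and the publisher-only delete and change rights) and for GIS Servers (type 1 private, type 2 public) are collected below in one added example. It is not code from the patent; the user and file records, the store standing in for the database, the JSON-style error replies and the rule that a private GIS Server is usable only by its owner are assumptions.

```python
from dataclasses import dataclass

# "type" values of the upload request (constructed names for the codes 0/1/2).
PRIVATE, ORG_SHARED, PLATFORM_SHARED = 0, 1, 2
# "type" values of the GIS Server list.
PRIVATE_SERVER, PUBLIC_SERVER = 1, 2


@dataclass(frozen=True)
class User:
    name: str
    org: str          # organization department


@dataclass(frozen=True)
class FileRecord:
    fileoid: str      # generated by the system at upload time
    owner: str        # uploading user (the file's publisher)
    owner_org: str    # uploader's organization department
    access_type: int  # PRIVATE / ORG_SHARED / PLATFORM_SHARED


# Constructed store standing in for the database that holds fileoid records.
FILES = {
    "f-001": FileRecord("f-001", "alice", "dept-a", PRIVATE),
    "f-002": FileRecord("f-002", "alice", "dept-a", ORG_SHARED),
    "f-003": FileRecord("f-003", "alice", "dept-a", PLATFORM_SHARED),
}


def can_read(user, rec):
    """Rules (1)-(3): owner always; org-shared only inside the same department;
    platform-shared for everyone; private for nobody else."""
    if rec.owner == user.name:
        return True
    if rec.access_type == ORG_SHARED:
        return user.org == rec.owner_org
    return rec.access_type == PLATFORM_SHARED


def can_delete_or_change(user, rec):
    """Delete and change rights always stay with the publisher, whatever the type."""
    return rec.owner == user.name


def handle_getfile(user, fileoid):
    """Authorization step of GET /user/{username}/getfile/{fileoid}, run after
    the token check has already identified `user`."""
    rec = FILES.get(fileoid)
    if rec is None:
        return {"status": "error", "reason": "unknown fileoid"}
    if not can_read(user, rec):
        return {"status": "error", "reason": "no read authority"}
    return {"status": "success", "fileoid": fileoid, "owner": rec.owner}


def server_rights(user, server):
    """type 1: full control for the owner (assumed: nobody else may use it);
    type 2: everyone may use it, nobody may change it."""
    if server["type"] == PRIVATE_SERVER:
        full = server["owner"] == user.name
        return {"use": full, "change": full}
    return {"use": True, "change": False}


if __name__ == "__main__":
    bob = User("bob", "dept-a")
    print(handle_getfile(bob, "f-001"), handle_getfile(bob, "f-002"))
```

The point of keeping can_read and can_delete_or_change separate is that the getfile handler never consults the write rule, so a later "share to platform" change on a file cannot accidentally widen who may delete it.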
Service access control module isolation: the service access control module is one of the components of the control system in the 1018 segment. Every user access request to a GIS service is verified by this component, and through it the user can also obtain the list of services and the parameters of each service. The range of GIS services a user can use includes the public GIS services provided by the private cloud platform's public GIS site, the GIS services shared within the department provided by the user's own department, and the GIS services in the private GIS site created by the user.
The process by which a user calls a private cloud platform REST interface service is as follows:
(1) The user sends a call request for a specific service according to the REST interface format:
(2) The user's request is intercepted in the 1018 segment and the token information is verified. If the token information does not match, JSON information is returned stating that the user's service call request is refused;
If the token information matches, verification passes and the user's request goes to the GIS service business module, which takes the specific service oid from the request, queries the database to obtain the service corresponding to the oid, and then lets the user connect to and query the service on the GIS Server where it is located.
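The service-call flow above, together with the dynamic authorization of step (25) (the GIS data service and GIS application service merged into one workflow that is given temporary processing authority and has it withdrawn when processing ends), as an added example that is not the patent's or the platform's own code. The user is assumed to have already passed the token check of the 1018 segment; the service catalogue, the oid names, the scope labels and the audit log are constructed for the example. It goes slightly beyond the text in one respect: the authority is also revoked when processing fails, which is the behaviour a defender wants so that a crashed workflow cannot leave a standing grant behind.

```python
import itertools

# Constructed service catalogue keyed by service oid (the identifier the REST call
# carries). scope mirrors the three ranges the text lists: the platform's public
# site, the user's own department, and the user's own private site.
SERVICES = {
    "oid-public-map":   {"scope": "platform",   "org": None,     "owner": None,  "server": "public-gis"},
    "oid-deptA-buffer": {"scope": "department", "org": "dept-a", "owner": None,  "server": "deptA-gis"},
    "oid-bob-private":  {"scope": "private",    "org": "dept-a", "owner": "bob", "server": "bob-gis"},
}


def service_in_scope(user, svc):
    """Is this service inside the range of GIS services the user may use?"""
    if svc["scope"] == "platform":
        return True
    if svc["scope"] == "department":
        return user["org"] == svc["org"]
    return svc["owner"] == user["name"]


class TemporaryAuthority:
    """Holds per-workflow processing authority and records every grant and revocation."""

    def __init__(self):
        self.active = {}            # workflow id -> set of GIS Servers it may reach
        self.log = []               # audit trail of (event, workflow id)
        self._ids = itertools.count(1)

    def grant(self, servers):
        wf_id = f"wf-{next(self._ids)}"
        self.active[wf_id] = set(servers)
        self.log.append(("grant", wf_id))
        return wf_id

    def revoke(self, wf_id):
        self.active.pop(wf_id, None)
        self.log.append(("revoke", wf_id))


def run_workflow(user, service_oids, authority, processor):
    """Resolve the requested data and application services, merge them into one
    workflow, grant it temporary authority, run it and always reclaim the authority."""
    servers = []
    for oid in service_oids:
        svc = SERVICES.get(oid)
        if svc is None:
            return {"status": "error", "reason": f"unknown service {oid}"}
        if not service_in_scope(user, svc):
            # Refused before any authority is allocated.
            return {"status": "error", "reason": f"service {oid} not in scope for {user['name']}"}
        servers.append(svc["server"])
    wf_id = authority.grant(servers)
    try:
        result = processor(servers)
    except Exception as exc:
        return {"status": "error", "reason": f"{wf_id} failed: {exc}"}
    finally:
        authority.revoke(wf_id)     # reclaimed whether processing succeeded or not
    return {"status": "success", "workflow": wf_id, "result": result}


if __name__ == "__main__":
    auth = TemporaryAuthority()
    alice = {"name": "alice", "org": "dept-a"}
    print(run_workflow(alice, ["oid-public-map", "oid-deptA-buffer"], auth, sorted))
    print(auth.log, auth.active)
```

The audit log is the detection hook: a grant with no matching revoke, or a grant for a workflow whose user is outside the scope of one of its services, is exactly the condition a defender would alert on.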

Claims (5)

1. A private cloud GIS service access control method based on a virtual isolation mechanism, characterized in that it comprises the following steps in order:
(1) Network control: when the hardware virtualization environment is deployed in the private cloud platform environment, three mutually independent virtual network segments are established, namely the data storage segment VLANIF16, the service resource segment VLANIF18 and the user segment VLANIF20;
(2) Data isolation and access control:
(21) data between different units is strictly isolated;
(22) data shared between different organizations within the same unit is moderately isolated;
(23) private data between organizations and between tenants is strictly separated;
(24) a tenant must request use of a GIS service through a predefined interface; the service access control system on VLANIF18 verifies the request and authorizes it, and after verification the system grants the tenant a licence to use the GIS service. The tenant uses the corresponding GIS service according to the authorization information; when the GIS service has finished processing, the system returns the result to the tenant through VLANIF18. The tenant cannot directly access the IaaS layer of the private cloud platform;
(25) a tenant applies for and obtains GIS data services according to its own role, and applies for the right to use GIS application services; each time a GIS application service is processed, the system automatically allocates a temporary authority to that service, and after the service processing ends the system automatically reclaims the temporary authority;
(3) Cloud GIS service interface strategy: hardware resources, network resources, GIS data resources and GIS application resources are all provided to users in a service-oriented manner.
2. The private cloud GIS service access control method based on a virtual isolation mechanism according to claim 1, characterized in that: in step (1), the three working segments VLANIF16, VLANIF18 and VLANIF20 are built on a layer-3 physical switch or a virtual switch. VLANIF16 is assigned to a distributed file server cluster, and this cluster can only be accessed from VLANIF18. Whoever wants to use the GIS data service on VLANIF16 must first obtain file access authority through the service access control system deployed on VLANIF18 before GIS data can be read and written. File access authority is obtained from the combination of the IP address predefined in the distributed file server's master configuration file core-site.xml on VLANIF16 and the access rights field access-key, which together give control of the distributed file server.
3. The private cloud GIS service access control method based on a virtual isolation mechanism according to claim 1, characterized in that: step (2) is based on a role-based access control strategy;
In step (21), Organization labels of subjects and objects are combined with four classes of access control rights (private data, data shared among multiple tenants, data shared within the platform and data shared with other users), and a resource pool space is logically allocated to each tenant. Data between different tenants in the private cloud platform is strictly isolated, so that a tenant of one organization cannot gain unauthorized access to data that other organizations do not allow it to access;
In step (22), a logical combination of several security attributes is used as the resource access condition. By filtering on the resource access condition, the data stored in the private cloud platform is moderately isolated, and tenants can customize resource access control strategies according to their own security needs so as to isolate private data from different tenants;
In step (23), shared data is divided into two classes, fully shared data and partially shared data. The concept of a Virtual Organization is introduced and, combined with the formulation of a sharing policy, full sharing and partial sharing of data between tenants is realized; by defining conflict-of-interest classes, data sharing between conflicting tenants and between organizations is strictly restricted;
In step (24), the concept of a Service is introduced and a service-oriented role-based access control model is proposed, which raises role-based access control from static authorization protection of resources to dynamic authorization protection of services. When a tenant requests a GIS service, the verification system on VLANIF18 verifies its legitimacy according to the tenant information and grants the right to use the GIS services of the corresponding role;
In step (25), the system can dynamically manage roles and automatically assign role levels; the role of each level is given access rights to one group of GIS services, and a tenant can apply to be upgraded from a lower-level role to a higher-level role. In addition to the role strategy, the system also controls access to GIS application services with a dynamic authorization strategy. This GIS application service access rights strategy is independent of the tenant role authority strategy: the former controls access to GIS application services, the latter controls access to hardware resources and GIS data services.
4. The private cloud GIS service access control method based on a virtual isolation mechanism according to claim 1, characterized in that the specific method of step (3) is:
(31) An independently developed service access control system is deployed on VLANIF18; this system defines REST-style interface rules for each GIS service so that tenants can access the GIS services; a tenant sends a request to use a GIS service through the interface rules, the request must be verified by the service access control system, and after the system verifies the request the tenant can use the corresponding GIS service;
(32) An independently developed hardware resource operation control system is deployed on VLANIF18; this system provides hardware resources such as physical memory, virtual CPUs and storage to tenants as services. A tenant applies for a hardware resource service through the Web client of the control system; the system administrator responds to and verifies the application at the management end of the control system, allocates the required hardware resources from the hardware resource pool after verification, and then returns the description information of the hardware resources to the Web client for the tenant to use;
(33) An independently developed GIS application service system is deployed on VLANIF18; this system provides GIS business functions to tenants as services. A tenant can use GIS application services in two ways: one is to use a single GIS application service directly, the other is to combine several single GIS application services into one business process, which is then provided to the tenant.
5. The private cloud GIS service access control method based on a virtual isolation mechanism according to claim 3, characterized in that, in step (25), the detailed process by which the dynamic authorization policy controls GIS application service access is: the tenant applies for the corresponding GIS data service according to the permissions of the role to which it belongs, and then applies for the right to use a GIS application service; the system merges the GIS data service and the GIS application service into a workflow and automatically assigns processing permissions to this workflow; after processing is completed, the system automatically withdraws the permissions of this workflow.
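The following is an added example, not code from the patent, that models the control logic of steps (23) to (25) and claim 5 together: conflict-of-interest classes and sharing policies between tenants, role grades that each unlock a group of GIS services, and a workflow that merges a data service with an application service, grants the application service only while the workflow runs and withdraws it afterwards. Tenant names, service names, role grades and policy entries are constructed sample values.

```python
from contextlib import contextmanager

# Role grade -> group of GIS services granted at that grade (constructed sample).
ROLE_GRADES = {
    1: {"map_view"},
    2: {"map_view", "spatial_query"},
    3: {"map_view", "spatial_query", "geoprocessing"},
}
# Conflict-of-interest classes (step 23): tenants in one class never share data.
CONFLICT_CLASSES = [{"tenantA", "tenantB"}, {"tenantC", "tenantD"}]
# Sharing policy (step 23): owner -> consumer -> "full" or "partial" (constructed).
SHARING_POLICY = {"tenantA": {"tenantC": "full", "tenantD": "partial"}}

def in_conflict(t1, t2):
    return any(t1 in c and t2 in c for c in CONFLICT_CLASSES)

def sharing_allowed(owner, consumer, mode):
    """Sharing needs an explicit policy entry and no conflict of interest."""
    if owner == consumer or in_conflict(owner, consumer):
        return False
    granted = SHARING_POLICY.get(owner, {}).get(consumer)
    return granted == "full" or granted == mode

class TenantRegistry:
    def __init__(self):
        self.roles = {}            # tenant -> role grade
        self.workflow_grants = {}  # tenant -> services granted only during a workflow

    def assign_role(self, tenant, grade):
        if grade not in ROLE_GRADES:
            raise ValueError("unknown role grade")
        self.roles[tenant] = grade

    def approve_upgrade(self, tenant):
        """Step (25): the system approves a tenant's application for the next grade."""
        self.assign_role(tenant, self.roles[tenant] + 1)

    def can_use(self, tenant, service):
        """Step (24): the role's service group plus any active workflow grant."""
        by_role = service in ROLE_GRADES.get(self.roles.get(tenant, 0), set())
        return by_role or service in self.workflow_grants.get(tenant, set())

    @contextmanager
    def workflow(self, tenant, data_service, app_service):
        """Claim 5: data service must be held by role; app service is granted only
        for the workflow's duration and withdrawn automatically on exit."""
        if not self.can_use(tenant, data_service):
            raise PermissionError(f"{tenant} may not use {data_service}")
        self.workflow_grants.setdefault(tenant, set()).add(app_service)
        try:
            yield
        finally:
            self.workflow_grants[tenant].discard(app_service)
```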
CN201610807010.5A 2016-09-07 2016-09-07 Private cloud GIS service access control method based on virtual isolation mechanism Active CN106411857B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610807010.5A CN106411857B (en) 2016-09-07 2016-09-07 Private cloud GIS service access control method based on virtual isolation mechanism

Publications (2)

Publication Number Publication Date
CN106411857A true CN106411857A (en) 2017-02-15
CN106411857B CN106411857B (en) 2019-03-29

Family

ID=57999565

Country Status (1)

Country Link
CN (1) CN106411857B (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685994A (en) * 2017-02-22 2017-05-17 河海大学 Cloud GIS (Geographic Information System) resource access control method based on GIS role grade permission
CN107819875A (en) * 2017-11-27 2018-03-20 深信服科技股份有限公司 User-exclusive service method and device under a cloud platform
CN108270858A (en) * 2018-01-15 2018-07-10 郑州云海信息技术有限公司 A kind of private cloud framework and its data processing method based on API gateway
CN108810024A (en) * 2018-07-19 2018-11-13 广东浪潮大数据研究有限公司 A kind of isolation network data transmission method, device, medium, management platform
CN108846634A (en) * 2018-05-30 2018-11-20 北京尚易德科技有限公司 A kind of case automatic authorization method and system
CN109787938A (en) * 2017-11-14 2019-05-21 中国电信股份有限公司 Realize the method, apparatus and computer readable storage medium of access virtual private cloud
CN110109731A (en) * 2019-04-19 2019-08-09 苏州浪潮智能科技有限公司 Management method and system for a virtual trusted root in a cloud environment
CN110417863A (en) * 2019-06-27 2019-11-05 华为技术有限公司 Method and apparatus for generating an identity code, and identity authentication method and device
CN110827167A (en) * 2019-09-29 2020-02-21 武汉开目信息技术股份有限公司 Product design manufacturability knowledge sharing method and device for collaborative manufacturing
CN110826101A (en) * 2019-11-05 2020-02-21 安徽数据堂科技有限公司 Privatization deployment data processing method for enterprise
CN111432024A (en) * 2020-04-09 2020-07-17 兰州聚源信息科技有限公司 Construction method of composite cloud training platform based on SCORM technology
CN112532474A (en) * 2020-11-19 2021-03-19 用友网络科技股份有限公司 Control method and device of data management system and readable storage medium
CN112637232A (en) * 2020-12-29 2021-04-09 国云科技股份有限公司 Cloud platform resource isolation framework implementation method and device supporting multiple strategies
CN115604028A (en) * 2022-11-28 2023-01-13 北京鸿迪鑫业科技有限公司(Cn) Cloud server data security protection system
CN116910015A (en) * 2023-09-12 2023-10-20 苏州浪潮智能科技有限公司 Storage platform service method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102708316A (en) * 2012-04-19 2012-10-03 北京华胜天成科技股份有限公司 Method for isolating data in multi-tenant architecture
CN102307185B (en) * 2011-06-27 2015-02-25 北京大学 Data isolation method used in storage cloud
CN103067406B (en) * 2013-01-14 2015-07-22 暨南大学 Access control system and access control method between public cloud and private cloud
CN105591863A (en) * 2014-10-20 2016-05-18 中兴通讯股份有限公司 Method and device for realizing interworking between virtual private cloud network and external network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
唐权 et al.: "Research on key technologies for building a cloud GIS platform", 《测绘与空间地理信息》 (Geomatics & Spatial Information Technology) *
曹全龙 et al.: "Research on the design scheme of a cloud GIS platform based on ArcGIS", 《测绘与空间地理信息》 (Geomatics & Spatial Information Technology) *
鲍爱华 et al.: "A secure private cloud storage system based on a virtual isolation mechanism", 《计算机科学》 (Computer Science) *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685994A (en) * 2017-02-22 2017-05-17 河海大学 Cloud GIS (Geographic Information System) resource access control method based on GIS role grade permission
CN109787938B (en) * 2017-11-14 2021-04-30 中国电信股份有限公司 Method and device for realizing access to virtual private cloud and computer readable storage medium
CN109787938A (en) * 2017-11-14 2019-05-21 中国电信股份有限公司 Realize the method, apparatus and computer readable storage medium of access virtual private cloud
CN107819875A (en) * 2017-11-27 2018-03-20 深信服科技股份有限公司 User-exclusive service method and device under a cloud platform
CN108270858A (en) * 2018-01-15 2018-07-10 郑州云海信息技术有限公司 A kind of private cloud framework and its data processing method based on API gateway
CN108846634A (en) * 2018-05-30 2018-11-20 北京尚易德科技有限公司 A kind of case automatic authorization method and system
CN108810024A (en) * 2018-07-19 2018-11-13 广东浪潮大数据研究有限公司 A kind of isolation network data transmission method, device, medium, management platform
CN110109731A (en) * 2019-04-19 2019-08-09 苏州浪潮智能科技有限公司 Management method and system for a virtual trusted root in a cloud environment
CN110417863B (en) * 2019-06-27 2021-01-29 华为技术有限公司 Method and device for generating identity identification code and method and device for authenticating identity
CN110417863A (en) * 2019-06-27 2019-11-05 华为技术有限公司 Method and apparatus for generating an identity code, and identity authentication method and device
CN110827167A (en) * 2019-09-29 2020-02-21 武汉开目信息技术股份有限公司 Product design manufacturability knowledge sharing method and device for collaborative manufacturing
CN110826101B (en) * 2019-11-05 2021-01-05 安徽数据堂科技有限公司 Privatization deployment data processing method for enterprise
CN110826101A (en) * 2019-11-05 2020-02-21 安徽数据堂科技有限公司 Privatization deployment data processing method for enterprise
CN111432024A (en) * 2020-04-09 2020-07-17 兰州聚源信息科技有限公司 Construction method of composite cloud training platform based on SCORM technology
CN112532474A (en) * 2020-11-19 2021-03-19 用友网络科技股份有限公司 Control method and device of data management system and readable storage medium
CN112637232A (en) * 2020-12-29 2021-04-09 国云科技股份有限公司 Cloud platform resource isolation framework implementation method and device supporting multiple strategies
WO2022141915A1 (en) * 2020-12-29 2022-07-07 国云科技股份有限公司 Cloud platform resource isolation framework implementation method and apparatus supporting multiple policies
CN115604028A (en) * 2022-11-28 2023-01-13 北京鸿迪鑫业科技有限公司(Cn) Cloud server data security protection system
CN116910015A (en) * 2023-09-12 2023-10-20 苏州浪潮智能科技有限公司 Storage platform service method, device, equipment and storage medium
CN116910015B (en) * 2023-09-12 2024-01-19 苏州浪潮智能科技有限公司 Storage platform service method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN106411857B (en) 2019-03-29

Similar Documents

Publication Publication Date Title
CN106411857B (en) Private cloud GIS service access control method based on virtual isolation mechanism
US10623406B2 (en) Access authentication for cloud-based shared content
US9047462B2 (en) Computer account management system and realizing method thereof
CN108293045B (en) Single sign-on identity management between local and remote systems
CN105247531B (en) Providing a managed browser
CN103312721B (en) Cloud platform access control framework and implementation method thereof
CN110472388B (en) Equipment management and control system and user permission control method thereof
CN109565511A (en) Tenant and service management for multi-tenant identity and data safety management cloud service
US20150200928A1 (en) Techniques for secure access management in virtual environments
US10397213B2 (en) Systems, methods, and software to provide access control in cloud computing environments
CN103441986A (en) Data resource security control method in thin client mode
US10148637B2 (en) Secure authentication to provide mobile access to shared network resources
CN107426152B (en) Multitask security isolation system and method in a cloud platform virtual-physical interconnection environment
CN112541190B (en) Map authority control method and control system based on unified user information
WO2009045607A1 (en) Methods and systems for user authorization
CN108111473A (en) Hybrid cloud unified management method, device and system
CN101729541B (en) Method and system for accessing resources of multi-service platform
CN107026825A (en) Method and system for accessing a big data system
DE112011102224B4 (en) Identity mediation between client and server applications
CN111274569A (en) Research, development, operation and maintenance integrated system for unified login authentication and login authentication method thereof
CN103118030A (en) Desktop cloud based identity authentication method
RU2415466C1 (en) Method of controlling identification of users of information resources of heterogeneous computer network
CN104994086B (en) Control method and device for database cluster permissions
KR20060062319A (en) Home network gateway for assigning authority and administering connection classfied by user and control method thereof
KR20070076342A (en) User Group Role / Permission Management System and Access Control Methods in a Grid Environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information
    Inventor after: Ge Ying
    Inventor before: Ge Ying
    Inventor before: AISIKAER.ABULIMITI
    Inventor before: Chen Gangrui
TR01 Transfer of patent right
    Effective date of registration: 20211227
    Address after: 200241 330, floor 3, building 2, No. 588, Zixing Road, Minhang District, Shanghai
    Patentee after: Shanghai Nongsheng Intelligent Technology Co.,Ltd.
    Address before: No.8, Fucheng West Road, Jiangning Development Zone, Nanjing, Jiangsu Province
    Patentee before: HOHAI University
TR01 Transfer of patent right
    Effective date of registration: 20240329
    Address after: Room 05, 12th Floor, Building D2, No. 32 Dazhou Road, Yuhuatai District, Nanjing City, Jiangsu Province, 210000
    Patentee after: Nanjing Pintu Surveying and Mapping Technology Co.,Ltd.
    Country or region after: China
    Address before: 200241 330, floor 3, building 2, No. 588, Zixing Road, Minhang District, Shanghai
    Patentee before: Shanghai Nongsheng Intelligent Technology Co.,Ltd.
    Country or region before: China