CN109150863B - Desktop cloud access control method and device and desktop cloud terminal equipment - Google Patents

Info

Publication number
CN109150863B
Authority
CN
China
Prior art keywords
desktop cloud
usbkey
virtual machine
login module
desktop
Prior art date
Legal status
Active
Application number
CN201810882540.5A
Other languages
Chinese (zh)
Other versions
CN109150863A (en)
Inventor
刘新保
Current Assignee
Shenzhen Huawei Cloud Computing Technology Co ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201810882540.5A
Publication of CN109150863A
Application granted
Publication of CN109150863B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a desktop cloud access control method, a desktop cloud access control apparatus and a desktop cloud terminal device. The method comprises the following steps: a security login module of the desktop cloud detects a USBKey removal event, where the USBKey removal event indicates that the USBKey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device; the security login module determines that the USBKey has been mapped to the virtual machine providing the desktop cloud; and the security login module controls the desktop cloud to be in an accessible state in which it can be accessed by the desktop cloud user. With this method, the security login module can determine from the recorded state of the USBKey that the USBKey removal event was triggered by mapping the USBKey to the virtual machine, and therefore keeps the desktop cloud in the accessible state, which improves the user experience.

Description

Desktop cloud access control method and device and desktop cloud terminal equipment
Technical Field
The present application relates to the field of information technology, and in particular, to a desktop cloud access control method and apparatus, and a desktop cloud terminal device.
Background
A desktop cloud is a virtual desktop application based on a cloud computing platform: the software and hardware are deployed on the cloud platform, so that a user can access cross-platform application programs and an entire client desktop through a Thin Client (TC) or any other device connected to the network. Desktop clouds can replace traditional Personal Computers (PCs) for office work. At present, desktop clouds are also widely used in industries with higher security requirements, such as government, the military and banking, and to meet the security requirements of these industries a user needs to use a USBKey for identity authentication when logging in to the desktop cloud.
When logging in to the desktop cloud through the USBKey, the USBKey needs to be mapped from the desktop cloud client to the virtual machine providing the desktop cloud, so that identity authentication can be performed there and the authority to access the virtual machine obtained; the desktop cloud is then accessed by accessing the virtual machine.
However, during login the USBKey must be mapped from the desktop cloud client to the virtual machine in order to obtain the right to access the virtual machine, and at that moment the desktop cloud client can no longer detect the USBKey. The client therefore considers the USBKey to have been removed and controls the desktop cloud into the access prohibition state, so that the desktop cloud user can no longer access the desktop cloud through the client.
Disclosure of Invention
The application provides a desktop cloud access control method and device and a desktop cloud terminal device, so that user experience is improved.
In a first aspect, an access control method for a desktop cloud is provided, which includes: a security login module of the desktop cloud detects a USBKey removal event, where the USBKey removal event indicates that the USBKey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device; the security login module determines that the USBKey has been mapped to the virtual machine providing the desktop cloud; and the security login module controls the desktop cloud to be in an accessible state in which it can be accessed by the desktop cloud user.
In this embodiment of the application, after the secure login module detects the USBKey removal event and determines that the event was triggered by mapping the USBKey to the virtual machine of the desktop cloud, it controls the desktop cloud to be in the accessible state. This avoids the situation in the traditional access control mode of the desktop cloud, in which the secure login module mistakenly considers the USBKey to have been removed once it is mapped to the virtual machine during USBKey login and controls the desktop cloud into the access prohibition state; the user experience of the desktop cloud is thereby improved.
In one possible implementation, the method further includes: the security login module receives first indication information sent by the desktop cloud client, where the first indication information indicates that the USBKey has been removed from the virtual machine; and the security login module controls the desktop cloud to be in an access prohibition state in which the desktop cloud user is prohibited from accessing it.
The access prohibition state may include interrupting the desktop protocol of the desktop cloud and/or controlling the desktop cloud terminal to be in a screen-locked state. Of course, if only the desktop protocol of the desktop cloud is interrupted, the user can still operate the desktop cloud terminal device but cannot log in to the desktop cloud; in that case the desktop cloud terminal device behaves like a traditional PC.
In this embodiment, the security login module communicates with the desktop cloud client, and after the USBKey is removed from the virtual machine the desktop cloud is controlled into the access prohibition state, which improves the security of the desktop cloud.
In one possible implementation, the secure login module determining that the USBKey is mapped to the virtual machine providing the desktop cloud includes: the security login module obtains the recorded state of the USBKey, and that state indicates that the USBKey is mapped to the virtual machine.
In a possible implementation, before the secure login module obtains the state of the USBKey, the method further includes: the security login module receives second indication information sent by the client of the desktop cloud, where the second indication information indicates that the USBKey is being mapped from the desktop cloud terminal device to the virtual machine; and the security login module modifies the recorded state of the USBKey according to the second indication information.
It should be noted that the security login module's modification of the USBKey state may also take place before the security login module detects the USBKey removal event. This improves the accuracy of the USBKey state the security login module obtains, avoids the situation in which the removal event is detected before the state has been modified, and thus improves the accuracy with which the security login module controls access to the desktop cloud.
In one possible implementation, in which the USBKey is mapped through USB mapping, the secure login module determining that the USBKey is mapped to the virtual machine providing the desktop cloud includes: the security login module queries the device directory maintained by the desktop cloud terminal device, in which the port through which the USBKey is connected is recorded; and the security login module determines from that record that the USBKey is mapped to the virtual machine.
In one possible implementation, the method further includes: the security login module determines that the USBKey has been mapped back from the virtual machine to the desktop cloud terminal device; and the security login module controls the desktop cloud to be in an access prohibition state in which the desktop cloud user is prohibited from accessing it.
In this embodiment, after determining that the USBKey has been mapped back from the virtual machine to the desktop cloud terminal device, the security login module controls the desktop cloud into the access prohibition state, which improves the security of the desktop cloud.
In a second aspect, an access control apparatus of a desktop cloud is provided, and the apparatus includes various modules for performing the above method.
In a third aspect, a desktop cloud terminal device is provided, which includes a processor and a memory. The memory is used for storing a computer program, and the processor is used for calling and running the computer program from the memory so that the device executes the method.
In a fourth aspect, there is provided a computer program product comprising: computer program code which, when run on a computer, causes the computer to perform the method of the above-mentioned aspects.
It should be noted that all or part of the computer program code may be stored in a first storage medium, where the first storage medium may be packaged together with the processor or separately from it; this application is not limited in this respect.
In a fifth aspect, a computer-readable medium is provided, which stores program code, which, when run on a computer, causes the computer to perform the method of the above-mentioned aspects.
Drawings
Fig. 1 is a schematic diagram of a desktop cloud system used in an embodiment of the present application.
Fig. 2 is a schematic flowchart of an access control method of a desktop cloud according to an embodiment of the present application.
Fig. 3 is a schematic diagram of an access control apparatus of a desktop cloud according to an embodiment of the present application.
Fig. 4 is a schematic block diagram of a desktop cloud terminal device according to an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a desktop cloud system used in an embodiment of the present application. The desktop cloud system 100 shown in fig. 1 includes a desktop cloud terminal device 110, and a desktop cloud platform 120.
The desktop cloud terminal device 110 provides the user interface for the desktop cloud. It may be provided with a secure login module 111 and a desktop cloud client 112.
For example, the desktop cloud terminal device 110 may be a thin client or any other device connected to a network. The thin client (or thin terminal) transcodes its built-in storage at the hardware level, with the transcoding algorithm bound to unique hardware information. The TC system may use a simplified and hardened embedded Linux or embedded Windows OS, and the TC has no local storage.
The secure login module 111 controls the access state of the desktop cloud, where the access state comprises an accessible state in which the desktop cloud user can access the desktop cloud and an access prohibition state in which the desktop cloud user is prohibited from accessing it.
The desktop cloud client 112, also called the desktop protocol client, is configured to communicate with the desktop protocol server of the desktop cloud platform to establish a desktop protocol channel.
The desktop cloud platform 120 manages and schedules desktop cloud resources. For example, it can provide the interface of the cloud management fusion manager, the interface of the unified integrated desktop cloud service maintenance system, the interface of the virtualization platform and the interface of the hardware management system. Taking the Huawei desktop cloud platform as an example, the desktop cloud platform may include a Web Interface (WI), a Huawei Desktop Controller (HDC), a GaussDB, an ITA node, a License node and so on.
WI: provides the Web login interface for the user. When the user initiates a login request, the WI forwards the user's login information (encrypted user name and password) to the HDC and presents the virtual machine list provided by the HDC to the user, thereby providing the entrance through which the user accesses the virtual machine.
Huawei Desktop Controller (HDC): the core component of the desktop cloud management system, responsible for virtual desktop service distribution, virtual desktop management, virtual desktop login management and virtual machine policy management.
GaussDB: the database used by the ITA and the HDC to store data such as the association between virtual machines and users, desktop groups, virtual machine naming rules and scheduled task information.
ITA node: the ITA provides the interface and Portal through which the user manages virtual IT assets, implementing virtual machine creation and distribution, virtual machine state management, virtual machine image management, virtual desktop system operation and maintenance, and the like.
License node: the management and issuing system for desktop cloud Licenses; the License server is used to control the number of users accessing the desktop cloud.
TC management: performs centralized management of the thin terminals, including version upgrades, state management, information monitoring, log management and the like.
In the traditional USBKey-based login process of the desktop cloud, the USBKey must be mapped from the desktop cloud client into the virtual machine in order to obtain the authority to access the virtual machine. At that moment the desktop cloud client cannot detect the USBKey, so it may perform a screen-lock operation, and the desktop cloud user can no longer access the desktop cloud client. However, in this case the USBKey is mapped to the virtual machine only for identity authentication in the virtual machine, so that the user can select the virtual machine for accessing the desktop cloud. Mapping the USBKey to the virtual machine is different from physically pulling out the USBKey and logging out of the desktop cloud: in this scenario the user still needs to access the desktop cloud and still has the right to do so (the USBKey remains inserted in the desktop cloud client).
Therefore, to avoid the desktop cloud being placed in the access prohibition state because the USBKey has been mapped to the virtual machine in the above scenario, the application provides an access control method for the desktop cloud in which the desktop cloud is controlled into the accessible state or the access prohibition state according to whether the USBKey has been mapped to the virtual machine for login authentication.
The method of the embodiments of the present application is described below in conjunction with fig. 2. Fig. 2 is a schematic flowchart of an access control method of a desktop cloud according to an embodiment of the present application. It should be understood that the method shown in FIG. 2 may be performed by the secure login module 111 shown in FIG. 1.
210: the secure login module of the desktop cloud detects a USBKey removal event, where the USBKey removal event indicates that the USBKey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device.
It should be noted that various USB devices are used on the desktop cloud terminal device, including USB disks and the USBKey. To distinguish a USBKey removal event from the removal events of other USB devices, whether the current removal event concerns the USBKey or some other USB device can be determined from the PID/VID information of the USBKey.
220: the secure login module determines that the USBKey is mapped to the virtual machine providing the desktop cloud, where the mapping may be a PC/SC mapping or a USB mapping.
That the USBKey is mapped to the virtual machine providing the desktop cloud can be understood as the identity authentication information in the USBKey being made available to the virtual machine, so that the virtual machine can determine from that information whether the user has the authority to use it.
Optionally, step 220 includes: the security login module obtains the recorded state of the USBKey, and that state indicates that the USBKey is mapped to the virtual machine.
The security login module can record the state of the USBKey and, when it detects a USBKey removal event, use that state to judge whether the USBKey has been physically pulled out of the desktop cloud terminal device or mapped to the virtual machine. Accordingly, when the USBKey is mapped to the virtual machine its state may be recorded as located in the virtual machine.
Recording the state of the USBKey may be implemented by the secure login module, but the operation of mapping the USBKey to the virtual machine is mainly performed by the desktop cloud client. The desktop cloud client therefore needs to notify the secure login module of the current state of the USBKey so that the secure login module can record it.
That is, before the secure login module of the desktop cloud detects the USBKey removal event, the method further includes: the security login module receives second indication information sent by the client of the desktop cloud, where the second indication information indicates that the USBKey is being mapped from the desktop cloud terminal device to the virtual machine; and the security login module modifies the recorded state of the USBKey according to the second indication information.
It should be noted that the desktop cloud client may notify the security login module to record the state of the USBKey before it maps the USBKey to the virtual machine. This avoids the case in which the security login module detects the USBKey removal event after the client has mapped the USBKey to the virtual machine but before it has been notified to record the state: in that case the security login module cannot obtain an accurate state of the USBKey and controls the desktop cloud into the access prohibition state. Of course, in this embodiment the notification of the USBKey state to the secure login module may also be performed after the desktop cloud client maps the USBKey to the virtual machine, but that execution order may cause the secure login module to misjudge.
The communication mechanism by which the desktop cloud client notifies the security login module to record the state of the USBKey can reuse the system event processing mechanism of the operating system: the desktop cloud client generates a USBKey removal event, generates the second indication information from it, and notifies the security login module to record the state of the USBKey. Specifically, the system event indicating that the USBKey is mapped to the virtual machine may be named the event of the USBKey being mapped from the desktop cloud client to the virtual machine (USBKey FROM TC TO VM EVT).
Optionally, as an embodiment, step 220 includes: the security login module queries the device directory maintained by the desktop cloud terminal device, in which the port through which the USBKey is connected is recorded; and the security login module determines from that record that the USBKey is mapped to the virtual machine.
In other operating systems, such as Linux, it is also possible to distinguish whether the USBKey has been mapped into the virtual machine or unplugged from the desktop cloud terminal device by querying whether the port information of the USBKey is still recorded under a device directory of the operating system (e.g. dev/bus/usb). That is, if the port information of the USBKey cannot be found in the device directory, the USBKey has been pulled out of the desktop cloud terminal device; if it can still be found, the USBKey has been mapped to the virtual machine.
230, the secure login module controls the desktop cloud to be in an accessible state which can be accessed by the desktop cloud user.
When the desktop cloud is in the accessible state, the desktop protocol of the desktop cloud communicates normally and the display screen of the desktop cloud terminal device is not locked.
In this embodiment of the application, after the secure login module detects the USBKey removal event and determines that the event was triggered by mapping the USBKey to the virtual machine of the desktop cloud, it controls the desktop cloud to be in the accessible state. This avoids the situation in the traditional access control mode of the desktop cloud, in which the secure login module mistakenly considers the USBKey to have been removed once it is mapped to the virtual machine during USBKey login and controls the desktop cloud into the access prohibition state; the user experience of the desktop cloud is thereby improved.
Optionally, as an embodiment, the method further includes: the security login module receives first indication information sent by the desktop cloud client, wherein the first indication information is used for indicating that the USBKey is removed from the virtual machine; the security login module controls the desktop cloud to be in an access prohibition state of prohibiting being accessed by the desktop cloud user.
If the USBKey has been mapped to the virtual machine and the security login module then receives first indication information from the desktop cloud client indicating that the USBKey has been removed from the virtual machine, the security login module can control the desktop cloud into the access prohibition state.
The access prohibition state may include interrupting the desktop protocol of the desktop cloud and, further, controlling the desktop cloud terminal to be in a screen-locked state. Of course, if only the desktop protocol of the desktop cloud is interrupted, the user can still operate the desktop cloud terminal device but cannot log in to the desktop cloud; in that case the desktop cloud terminal device behaves like a traditional PC.
It should be noted that the mechanism by which the desktop cloud client sends the first indication information to the secure login module is the same as the mechanism by which it sends the second indication information, and it can reuse the event processing mechanism of the existing operating system. Of course, the system event that triggers the first indication information may be named the event of the USBKey being removed from the virtual machine (USBKey REMOVE FROM VM EVT).
In the embodiment of the application, the security login module is communicated with the desktop cloud client, and after the USBKey is removed from the virtual machine, the desktop cloud is controlled to be in the access prohibition state, so that the security performance of the desktop cloud is improved.
Optionally, as an embodiment, the method further includes: the security login module determines that the USBKey is mapped to the desktop cloud terminal equipment from the virtual machine; the security login module controls the desktop cloud to be in an access prohibition state of prohibiting being accessed by the desktop cloud user.
The manner in which the security login module determines that the USBkey is mapped from the virtual machine to the desktop cloud terminal device is the same as the manner in which the security login module determines that the USBkey is mapped from the desktop cloud terminal device to the virtual machine, and for brevity, detailed description is not provided here.
The system event indicating that the USBKey is mapped from the virtual machine back to the desktop cloud terminal device may be named accordingly (USBKey FROM VM TO TC EVT).
The system event of the USBKey being mapped from the virtual machine back to the desktop cloud terminal device may occur when the desktop cloud user wishes to exit the virtual machine. In that case the access prohibition state may consist only of disconnecting the desktop protocol of the desktop cloud, so that the user cannot log in to the virtual machine from the desktop cloud terminal device but may still operate the desktop cloud client in the manner of an ordinary PC. Of course, the secure login module may also lock the desktop cloud terminal device at the same time; this is not specifically limited in this embodiment of the application.
In the embodiment of the application, the security login module determines that the USBKey is mapped to the desktop cloud terminal equipment from the virtual machine, and then controls the desktop cloud to be in a state of access prohibition, so that the security of the desktop cloud is improved.
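The event handling of steps 210 to 230 and the optional embodiments above, as an added Python example (not the patent's own code). It models the secure login module keeping a recorded USBKey state, filtering USB removal events by VID/PID, deciding from either the recorded state or a device-directory lookup whether a removal event means mapping or unplugging, and placing the desktop cloud into the accessible or prohibited state. The generic removal event name, the VID/PID pair and the device-directory entries are constructed sample values, not taken from the page.

```python
"""Model of the secure login module described in the patent (added example).

Assumed, not from the page: the generic USB removal event name, the USBKey
VID/PID pair and the device-directory entries are constructed samples.
"""
from dataclasses import dataclass, field
from enum import Enum


class KeyState(Enum):
    IN_TERMINAL = "in_terminal"  # USBKey present on the TC, not mapped
    IN_VM = "in_vm"              # USBKey mapped (PC/SC or USB) to the virtual machine
    ABSENT = "absent"            # USBKey physically unplugged or removed from the VM


class Access(Enum):
    ACCESSIBLE = "accessible"                      # desktop protocol up, screen unlocked
    PROTOCOL_INTERRUPTED = "protocol_interrupted"  # prohibited: desktop protocol cut only
    LOCKED = "locked"                              # prohibited: protocol cut and screen locked


# System events reused from the OS event mechanism. The three USBKey names are
# the ones given in the text; the generic removal event name is a constructed sample.
EVT_USB_REMOVED = "USB REMOVE EVT"                      # constructed; carries VID/PID
EVT_KEY_TC_TO_VM = "USBKey FROM TC TO VM EVT"           # second indication information
EVT_KEY_REMOVED_FROM_VM = "USBKey REMOVE FROM VM EVT"   # first indication information
EVT_KEY_VM_TO_TC = "USBKey FROM VM TO TC EVT"

# Constructed VID/PID of the USBKey model this terminal accepts (sample values).
USBKEY_IDS = {(0x1234, 0x5678)}


@dataclass
class SecureLoginModule:
    key_state: KeyState = KeyState.IN_TERMINAL
    access: Access = Access.ACCESSIBLE
    lock_on_prohibit: bool = True  # False: only interrupt the desktop protocol
    log: list = field(default_factory=list)

    def _prohibit(self, reason):
        self.access = Access.LOCKED if self.lock_on_prohibit else Access.PROTOCOL_INTERRUPTED
        self.log.append("prohibit: " + reason)

    def _permit(self, reason):
        self.access = Access.ACCESSIBLE
        self.log.append("permit: " + reason)

    def key_is_mapped_to_vm(self, device_entries=None, key_port=None):
        """Step 220, two embodiments: consult the recorded state, or (Linux)
        check whether the key's port is still listed under the device directory
        (it stays listed while mapped to the VM, disappears when unplugged)."""
        if device_entries is not None:
            return key_port in device_entries
        return self.key_state is KeyState.IN_VM

    def handle(self, event, vid=None, pid=None, device_entries=None, key_port=None):
        """Apply one system event and return the resulting access state."""
        if event == EVT_KEY_TC_TO_VM:
            # Client is about to map the key: record the state before the
            # removal event that the mapping will generate arrives.
            self.key_state = KeyState.IN_VM
        elif event == EVT_USB_REMOVED:
            if (vid, pid) not in USBKEY_IDS:
                self.log.append("ignore: removal of a non-USBKey device")
            elif self.key_is_mapped_to_vm(device_entries, key_port):
                # Steps 220/230: removal was caused by the mapping, not unplugging.
                self.key_state = KeyState.IN_VM
                self._permit("USBKey mapped to VM, user still authorized")
            else:
                # No recorded mapping (or port gone): treat as a physical unplug.
                self.key_state = KeyState.ABSENT
                self._prohibit("USBKey physically removed")
        elif event == EVT_KEY_REMOVED_FROM_VM:
            self.key_state = KeyState.ABSENT
            self._prohibit("USBKey removed from VM")
        elif event == EVT_KEY_VM_TO_TC:
            self.key_state = KeyState.IN_TERMINAL
            self._prohibit("USBKey mapped back to TC, user exiting VM")
        else:
            raise ValueError("unknown event %r" % (event,))
        return self.access


if __name__ == "__main__":
    # Correct ordering: notification precedes the mapping-induced removal event.
    m = SecureLoginModule()
    m.handle(EVT_KEY_TC_TO_VM)
    m.handle(EVT_USB_REMOVED, vid=0x1234, pid=0x5678)
    m.handle(EVT_KEY_REMOVED_FROM_VM)
    # Wrong ordering: removal event arrives before the notification, so the
    # module misjudges the mapping as an unplug (the case the text warns about).
    late = SecureLoginModule()
    late.handle(EVT_USB_REMOVED, vid=0x1234, pid=0x5678)
    late.handle(EVT_KEY_TC_TO_VM)
    for line in m.log + late.log:
        print(line)
```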
Optionally, as an embodiment, when a user logs in to the desktop cloud terminal device and the device sends a login request to the desktop cloud platform, the WI on the desktop cloud platform may randomly generate a login password and return it to the desktop cloud controller for caching, for use when the user subsequently logs in to the virtual machine. The number of times the randomly generated password is valid can be set to 1, that is, each login request requires a new login password, which improves the security of the user's virtual machine login.
The method for controlling access to a desktop cloud according to an embodiment of the present invention is described in detail above with reference to Fig. 1 and Fig. 2, and the apparatus according to an embodiment of the present invention is described in detail below with reference to Fig. 3 and Fig. 4. It should be noted that the apparatuses shown in Fig. 3 and Fig. 4 can implement the steps of the above method, which are not described again here for brevity.
Fig. 3 is a schematic diagram of an access control apparatus of a desktop cloud according to an embodiment of the present application. The apparatus 300 depicted in FIG. 3 includes a detection module 310, a processing module 320, and a control module 330.
The detection module 310 is configured to detect a USBkey removal event, where the USBkey removal event is used to indicate that a USBkey required for logging in a desktop cloud is removed from a desktop cloud terminal device;
a processing module 320, configured to determine that the USBkey maps to a virtual machine providing the desktop cloud;
a control module 330, configured to control the desktop cloud to be in an accessible state that can be accessed by a desktop cloud user.
Optionally, as an embodiment, the control module is further configured to: receiving first indication information sent by the desktop cloud client, wherein the first indication information is used for indicating that the USBKey is removed from the virtual machine; and controlling the desktop cloud to be in an access prohibition state which prohibits the desktop cloud user from accessing.
Optionally, as an embodiment, the processing module is configured to: and acquiring the state of the USBKey, wherein the state of the USBKey is mapped to the virtual machine.
Optionally, as an embodiment, the processing module is further configured to: receiving second indication information sent by a client of the desktop cloud, wherein the second indication information is used for indicating that the USBKey is mapped to the virtual machine from the desktop cloud terminal equipment; and modifying the state of the USBKey according to the indication information.
Optionally, as an embodiment, the processing module is further configured to: inquiring an equipment directory recorded by the desktop cloud terminal equipment, wherein a port for accessing the USBKey is recorded; determining that the USBKey is mapped into the virtual machine.
Optionally, as an embodiment, the control module is further configured to: determining that the USBKey is mapped to the desktop cloud terminal equipment from the virtual machine; and controlling the desktop cloud to be in an access prohibition state which prohibits the desktop cloud user from accessing.
In an alternative embodiment, the apparatus 300 may also be a desktop cloud terminal device 400, specifically, the detection module 310, the processing module 320, and the control module 330 may be a processor 420, and the apparatus may further include a memory 410 and an input/output interface 430, specifically as shown in fig. 4.
Fig. 4 is a schematic block diagram of a desktop cloud terminal device according to an embodiment of the present application. The desktop cloud terminal device 400 shown in fig. 4 may include: memory 410, processor 420, and input/output interface 430. The memory 410, the processor 420 and the input/output interface 430 are connected through an internal connection path, the memory 410 is used for storing program instructions, and the processor 420 is used for executing the program instructions stored in the memory 410 to control the input/output interface 430 to receive input data and information and output data such as operation results.
It should be understood that, in the embodiment of the present application, the processor 420 may adopt a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, for executing related programs to implement the technical solutions provided in the embodiments of the present application.
The memory 410 may include both read-only memory and random-access memory, and provides instructions and data to the processor 420. A portion of processor 420 may also include non-volatile random access memory. For example, processor 420 may also store information of the device type.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 420. The method disclosed in the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in the processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or a register. The storage medium is located in the memory 410, and the processor 420 reads the information in the memory 410 and performs the steps of the above method in combination with its hardware. To avoid repetition, it is not described in detail here.
It should be understood that in the embodiments of the present application, the processor may be a Central Processing Unit (CPU), and the processor may also be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (14)

1. An access control method of a desktop cloud, comprising:
the method comprises the steps that a security login module of the desktop cloud detects a USBKey removal event, wherein the USBKey removal event is used for indicating that the USBKey required for logging in the desktop cloud is removed from the desktop cloud terminal equipment;
the security login module determines that the USBKey is mapped to a virtual machine providing the desktop cloud;
the security login module controls the desktop cloud to be in an accessible state which can be accessed by a desktop cloud user.
2. The method of claim 1, wherein the method further comprises:
the security login module receives first indication information sent by a client of the desktop cloud, wherein the first indication information is used for indicating that the USBKey is removed from the virtual machine;
the security login module controls the desktop cloud to be in an access prohibition state of prohibiting being accessed by the desktop cloud user.
3. The method of claim 1 or 2, wherein the secure login module determining that the USBKey maps into a virtual machine that provides the desktop cloud comprises:
the security login module acquires the state of the USBKey, the state of the USBKey indicating that the USBKey is mapped to the virtual machine.
4. The method of claim 3, wherein prior to the security login module acquiring the state of the USBKey,
the method further comprises the following steps:
the security login module receives second indication information sent by a client of the desktop cloud, wherein the second indication information is used for indicating that the USBKey has been mapped from the desktop cloud terminal equipment to the virtual machine;
the security login module modifies the state of the USBKey according to the second indication information.
5. The method of claim 1 or 2, wherein the secure login module determining that the USBKey is mapped into a virtual machine providing the desktop cloud via a USB mapping comprises:
the security login module queries the device directory recorded by the desktop cloud terminal device, in which the port for accessing the USBKey is recorded;
the security login module determines that the USBKey is mapped to the virtual machine.
6. The method of claim 1 or 2, wherein the method further comprises:
the security login module determines that the USBKey is mapped to the desktop cloud terminal equipment from the virtual machine;
the security login module controls the desktop cloud to be in an access prohibition state of prohibiting being accessed by the desktop cloud user.
7. An access control apparatus of a desktop cloud, comprising:
the detection module is used for detecting a USBKey removal event, wherein the USBKey removal event is used for indicating that the USBKey required for logging in to the desktop cloud has been removed from the desktop cloud terminal equipment;
the processing module is used for determining that the USBKey is mapped to a virtual machine providing the desktop cloud;
and the control module is used for controlling the desktop cloud to be in an accessible state which can be accessed by a desktop cloud user.
8. The apparatus of claim 7, wherein the control module is further to:
receiving first indication information sent by a client of the desktop cloud, wherein the first indication information is used for indicating that the USBKey is removed from the virtual machine;
and controlling the desktop cloud to be in an access prohibition state which prohibits the desktop cloud user from accessing.
9. The apparatus of claim 7 or 8, wherein the processing module is to:
acquiring the state of the USBKey, wherein the state of the USBKey indicates that the USBKey is mapped to the virtual machine.
10. The apparatus of claim 9, wherein the processing module is further to:
receiving second indication information sent by a client of the desktop cloud, wherein the second indication information is used for indicating that the USBKey is mapped to the virtual machine from the desktop cloud terminal equipment;
and modifying the state of the USBKey according to the indication information.
11. The apparatus of claim 7 or 8, wherein the processing module is further to:
querying a device directory recorded by the desktop cloud terminal equipment, in which a port for accessing the USBKey is recorded;
determining that the USBKey is mapped into the virtual machine.
12. The apparatus of claim 7 or 8, wherein the control module is further to:
determining that the USBKey is mapped to the desktop cloud terminal equipment from the virtual machine;
and controlling the desktop cloud to be in an access prohibition state which prohibits the desktop cloud user from accessing.
13. A desktop cloud terminal device, characterized in that the desktop cloud terminal device comprises a secure login module of a desktop cloud and a desktop cloud client, the secure login module performing the method of any one of claims 1-6.
14. A computer-readable medium, characterized in that the computer-readable medium has stored program code which, when run on a computer, causes the computer to perform the method according to any one of claims 1-6.
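The behaviour of the secure login module, as set out for the detection, processing and control modules of Fig. 3 and in claims 1-6, as an added example that is not code from the patent: it tracks the USBKey state the module maintains and shows why a removal event that follows a USB mapping into the virtual machine leaves the desktop accessible, while a removal with no mapping on record does not. The class and function names, the device-directory layout, and the fail-closed handling of an unexplained removal are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum

class KeyLocation(Enum):
    TERMINAL = "terminal"   # attached to the desktop cloud terminal device
    VM = "vm"               # mapped (USB-redirected) into the virtual machine
    ABSENT = "absent"       # present on neither side

class Access(Enum):
    ACCESSIBLE = "accessible"   # the desktop cloud may be accessed by the user
    PROHIBITED = "prohibited"   # access to the desktop cloud is prohibited

@dataclass
class SecureLoginModule:
    # Device directory kept by the terminal device (claim 5); its layout
    # port -> {"device": ..., "mapped_to": ...} is a constructed assumption.
    device_directory: dict = field(default_factory=dict)
    key_state: KeyLocation = KeyLocation.TERMINAL
    access: Access = Access.ACCESSIBLE

    def on_mapped_to_vm(self) -> None:
        # Second indication information (claim 4): USBKey mapped terminal -> VM.
        self.key_state = KeyLocation.VM

    def on_removed_from_vm(self) -> Access:
        # First indication information (claim 2): USBKey removed from the VM.
        self.key_state = KeyLocation.ABSENT
        self.access = Access.PROHIBITED
        return self.access

    def on_mapped_back_to_terminal(self) -> Access:
        # Claim 6: USBKey mapped back from the VM to the terminal device.
        self.key_state = KeyLocation.TERMINAL
        self.access = Access.PROHIBITED
        return self.access

    def on_usbkey_removal_event(self) -> Access:
        # Claim 1: the terminal's USB stack reports that the USBKey is gone.
        if self.key_state is KeyLocation.VM or self._directory_shows_vm_mapping():
            # It vanished because it was redirected into the VM, not unplugged,
            # so the desktop cloud stays accessible.
            self.access = Access.ACCESSIBLE
        else:
            # Added assumption (fail closed): no VM mapping on record means a
            # physical unplug, so access is prohibited.
            self.key_state = KeyLocation.ABSENT
            self.access = Access.PROHIBITED
        return self.access

    def _directory_shows_vm_mapping(self) -> bool:
        # Claim 5: look up the port holding the USBKey in the device directory.
        return any(e.get("device") == "USBKey" and e.get("mapped_to") == "vm"
                   for e in self.device_directory.values())

def redirect_then_unplug_from_vm() -> list:
    # Constructed walk-through: redirection keeps access, removal from VM revokes it.
    m = SecureLoginModule()
    m.on_mapped_to_vm()
    first = m.on_usbkey_removal_event()   # terminal sees the key vanish
    second = m.on_removed_from_vm()       # client reports it pulled from the VM
    return [first.value, second.value]    # ["accessible", "prohibited"]

def unplug_from_terminal() -> str:
    # Constructed walk-through: nothing records a VM mapping, so this is a real unplug.
    return SecureLoginModule().on_usbkey_removal_event().value   # "prohibited"

def directory_lookup_case() -> str:
    # Constructed walk-through: no client indication yet, but the directory shows it.
    directory = {"1-1.3": {"device": "USBKey", "mapped_to": "vm"}}
    return SecureLoginModule(device_directory=directory).on_usbkey_removal_event().value
```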
CN201810882540.5A 2018-07-31 2018-07-31 Desktop cloud access control method and device and desktop cloud terminal equipment Active CN109150863B (en)

Publications (2)

Publication Number Publication Date
CN109150863A CN109150863A (en) 2019-01-04
CN109150863B true CN109150863B (en) 2020-10-09

Family

ID=64791621


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20220209
Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province
Patentee after: Huawei Cloud Computing Technology Co.,Ltd.
Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
TR01 Transfer of patent right
Effective date of registration: 20221207
Address after: 518129 Huawei Headquarters Office Building 101, Wankecheng Community, Bantian Street, Longgang District, Shenzhen, Guangdong
Patentee after: Shenzhen Huawei Cloud Computing Technology Co.,Ltd.
Address before: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province
Patentee before: Huawei Cloud Computing Technology Co.,Ltd.