Disclosure of Invention
The application provides a desktop cloud access control method and apparatus and a desktop cloud terminal device, so as to improve user experience.
In a first aspect, an access control method for a desktop cloud is provided, comprising: a secure login module of the desktop cloud detects a USBKey removal event, where the USBKey removal event indicates that the USBKey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device; the secure login module determines that the USBKey is mapped to a virtual machine providing the desktop cloud; and the secure login module controls the desktop cloud to be in an accessible state in which it can be accessed by a desktop cloud user.
In this embodiment of the application, when the secure login module detects the USBKey removal event and the removal event was triggered by the USBKey being mapped to the virtual machine providing the desktop cloud, the secure login module controls the desktop cloud to be in the accessible state. This avoids the situation in the traditional desktop cloud access control mode in which, during login to the desktop cloud through the USBKey, the secure login module mistakenly considers the USBKey to have been removed once it has been mapped to the virtual machine and places the desktop cloud in the access prohibition state; the user experience of the desktop cloud is thereby improved.
In one possible implementation, the method further includes: the secure login module receives first indication information sent by the desktop cloud client, where the first indication information indicates that the USBKey has been removed from the virtual machine; and the secure login module controls the desktop cloud to be in an access prohibition state in which access by the desktop cloud user is prohibited.
The access prohibition state may include interrupting the desktop protocol of the desktop cloud and/or placing the desktop cloud terminal in a screen-locked state. Naturally, when only the desktop protocol of the desktop cloud is interrupted, the user can still operate the desktop cloud terminal device but cannot log in to the desktop cloud; in this case the desktop cloud terminal device behaves like a traditional PC.
In this embodiment of the application, the secure login module communicates with the desktop cloud client, and once the USBKey has been removed from the virtual machine the desktop cloud is placed in the access prohibition state, so that the security of the desktop cloud is improved.
In one possible implementation, the determining, by the secure login module, that the USBKey is mapped to the virtual machine providing the desktop cloud includes: the secure login module acquires the recorded state of the USBKey, and that state is "mapped to the virtual machine".
In a possible implementation, before the secure login module acquires the state of the USBKey, the method further includes: the secure login module receives second indication information sent by the desktop cloud client, where the second indication information indicates that the USBKey has been mapped from the desktop cloud terminal device to the virtual machine; and the secure login module modifies the recorded state of the USBKey according to the second indication information.
It should be noted that the secure login module may also modify the state of the USBKey before it detects the USBKey removal event. This makes the state that the secure login module holds for the USBKey more accurate, avoids the situation in which the secure login module detects the USBKey removal event before it has updated the state of the USBKey, and so improves the accuracy with which the secure login module controls access to the desktop cloud.
In one possible implementation, the determining, by the secure login module, that the USBKey is mapped to the virtual machine providing the desktop cloud through USB mapping includes: the secure login module queries the device directory maintained by the desktop cloud terminal device, in which the port through which the USBKey is accessed is still recorded; and the secure login module accordingly determines that the USBKey is mapped to the virtual machine.
In one possible implementation, the method further includes: the secure login module determines that the USBKey has been mapped from the virtual machine back to the desktop cloud terminal device; and the secure login module controls the desktop cloud to be in the access prohibition state in which access by the desktop cloud user is prohibited.
In this embodiment of the application, the secure login module determines that the USBKey has been mapped from the virtual machine back to the desktop cloud terminal device and then places the desktop cloud in the access prohibition state, so that the security of the desktop cloud is improved.
In a second aspect, an access control apparatus of a desktop cloud is provided, and the apparatus includes various modules for performing the above method.
In a third aspect, a desktop cloud terminal device is provided, which includes a processor and a memory. The memory stores a computer program, and the processor calls and runs the computer program from the memory so that the controller executes the method.
In a fourth aspect, there is provided a computer program product comprising: computer program code which, when run on a computer, causes the computer to perform the method of the above-mentioned aspects.
It should be noted that all or part of the computer program code may be stored in a first storage medium, where the first storage medium may be packaged together with the processor or separately from it; this application is not limited in this respect.
In a fifth aspect, a computer-readable medium is provided, which stores program code, which, when run on a computer, causes the computer to perform the method of the above-mentioned aspects.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a desktop cloud system used in an embodiment of the present application. The desktop cloud system 100 shown in Fig. 1 includes a desktop cloud terminal device 110 and a desktop cloud platform 120.
The desktop cloud terminal device 110 provides the user interface for the desktop cloud. It may be provided with a secure login module 111 and a desktop cloud client 112.
For example, the desktop cloud terminal device 110 may be a thin client (TC) or any other device connected to a network. The thin client (or thin terminal) transcodes its built-in storage at the hardware level, with the transcoding algorithm bound to unique information of the hardware. The TC system may use a simplified and hardened embedded Linux OS or an embedded Windows OS, and the TC has no local storage.
The secure login module 111 controls the access state of the desktop cloud, where the access state comprises an accessible state in which the desktop cloud user can access the desktop cloud and an access prohibition state in which the desktop cloud user is prohibited from accessing it.
The desktop cloud client 112, also called the desktop protocol client, communicates with the desktop protocol server of the desktop cloud platform to establish the desktop protocol channel.
The desktop cloud platform 120 manages and schedules desktop cloud resources. For example, it can provide an interface to the FusionManager cloud management system, an interface to the unified integrated desktop cloud business maintenance system, an interface to the virtualization platform and an interface to the hardware management system. Taking the Huawei desktop cloud platform as an example, the desktop cloud platform may include a Web Interface (WI), a Huawei Desktop Controller (HDC), a GaussDB, an ITA node, a License node, and the like.
WI: provides the Web login interface for the user. When the user initiates a login request, the WI forwards the user's login information (encrypted user name and password) to the HDC and presents the virtual machine list provided by the HDC to the user, thus providing the entry point through which the user accesses the virtual machine.
HDC (Huawei Desktop Controller): the core component of the desktop cloud management system, responsible for virtual desktop service distribution, virtual desktop management, virtual desktop login management and virtual machine policy management.
GaussDB: the database in which the ITA and the HDC store their data, such as the association between virtual machines and users, desktop groups, virtual machine naming rules and scheduled task information.
ITA node: the ITA provides the interface and Portal through which users manage virtual IT assets, implementing virtual machine creation and distribution, virtual machine state management, virtual machine image management, virtual desktop system operation and maintenance, and the like.
License node: the management and issuing system for desktop cloud licenses; the License server controls the number of users allowed to access the desktop cloud.
TC management: centralized management of the thin terminals, including version upgrading, state management, information monitoring, log management and the like.
In the traditional process of logging in to the desktop cloud based on a USBKey, the USBKey must be mapped from the desktop cloud client into the virtual machine in order to obtain the permission to access the virtual machine. At that moment the desktop cloud client can no longer detect the USBKey, so a screen-lock operation is performed on the desktop cloud client and the desktop cloud user can no longer access it. However, in this case the USBKey is mapped to the virtual machine only for identity authentication inside the virtual machine, so that the user can select the virtual machine used to access the desktop cloud. The situation in which the USBKey is mapped to the virtual machine is different from the situation in which the USBKey is physically pulled out and the user logs out of the desktop cloud: in the former scenario the user still needs to access the desktop cloud and still has the right to do so (the USBKey is still inserted in the desktop cloud client).
Therefore, to avoid the desktop cloud being placed in the access prohibition state merely because the USBKey has been mapped to the virtual machine in the above scenario, the application provides an access control method for the desktop cloud in which the desktop cloud is controlled to be in the access permitted state or the access prohibition state according to whether the USBKey has been mapped to the virtual machine for login authentication.
The method of the embodiments of the present application is described below with reference to Fig. 2, which is a schematic flowchart of an access control method for a desktop cloud according to an embodiment of the present application. It should be understood that the method shown in Fig. 2 may be performed by the secure login module 111 shown in Fig. 1.
210: the secure login module of the desktop cloud detects a USBKey removal event, where the USBKey removal event indicates that the USBKey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device.
It should be noted that various USB devices are used with the desktop cloud terminal device, including USB disks, USBKeys and so on. To distinguish the USBKey removal event from the removal events of other USB devices, whether the current removal event is a USBKey removal event or a removal event of some other USB device may be determined from the PID/VID information of the USBKey.
220: the secure login module determines that the USBKey is mapped to the virtual machine providing the desktop cloud, where the mapping may be PC/SC mapping or USB mapping.
That the USBKey is mapped to the virtual machine providing the desktop cloud can be understood as the identity authentication information in the USBKey being made available to the virtual machine, so that the virtual machine can determine from that information whether the user has permission to use it.
Optionally, step 220 includes: the secure login module acquires the recorded state of the USBKey, and the state of the USBKey is "mapped to the virtual machine".
The secure login module can record the state of the USBKey and, when a USBKey removal event is detected, use that recorded state to judge whether the USBKey has been physically pulled out of the desktop cloud terminal device or mapped to the virtual machine. Accordingly, when the USBKey is mapped to the virtual machine, its state may be described as "located in the virtual machine".
The function of recording the state of the USBKey may be implemented by the secure login module, but the operation of mapping the USBKey to the virtual machine is performed mainly by the desktop cloud client. The desktop cloud client therefore needs to notify the secure login module of the current state of the USBKey so that the secure login module can record it.
That is, before the secure login module of the desktop cloud detects the USBKey removal event, the method further comprises: the secure login module receives second indication information sent by the desktop cloud client, where the second indication information indicates that the USBKey has been mapped from the desktop cloud terminal device to the virtual machine; and the secure login module modifies the recorded state of the USBKey according to the second indication information.
It should be noted that the desktop cloud client may notify the secure login module to record the state of the USBKey before the desktop cloud client maps the USBKey to the virtual machine. Otherwise the secure login module might detect the USBKey removal event after the desktop cloud client has mapped the USBKey to the virtual machine but before it has notified the secure login module to record the state of the USBKey; in that case the secure login module would place the desktop cloud in the access prohibition state because it cannot obtain the accurate state of the USBKey. Of course, in this embodiment of the application the notification of the USBKey state to the secure login module may also be performed after the desktop cloud client maps the USBKey to the virtual machine, with the caveat that this execution order may cause the secure login module to misjudge.
The communication mechanism by which the desktop cloud client notifies the secure login module to record the state of the USBKey may reuse the system event handling mechanism of the operating system: the desktop cloud client generates a USBKey removal event, generates the second indication information from that event, and notifies the secure login module to record the state of the USBKey. Specifically, the system event indicating that the USBKey is mapped to the virtual machine may be named the "USBKey mapped from desktop cloud client to virtual machine" event (USBKey FROM TC TO VM EVT).
Optionally, as an embodiment, step 220 includes: the secure login module queries the device directory maintained by the desktop cloud terminal device, in which the port through which the USBKey is accessed is recorded; and the secure login module determines that the USBKey is mapped to the virtual machine.
In other operating systems, such as Linux, it is also possible to distinguish whether the USBKey has been mapped into the virtual machine or unplugged from the desktop cloud terminal device by querying whether the port information of the USBKey is still recorded under a device directory of the operating system (e.g. /dev/bus/usb). That is, if the port information of the USBKey cannot be found in the device directory, the USBKey has been pulled out of the desktop cloud terminal device; if the port information of the USBKey can still be found in the device directory, the USBKey has been mapped to the virtual machine.
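As an added illustration of the device-directory check just described (this code is not part of the application's disclosure), the following Python function decides what a USBKey removal event means by looking for the USBKey's port in a device directory. The page names /dev/bus/usb; because the device nodes there do not carry vendor and product identifiers in their names, the example instead assumes the layout of /sys/bus/usb/devices on Linux, where each port directory holds idVendor and idProduct files, and it builds a temporary copy of that layout so that it runs offline. The VID/PID values, the port names and the helper names are constructed for the example.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed placeholder VID/PID of the login USBKey (not a real device).
USBKEY_VID = "1234"
USBKEY_PID = "abcd"


def build_fake_usb_tree(root, devices):
    """Create a sysfs-like device directory for offline testing (constructed data).

    `devices` maps a port name such as "1-2" to an (idVendor, idProduct) pair; each
    port becomes a directory holding idVendor and idProduct files, mirroring the
    layout of /sys/bus/usb/devices on Linux (an assumption of this example).
    """
    root = Path(root)
    for port, (vid, pid) in devices.items():
        port_dir = root / port
        port_dir.mkdir(parents=True, exist_ok=True)
        (port_dir / "idVendor").write_text(vid + "\n")
        (port_dir / "idProduct").write_text(pid + "\n")


def find_usbkey_ports(sysfs_root, vid=USBKEY_VID, pid=USBKEY_PID):
    """Return the port names under `sysfs_root` whose idVendor/idProduct match the USBKey."""
    ports = []
    root = Path(sysfs_root)
    if not root.is_dir():
        return ports
    for entry in sorted(root.iterdir()):
        vid_file = entry / "idVendor"
        pid_file = entry / "idProduct"
        if not (vid_file.is_file() and pid_file.is_file()):
            continue  # interface sub-directories and the like carry no idVendor
        if (vid_file.read_text().strip().lower() == vid.lower()
                and pid_file.read_text().strip().lower() == pid.lower()):
            ports.append(entry.name)
    return ports


def classify_removal_event(sysfs_root, vid=USBKEY_VID, pid=USBKEY_PID):
    """Decide what a USBKey removal event means (the device-directory variant of step 220).

    If the USBKey's port is still recorded in the device directory, the key is still
    physically attached and has only been mapped into the virtual machine, so access
    stays permitted; if the port is gone, the key was physically pulled out.
    """
    if find_usbkey_ports(sysfs_root, vid, pid):
        return "mapped_to_vm"
    return "physically_removed"


def demo():
    """Run both cases against a constructed directory; returns the two classifications."""
    with tempfile.TemporaryDirectory() as tmp:
        # a USB disk (constructed ids) and the USBKey are both enumerated
        build_fake_usb_tree(tmp, {"1-1": ("1111", "2222"), "1-2": (USBKEY_VID, USBKEY_PID)})
        while_mapped = classify_removal_event(tmp)
        # physically unplugging the key makes its port directory disappear
        shutil.rmtree(Path(tmp, "1-2"))
        after_unplug = classify_removal_event(tmp)
    return while_mapped, after_unplug


if __name__ == "__main__":
    print(demo())
```

The lookup is keyed on VID/PID rather than on a bare port number so that the removal of an unrelated USB disk on another port cannot be mistaken for the USBKey, which is the distinction the note under step 210 calls for.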
230: the secure login module controls the desktop cloud to be in the accessible state in which it can be accessed by the desktop cloud user.
When the desktop cloud is in the accessible state, the desktop protocol of the desktop cloud communicates normally and the display of the desktop cloud terminal device is not locked.
In this embodiment of the application, when the secure login module detects the USBKey removal event and the removal event was triggered by the USBKey being mapped to the virtual machine providing the desktop cloud, the secure login module controls the desktop cloud to be in the accessible state. This avoids the situation in the traditional desktop cloud access control mode in which, during login to the desktop cloud through the USBKey, the secure login module mistakenly considers the USBKey to have been removed once it has been mapped to the virtual machine and places the desktop cloud in the access prohibition state; the user experience of the desktop cloud is thereby improved.
Optionally, as an embodiment, the method further includes: the secure login module receives first indication information sent by the desktop cloud client, where the first indication information indicates that the USBKey has been removed from the virtual machine; and the secure login module controls the desktop cloud to be in the access prohibition state in which access by the desktop cloud user is prohibited.
If the USBKey is mapped to the virtual machine and the secure login module then receives first indication information sent by the desktop cloud client indicating that the USBKey has been removed from the virtual machine, the secure login module can place the desktop cloud in the access prohibition state.
The access prohibition state may include interrupting the desktop protocol of the desktop cloud and, further, placing the desktop cloud terminal in a screen-locked state. Naturally, when only the desktop protocol of the desktop cloud is interrupted, the user can still operate the desktop cloud terminal device but cannot log in to the desktop cloud; in this case the desktop cloud terminal device behaves like a traditional PC.
It should be noted that the mechanism by which the desktop cloud client sends the first indication information to the secure login module is the same as the mechanism by which it sends the second indication information, and it can reuse the event handling mechanism of the existing operating system. The system event that triggers this first indication information may be named the "USBKey removed from virtual machine" event (USBKey REMOVE FROM VM EVT).
In this embodiment of the application, the secure login module communicates with the desktop cloud client, and once the USBKey has been removed from the virtual machine the desktop cloud is placed in the access prohibition state, so that the security of the desktop cloud is improved.
Optionally, as an embodiment, the method further includes: the secure login module determines that the USBKey has been mapped from the virtual machine back to the desktop cloud terminal device; and the secure login module controls the desktop cloud to be in the access prohibition state in which access by the desktop cloud user is prohibited.
The manner in which the secure login module determines that the USBKey has been mapped from the virtual machine to the desktop cloud terminal device is the same as the manner in which it determines that the USBKey has been mapped from the desktop cloud terminal device to the virtual machine; for brevity it is not described again here.
The system event indicating that the USBKey has been mapped from the virtual machine to the desktop cloud terminal device may be named the "USBKey mapped from virtual machine to desktop cloud terminal device" event (USBKey FROM VM TO TC EVT).
The system event of the USBKey being mapped from the virtual machine to the desktop cloud terminal device may occur when the desktop cloud user wishes to exit the virtual machine. In that case the access prohibition state may consist only of disconnecting the desktop protocol of the desktop cloud, so that the user cannot log in to the virtual machine from the desktop cloud terminal device but can still operate the desktop cloud client in the way one operates a PC. Of course, the secure login module may also lock the desktop cloud terminal device at the same time; this is not specifically limited in this embodiment of the present application.
In this embodiment of the application, the secure login module determines that the USBKey has been mapped from the virtual machine back to the desktop cloud terminal device and then places the desktop cloud in the access prohibition state, so that the security of the desktop cloud is improved.
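The following Python state machine, added here as an illustration and not part of the application's own disclosure, puts steps 210 to 230 and the three optional embodiments above together: it records the USBKey state from the client's indications (the USBKey FROM TC TO VM EVT, USBKey REMOVE FROM VM EVT and USBKey FROM VM TO TC EVT events named on the page), filters the operating system's USB removal events by VID/PID as the note under step 210 describes, and reproduces the misjudgement that occurs when the removal event reaches the secure login module before the client's notification. The generic "USB REMOVE EVT" name, the VID/PID values, the initial state and the class and method names are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum


class KeyState(Enum):
    IN_TC = "inserted in terminal"             # physically present, not mapped
    IN_VM = "located in the virtual machine"   # mapped into the VM (USB or PC/SC mapping)
    ABSENT = "absent"                          # physically pulled out


class AccessState(Enum):
    ACCESSIBLE = "accessible"
    PROHIBITED = "prohibited"


# Constructed placeholder VID/PID of the login USBKey (not a real device).
USBKEY_IDS = {("1234", "abcd")}


@dataclass
class UsbEvent:
    """A system event delivered to the secure login module.

    `name` is one of the event names used on the page, or the assumed generic
    "USB REMOVE EVT" raised by the OS for any USB device; vid/pid are only
    meaningful for that generic removal event.
    """
    name: str
    vid: str = ""
    pid: str = ""


class SecureLoginModule:
    def __init__(self):
        # Assumption: the user is logged in and the key is inserted in the terminal.
        self.key_state = KeyState.IN_TC
        self.access = AccessState.ACCESSIBLE
        self.desktop_protocol_connected = True
        self.screen_locked = False

    def _permit(self):
        self.access = AccessState.ACCESSIBLE
        self.desktop_protocol_connected = True
        self.screen_locked = False

    def _prohibit(self, lock_screen):
        self.access = AccessState.PROHIBITED
        self.desktop_protocol_connected = False   # interrupt the desktop protocol
        self.screen_locked = lock_screen          # optionally also lock the terminal

    def handle(self, ev):
        if ev.name == "USBKey FROM TC TO VM EVT":
            # second indication information: record that the key now lives in the VM
            self.key_state = KeyState.IN_VM
        elif ev.name == "USBKey REMOVE FROM VM EVT":
            # first indication information: key pulled while mapped, prohibit and lock
            self.key_state = KeyState.ABSENT
            self._prohibit(lock_screen=True)
        elif ev.name == "USBKey FROM VM TO TC EVT":
            # key mapped back to the terminal: only disconnect the desktop protocol,
            # the user may keep using the terminal like a PC
            self.key_state = KeyState.IN_TC
            self._prohibit(lock_screen=False)
        elif ev.name == "USB REMOVE EVT":
            if (ev.vid, ev.pid) not in USBKEY_IDS:
                return self.access      # step 210: a USB disk etc., not the USBKey
            if self.key_state == KeyState.IN_VM:
                self._permit()          # steps 220/230: the removal was caused by the mapping
            else:
                # no prior notification: treated as a physical pull (a misjudgement
                # if the client's notification is merely late)
                self.key_state = KeyState.ABSENT
                self._prohibit(lock_screen=True)
        return self.access


def run_scenario(events):
    """Feed events to a fresh module; return (access, protocol connected, screen locked)."""
    module = SecureLoginModule()
    for ev in events:
        module.handle(ev)
    return module.access.value, module.desktop_protocol_connected, module.screen_locked


if __name__ == "__main__":
    key_gone = UsbEvent("USB REMOVE EVT", "1234", "abcd")
    mapped = UsbEvent("USBKey FROM TC TO VM EVT")
    print("client notifies first:", run_scenario([mapped, key_gone]))
    print("removal event first:  ", run_scenario([key_gone, mapped]))
```

Running the two orderings in the `__main__` block shows why the page insists that the client's notification precede the mapping: with the notification first the desktop cloud stays accessible, while with the removal event first the module has no way to tell the mapping from a physical pull and locks the terminal.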
Optionally, as an embodiment, when a user logs in to the desktop cloud terminal device and the desktop cloud terminal device sends a login request to the desktop cloud platform, the WI on the desktop cloud platform may randomly generate a login password and return it to the desktop cloud controller for caching, for use when the user subsequently logs in to the virtual machine. The number of valid uses of the randomly generated password may be set to 1, that is, each login request requires a new login password, so as to improve the security of user login.
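As an added illustration (not code from the application) of the single-use login password described above, the following Python class models the cache on the desktop cloud controller: the issued password is random, is compared in constant time, and is invalidated after its one permitted use. The expiry time, the hashing of the cached value and the class and method names are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time


class LoginPasswordCache:
    """Cache of WI-generated one-time login passwords, keyed by user name.

    Each entry is valid for `max_uses` logins (1 per the page) and, as an added
    assumption, for `ttl_seconds`; `clock` is injectable so expiry can be tested.
    """

    def __init__(self, max_uses=1, ttl_seconds=60, clock=time.monotonic):
        self._entries = {}
        self.max_uses = max_uses
        self.ttl = ttl_seconds
        self._clock = clock

    @staticmethod
    def _digest(password):
        # The password carries 192 bits of randomness, so a plain hash is enough to
        # avoid keeping the cleartext in the cache; no slow KDF is needed here.
        return hashlib.sha256(password.encode()).digest()

    def issue(self, username):
        """Generate a fresh random login password for `username` and cache its digest."""
        password = secrets.token_urlsafe(24)   # OS CSPRNG, 24 bytes = 192 bits
        self._entries[username] = {
            "digest": self._digest(password),
            "uses_left": self.max_uses,
            "expires": self._clock() + self.ttl,
        }
        return password

    def consume(self, username, password):
        """Validate one login attempt; returns True at most `max_uses` times per issue."""
        entry = self._entries.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._entries[username]
            return False
        # constant-time comparison so a wrong guess leaks nothing through timing
        if not hmac.compare_digest(entry["digest"], self._digest(password)):
            return False
        entry["uses_left"] -= 1
        if entry["uses_left"] <= 0:
            del self._entries[username]   # single use: a replay of the same password fails
        return True


if __name__ == "__main__":
    cache = LoginPasswordCache()
    pw = cache.issue("user1")   # constructed user name
    print(cache.consume("user1", pw), cache.consume("user1", pw))   # True False
```

Because a new password is issued per login request and the old one is discarded on first successful use, a captured password cannot be replayed for a second virtual machine login, which is the property the one-time validity count is meant to provide.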
The method for controlling access to a desktop cloud according to an embodiment of the present invention has been described in detail above with reference to Figs. 1 and 2; the apparatus according to an embodiment of the present invention is described in detail below with reference to Figs. 3 and 4. It should be noted that the apparatuses shown in Figs. 3 and 4 can implement the steps of the above method, which are not described again here for brevity.
Fig. 3 is a schematic diagram of an access control apparatus for a desktop cloud according to an embodiment of the present application. The apparatus 300 shown in Fig. 3 includes a detection module 310, a processing module 320 and a control module 330.
The detection module 310 is configured to detect a USBKey removal event, where the USBKey removal event indicates that the USBKey required for logging in to the desktop cloud has been removed from the desktop cloud terminal device;
the processing module 320 is configured to determine that the USBKey is mapped to the virtual machine providing the desktop cloud;
the control module 330 is configured to control the desktop cloud to be in the accessible state in which it can be accessed by the desktop cloud user.
Optionally, as an embodiment, the control module is further configured to: receive first indication information sent by the desktop cloud client, where the first indication information indicates that the USBKey has been removed from the virtual machine; and control the desktop cloud to be in the access prohibition state in which access by the desktop cloud user is prohibited.
Optionally, as an embodiment, the processing module is configured to: acquire the state of the USBKey, where the state of the USBKey is "mapped to the virtual machine".
Optionally, as an embodiment, the processing module is further configured to: receive second indication information sent by the desktop cloud client, where the second indication information indicates that the USBKey has been mapped from the desktop cloud terminal device to the virtual machine; and modify the state of the USBKey according to the second indication information.
Optionally, as an embodiment, the processing module is further configured to: query the device directory maintained by the desktop cloud terminal device, in which the port through which the USBKey is accessed is recorded; and determine that the USBKey is mapped to the virtual machine.
Optionally, as an embodiment, the control module is further configured to: determine that the USBKey has been mapped from the virtual machine back to the desktop cloud terminal device; and control the desktop cloud to be in the access prohibition state in which access by the desktop cloud user is prohibited.
In an alternative embodiment, the apparatus 300 may be a desktop cloud terminal device 400; specifically, the detection module 310, the processing module 320 and the control module 330 may be a processor 420, and the apparatus may further include a memory 410 and an input/output interface 430, as shown in Fig. 4.
Fig. 4 is a schematic block diagram of a desktop cloud terminal device according to an embodiment of the present application. The desktop cloud terminal device 400 shown in Fig. 4 may include a memory 410, a processor 420 and an input/output interface 430. The memory 410, the processor 420 and the input/output interface 430 are connected through an internal connection path; the memory 410 stores program instructions, and the processor 420 executes the program instructions stored in the memory 410 to control the input/output interface 430 to receive input data and information and to output data such as operation results.
It should be understood that, in the embodiment of the present application, the processor 420 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, used to execute the related programs that implement the technical solutions provided in the embodiments of the present application.
The memory 410 may include both read-only memory and random-access memory, and provides instructions and data to the processor 420. A portion of the processor 420 may also include non-volatile random-access memory. For example, the processor 420 may also store device type information.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 420. The method disclosed in the embodiments of the present application may be implemented directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or registers. The storage medium is located in the memory 410; the processor 420 reads the information in the memory 410 and performs the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
It should be understood that in the embodiments of the present application, the processor may be a Central Processing Unit (CPU), and the processor may also be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, or the portions of it that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random-access memory (RAM), a magnetic disk or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.