CN112311804A - Multi-tenant service resource dynamic access authorization and authentication system and method - Google Patents


Info

Publication number: CN112311804A
Authority: CN (China)
Prior art keywords: service, tenant, access, resource, user
Legal status: Granted
Application number: CN202011231085.6A
Other languages: Chinese (zh)
Other versions: CN112311804B (en)
Inventors: 冯朝路, 李东修, 陈帅征, 黄明旭, 栗伟, 赵大哲
Current Assignee: Northeastern University China
Original Assignee: Northeastern University China
Application filed by Northeastern University China; priority to CN202011231085.6A; publication of CN112311804A; application granted and published as CN112311804B; current legal status: Active

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L47/83 Admission control; Resource allocation based on usage prediction
    • G06F18/23213 Non-hierarchical clustering techniques using statistics or function optimisation, e.g. modelling of probability density functions, with fixed number of clusters, e.g. K-means clustering
    • G06F21/31 User authentication
    • H04L41/0816 Configuration setting characterised by the conditions triggering a change of settings, the condition being an adaptation, e.g. in response to network events
    • H04L47/29 Flow control; Congestion control using a combination of thresholds
    • H04L47/6275 Queue scheduling characterised by scheduling criteria for service slots or service orders based on priority
    • H04L47/827 Aggregation of resource allocation or reservation requests
    • H04L63/0281 Proxies
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos


Abstract

The invention provides a multi-tenant service resource dynamic access authorization and authentication system and method, relating to the technical field of computers. The system and method monitor the total amount of available service resources of the cloud platform, complete the system configuration, and generate a service resource role forest and a service resource security access label forest. During system operation they realize real-time access control and isolated sharing control of tenant service requirements, realize secure access control of the resources those requirements need, and monitor changes in tenant service requirements and in the system's running condition, making corresponding adjustments. The method further records the running state of the cloud platform to a log file in real time while the system runs; when the cloud platform crashes due to an irresistible external force, it is restarted and the cloud platform configuration and service operation state from before the crash are rolled back according to the log file. The system and method can meet the real-time service requirements of tenants, realize secure access control of cloud platform service resources, and improve both the service performance and the security of the cloud platform.

Description

Multi-tenant service resource dynamic access authorization and authentication system and method
Technical Field
The invention relates to the technical field of computers, in particular to a multi-tenant service resource dynamic access authorization and authentication system and a method.
Background
With the development of internet technology, the maturing of application software development technology, and the growing demand of enterprises to improve office efficiency, software as a service (SaaS) technology has developed and matured gradually. Under the software-as-a-service model, users meet their respective service requirements simply by purchasing application services from service providers, without buying software from software developers or attending to the maintenance and updating of software versions. In addition, the technology deploys and schedules service resources on a cloud platform, so users do not need to attend to server architecture and configuration. However, the user enjoying a service is expected to pay the service provider for it; therefore, cloud platform users are also referred to as "tenants". The total amount of cloud platform service resources remains limited relative to the number of tenants, and as the scale grows, expanding the resources consumes more manpower, material and financial resources. On the other hand, most tenants access service resources through the internet, so privacy and secure access become key issues that must be solved. The security access control policy must ensure that service resources can be safely accessed by authorized tenants while effectively preventing potential damage to data or resources by an illegitimate tenant. At present, Role-Based Access Control (RBAC), which decouples users from permissions through the bridging function of roles, simplifies the authorization process and the security management of the permission system and is easy to extend, is the typical representative of security access control strategies.
However, in the prior art, isolation access control between tenants is simply realized, and the SaaS service is not regarded as an organic whole, so that the tenants are completely isolated, and contact between the tenants is ignored.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a system and a method for multi-tenant service resource dynamic access authorization and authentication aiming at the defects of the prior art, so as to realize tenant service resource security access control, provide personalized services for tenants and improve the service performance of a cloud platform.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows: on one hand, the invention provides a multi-tenant service resource dynamic access authorization and authentication system, which comprises a system management module, a service control database and a security access control core processing module;
the system management module comprises a capacity management submodule, a fault management submodule, a performance management submodule, a configuration management submodule, a comprehensive monitoring submodule, a user management submodule and an authorization service submodule;
the capacity management submodule is used for monitoring the running state of the system in real time and finishing real-time scheduling of service resources according to the tenant service requirements;
the fault management submodule is used for recording the running state of the system in real time, giving prompt information when the system has a fault, and realizing the state rollback after the system is restarted through log recording;
the performance management submodule is used for evaluating the running performance of the system in real time, and if the system resource allowance is lower than a set resource amount threshold value and the tenant demand queuing length is larger than a set length threshold value, partially recovering the service resources currently occupied by the tenants with the priorities lower than the set priority threshold value in real time;
the configuration management submodule is used for assisting a system user to complete system configuration work;
the comprehensive monitoring submodule is used for monitoring the change condition of the tenant demand in real time, recording the historical demand data of the tenant, and updating a tenant role hierarchical tree and a service demand resource access tag tree which are constructed based on rules set by the configuration management submodule;
the user management submodule is used for registering system user information;
the authorization service sub-module authenticates the identity of the user through the information provided by the user;
the service control database is used for recording data required by normal operation of the system and recording tenant registration information; the tenant registration information comprises a tenant identification, a service priority and a service requirement value;
the safety access control core processing module realizes safety access control of multi-tenant service resources according to real-time service requirements of tenants, and specifically comprises an application service layer, a service access filter layer, an access control management layer and a data access agent layer;
the application service layer directly corresponds to the tenant service requirement and is responsible for accessing control of the tenant real-time requirement;
the service access filter layer correspondingly processes the access request of the authorized user and directly forbids the access request of the unauthorized user; meanwhile, the access request of the tenant user is directly submitted to a tenant access control and authority management module of an access control management layer for processing, and the access request of the platform user is submitted to a service access control and authority management module of the access control management layer for processing;
the data access agent layer takes out corresponding data from the service control database according to the identity of the visitor and the security information of the visitor, so that a legal user is prevented from accessing illegal data;
Preferably, the system configuration includes setting the system's initial service resources, setting the minimum guaranteed resources, setting the length of the service demand queue, constructing a service resource role forest, formulating security access control labels, and constructing a correspondence table between roles and service resource security access labels.
Preferably, the service control database includes a tenant role description data structure table and a role hierarchy tree, a service label description data structure table and a label hierarchy tree, a multi-tenant common task description table obtained by evolutionary clustering according to a service demand history record, and a corresponding relationship table between tasks and roles.
On the other hand, the invention also provides a multi-tenant service resource dynamic access authorization and authentication method, which comprises the following steps:
step 1: when the multi-tenant service resource dynamic access authorization and authentication system is started, cloud platform initialization is completed;
step 1.1, monitoring the total amount of available service resources of a cloud platform, and performing matching verification with an initial log file;
step 1.2, assisting a system user to complete system configuration work, including setting of system initial service resources, setting of minimum guaranteed resources and setting of service requirement queue length;
step 1.3, according to the initial configuration file of the system, registering the system user information;
step 1.4, the identity of the user is authenticated through the information provided by the user;
step 1.5, establishing a corresponding relation between service resources and roles, dividing system service resources according to the roles, and generating a service resource role forest;
step 1.6, service resources are subdivided, a security access control label is formulated, and a service resource security access label forest is generated;
step 2: in the running process of the multi-tenant service resource dynamic access authorization and authentication system, the real-time access control and the isolated sharing control of tenant service requirements are realized;
step 2.1, monitoring the tenant access request in real time, verifying the identity of the tenant, and directly forbidding the access request of an unauthorized user;
step 2.2, performing evolutionary clustering analysis according to the tenant service requirement passing identity authentication, and generating a tenant role hierarchical tree according to a clustering result;
step 2.3, matching the node attribute and the service resource role attribute in the tenant role hierarchical tree to realize the access control of the cloud platform service resources;
step 3: in the running process of the multi-tenant service resource dynamic access authorization and authentication system, the safe access control of tenant service demand resources is realized;
step 3.1, constructing a tenant service demand resource access label tree by the tenant service resource demand role hierarchical tree and the corresponding relation table of the roles and the security access labels;
step 3.2, matching the tenant service demand resource access label tree with a service resource security access label forest to ensure the access authority of the tenant to the service resource;
step 4: monitoring the change of tenant service needs and the system running condition in real time and making corresponding adjustment in the running process of the multi-tenant service resource dynamic access authorization and authentication system;
step 4.1, monitoring the running state of the system in real time, and finishing real-time scheduling of service resources according to the tenant service requirements;
step 4.2, evaluating the running performance of the system in real time, if the system resource allowance is lower than a set resource threshold value, and the tenant demand queue length is larger than a set length threshold value, partially recovering the service resources currently occupied by the tenants with the priority lower than the set priority threshold value in real time;
step 4.3, monitoring the change condition of the tenant demand in real time, recording the historical demand data of the tenant, and predicting the tenant service demand in real time;
step 5: in the running process of the multi-tenant service resource dynamic access authorization and authentication system, the fault management submodule records the running state to a log file in real time; when the cloud service platform is crashed due to the irresistible external force, the fault management submodule restarts and rolls back the cloud platform configuration and the service operation state before the crash according to the log file.
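The following is an added example, not code from the patent, of the step 5 mechanism: the running state (configuration and service operation state) is appended to a log file while the system runs, and after a crash the newest intact record is rolled back to. The per-record digest, the `append_state`/`recover` names and the sample states are assumptions; the digest is there because a crash can cut a record off mid-write, and such a partial line must not be restored.

```python
"""Added example (not the patent's code): step 5 on the page, record the running
state (configuration and service operation state) to a log file as the system
runs, and after a crash roll back to the last state the log holds. The line
format with a per-line digest, and the sample states, are assumptions."""
from __future__ import annotations
import hashlib
import json
import os
import tempfile


def _digest(payload: str) -> str:
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()[:16]


def append_state(path: str, seq: int, config: dict, services: dict) -> None:
    """Append one intact record; fsync so an acknowledged record survives a crash."""
    payload = json.dumps({"seq": seq, "config": config, "services": services}, sort_keys=True)
    with open(path, "a", encoding="utf-8") as f:
        f.write(f"{payload} {_digest(payload)}\n")
        f.flush()
        os.fsync(f.fileno())


def recover(path: str) -> dict | None:
    """Return the newest intact record; a line cut off mid-write or altered on disk
    fails its digest and is ignored rather than being rolled back to."""
    newest = None
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as f:
        for line in f:
            payload, sep, digest = line.rstrip("\n").rpartition(" ")
            if not sep or _digest(payload) != digest:
                continue
            entry = json.loads(payload)
            if newest is None or entry["seq"] > newest["seq"]:
                newest = entry
    return newest


def simulate_crash_and_recover() -> dict | None:
    """Constructed scenario: two complete records, then a crash in the middle of the third."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        config = {"IS": {"storage_gb": 1000, "memory_mb": 65536, "cores": 64},
                  "MS": {"storage_gb": 50, "memory_mb": 2048, "cores": 2}, "QL": 8}
        append_state(path, 1, config, {"tenant-a": "running"})
        append_state(path, 2, config, {"tenant-a": "running", "tenant-b": "queued"})
        with open(path, "a", encoding="utf-8") as f:
            f.write('{"config": {"QL": 16}, "seq": 3, "serv')   # power lost here
        return recover(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(simulate_crash_and_recover())
```

Running the script prints the record with sequence number 2: the half-written third record fails its digest and is skipped, so the platform restarts with the last configuration and service state that were fully persisted.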
The beneficial effect of the above technical scheme is as follows: the multi-tenant service resource dynamic access authorization and authentication system and method provided by the invention can meet the real-time service requirements of tenants, realize secure access control of the cloud platform service resources, and improve the service performance and security of the cloud platform.
Drawings
Fig. 1 is a schematic diagram of a framework of a multi-tenant service resource dynamic access authorization and authentication system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a role hierarchical tree in a method for dynamic access authorization and authentication of multi-tenant service resources according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a hierarchical tree of labels in the method for dynamic access authorization and authentication of multi-tenant service resources according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a method for dynamic access authorization and authentication of multi-tenant service resources according to an embodiment of the present invention;
fig. 5 is a flowchart of a method for dynamic access authorization and authentication of multi-tenant service resources according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
In this embodiment, a multi-tenant service resource dynamic access authorization and authentication system, as shown in fig. 1, includes a system management module, a service control database, and a security access control core processing module;
the system management module comprises a capacity management submodule, a fault management submodule, a performance management submodule, a configuration management submodule, a comprehensive monitoring submodule, a user management submodule and an authorization service submodule;
the capacity management submodule is used for monitoring the running state of the system in real time and finishing real-time scheduling of service resources according to the tenant service requirements;
the fault management submodule is used for recording the running state of the system in real time, giving prompt information when the system has a fault, and realizing the state rollback after the system is restarted through log recording;
the performance management submodule is used for evaluating the running performance of the system in real time, and if the system resource allowance is lower than a set resource amount threshold value and the tenant demand queuing length is larger than a set length threshold value, partially recovering the service resources currently occupied by the tenants with the priority lower than the set priority threshold value in real time;
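The following is an added example, not code from the patent, of the performance management rule just stated: resources are partially reclaimed only when both conditions hold (resource margin below its threshold and demand queue longer than its threshold), and only from tenants whose priority is below the priority threshold. The tenant levels l1 to l5 follow the page; treating the minimum guaranteed resources MS as a per-tenant floor, the reclaim fraction, and all sample quantities are assumptions.

```python
"""Added example (not the patent's code): the performance management rule on the
page, reclaim part of the resources held by tenants below a priority threshold
when the free resource margin is below its threshold and the demand queue is
longer than its threshold. Tenant levels l1..l5 follow the page; the per-tenant
floor MS, the reclaim fraction and all sample numbers are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

LEVEL_PRIORITY = {"l1": 1, "l2": 2, "l3": 3, "l4": 4, "l5": 5}  # trial .. management tenant
RESOURCES = ("storage_gb", "memory_mb", "cores")


@dataclass
class Tenant:
    uid: str
    level: str
    held: dict[str, int]   # resources currently occupied by this tenant


def margin(total, tenants):
    """Free amount of each resource = platform scale minus everything tenants hold."""
    return {k: total[k] - sum(t.held.get(k, 0) for t in tenants) for k in RESOURCES}


def reclaim(total, tenants, queue_len, *, margin_threshold, queue_threshold,
            priority_threshold, fraction, floor):
    """Apply the page's two-condition trigger; on trigger take `fraction` of each
    low-priority tenant's holdings (never below `floor`) and return what was freed."""
    freed = {k: 0 for k in RESOURCES}
    low_margin = any(margin(total, tenants)[k] < margin_threshold[k] for k in RESOURCES)
    if not (low_margin and queue_len > queue_threshold):
        return freed                            # both conditions must hold
    for t in tenants:
        if LEVEL_PRIORITY[t.level] >= priority_threshold:
            continue                            # higher-priority tenants are left alone
        for k in RESOURCES:
            have = t.held.get(k, 0)
            take = min(int(have * fraction), max(have - floor[k], 0))
            t.held[k] = have - take
            freed[k] += take
    return freed


# Constructed sample platform: scales S, M, C and three tenants of different levels.
TOTAL = {"storage_gb": 1000, "memory_mb": 65536, "cores": 64}
POLICY = dict(margin_threshold={"storage_gb": 100, "memory_mb": 8192, "cores": 8},
              queue_threshold=3, priority_threshold=3, fraction=0.5,
              floor={"storage_gb": 50, "memory_mb": 2048, "cores": 2})


def sample_tenants():
    return [Tenant("trial-1", "l1", {"storage_gb": 200, "memory_mb": 16384, "cores": 16}),
            Tenant("vip-1", "l3", {"storage_gb": 500, "memory_mb": 32768, "cores": 32}),
            Tenant("ord-1", "l2", {"storage_gb": 250, "memory_mb": 8192, "cores": 8})]


if __name__ == "__main__":
    tenants = sample_tenants()
    print(reclaim(TOTAL, tenants, queue_len=5, **POLICY))
```

With the sample data the storage margin is 50 GB, below the 100 GB threshold, and a queue of 5 exceeds the threshold of 3, so half of the trial and ordinary tenants' holdings are reclaimed while the VIP tenant is untouched; with a queue of 2 nothing is reclaimed even though the margin is low.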
in this embodiment, the cloud platform service resources are divided into two types, physical and non-physical, including a storage space, a memory, and a processor core, and the predetermined scales of the cloud platform service resources are S, M, C respectively. The non-physical resources comprise a software platform and a software tool in the cloud platform; software platform use right binary group in cloud platform<Sid,SN>Is shown in which SidIdentity representing the software platform, SNRepresenting the total number of software platform authorizations. Software tool use right binary group in cloud platform<Tid,TN>Is represented by, wherein, TidRepresenting the software tool identity, TNRepresenting the total number of software tool authorizations. More specifically, if the required resource is storage capacity, the resource size is the size of storage space in GB; if the required resource is the memory capacity, the resource size is the memory space size in MB.
The configuration management submodule is used for assisting a system user to complete system configuration work and comprises setting of system initial service resources, setting of minimum guaranteed resources, setting of length of a service demand queue, constructing a service resource role forest, formulating a security access control label and constructing a corresponding relation table of roles and service resource security access labels.
In this embodiment, the cloud platform configuration parameter is the six-element group <IS, MS, QL, SA, ST, SAT>, composed of the initial service resources IS, the minimum guaranteed resources MS, the length QL of the service requirement queue, the service resource role forest SA, the service resource security access control labels ST, and the correspondence table SAT between roles and service resource security access labels. Specifically, IS and MS are two independent lists composed of the physical and non-physical resources of the cloud platform service. SA and ST are each a set of tree structures, each tree corresponding to one physical or non-physical service resource in the cloud platform.
The comprehensive monitoring submodule is used for monitoring the change condition of the tenant demand in real time, recording the historical demand data of the tenant, and updating a tenant role hierarchical tree and a service demand resource access tag tree which are constructed based on rules set by the configuration management submodule;
In this embodiment, following patent [CN201911354225], the existing database of the cloud platform system divides tenant service into five grades according to the tenant's service requirement and payment condition: trial tenant l1, ordinary tenant l2, VIP tenant l3, super tenant l4 and management tenant l5, with priority for use of the same resource increasing in that order. The tenant service requirement is the seven-element group U = <Uid, U_level, Us, Um, Uc, Up, Uo>, consisting of the tenant's globally unique identification Uid, the tenant service level U_level, the storage space Us, the memory size Um, the computing capacity Uc, the software platform use right Up and the software tool operation right Uo. Specifically, Us, Um and Uc are scalars: the size of the storage space in GB, the size of the memory in MB and the number of processing cores, respectively. Up and Uo are vectors of Boolean values whose lengths equal the number of software platforms and the number of software tools, respectively; when the tenant requires a software platform or software tool, the Boolean value at the corresponding position is 1, otherwise it is 0. In particular, if the number of software platforms or software tools that the cloud platform can provide changes, the lengths of the Boolean vectors Up and Uo are updated accordingly.
The user management submodule is used for registering system user information;
in this embodiment, the system user refers to a cloud platform management user, rather than a service resource demand tenant. The information required by the system user registration comprises a user name, a password, a unit, a department, a contact way, a password retrieving way and the like.
The authorization service sub-module authenticates the identity of the user through information (user name, password and the like) provided by the user to ensure that only a legal user can access the system.
In this embodiment, the authentication of the system user identity is performed by matching the input user name and login password with information in the database.
The service control database is used for recording data required by normal operation of the system and recording tenant registration information; the tenant registration information comprises a tenant identification, a service priority and a service requirement value; the service control database comprises a tenant role description data structure table and a role hierarchy tree, a service label description data structure table and a label hierarchy tree, a multi-tenant common task description table obtained by evolutionary clustering according to service demand history records, and a corresponding relation table of tasks and roles.
The tenant role hierarchy tree, as shown in fig. 2, includes a role identifier, a role parent node list, and a role child node list.
In this embodiment, the role hierarchy tree is constructed by an evolutionary clustering algorithm according to service demand history data. Each node is composed of a triple < Aid, Apid, Asid > of a role identification Aid, a role parent node identification Apid, and a role child node identification Asid.
The hierarchical tree of service resource labels, as shown in fig. 3, includes a service resource identifier, a service resource parent node list, and a service resource child node list.
In this embodiment, each node in the service resource hierarchical tree is composed of a triple < Sid, Spid, Ssid > of a service resource identifier Sid, a service resource parent node identifier Spid, and a service resource child node identifier Ssid.
The service demand history data comprises tenant identification, service level and physical non-physical service resources.
The multi-tenant common task description table and the corresponding relation table of the tasks and the roles are formed by an evolutionary clustering algorithm according to tenant resource service historical data and real-time requirements of the data.
In this embodiment, the evolutionary clustering algorithm adopts the K-means method: when the real-time demand of a tenant for service resources is updated, the tenant's category is estimated from the current cluster centers, and the cluster center is then updated. The number of cluster centers and the correspondence table between tasks and roles are set by a system user. In this embodiment, tasks correspond one to one to cluster centers.
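The following is an added example, not code from the patent, of the tenant requirement tuple U = <Uid, U_level, Us, Um, Uc, Up, Uo> turned into a feature vector and fed to the evolutionary K-means step described above: the category is estimated from the current centers, then that center is moved. Normalising Us, Um and Uc by the platform scales S, M and C, the running-mean center update, the zero-padding rule when the Up/Uo length changes, the seed centers and the task names are assumptions.

```python
"""Added example (not the patent's code): the tenant requirement tuple
U = <Uid, U_level, Us, Um, Uc, Up, Uo> from the page turned into a feature
vector, and the page's evolutionary K-means step: estimate the tenant's category
from the current centres, then move that centre. Scaling by S, M, C, the
seed centres, the running-mean update and the task names are assumptions."""
from __future__ import annotations
import math
from dataclasses import dataclass


@dataclass
class Demand:
    uid: str
    u_level: str      # l1 .. l5
    us: float         # storage space, GB
    um: float         # memory, MB
    uc: float         # number of processing cores
    up: list[int]     # Boolean vector over software platforms
    uo: list[int]     # Boolean vector over software tools


def resize(vec: list[int], n: int) -> list[int]:
    """Page: Up/Uo lengths follow the platform/tool count; new slots start at 0 (assumption)."""
    return (vec + [0] * n)[:n]


def features(d: Demand, scale: dict[str, float], n_platforms: int, n_tools: int) -> list[float]:
    """Normalise Us/Um/Uc by the platform scales S/M/C so GB, MB and cores are comparable."""
    return ([d.us / scale["S"], d.um / scale["M"], d.uc / scale["C"]]
            + [float(b) for b in resize(d.up, n_platforms)]
            + [float(b) for b in resize(d.uo, n_tools)])


class OnlineKMeans:
    """Fixed number of centres (one per common task); centres are updated per sample."""

    def __init__(self, centers: list[list[float]], tasks: list[str]) -> None:
        assert len(centers) == len(tasks), "tasks correspond one-to-one to centres"
        self.centers = [list(c) for c in centers]
        self.tasks = tasks
        self.counts = [1] * len(centers)      # each seed centre counts as one observation

    def assign(self, x: list[float]) -> int:
        return min(range(len(self.centers)), key=lambda k: math.dist(x, self.centers[k]))

    def update(self, x: list[float]) -> int:
        """Classify x with the current centres, then pull that centre toward x (running mean)."""
        k = self.assign(x)
        self.counts[k] += 1
        lr = 1.0 / self.counts[k]
        self.centers[k] = [c + lr * (xi - c) for c, xi in zip(self.centers[k], x)]
        return k


def classify(km: OnlineKMeans, d: Demand, scale, n_platforms, n_tools) -> str:
    """Return the task the tenant's real-time demand falls into (and update that centre)."""
    return km.tasks[km.update(features(d, scale, n_platforms, n_tools))]


# Constructed platform scale and two seed centres for a "light" and a "heavy" task.
SCALE = {"S": 1000.0, "M": 65536.0, "C": 64.0}
N_PLATFORMS, N_TOOLS = 2, 2
SEEDS = [[0.05, 0.05, 0.05, 1, 0, 0, 0], [0.5, 0.5, 0.5, 1, 1, 1, 1]]
TASKS = ["light-analytics", "heavy-compute"]


if __name__ == "__main__":
    km = OnlineKMeans(SEEDS, TASKS)
    print(classify(km, Demand("t1", "l2", 100, 4096, 4, [1, 0], [0]), SCALE, N_PLATFORMS, N_TOOLS))
```

Because the Boolean parts of the vector are already 0/1, scaling the three physical quantities to the same range keeps the memory size in MB from dominating the distance; without it a few thousand MB would swamp every other coordinate.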
The safety access control core processing module realizes safety access control of multi-tenant service resources according to real-time service requirements of tenants, and specifically comprises an application service layer, a service access filter layer, an access control management layer and a data access agent layer;
the application service layer directly corresponds to the tenant service requirement and is responsible for accessing control of the tenant real-time requirement;
the service access filter layer processes the access requests of authorized users and directly forbids the access requests of unauthorized users; meanwhile, the access request of a tenant user is submitted directly to the tenant access control and authority management module of the access control management layer for processing, and the access request of a platform user is submitted to the platform access control and authority management module for processing;
in this embodiment, the user access authorization implements access control through a user name and password matching policy. Specifically, if the matching is successful, the platform access is legal, otherwise, the illegal access request is rejected.
The access control management layer comprises two functional modules of tenant access control and authority management and platform access control and authority management;
in this embodiment, the tenant access control and authority management is distributed by a system user and manages the access authority of the tenant to the platform, and the role and the label control policy realize the security access control of the tenant to the cloud platform service resources.
The data access agent layer takes out corresponding data from the service control database according to the identity of the visitor and the security information of the visitor, so that a legal user is prevented from accessing illegal data;
in this embodiment, after matching the tenant demand label hierarchy tree with the service resource label hierarchy is successful, the tenant may access the required service resource.
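The following is an added illustration of the service access filter layer and the data access agent layer described above; it is example code written for this page, not code from the patent. The user store, the service control database rows and the tenant/platform user kinds are constructed for the example, and passwords are stored salted and hashed (an assumption: the patent only specifies "user name and password matching"). The data access agent scopes every query to the visitor's own tenant so that an authenticated user cannot read another tenant's rows.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    name: str
    kind: str          # "tenant" or "platform" (system user); constructed for the example
    tenant_id: str     # tenant whose data this user may see (empty for platform users)
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the service control database never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def make_user(name: str, kind: str, tenant_id: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, kind, tenant_id, salt, _hash_password(password, salt))


# Constructed sample users (not from the patent).
USERS = {u.name: u for u in (
    make_user("alice", "tenant", "T001", "alice-pw"),
    make_user("bob", "tenant", "T002", "bob-pw"),
    make_user("admin", "platform", "", "admin-pw"),
)}

# Constructed service control database rows, each tagged with its owning tenant.
SERVICE_DB = [
    {"tenant_id": "T001", "resource": "storage", "quota_gb": 500},
    {"tenant_id": "T002", "resource": "storage", "quota_gb": 120},
    {"tenant_id": "T002", "resource": "memory", "quota_mb": 8192},
]


def authenticate(username: str, password: str):
    """Service access filter layer: user name and password matching.
    Returns the User on success, None when the request must be rejected."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return None
    if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return None
    return user


def route(user: User) -> str:
    """The filter layer hands tenant users and platform users to different modules."""
    return "tenant_access_control" if user.kind == "tenant" else "platform_access_control"


def data_access_agent(user: User, resource: str):
    """Data access agent layer: only rows of the visitor's own tenant are returned,
    so a legitimate user cannot reach data it is not entitled to."""
    rows = SERVICE_DB if user.kind == "platform" else [
        r for r in SERVICE_DB if r["tenant_id"] == user.tenant_id
    ]
    return [r for r in rows if r["resource"] == resource]


def handle_request(username: str, password: str, resource: str):
    user = authenticate(username, password)
    if user is None:
        return {"status": "denied", "rows": []}
    return {"status": "ok", "module": route(user), "rows": data_access_agent(user, resource)}
```

Rejecting unknown users only after a dummy hash keeps the timing of the two failure paths alike; the tenant filter inside `data_access_agent` is the part that enforces isolation, and it runs even though the caller has already authenticated.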
A multi-tenant service resource dynamic access authorization and authentication method, as shown in fig. 4 and 5, includes the following steps:
step 1: when the multi-tenant service resource dynamic access authorization and authentication system is started, cloud platform initialization is completed;
step 1.1: monitoring the total amount of the available service resources of the cloud platform, and performing matching verification with the initial log file;
in this embodiment, cloud platform service resources are divided into two types, physical and non-physical. Physical resources include storage space, memory and processor cores, whose predetermined scales are S, M and C respectively. Non-physical resources comprise the software platforms and software tools in the cloud platform; the right to use a software platform is represented by the pair < Sid, SN >, where Sid is the identity of the software platform and SN is the total number of software platform authorizations, and the right to use a software tool is represented by the pair < Tid, TN >, where Tid is the software tool identity and TN is the total number of software tool authorizations. More specifically, if the required resource is storage capacity, the resource size is the size of the storage space in GB; if the required resource is memory capacity, the resource size is the memory space size in MB.
Step 1.2: assisting a system user in completing system configuration, including setting the initial system service resources, the minimum guaranteed resources, the service requirement queue length, and so on;
in this embodiment, the cloud platform configuration parameters form the six-element group < IS, MS, QL, SA, ST, SAT >, composed of the initial service resources IS, the minimum guaranteed resources MS, the service requirement queue length QL, the service resource role forest SA, the service resource security access control tags ST, and the correspondence table SAT between roles and service resource security access tags. Specifically, IS and MS are two independent lists, each composed of the physical and non-physical resources of the cloud platform service. SA and ST are each a set of tree structures, each tree corresponding to one physical or non-physical service resource in the cloud platform.
Step 1.3: according to the initial system configuration file, completing the registration and recording of system user information;
in this embodiment, the system user refers to the cloud platform management user rather than a tenant demanding service resources. The information required for system user registration comprises a user name, a password, an organization (unit), a department, contact details, a password recovery method, and so on.
Step 1.4: authenticating the identity of the user through the information provided by the user (user name, password and so on), to ensure that only legitimate users can access the system;
in this embodiment, the system user refers to the cloud platform management user rather than a tenant demanding service resources. The identity of a system user is authenticated by matching the entered user name and login password against the information in the database.
Step 1.5: establishing the correspondence between service resources and roles, dividing system service resources according to roles, and generating a service resource role forest;
the tenant role hierarchy forest is composed of a plurality of role hierarchy trees; each role hierarchy tree comprises a plurality of role identifiers, a role parent node list and a role child node list.
In this embodiment, the role hierarchy tree is constructed by an evolutionary clustering algorithm from service demand history data. Each node is a triple < Aid, Apid, Asid > consisting of a role identifier Aid, a role parent node identifier Apid and a role child node identifier Asid.
Step 1.6: subdividing service resources, formulating security access control labels, and generating a service resource security access label forest;
the service resource label forest is composed of a plurality of service resource label hierarchy trees; each service resource label hierarchy tree comprises a plurality of service resource identifiers, a service resource parent node list and a service resource child node list.
In this embodiment, each node in the service resource hierarchy tree is a triple < Sid, Spid, Ssid > consisting of a service resource identifier Sid, a service resource parent node identifier Spid and a service resource child node identifier Ssid.
Step 2: during operation of the multi-tenant service resource dynamic access authorization and authentication system, implementing real-time access control and isolated sharing control of tenant service requirements;
step 2.1: monitoring tenant access requests in real time, verifying the tenant's identity, and directly rejecting access requests from unauthorized users;
in this embodiment, user access authorization implements access control through a user name and password matching policy: if the match succeeds, the platform access is legitimate; otherwise the illegitimate access request is rejected.
In this embodiment, the access rights of system users to the platform are assigned and managed by a system user, and security access control of system users over cloud platform service resources is implemented by the role and label control policy.
Step 2.2: performing evolutionary clustering analysis on the tenant service requirements that have passed identity authentication, and generating a tenant role hierarchy tree from the clustering result;
in this embodiment, the tenant service requirement is the seven-element group UR = < Uid, U_level, Us, Um, Uc, Up, Uo > consisting of the tenant's globally unique identifier Uid, the tenant service level U_level, the storage space Us, the memory size Um, the computing capacity Uc, the software platform use right Up and the software operation right Uo.
In this embodiment, the evolutionary clustering algorithm adopts the K-means method: when a tenant's real-time demand for service resources is updated, the tenant's category is estimated from the current clustering centers, and the clustering centers are then updated. The number of clustering centers and the correspondence table between tasks and roles are set by a system user. In this embodiment, tasks correspond one to one with clustering centers.
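As an added example of step 2.2 (written for this page, not the patent's own code), the block below clusters the numeric part of the tenant requirement tuple UR with a batch K-means seed and then keeps the centers "evolving": each updated requirement is first assigned to the nearest current center, and that center is then moved toward the new point. The history records, the feature scaling, the number of centers and the task-to-role table are all constructed for the example; treating Up and Uo as counts of licensed platforms and tools is an assumption.

```python
import math

# Constructed tenant requirement records UR = <Uid, U_level, Us, Um, Uc, Up, Uo>
# (Us in GB, Um in MB, Uc in cores; Up/Uo taken as counts for this example).
HISTORY = [
    ("U01", 1,  50,  2048,  2, 1, 1),
    ("U02", 1,  60,  4096,  2, 1, 2),
    ("U03", 3, 800, 32768, 16, 4, 6),
    ("U04", 3, 900, 65536, 32, 5, 8),
]


def features(record):
    """Drop the identifier and scale the fields to comparable ranges."""
    _, level, us, um, uc, up, uo = record
    return [level, us / 100.0, um / 1024.0, uc, up, uo]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def assign(centers, point):
    """Estimate the category: index of the nearest current clustering center."""
    return min(range(len(centers)), key=lambda i: distance(centers[i], point))


def kmeans(points, k, iterations=20):
    """Batch K-means for the initial clustering; the first k points seed the centers.
    Returns the centers and the number of points in each cluster."""
    centers = [list(p) for p in points[:k]]
    sizes = [0] * k
    for _ in range(iterations):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[assign(centers, p)].append(p)
        centers = [
            [sum(col) / len(g) for col in zip(*g)] if g else centers[i]
            for i, g in enumerate(groups)
        ]
        sizes = [len(g) for g in groups]
    return centers, sizes


class EvolutionaryClusterer:
    """Keeps the clustering centers alive as tenant requirements change.
    update() estimates the category from the current centers, then moves that
    center toward the new point by 1/count (sequential K-means step)."""

    def __init__(self, points, k, task_roles):
        self.centers, self.counts = kmeans(points, k)
        self.task_roles = task_roles      # task index -> role; one task per center

    def update(self, record):
        p = features(record)
        i = assign(self.centers, p)
        self.counts[i] += 1
        eta = 1.0 / self.counts[i]
        self.centers[i] = [c + eta * (x - c) for c, x in zip(self.centers[i], p)]
        return i, self.task_roles[i]


def build_clusterer(k=2, task_roles=None):
    roles = task_roles or {0: "basic-role", 1: "heavy-role"}
    return EvolutionaryClusterer([features(r) for r in HISTORY], k, roles)
```

The step size 1/count makes a center that already represents many tenants move little when one more arrives, which is what keeps a single unusual request from dragging the role a whole cluster maps to.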
Step 2.3: matching the node attributes in the tenant role hierarchy tree against the service resource role attributes, to implement access control of cloud platform service resources;
in this embodiment, the role hierarchy tree is constructed by an evolutionary clustering algorithm from service demand history data. Each node is a triple < Aid, Apid, Asid > consisting of a role identifier Aid, a role parent node identifier Apid and a role child node identifier Asid.
Step 3: during operation of the multi-tenant service resource dynamic access authorization and authentication system, implementing secure access control of the resources demanded by tenant services;
step 3.1: constructing the tenant service demand resource access label tree from the tenant service resource demand role hierarchy tree and the correspondence table between roles and security access labels;
the service resource label hierarchy tree comprises a plurality of service resource identifiers, a service resource parent node list and a service resource child node list. In this embodiment, each node in the service resource hierarchy tree is a triple < Sid, Spid, Ssid > consisting of a service resource identifier Sid, a service resource parent node identifier Spid and a service resource child node identifier Ssid.
Step 3.2: matching the tenant service demand resource access label tree against the service resource security access label forest to confirm the tenant's access authority to the service resource, thereby achieving secure access;
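The block below is an added example (not the patent's code) of the node triples < Sid, Spid, Ssid > used in steps 1.5/1.6 and of the tree matching in step 3.2; the same forest builder serves the role trees of step 2.3, since they use the same < id, parent, children > shape. It builds a forest from triples, rejects inconsistent parent/child links, and grants a demanded label only when the same label exists in the service forest at the same position in the hierarchy. The label names and the two example trees are constructed for this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A node triple as in the description: <identifier, parent identifier, child identifiers>.
Triple = Tuple[str, Optional[str], List[str]]


@dataclass
class Node:
    nid: str
    parent: Optional[str]
    children: List[str] = field(default_factory=list)


def build_forest(triples) -> Dict[str, Node]:
    """Build a hierarchy forest from <id, pid, [child ids]> triples.
    Raises ValueError if a parent is unknown or a child link disagrees with
    that child's own parent field (a forged or corrupted tree)."""
    nodes = {t[0]: Node(t[0], t[1], list(t[2])) for t in triples}
    for n in nodes.values():
        if n.parent is not None and n.parent not in nodes:
            raise ValueError(f"{n.nid}: unknown parent {n.parent}")
        for c in n.children:
            if c not in nodes or nodes[c].parent != n.nid:
                raise ValueError(f"{n.nid}: child link {c} does not match its parent field")
    return nodes


def is_consistent(triples) -> bool:
    try:
        build_forest(triples)
        return True
    except ValueError:
        return False


def path_to_root(nodes: Dict[str, Node], nid: str) -> List[str]:
    """Ancestor chain id -> ... -> root, used to compare positions in the hierarchy."""
    chain = []
    while nid is not None:
        chain.append(nid)
        nid = nodes[nid].parent
    return chain


def match_tree(demand: Dict[str, Node], forest: Dict[str, Node]):
    """Return (granted, denied). A demanded label is granted only if the same label
    exists in the service forest AND has the same ancestor chain there, so a tenant
    cannot re-home a sensitive label under a branch it is allowed to use."""
    granted, denied = [], []
    for nid in demand:
        if nid in forest and path_to_root(demand, nid) == path_to_root(forest, nid):
            granted.append(nid)
        else:
            denied.append(nid)
    return sorted(granted), sorted(denied)


# Constructed service resource security access label forest (example data).
SERVICE_LABELS = build_forest([
    ("storage", None, ["storage.public", "storage.confidential"]),
    ("storage.public", "storage", []),
    ("storage.confidential", "storage", []),
    ("compute", None, ["compute.gpu"]),
    ("compute.gpu", "compute", []),
])

# Constructed tenant demand label tree: one label does not exist in the service
# forest, and one is claimed at a position (directly under a root) it does not have.
TENANT_DEMAND = build_forest([
    ("storage", None, ["storage.public", "storage.secret"]),
    ("storage.public", "storage", []),
    ("storage.secret", "storage", []),
    ("compute.gpu", None, []),
])


def check_tenant_access():
    return match_tree(TENANT_DEMAND, SERVICE_LABELS)
```

Comparing whole ancestor chains rather than bare label names is the security-relevant choice: a match on the identifier alone would let a demand tree that detaches "compute.gpu" from its "compute" parent pass as if it were the legitimate node.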
Step 4: during operation of the multi-tenant service resource dynamic access authorization and authentication system, monitoring changes in tenant service needs and the system running condition in real time, and making corresponding adjustments;
step 4.1: monitoring the running state of the system in real time and completing real-time scheduling of service resources according to tenant service requirements;
in this embodiment, the cloud platform running state data structure is the seven-element group < Ps_list, Pm_list, Pc_list, Pp_list, Po_list, Pu_use_list > formed from the storage space usage, memory space usage, processor core computing resource usage, software platform resource usage, software tool resource usage, tenant queuing and tenant resource usage.
Step 4.2: evaluating the running performance of the system in real time; if the system resource allowance is lower than the set resource amount threshold and the tenant demand queue length is greater than the set length threshold, partially recovering in real time the service resources currently occupied by tenants whose priority is lower than the set priority threshold;
in this embodiment, when a tenant exits, or when the threshold for maintaining the guaranteed resources for cloud platform operation is triggered, the service resource recovery module recovers the exclusively held and currently occupied portion of the service resources of some or all tenants, in reverse order of tenant priority. After recovery, the basic service requirements of the affected tenants must still be guaranteed, and the amount of tenant service resources recovered is determined by the basic operation guarantee of the cloud service platform. The tenant service requirements UR = < Uid, U_level, Us, Um, Uc, Up, Uo >, the cloud platform running state PR = < Ps_list, Pm_list, Pc_list, Pp_list, Po_list, Pu > and the service resource allowances S, M, C, < Sid, SN >, < Tid, TN > are then updated.
Step 4.3: monitoring changes in tenant demand in real time, recording the tenants' historical demand data, and predicting tenant service demand in real time;
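The recovery policy of step 4.2, as an added example written for this page (not the patent's own implementation): recovery is triggered only when the resource allowance is below the resource threshold and the demand queue is longer than the length threshold; it then walks tenants below the priority threshold from lowest priority upward, takes back only what exceeds each tenant's guaranteed share, and stops as soon as the allowance is back at the threshold. Tenant data, thresholds and the "higher number means higher priority" convention are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class TenantAlloc:
    uid: str
    priority: int      # higher number = higher priority (assumption for this example)
    allocated: int     # storage currently held, in GB
    guaranteed: int    # basic service requirement that must survive recovery


def recover_resources(tenants: List[TenantAlloc], remaining: int, queue_len: int, *,
                      resource_threshold: int, queue_threshold: int,
                      priority_threshold: int) -> Tuple[int, Dict[str, int]]:
    """Apply the step 4.2 policy in place on `tenants`.
    Returns the new allowance and a map of tenant id -> amount recovered."""
    recovered: Dict[str, int] = {}
    if not (remaining < resource_threshold and queue_len > queue_threshold):
        return remaining, recovered            # neither condition: nothing to do

    # Only tenants below the priority threshold, lowest priority first (reverse order).
    candidates = sorted((t for t in tenants if t.priority < priority_threshold),
                        key=lambda t: t.priority)
    for t in candidates:
        if remaining >= resource_threshold:
            break                              # platform is back above the threshold
        reclaimable = max(0, t.allocated - t.guaranteed)   # never below the guarantee
        take = min(reclaimable, resource_threshold - remaining)
        if take > 0:
            t.allocated -= take
            remaining += take
            recovered[t.uid] = take
    return remaining, recovered


def sample_tenants() -> List[TenantAlloc]:
    """Constructed allocation table; a fresh copy each call because recovery mutates it."""
    return [
        TenantAlloc("T-A", priority=1, allocated=300, guaranteed=100),
        TenantAlloc("T-B", priority=2, allocated=200, guaranteed=150),
        TenantAlloc("T-C", priority=5, allocated=400, guaranteed=100),
    ]


def run_scenario(remaining: int, queue_len: int):
    tenants = sample_tenants()
    new_remaining, recovered = recover_resources(
        tenants, remaining, queue_len,
        resource_threshold=300, queue_threshold=3, priority_threshold=4)
    return new_remaining, recovered, {t.uid: t.allocated for t in tenants}
```

Because the loop stops at the threshold and clamps each reclamation to the tenant's surplus above its guarantee, a burst of queued demand cannot be used to starve low-priority tenants below their contracted minimum.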
Following patent application [202010862881.3] (Resource requirement intelligent prediction system and method for multi-tenant service), in this embodiment the recorded value $U_r(it)$ at any time in the historical service requirement is regarded as strongly correlated with the recorded values $U_r(T_1+it), U_r(T_1-t+it), U_r(T_1-2t+it), \ldots, U_r(t+it)$ in the preceding time interval $T_1$, and the correlation coefficient is recorded as
Figure BDA0002765225840000091
That is, writing $|U_r| = n$, denoting $U_r(it)$ by $y_i$ and denoting $U_r(T_1+it), U_r(T_1-t+it), U_r(T_1-2t+it), \ldots, U_r(t+it)$ by $x_{i1}, x_{i2}, \ldots, x_{in}$, we have $y_i = w^T x_i$, where $w^T = [w_1, w_2, \ldots, w_n]$, $x_i = [x_{i1}, x_{i2}, \ldots, x_{in}]$ and $T$ denotes the transpose. If there are $N$ historical service resource requirement records, minimize the objective function
Figure BDA0002765225840000092
to find the optimum $w^*$. Further, writing $y_i$ in vector form $y = [y_1, y_2, \ldots, y_N]^T$ and $x_i = [x_{i1}, x_{i2}, \ldots, x_{in}]$ in matrix form, i.e.
Figure BDA0002765225840000093
Then $w^* = \arg\min_w (y - Xw)^T (y - Xw) = (X^T X)^{-1} X^T y$. Therefore, the predicted value $y$ of the tenant service demand at any time is $x^T (X^T X)^{-1} X^T y$, where $x = [x_1, x_2, \ldots, x_n]$ is the vector of historical service demand record values over the time interval $T_1$ preceding that time.
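The least-squares prediction $w^* = (X^T X)^{-1} X^T y$ carried through in code, as an added example for this page (not the patent's implementation). Each row $x_i$ is the $n$ records preceding $y_i$, the normal equations are solved with Gauss-Jordan elimination in plain Python so the block needs no numeric library, and a singular $X^T X$ (for example a flat history) is reported instead of silently producing garbage. The demand series is constructed.

```python
from typing import List, Tuple


def transpose(M: List[List[float]]) -> List[List[float]]:
    return [list(col) for col in zip(*M)]


def matmul(A: List[List[float]], B: List[List[float]]) -> List[List[float]]:
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]


def solve(A: List[List[float]], b: List[float]) -> List[float]:
    """Solve A w = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [list(map(float, row)) + [float(b[i])] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[pivot][col]) < 1e-12:
            raise ValueError("X^T X is singular: use more history or fewer lags")
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def build_dataset(history: List[float], n: int) -> Tuple[List[List[float]], List[float]]:
    """Sliding windows: x_i = the n records preceding y_i (the T1 look-back)."""
    X, y = [], []
    for i in range(n, len(history)):
        X.append(list(history[i - n:i]))
        y.append(history[i])
    return X, y


def fit_weights(X: List[List[float]], y: List[float]) -> List[float]:
    """w* = (X^T X)^{-1} X^T y, computed by solving the normal equations."""
    Xt = transpose(X)
    XtX = matmul(Xt, X)
    Xty = [sum(a * b for a, b in zip(row, y)) for row in Xt]
    return solve(XtX, Xty)


def predict_next(history: List[float], n: int) -> float:
    """Predicted demand for the next interval: x^T w* with x = the last n records."""
    X, y = build_dataset(history, n)
    w = fit_weights(X, y)
    x = history[-n:]
    return sum(wi * xi for wi, xi in zip(w, x))


def can_fit(history: List[float], n: int) -> bool:
    try:
        predict_next(history, n)
        return True
    except ValueError:
        return False


# Constructed storage-usage history (GB) for a tenant, roughly 10% growth per interval.
STORAGE_HISTORY_GB = [100, 110, 121, 133, 146, 161, 177, 195, 214]
```

With no intercept term the model can only scale and combine past records, which is exactly the form $y = w^T x$ in the description; a practitioner would add a bias column or normalize the series before trusting the forecast on a series with an offset.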
Step 5: during operation of the multi-tenant service resource dynamic access authorization and authentication system, the fault management submodule records the running state to a log file in real time; when the cloud service platform crashes due to irresistible external force, the fault management submodule restarts and rolls back the cloud platform configuration and service running state to those before the crash, according to the log file.
In this embodiment, during cloud platform operation the fault management submodule records in real time, every 10 minutes, the service requirements UR = < Uid, U_level, Us, Um, Uc, Up, Uo > of each tenant of the cloud platform, the cloud platform running state PR = < Ps_list, Pm_list, Pc_list, Pp_list, Po_list, Pu > and the service resource allowances S, M, C, < Sid, SN >, < Tid, TN >, thereby obtaining the log file. When the cloud service platform crashes and restarts due to irresistible external force, the tenant tasks from before the crash are restarted and rolled back according to the service requirements UR = < Uid, U_level, Us, Um, Uc, Up, Uo >, the running state PR = < Ps_list, Pm_list, Pc_list, Pp_list, Po_list, Pu > and the service resource allowances S, M, C, < Sid, SN >, < Tid, TN > recorded in the log file.
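An added example of the step 5 snapshot log and rollback, written for this page rather than taken from the patent. Each record carries the per-tenant UR, the platform state PR and the allowances; on restart the newest record is restored. The example additionally tags every record with an HMAC and rolls back to the newest record whose tag verifies: the patent does not specify log integrity, so the key and the tag are assumptions, added because a rollback that trusts an unverified log would let a corrupted or altered record define the post-crash authorization state.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Hypothetical key for this example; a real platform would load it from its key store.
LOG_KEY = b"example-log-key-do-not-use"


def make_snapshot(ts: int, tenant_requirements: Dict[str, dict],
                  running_state: Dict[str, list], allowance: Dict[str, object]) -> dict:
    """One log record: UR of every tenant, PR of the platform, remaining allowances."""
    return {"ts": ts, "UR": tenant_requirements, "PR": running_state, "allowance": allowance}


def _tag(body: str) -> str:
    return hmac.new(LOG_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def append_snapshot(log_lines: List[str], snapshot: dict) -> None:
    """Append `tag body` as one line; canonical JSON so the tag is reproducible."""
    body = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    log_lines.append(f"{_tag(body)} {body}")


def restore(log_lines: List[str]) -> Optional[dict]:
    """Scan from the newest record backwards and roll back to the newest one
    whose integrity tag verifies; None if no trustworthy record exists."""
    for line in reversed(log_lines):
        tag, _, body = line.partition(" ")
        if hmac.compare_digest(tag, _tag(body)):
            return json.loads(body)
    return None


def demo_log() -> List[str]:
    """Constructed log with two 10-minute snapshots (values are examples only)."""
    log: List[str] = []
    append_snapshot(log, make_snapshot(
        600,
        {"U01": {"Uid": "U01", "U_level": 1, "Us": 50, "Um": 2048, "Uc": 2, "Up": 1, "Uo": 1}},
        {"Ps_list": [50], "Pm_list": [2048], "Pc_list": [2],
         "Pp_list": [1], "Po_list": [1], "Pu": ["U01"]},
        {"S": 950, "M": 63488, "C": 30, "SN": {"S1": 9}, "TN": {"T1": 9}}))
    append_snapshot(log, make_snapshot(
        1200,
        {"U01": {"Uid": "U01", "U_level": 1, "Us": 500, "Um": 2048, "Uc": 2, "Up": 1, "Uo": 1}},
        {"Ps_list": [500], "Pm_list": [2048], "Pc_list": [2],
         "Pp_list": [1], "Po_list": [1], "Pu": ["U01"]},
        {"S": 500, "M": 63488, "C": 30, "SN": {"S1": 9}, "TN": {"T1": 9}}))
    return log


def tamper_last(log_lines: List[str], old: str, new: str) -> None:
    """Simulate on-disk corruption or alteration of the newest record's body."""
    tag, _, body = log_lines[-1].partition(" ")
    log_lines[-1] = f"{tag} {body.replace(old, new)}"
```

Records are appended, never rewritten, so the newest verifiable line is always the right rollback point; in production the log would also be rotated and the key kept outside the log's own storage.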
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions and scope of the present invention as defined in the appended claims.

Claims (4)

1. A multi-tenant service resource dynamic access authorization and authentication system, characterized in that the system comprises a system management module, a service control database and a security access control core processing module;
the system management module comprises a capacity management submodule, a fault management submodule, a performance management submodule, a configuration management submodule, a comprehensive monitoring submodule, a user management submodule and an authorization service submodule;
the capacity management submodule is used for monitoring the running state of the system in real time and completing real-time scheduling of service resources according to tenant service requirements;
the fault management submodule is used for recording the running state of the system in real time, giving prompt information when a system fault occurs, and implementing state rollback after the system restarts by means of the log records;
the performance management submodule is used for evaluating the running performance of the system in real time and, if the system resource allowance is lower than the set resource amount threshold and the tenant demand queue length is greater than the set length threshold, partially recovering in real time the service resources currently occupied by tenants whose priority is lower than the set priority threshold;
the configuration management submodule is used for assisting a system user in completing system configuration;
the comprehensive monitoring submodule is used for monitoring changes in tenant demand in real time, recording the tenants' historical demand data, and updating the tenant role hierarchy tree and the service demand resource access tag tree, which are constructed based on the rules set by the configuration management submodule;
the user management submodule is used for registering and recording system user information;
the authorization service submodule authenticates the identity of a user through the information provided by the user;
the service control database is used for recording the data required for normal operation of the system and for recording tenant registration information; the tenant registration information comprises a tenant identifier, a service priority and a service requirement value;
the security access control core processing module implements security access control of multi-tenant service resources according to the tenants' real-time service requirements, and specifically comprises an application service layer, a service access filter layer, an access control management layer and a data access agent layer;
the application service layer corresponds directly to tenant service requirements and is responsible for access control of the tenants' real-time requirements;
the service access filter layer processes access requests from authorized users and directly rejects access requests from unauthorized users; at the same time, it forwards access requests from tenant users to the tenant access control and authority management module of the access control management layer, and access requests from platform users to the platform access control and authority management module of the access control management layer;
the data access agent layer retrieves the corresponding data from the service control database according to the visitor's identity and security information, and prevents a legitimate user from accessing illegal data.
2. The system of claim 1, characterized in that the system configuration comprises setting the initial system service resources, setting the minimum guaranteed resources, setting the length of the service demand queue, constructing the service resource role forest, establishing the security access control labels, and constructing the correspondence table between roles and service resource security access labels.
3. The system of claim 1, characterized in that the service control database comprises a tenant role description data structure table and a role hierarchy tree, a service label description data structure table and a label hierarchy tree, a multi-tenant common task description table obtained by evolutionary clustering of service demand history records, and a correspondence table between tasks and roles.
4. A multi-tenant service resource dynamic access authorization and authentication method, implemented on the multi-tenant service resource dynamic access authorization and authentication system of claim 1, characterized in that the method comprises the following steps:
step 1: when the multi-tenant service resource dynamic access authorization and authentication system is started, completing cloud platform initialization;
step 1.1: monitoring the total amount of available service resources of the cloud platform, and performing matching verification against the initial log file;
step 1.2: assisting a system user in completing system configuration, including setting the initial system service resources, the minimum guaranteed resources and the service requirement queue length;
step 1.3: according to the initial system configuration file, completing the registration and recording of system user information;
step 1.4: authenticating the identity of the user through the information provided by the user;
step 1.5: establishing the correspondence between service resources and roles, dividing system service resources according to roles, and generating a service resource role forest;
step 1.6: subdividing service resources, formulating security access control labels, and generating a service resource security access label forest;
step 2: during operation of the multi-tenant service resource dynamic access authorization and authentication system, implementing real-time access control and isolated sharing control of tenant service requirements;
step 2.1: monitoring tenant access requests in real time, verifying the tenant's identity, and directly rejecting access requests from unauthorized users;
step 2.2: performing evolutionary clustering analysis on the tenant service requirements that have passed identity authentication, and generating a tenant role hierarchy tree from the clustering result;
step 2.3: matching the node attributes in the tenant role hierarchy tree against the service resource role attributes, to implement access control of cloud platform service resources;
step 3: during operation of the multi-tenant service resource dynamic access authorization and authentication system, implementing secure access control of the resources demanded by tenant services;
step 3.1: constructing the tenant service demand resource access label tree from the tenant service resource demand role hierarchy tree and the correspondence table between roles and security access labels;
step 3.2: matching the tenant service demand resource access label tree against the service resource security access label forest to confirm the tenant's access authority to the service resource;
step 4: during operation of the multi-tenant service resource dynamic access authorization and authentication system, monitoring changes in tenant service needs and the system running condition in real time, and making corresponding adjustments;
step 4.1: monitoring the running state of the system in real time and completing real-time scheduling of service resources according to tenant service requirements;
step 4.2: evaluating the running performance of the system in real time; if the system resource allowance is lower than the set resource threshold and the tenant demand queue length is greater than the set length threshold, partially recovering in real time the service resources currently occupied by tenants whose priority is lower than the set priority threshold;
step 4.3: monitoring changes in tenant demand in real time, recording the tenants' historical demand data, and predicting tenant service demand in real time;
step 5: during operation of the multi-tenant service resource dynamic access authorization and authentication system, the fault management submodule records the running state to a log file in real time; when the cloud service platform crashes due to irresistible external force, the fault management submodule restarts and rolls back the cloud platform configuration and service running state to those before the crash, according to the log file.
CN202011231085.6A 2020-11-06 2020-11-06 Multi-tenant service resource dynamic access authorization and authentication system and method Active CN112311804B (en)
Publications (2)

Publication Number Publication Date
CN112311804A true CN112311804A (en) 2021-02-02
CN112311804B CN112311804B (en) 2021-08-24