CN115695017B - Multi-tenant access control method suitable for cloud platform operation - Google Patents

Multi-tenant access control method suitable for cloud platform operation

Info

Publication number: CN115695017B
Application number: CN202211367228.5A
Authority: CN (China)
Prior art keywords: data, central control, control module, tenant, memory
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN115695017A
Inventors: 莫剑峰, 刘惠航, 傅林, 刘晓静, 黄翔
Current Assignee: China Southern Power Grid Digital Platform Technology Guangdong Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Priority: CN202211367228.5A
Publications: CN115695017A (application), CN115695017B (granted)

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a multi-tenant access control method suitable for cloud platform operation, comprising the following steps: step s1, when the personal information entered by a user matches the pre-stored user information, the user is authenticated as a tenant; step s2, whether the user has the right to acquire the requested data is judged according to the grade of the user at the terminal; step s3, when the tenant is determined to have the authority to acquire the data, it is determined whether to encrypt the data before conveying it; step s4, the grade of the data is judged by analysing its type; step s5, the storage module is controlled to send the corresponding data to the terminal used by the tenant. According to the invention, different access rights are set according to the grades of the users, so that the reduced platform security caused by leakage of user information is effectively avoided; meanwhile, the central control module applies encryption according to the grade of the data, so that the security of the data is effectively ensured and the security coefficient of the platform is further improved.

Description

Multi-tenant access control method suitable for cloud platform operation
Technical Field
The invention relates to the technical field of data security, in particular to a multi-tenant access control method suitable for cloud platform operation.
Background
Cloud computing provides processing, storage, infrastructure and software services from a large-scale resource pool to users over the Internet, so that low-cost, automated, rapidly provisioned and flexible IT services are realised. A cloud computing service can lease instances to different tenants, so that many tenants share data resources, reducing enterprise cost and improving enterprise efficiency. However, a tenant uses the service by accessing a shared data platform, yet does not want its own data to be accessed by other tenants, so how to implement secure multi-tenant access control is a problem to be solved.
Chinese patent publication No. CN108259422B discloses a multi-tenant access control method and device. The method comprises: acquiring the attributes corresponding to each role; clustering roles that share the same attribute into a task group; and generating corresponding access information for each task group according to the attributes of the roles in that task group, so that the operation authority over a resource is obtained using the access information of the task group. Although this completes multi-tenant access control, the method still cannot effectively prevent one tenant from acquiring information of other tenants while using data, and its security coefficient is low.
Disclosure of Invention
Therefore, the invention provides a multi-tenant access control method suitable for cloud platform operation, which solves the prior-art problem of a low security coefficient caused by one tenant obtaining information of other tenants while using data.
In order to achieve the above object, the present invention provides a multi-tenant access control method suitable for cloud platform operation, including:
step s1, the central control module authenticates the user as a tenant when the personal information entered by the user matches the pre-stored user information, and issues the user a corresponding public key and private key;
step s2, when a single terminal sends a data acquisition request, the central control module judges whether the user has permission to acquire the data according to the grade of the user at the terminal;
step s3, when the central control module determines that the tenant at the terminal has the authority to acquire the data, it determines, according to the grade of the data, whether to encrypt the data before conveying it;
step s4, when the central control module receives a data upload request from the terminal, the central control module judges the grade of the data by analysing the type of the data;
step s5, when the central control module determines that the tenant has the authority to acquire the data, the central control module controls the storage module to send the corresponding data to the terminal used by the tenant.
Further, the data includes personal data used only by a single corresponding tenant, primary public data used only by the tenants, and secondary public data used by the tenants and readable by guests (visitors); the central control module adds a corresponding prefix code to data of each level:
For personal data, the prefix code is marked A; the central control module controls the storage module to output the data to the encryption module and controls the encryption module to select the corresponding encryption mode according to the authentication information of the tenant;
For primary public data, the prefix code is marked B; the central control module controls the storage module to output the data to the encryption module and controls the encryption module to select the corresponding encryption mode;
For secondary public data, the prefix code is marked C, and the central control module does not need to encrypt the data.
Further, when a tenant acquires secondary public data, the central control module controls the storage module to send the corresponding secondary public data to the terminal used by the tenant;
When the tenant acquires primary public data, the central control module controls the storage module to output the data to the encryption module; the encryption module performs primary encryption on the primary public data using a general encryption mode and transmits it to the terminal used by the tenant, and the tenant decrypts the primary-encrypted data using the public key to obtain the primary public data;
When the tenant acquires personal data, the central control module controls the storage module to output the personal data to the encryption module; the encryption module performs primary encryption on the personal data using the general encryption mode and, once that is finished, performs secondary encryption using the tenant's personal encryption mode; after the secondary encryption is finished, the encryption module conveys the doubly-encrypted personal data to the terminal used by the tenant, and the tenant first decrypts it using the private key and then performs secondary decryption on the result using the public key to obtain the personal data.
Further, the central control module is provided with a preset value R0 for the number of tenants and adjusts the change period of the public key and private key according to the number R of tenants:
If R ≤ R0, the central control module sets the change period of the public key and private key to T0;
If R0 < R ≤ 2R0, the central control module sets the change period of the public key and private key to T0/2;
If R > 2R0, the central control module sets the change period of the public key and private key to T0/4.
Further, when the central control module adjusts the data level according to the ratio of the memory occupied by data of a single category to the memory of all data, the central control module takes the ratio Q of the memory of personal data to the memory of all data, compares Q with the preset ratio Q0, and determines whether to adjust the personal data level:
If Q ≤ Q0, the central control module does not adjust the personal data grade;
If Q > Q0, the central control module judges that personal data is to be changed to the primary public data grade, calculates ΔQ, and determines from ΔQ the ratio P of the personal-data memory to be redistributed to the total personal-data memory.
Further, when the central control module finishes changing personal data into primary public data, it re-detects the ratio of the memory of personal data to the memory of all data, marks it Q', compares Q' with the preset ratio, and adjusts the distribution of data of the different grades according to the result:
If Q' > Q0, the central control module adjusts the distribution of the different grades according to ΔQ', reducing the memory share of primary public data and increasing the memory share of personal data;
If Q' ≤ Q0, the central control module does not adjust the distribution of the different grades.
Further, the central control module determines the ratio P of the personal-data memory to be redistributed to the total personal-data memory according to ΔQ; it is provided with a first preset difference ΔQ1, a second preset difference ΔQ2, a first share adjustment coefficient α1 and a second share adjustment coefficient α2, where ΔQ1 < ΔQ2 and α2 < α1 < 1:
If ΔQ ≤ ΔQ1, the central control module does not adjust the ratio P of the personal-data memory to be redistributed to the total personal-data memory;
If ΔQ1 < ΔQ ≤ ΔQ2, the central control module adjusts the ratio P using α1;
If ΔQ > ΔQ2, the central control module adjusts the ratio P using α2;
When the central control module determines that P needs to be adjusted using αi (i = 1, 2), the adjusted ratio of the personal-data memory to be redistributed to the total personal-data memory is denoted P', with P' = P × αi.
Further, the central control module adjusts the preset share Q0 according to the difference ΔR between the number R of tenants and the preset value R0; it is provided with a first preset difference ΔR1, a second preset difference ΔR2, a first share adjustment coefficient β1 and a second share adjustment coefficient β2, where ΔR1 < ΔR2 and 1 < β1 < β2:
If ΔR ≤ ΔR1, the central control module does not adjust the preset share Q0;
If ΔR1 < ΔR ≤ ΔR2, the central control module adjusts the preset share Q0 using β1;
If ΔR > ΔR2, the central control module adjusts the preset share Q0 using β2;
When the central control module determines that Q0 needs to be adjusted using βj (j = 1, 2), the adjusted preset share is denoted Q0', with Q0' = Q0 × βj.
Further, the central control module judges whether the user has the authority to acquire data of the different grades according to the grade of the user:
If the user is an administrator, the central control module judges that the user has the authority to read the personal data, the primary public data and the secondary public data;
If the user is a tenant, the central control module judges that the user has the authority to read and use the personal data, the primary public data and the secondary public data;
If the user is a guest, the central control module judges that the user has only the authority to read the secondary public data and does not have the authority to use the personal data, the primary public data or the secondary public data.
Further, the central control module assigns uploaded data to the corresponding level by analysing the type of the data:
If the data type is private information of an individual tenant, the central control module files it as personal data;
If the data type is information for improving or maintaining the cloud platform, the central control module files it as primary public data;
If the data type is political news or social current-affairs information, the central control module files it as secondary public data.
Compared with the prior art, the invention has the beneficial effect that the central control module sets different access rights according to the grade of the user, so that reduced platform security caused by leakage of users' personal information is effectively avoided; meanwhile, the central control module applies encryption according to the grade of the data, so that the security of the data is effectively ensured and the security coefficient of the platform is improved.
Furthermore, the central control module adds corresponding prefix codes to data of different grades, so that the data is effectively classified, users can conveniently distinguish and search the data, and the security coefficient of tenants using the platform is further improved.
Further, when a tenant accesses data of different grades, the platform processes the data differently: when the tenant accesses secondary public data, the central control module transmits it directly to the tenant terminal; when the tenant accesses primary public data, the encryption module performs primary encryption using the general encryption mode and transmits the encrypted data to the tenant terminal; when the tenant accesses personal data, the encryption module encrypts it twice before transmitting it to the tenant terminal. Through this arrangement the security of the data is effectively ensured and the security coefficient of the platform is further improved.
Furthermore, the invention adjusts the change period of the secret key according to the number of tenants, shortening the change period as the number of tenants increases, which further ensures the security of the data and further improves the security coefficient of the platform.
Furthermore, the central control module adjusts the data grade according to the ratio of the memory occupied by data of a single type to the total data memory; through this arrangement resources can be allocated reasonably, the platform is better organised, and platform data loss caused by an uneven memory ratio is avoided.
Further, the central control module of the invention adjusts the ratio of the personal-data memory to be redistributed to the total personal-data memory by comparing ΔQ with the preset difference values, thereby effectively ensuring the share of data of each grade, further ensuring an even distribution of the data, and further improving the security coefficient of the platform.
Further, the central control module is provided with several preset difference values and share adjustment coefficients keyed to the number of tenants, and adjusts the preset share Q0 by comparing ΔR with the preset difference values, so that the share of tenants' personal data is ensured, the usage requirements of tenants are effectively met, and the security coefficient of the platform is further improved.
Drawings
Fig. 1 is a block diagram of a multi-tenant access control method suitable for cloud platform operation according to an embodiment of the present invention;
Fig. 2 is a flowchart of a multi-tenant access control method suitable for cloud platform operation according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will become more apparent, the invention will be further described with reference to the following examples; it should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are merely for explaining the technical principles of the present invention, and are not intended to limit the scope of the present invention.
It should be noted that, in the description of the present invention, terms such as "upper," "lower," "left," "right," "inner," "outer," and the like indicate directions or positional relationships based on the directions or positional relationships shown in the drawings, which are merely for convenience of description, and do not indicate or imply that the apparatus or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those skilled in the art according to the specific circumstances.
Fig. 1 is a block diagram of a multi-tenant access control method suitable for cloud platform operation according to an embodiment of the present invention, wherein a terminal is the medium through which an administrator, tenant or guest uses the platform; the authentication module verifies the identity information of the user; the central control module judges whether a user has the authority to access and acquire data and controls the storage module to send the corresponding data to the terminal used by the tenant; the encryption module, arranged at the output end of the central control module, encrypts the data output by the central control module; and the storage module stores information and sends the corresponding data to the terminal used by the tenant.
Fig. 2 is a flowchart of a multi-tenant access control method suitable for cloud platform operation according to an embodiment of the present invention.
The multi-tenant access control method suitable for cloud platform operation comprises the following steps:
step s1, the central control module authenticates the user as a tenant when the personal information entered by the user matches the pre-stored user information, and issues the user a corresponding public key and private key;
step s2, when a single terminal sends a data acquisition request, the central control module judges whether the user has permission to acquire the data according to the grade of the user at the terminal;
step s3, when the central control module determines that the tenant at the terminal has the authority to acquire the data, it determines, according to the grade of the data, whether to encrypt the data before conveying it;
step s4, when the central control module receives a data upload request from the terminal, the central control module judges the grade of the data by analysing the type of the data;
step s5, when the central control module determines that the tenant has the authority to acquire the data, the central control module controls the storage module to send the corresponding data to the terminal used by the tenant.
Specifically, the data includes personal data used only by a single corresponding tenant, primary public data used only by the tenants, and secondary public data used by the tenants and viewable by guests (visitors); the central control module adds a corresponding prefix code to data of each level:
For personal data, the prefix code is marked A; the central control module controls the storage module to output the data to the encryption module and controls the encryption module to select the corresponding encryption mode according to the authentication information of the tenant;
For primary public data, the prefix code is marked B; the central control module controls the storage module to output the data to the encryption module and controls the encryption module to select the corresponding encryption mode;
For secondary public data, the prefix code is marked C, and the central control module does not need to encrypt the data.
According to the invention, the central control module adds corresponding prefix codes to data of different grades, so that the data is effectively classified, users can conveniently distinguish and search the data, and the security coefficient of tenants using the platform is further improved.
Specifically, when a tenant acquires secondary public data, the central control module controls the storage module to send the corresponding secondary public data to the terminal used by the tenant;
When the tenant acquires primary public data, the central control module controls the storage module to output the data to the encryption module; the encryption module performs primary encryption on the primary public data using a general encryption mode and transmits it to the terminal used by the tenant, and the tenant decrypts the primary-encrypted data using the public key to obtain the primary public data;
When the tenant acquires personal data, the central control module controls the storage module to output the personal data to the encryption module; the encryption module performs primary encryption on the personal data using the general encryption mode and, once that is finished, performs secondary encryption using the tenant's personal encryption mode; after the secondary encryption is finished, the encryption module conveys the doubly-encrypted personal data to the terminal used by the tenant, and the tenant first decrypts it using the private key and then performs secondary decryption on the result using the public key to obtain the personal data.
According to the invention, when a tenant accesses data of different grades, the platform processes the data differently: when the tenant accesses secondary public data, the central control module transmits it directly to the tenant terminal; when the tenant accesses primary public data, the encryption module performs primary encryption using the general encryption mode and transmits the encrypted data to the tenant terminal; when the tenant accesses personal data, the encryption module encrypts it twice before transmitting it to the tenant terminal. Through this arrangement the security of the data is effectively ensured and the security coefficient of the platform is further improved.
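The following Python model of the per-grade delivery path is an added illustration, not code from the patent or its assignee. The page does not name the "general encryption mode" or the "personal encryption mode", so the block stands in for each layer with an authenticated toy stream cipher (HMAC-SHA256 in counter mode, encrypt-then-MAC) keyed by an assumed shared general key and an assumed per-tenant key; the names `general_key`, `personal_key`, `seal`, `unseal`, `encrypt_for_delivery` and `decrypt_on_terminal` are all assumptions. What it shows is the layering rule: prefix C is delivered in the clear, prefix B gets one layer, prefix A gets the general layer first and the tenant's personal layer on top, so the terminal must peel the personal layer before the general one, and a wrong personal key fails closed on the tag check rather than yielding garbage.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Prefix codes from the description: A = personal, B = primary public, C = secondary public.
PREFIX_BY_LEVEL = {"personal": "A", "primary_public": "B", "secondary_public": "C"}

# Encryption layers applied before delivery, in order, per prefix code (assumed layer names:
# "general" = the page's general encryption mode, "personal" = the per-tenant mode).
LAYERS_BY_PREFIX = {"A": ("general", "personal"), "B": ("general",), "C": ()}

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one layer key.
    return hashlib.sha256(purpose + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode; a stand-in for a real AEAD cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """One encryption layer, encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key or altered blob is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _key_for(layer: str, general_key: bytes, personal_key: Optional[bytes]) -> bytes:
    if layer == "general":
        return general_key
    if personal_key is None:
        raise ValueError("personal data requires the tenant's personal key")
    return personal_key


def encrypt_for_delivery(prefix: str, data: bytes, general_key: bytes,
                         personal_key: Optional[bytes] = None) -> bytes:
    """Encryption module: apply the layers required by the prefix code, general layer first."""
    blob = data
    for layer in LAYERS_BY_PREFIX[prefix]:
        blob = seal(_key_for(layer, general_key, personal_key), blob)
    return blob


def decrypt_on_terminal(prefix: str, blob: bytes, general_key: bytes,
                        personal_key: Optional[bytes] = None) -> bytes:
    """Tenant terminal: peel the layers in reverse order (personal first, then general)."""
    for layer in reversed(LAYERS_BY_PREFIX[prefix]):
        blob = unseal(_key_for(layer, general_key, personal_key), blob)
    return blob


def layer_count(prefix: str) -> int:
    return len(LAYERS_BY_PREFIX[prefix])


if __name__ == "__main__":
    # Constructed sample keys and record; nothing here comes from the patent.
    general_key, alice_key = os.urandom(32), os.urandom(32)
    record = b"tenant alice: private billing record"
    delivered = encrypt_for_delivery("A", record, general_key, alice_key)
    print(decrypt_on_terminal("A", delivered, general_key, alice_key))
```

The order of peeling matters: because the personal layer was applied last, the terminal's private (personal) key must be used first, which matches the sequence the description gives for personal data.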
Specifically, the central control module is provided with a preset value R0 for the number of tenants and adjusts the change period of the public key and private key according to the number R of tenants:
If R ≤ R0, the central control module sets the change period of the public key and private key to T0;
If R0 < R ≤ 2R0, the central control module sets the change period of the public key and private key to T0/2;
If R > 2R0, the central control module sets the change period of the public key and private key to T0/4.
According to the invention, the change period of the secret key is regulated according to the number of tenants, and as the number of tenants increases the change period is progressively shortened, so that the security of the data is further ensured and the security coefficient of the platform is further improved.
Specifically, when the central control module adjusts the data level according to the ratio of the memory occupied by data of a single category to the memory of all data, the central control module takes the ratio Q of the memory of personal data to the memory of all data, compares Q with the preset ratio Q0, and determines whether to adjust the personal data level:
If Q ≤ Q0, the central control module does not adjust the personal data grade;
If Q > Q0, the central control module judges that personal data is to be changed to the primary public data grade, calculates ΔQ, and determines from ΔQ the ratio P of the personal-data memory to be redistributed to the total personal-data memory.
According to the invention, the central control module adjusts the data grade according to the ratio of the memory occupied by data of a single type to the total data memory; through this arrangement resources can be allocated reasonably, the platform is better organised, and platform data loss caused by an uneven memory ratio is avoided.
Specifically, when the central control module finishes changing personal data into primary public data, it re-detects the ratio of the memory of personal data to the memory of all data, marks it Q', compares Q' with the preset ratio, and adjusts the distribution of data of the different grades according to the result:
If Q' > Q0, the central control module adjusts the distribution of the different grades according to ΔQ', reducing the memory share of primary public data and increasing the memory share of personal data;
If Q' ≤ Q0, the central control module does not adjust the distribution of the different grades.
Specifically, the central control module determines the ratio P of the personal-data memory to be redistributed to the total personal-data memory according to ΔQ; it is provided with a first preset difference ΔQ1, a second preset difference ΔQ2, a first share adjustment coefficient α1 and a second share adjustment coefficient α2, where ΔQ1 < ΔQ2 and α2 < α1 < 1:
If ΔQ ≤ ΔQ1, the central control module does not adjust the ratio P of the personal-data memory to be redistributed to the total personal-data memory;
If ΔQ1 < ΔQ ≤ ΔQ2, the central control module adjusts the ratio P using α1;
If ΔQ > ΔQ2, the central control module adjusts the ratio P using α2;
When the central control module determines that P needs to be adjusted using αi (i = 1, 2), the adjusted ratio of the personal-data memory to be redistributed to the total personal-data memory is denoted P', with P' = P × αi.
The central control module adjusts the ratio of the personal-data memory to be redistributed to the total personal-data memory by comparing ΔQ with the preset difference values, thereby effectively ensuring the share of data of each grade, further ensuring an even distribution of the data, and further improving the security coefficient of the platform.
Specifically, the central control module adjusts the preset share Q0 according to the difference ΔR between the number R of tenants and the preset value R0; it is provided with a first preset difference ΔR1, a second preset difference ΔR2, a first share adjustment coefficient β1 and a second share adjustment coefficient β2, where ΔR1 < ΔR2 and 1 < β1 < β2:
If ΔR ≤ ΔR1, the central control module does not adjust the preset share Q0;
If ΔR1 < ΔR ≤ ΔR2, the central control module adjusts the preset share Q0 using β1;
If ΔR > ΔR2, the central control module adjusts the preset share Q0 using β2;
When the central control module determines that Q0 needs to be adjusted using βj (j = 1, 2), the adjusted preset share is denoted Q0', with Q0' = Q0 × βj.
According to the invention, the central control module is provided with several preset difference values and share adjustment coefficients keyed to the number of tenants, and adjusts the preset share Q0 by comparing ΔR with the preset difference values, so that the share of tenants' personal data is ensured, the usage requirements of tenants are effectively met, and the security coefficient of the platform is further improved.
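The threshold rules above (key change period from R, Q0' = Q0 × βj from ΔR, and P' = P × αi from ΔQ) are easiest to check when written out as one control pass. The block below is an added example, not code from the patent; every numeric preset in `SAMPLE` is constructed, and two definitions the page leaves implicit are assumptions: ΔR is taken as R − R0 and ΔQ as the excess of Q over the adjusted preset share Q0'. The `Presets` constructor also rejects parameter sets that violate the orderings the page states (ΔQ1 < ΔQ2, α2 < α1 < 1, ΔR1 < ΔR2, 1 < β1 < β2), which is the check a practitioner would want before such a policy goes live.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Presets:
    """Preset values named on the page; the sample numbers used below are constructed."""
    R0: int        # preset tenant-count value
    T0: float      # base change period of the key pair (unit assumed: hours)
    Q0: float      # preset share of personal data in all stored data
    dQ1: float     # first preset difference ΔQ1
    dQ2: float     # second preset difference ΔQ2, ΔQ1 < ΔQ2
    alpha1: float  # share adjustment coefficients, α2 < α1 < 1
    alpha2: float
    dR1: int       # first preset difference ΔR1
    dR2: int       # second preset difference ΔR2, ΔR1 < ΔR2
    beta1: float   # preset-share adjustment coefficients, 1 < β1 < β2
    beta2: float

    def __post_init__(self) -> None:
        # Ordering constraints stated on the page; refuse presets that break them.
        if not (self.dQ1 < self.dQ2 and 0 < self.alpha2 < self.alpha1 < 1):
            raise ValueError("need ΔQ1 < ΔQ2 and 0 < α2 < α1 < 1")
        if not (self.dR1 < self.dR2 and 1 < self.beta1 < self.beta2):
            raise ValueError("need ΔR1 < ΔR2 and 1 < β1 < β2")


def key_change_period(R: int, p: Presets) -> float:
    """Change period of the tenant key pair: T0, then T0/2, then T0/4 as R grows."""
    if R <= p.R0:
        return p.T0
    if R <= 2 * p.R0:
        return p.T0 / 2
    return p.T0 / 4


def adjusted_q0(R: int, p: Presets) -> float:
    """Q0' = Q0 × βj selected by ΔR. Assumption: ΔR = R − R0 (no adjustment when R ≤ R0 + ΔR1)."""
    dR = R - p.R0
    if dR <= p.dR1:
        return p.Q0
    if dR <= p.dR2:
        return p.Q0 * p.beta1
    return p.Q0 * p.beta2


def adjusted_share(P: float, dQ: float, p: Presets) -> float:
    """P' = P × αi selected by ΔQ; ΔQ ≤ ΔQ1 leaves P unchanged."""
    if dQ <= p.dQ1:
        return P
    if dQ <= p.dQ2:
        return P * p.alpha1
    return P * p.alpha2


def control_tick(R: int, Q: float, P: float, p: Presets) -> dict:
    """One pass of the central control module for tenant count R and personal-data share Q."""
    q0 = adjusted_q0(R, p)
    decision = {"period": key_change_period(R, p), "Q0": q0, "reclassify": Q > q0, "P": P}
    if decision["reclassify"]:
        dQ = Q - q0  # assumption: ΔQ is the excess of Q over the adjusted preset share
        decision["dQ"] = dQ
        decision["P"] = adjusted_share(P, dQ, p)
    return decision


# Constructed presets for demonstration only.
SAMPLE = Presets(R0=100, T0=24.0, Q0=0.40, dQ1=0.05, dQ2=0.15, alpha1=0.9, alpha2=0.7,
                 dR1=20, dR2=60, beta1=1.1, beta2=1.25)

if __name__ == "__main__":
    for R, Q in ((80, 0.38), (150, 0.50), (300, 0.70)):
        print(R, Q, control_tick(R, Q, P=0.5, p=SAMPLE))
```

Note that adjusting Q0 upward with β raises the bar before any personal data is reclassified, so the two rules interact: the same Q can trigger reclassification at a small tenant count and not at a larger one.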
Specifically, the central control module judges whether the user has the authority to acquire data of different grades according to the grade of the user:
If the user is an administrator, the central control module judges that the user has the authority to read the personal data, the primary public data and the secondary public data;
If the user is a tenant, the central control module judges that the user has the authority to read and use the personal data, the primary public data and the secondary public data;
If the user is a tourist, the central control module judges that the user has only the authority to read the secondary public data and does not have the authority to use the personal data, the primary public data and the secondary public data.
In particular, the central control module assigns uploaded data to the corresponding grade by analyzing the type of the data:
If the data is the private information of an individual tenant, the central control module uploads it to the personal data;
if the data is information for improving or maintaining the cloud platform, the central control module uploads it to the primary public data;
and if the data is political news or social affairs information, the central control module uploads it to the secondary public data.
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will be within the scope of the present invention.
The foregoing description is only of the preferred embodiments of the invention and is not intended to limit the invention; various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. The multi-tenant access control method suitable for cloud platform operation is characterized by comprising the following steps:
step s1, the central control module authenticates the user as a tenant under the condition that personal information input by the user is matched with pre-stored user information, and sends a corresponding public key and private key to the user;
step s2, when a single terminal sends out a data acquisition application, the central control module judges whether the user has permission to acquire the data according to the grade of the user in the terminal;
step s3, when the central control module determines that the tenant in the terminal has the authority to acquire the data, determining whether to encrypt the data before conveying the data according to the grade of the data;
step s4, when the central control module receives a data uploading application from the terminal, the central control module judges the grade of the data by analyzing the type of the data;
step s5, when the central control module judges that the tenant has the right to acquire the data, the central control module controls the storage module to send the corresponding data to the terminal used by the tenant;
the data comprises personal data used only by the corresponding single tenant, primary public data used only by the tenants, and secondary public data used by the tenants and read by tourists; the central control module adds a corresponding prefix code to data of each grade:
for personal data, the prefix code of the data is marked as A, and the central control module controls the storage module to output the corresponding data to the encryption module and controls the encryption module to select the corresponding encryption mode to encrypt the data according to the authentication information of the tenant;
for the primary public data, the prefix code of the data is marked as B, and the central control module controls the storage module to output the corresponding data to the encryption module and controls the encryption module to select the corresponding encryption mode to encrypt the data;
for the secondary public data, the prefix code of the data is marked as C, and the central control module does not encrypt the data;
when the tenant acquires the secondary public data, the central control module controls the storage module to send the corresponding secondary public data to the terminal used by the tenant;
when the tenant acquires the primary public data, the central control module controls the storage module to output the corresponding data to the encryption module, the encryption module performs primary encryption on the primary public data using a general encryption mode and conveys the encrypted primary public data to the terminal used by the tenant, and the tenant decrypts the primary-encrypted primary public data using the public key to obtain the primary public data;
when the tenant acquires the personal data, the central control module controls the storage module to output the corresponding personal data to the encryption module, the encryption module performs primary encryption on the personal data using the general encryption mode and, once the primary encryption is finished, performs secondary encryption on the data using the corresponding personal encryption mode; after the secondary encryption is finished, the encryption module conveys the secondarily encrypted personal data to the terminal used by the tenant, and the tenant decrypts the secondarily encrypted personal data using the private key and then performs secondary decryption on the primarily decrypted personal data using the public key to obtain the personal data.
2. The multi-tenant access control method for cloud platform operation according to claim 1, wherein the central control module sets a preset value R0 for the number of tenants and adjusts the change period of the public key and the private key according to the number of tenants R:
If R ≤ R0, the central control module sets the change period of the public key and the private key to T0;
If R0 < R ≤ 2R0, the central control module sets the change period of the public key and the private key to T0/2;
If R > 2R0, the central control module sets the change period of the public key and the private key to T0/4.
3. The multi-tenant access control method for cloud platform operation according to claim 2, wherein when the central control module adjusts the data grade according to the ratio of the memory of the data in a single category to the memory of the total data, the central control module sets the ratio Q of the memory of the personal data to the memory of the total data, compares Q with a preset ratio Q0 and determines whether to adjust the personal data grade:
If Q ≤ Q0, the central control module does not adjust the personal data grade;
If Q > Q0, the central control module judges that the personal data grade is changed to primary public data, calculates ΔQ, and determines the ratio P of the personal data memory to be redistributed to the total personal data memory according to ΔQ.
4. The multi-tenant access control method for cloud platform operation according to claim 3, wherein when the central control module has finished changing the personal data into primary public data, it compares the ratio of the memory of the changed personal data to the memory of the total data with the preset ratio, adjusts the distribution rate of the different grades of data according to the comparison result, re-detects the ratio of the memory of the personal data to the memory of the total data and marks it as Q':
If Q' > Q0, the central control module adjusts the distribution rate of the different grades of data according to ΔQ', reduces the memory ratio of the primary public data and increases the memory ratio of the personal data;
If Q' ≤ Q0, the central control module does not adjust the distribution rate of the different grades of data.
5. The multi-tenant access control method for cloud platform operation according to claim 4, wherein the central control module determines the ratio P of the personal data memory to be redistributed to the total personal data memory according to ΔQ; the central control module is provided with a first preset difference ΔQ1, a second preset difference ΔQ2, a first ratio adjustment coefficient α1 and a second ratio adjustment coefficient α2, where ΔQ1 < ΔQ2 and α2 < α1 < 1:
If ΔQ ≤ ΔQ1, the central control module does not adjust the ratio P of the personal data memory to be redistributed to the total personal data memory;
If ΔQ1 < ΔQ ≤ ΔQ2, the central control module adjusts the ratio P of the personal data memory to be redistributed to the total personal data memory using α1;
If ΔQ > ΔQ2, the central control module adjusts the ratio P of the personal data memory to be redistributed to the total personal data memory using α2;
When the central control module determines that P needs to be adjusted using α_i (i = 1, 2), the adjusted ratio of the personal data memory to be redistributed to the total personal data memory is denoted P', and P' = P × α_i.
6. The multi-tenant access control method for cloud platform operation according to claim 5, wherein the central control module adjusts the preset ratio Q0 according to the difference ΔR between the number of tenants R and the preset value R0; the central control module is provided with a first preset difference ΔR1, a second preset difference ΔR2, a first ratio adjustment coefficient β1 and a second ratio adjustment coefficient β2, where ΔR1 < ΔR2 and 1 < β1 < β2:
If ΔR ≤ ΔR1, the central control module does not adjust the preset ratio Q0;
If ΔR1 < ΔR ≤ ΔR2, the central control module adjusts the preset ratio Q0 using β1;
If ΔR > ΔR2, the central control module adjusts the preset ratio Q0 using β2;
When the central control module determines that Q0 needs to be adjusted using β_j (j = 1, 2), the adjusted preset ratio is denoted Q0', and Q0' = Q0 × β_j.
7. The multi-tenant access control method of claim 6, wherein the central control module determines whether the user has permission to obtain data of different grades according to the grade of the user:
If the user is an administrator, the central control module judges that the user has the authority to read the personal data, the primary public data and the secondary public data;
If the user is a tenant, the central control module judges that the user has the authority to read and use the personal data, the primary public data and the secondary public data;
If the user is a tourist, the central control module judges that the user has only the authority to read the secondary public data and does not have the authority to use the personal data, the primary public data and the secondary public data.
8. The multi-tenant access control method for cloud platform operation of claim 7, wherein the central control module assigns uploaded data to the corresponding grade by analyzing the type of the data:
If the data is the private information of an individual tenant, the central control module uploads it to the personal data;
if the data is information for improving or maintaining the cloud platform, the central control module uploads it to the primary public data;
and if the data is political news or social affairs information, the central control module uploads it to the secondary public data.
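The permission matrix, the upload-time grading, the per-grade encryption layers and the threshold rules described above and restated in claims 1, 2 and 5 to 8, modelled in Python as an added example that is not the patent's own code. The category labels and all numeric values are constructed for the example; the owner check on personal data follows claim 1's statement that personal data is used only by the corresponding single tenant, but how the owner is identified is an assumption; and the α and β rules of claims 5 and 6, which share one shape, are generalized into a single band function.

```python
"""Model of the patent's access rules (added example, not the patent's own code).
Assumed here: category labels, threshold values, and that personal data (A) is
bound to its owning tenant, so a tenant acts only on their own personal data."""
from enum import Enum


class User(Enum):   # user grades named on the page
    ADMIN = "administrator"
    TENANT = "tenant"
    GUEST = "tourist"

class Level(Enum):  # data grades with their prefix codes (claim 1)
    PERSONAL = "A"
    PRIMARY_PUBLIC = "B"
    SECONDARY_PUBLIC = "C"

# Read/use authority per user grade (claim 7): administrators get read authority
# only, tourists read authority on grade C only, tenants read and use on all.
PERMS = {
    User.ADMIN: {"read": set(Level), "use": set()},
    User.TENANT: {"read": set(Level), "use": set(Level)},
    User.GUEST: {"read": {Level.SECONDARY_PUBLIC}, "use": set()},
}
# Encryption layers applied before delivery (claim 1): A gets the general
# layer then a tenant-specific layer, B the general layer only, C none.
LAYERS = {Level.PERSONAL: ("general", "personal"),
          Level.PRIMARY_PUBLIC: ("general",),
          Level.SECONDARY_PUBLIC: ()}

def classify(data_type: str) -> Level:
    """Upload-time grading by data type (claim 8); labels are assumed here."""
    return {"privacy": Level.PERSONAL, "platform": Level.PRIMARY_PUBLIC,
            "news": Level.SECONDARY_PUBLIC}[data_type]

def authorize(user: User, action: str, level: Level,
              requester: str, owner: str = "") -> bool:
    """Decision for a data acquisition application (claim 7)."""
    if level not in PERMS[user][action]:
        return False
    if level is Level.PERSONAL and user is User.TENANT:
        return requester == owner  # assumed owner binding (module docstring)
    return True

def deliver(user: User, level: Level, requester: str, owner: str = ""):
    """Encryption layers to apply before sending, or None when access is denied."""
    if not authorize(user, "read", level, requester, owner):
        return None
    return LAYERS[level]

def key_rotation_period(r: int, r0: int, t0: float) -> float:
    """Key pair change period versus tenant count R and preset R0 (claim 2)."""
    return t0 if r <= r0 else (t0 / 2 if r <= 2 * r0 else t0 / 4)

def scale_by_band(x, d, d1, d2, c1, c2):
    """Shared rule of claims 5 and 6: x unchanged when d <= d1, x*c1 when
    d1 < d <= d2, x*c2 when d > d2 (alpha: c2 < c1 < 1; beta: 1 < c1 < c2)."""
    assert d1 < d2
    return x if d <= d1 else x * (c1 if d <= d2 else c2)
```

Calling `deliver` for a tenant on another tenant's grade-A data returns `None`, while a tourist reading grade-C data gets an empty layer tuple, which is the "sent without encryption" path of claim 1.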
CN202211367228.5A 2022-11-02 2022-11-02 Multi-tenant access control method suitable for cloud platform operation Active CN115695017B (en)

Publications (2)

Publication Number Publication Date
CN115695017A CN115695017A (en) 2023-02-03
CN115695017B true CN115695017B (en) 2024-04-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant