CN117668816A - Container password management method, device, apparatus, storage medium, and program product - Google Patents

Info

Publication number
CN117668816A
Authority
CN
China
Prior art keywords
password
container
resource
encryption
plaintext
Legal status
Pending
Application number
CN202311558830.1A
Other languages
Chinese (zh)
Inventor
杨诚
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202311558830.1A
Publication of CN117668816A

Landscapes

  • Storage Device Security (AREA)

Abstract

The disclosure provides a container password management method, relates to the technical field of cloud computing, and can be applied to the technical field of finance. The method comprises the following steps: responding to a container creation event, and acquiring a password annotation identifier of a target container; generating a plaintext password according to the password annotation identifier; encrypting the plaintext password to generate a ciphertext password; creating the ciphertext password as an encryption resource and storing the encryption resource into cluster metadata; and mounting the encryption resource as a storage volume under the target container. The present disclosure also provides a container password management apparatus, device, storage medium, and program product.

Description

Container password management method, device, apparatus, storage medium, and program product
Technical Field
The present disclosure relates to the field of cloud computing technology, and in particular, to the field of cluster operation and maintenance technology, and more particularly, to a method, an apparatus, a device, a storage medium, and a program product for managing container passwords.
Background
With the rapid development of cloud computing and containerization technologies, Kubernetes has become one of the most popular container orchestration and management platforms. In a Kubernetes cluster, tenants deploy and manage their applications by deploying their own container applications within the cluster, so the secure management of tenant passwords becomes particularly important. However, in conventional password management the plaintext password is usually stored in code or in a configuration file, hard-coded in the container image, or placed in a shared configuration file, which carries risks such as password leakage, insufficient isolation of access rights and difficulty in managing password expiration, and cannot meet the security requirements of a multi-tenant environment.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a container password management method, apparatus, device, storage medium, and program product that improve password security.
According to a first aspect of the present disclosure, there is provided a container password management method, the method comprising:
responding to a container creation event, and acquiring a password annotation identifier of a target container;
generating a plaintext password according to the password annotation identifier;
encrypting the plaintext password to generate a ciphertext password;
creating the ciphertext password as an encryption resource and storing the encryption resource into cluster metadata; and
mounting the encryption resource as a storage volume under the target container.
According to an embodiment of the present disclosure, the password configuration information includes a password expiration time, the method further comprising:
setting the mounting duration of the storage volume according to the password expiration time; and
after the mounting duration expires, recycling the encryption resource.
According to an embodiment of the disclosure, the generating a plaintext password from the password annotation identifier includes:
determining password configuration information of the target container according to the password annotation identifier; and
generating a plaintext password according to the password configuration information.
According to an embodiment of the present disclosure, before generating a plaintext password from the password annotation identification, the method further comprises:
matching encryption resources under the namespace to which the application belongs according to the password configuration information; and
if it is determined that no encryption resource meeting the condition exists, calling a password generator component to generate a new password according to the password configuration information.
According to an embodiment of the present disclosure, before mounting the encrypted resource as a storage volume under the target container, the method further comprises:
in response to the creation event of the encryption resource, performing tenant identity verification on the target container and the encryption resource matched with the target container.
According to an embodiment of the disclosure, the password annotation identifier comprises password configuration information, which comprises a password generation manner, a password expiration time and a password combination rule.
A second aspect of the present disclosure provides a container password management apparatus, the apparatus comprising:
the acquisition module is used for responding to the container creation event and acquiring the password annotation identification of the target container;
the first password generation module is used for generating a plaintext password according to the password annotation identifier;
the password encryption module is used for encrypting the plaintext password to generate a ciphertext password;
the encryption resource creation module is used for creating the ciphertext password as encryption resources and storing the encryption resources into the cluster metadata; and
the encryption resource mounting module is used for mounting the encryption resource as a storage volume under the target container.
According to an embodiment of the present disclosure, the apparatus further comprises: a setting module and a recycling module.
The setting module is used for setting the mounting duration of the storage volume according to the password expiration time; and
the recycling module is used for recycling the encryption resource after the mounting duration expires.
According to an embodiment of the present disclosure, the password generation module includes: a first determination submodule and a password generation submodule.
The first determining submodule is used for determining the password configuration information of the target container according to the password annotation identification; and
the password generation sub-module is used for generating a plaintext password according to the password configuration information.
According to an embodiment of the present disclosure, the apparatus further comprises: the device comprises a matching module and a second password generation module.
The matching module is used for matching the encryption resources under the namespace to which the application belongs according to the password configuration information; and
the second password generation module is used for calling the password generator component to generate a new password according to the password configuration information if it is determined that no encryption resource meeting the conditions exists.
According to an embodiment of the present disclosure, the apparatus further comprises: and a verification module.
The verification module is used for responding to the creation event of the encryption resource and performing tenant identity verification on the target container and the encryption resource matched with the target container.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the container password management method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described container password management method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the container password management method described above.
According to the container password management method provided by the embodiment of the disclosure, after a container with a password annotation identifier is created, the password annotation identifier of the target container is obtained; a plaintext password is generated according to the password annotation identifier; the plaintext password is then encrypted to generate a ciphertext password; the ciphertext password is created as an encryption resource and stored into cluster metadata; and the encryption resource is mounted as a storage volume under the target container. Using the Secret object to store and manage tenant passwords avoids the risk of exposing passwords directly in the container and improves the security of password transmission and access; in addition, the passwords are processed in encrypted form to protect their confidentiality.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a system architecture diagram of a container password management device according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates an application scenario diagram of a container password management method, apparatus, device, storage medium, and program product according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a method of container password management provided in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a method of creating a container password provided in accordance with another embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of a method of container password management provided in accordance with yet another embodiment of the present disclosure;
FIG. 6 schematically illustrates a block diagram of a container password management device according to an embodiment of the present disclosure; and
FIG. 7 schematically illustrates a block diagram of an electronic device adapted to implement a container password management method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
The terms appearing in the embodiments of the present disclosure will first be explained:
kubernetes: an open source system platform for automatically deploying, expanding and managing containerized applications.
Pod: the smallest workload unit managed by the Kubernetes platform.
Kube-apiserver: the component that exposes the Kubernetes API, deployed on the management node.
Password-gen component: integrates various password generation tools, generates a password, then performs base64 encoding or hash encryption, and stores the resulting password ciphertext into a Kubernetes Secret object.
Password-mount component: a Kubernetes-based password management and mounting solution that achieves strict management of password access rights in a multi-tenant environment through authentication under RBAC.
Based on the above technical problems, embodiments of the present disclosure provide a container password management method, which includes: responding to a container creation event, and acquiring a password annotation identifier of a target container; generating a plaintext password according to the password annotation identifier; encrypting the plaintext password to generate a ciphertext password; creating the ciphertext password as an encryption resource and storing the encryption resource into cluster metadata; and mounting the encryption resource as a storage volume under the target container.
Fig. 1 schematically illustrates a system architecture diagram of a container password management device according to an embodiment of the present disclosure. As shown in fig. 1, an apparatus provided in an embodiment of the present disclosure includes the password-gen component and the password-mount component. The password-gen component integrates various password generation tools, such as pwgen and KeePassXC; after generating the password it can perform base64 encoding or hash encryption, and then stores the resulting password ciphertext into a Kubernetes Secret object. The Secret object is then mounted as a Volume in the Pod configuration file of the container, so that the file system in the application container can access the Volume and thereby obtain the password ciphertext. The password-mount component is a Kubernetes-based password management and mounting solution that achieves strict management of password access rights in a multi-tenant environment through authentication under RBAC; password-mount mounts the password into the container in the form of a volume, which avoids the risk of exposing the password directly in the container; it also implements automatic password life cycle management by recording each password's mounting cycle and counting down.
Fig. 2 schematically illustrates an application scenario diagram of a container password management method, apparatus, device, storage medium and program product according to an embodiment of the present disclosure.
As shown in fig. 2, the application scenario 200 according to this embodiment may include a container password management scenario. The network 204 is the medium used to provide communication links between the terminal devices 201, 202, 203 and the server 205. The network 204 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 205 via the network 204 using the terminal devices 201, 202, 203 to receive or send messages and the like. Various communication client applications, such as shopping applications, web browsers, search applications, instant messaging tools, e-mail clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 201, 202, 203.
The terminal devices 201, 202, 203 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 205 may be a cluster operation server, which may perform the container password management method provided by the embodiments of the present disclosure: obtaining the password annotation identifier of the target container in response to the container creation event; generating a plaintext password according to the password annotation identifier; encrypting the plaintext password to generate a ciphertext password; creating the ciphertext password as an encryption resource and storing the encryption resource into cluster metadata; and mounting the encryption resource as a storage volume under the target container.
It should be noted that, the method for managing container passwords provided in the embodiments of the disclosure may be generally executed by the server 205. Accordingly, the container password management device provided in the embodiments of the present disclosure may be generally disposed in the server 205. The container password management method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 205 and is capable of communicating with the terminal devices 201, 202, 203 and/or the server 205. Accordingly, the container password management apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 205 and is capable of communicating with the terminal devices 201, 202, 203 and/or the server 205.
It should be understood that the number of terminal devices, networks and servers in fig. 2 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
It should be noted that, the method and the device for managing the container password according to the embodiments of the present disclosure may be used in the field of cloud computing technology, or may be used in the field of finance technology, or may be used in any field other than the field of finance, and the application field of the method and the device for managing the container password according to the embodiments of the present disclosure is not limited.
The container password management method according to the embodiment of the present disclosure will be described in detail below with reference to fig. 3 to 5 based on the system architecture described in fig. 1 and the application scenario described in fig. 2.
Fig. 3 schematically illustrates a flow chart of a method for managing container passwords according to an embodiment of the disclosure. As shown in fig. 3, the container password management method of this embodiment includes operations S210 to S250, which may be performed by a server or other computing device.
In operation S210, a password annotation identifier of the target container is obtained in response to the container creation event.
In operation S220, a plaintext password is generated according to the password annotation identifier.
In one example, at the time of container startup, the user needs to prepare an annotation for the container; the annotation identifier carries password configuration information such as the password generation manner for the container, the password expiration time, the password length, and the like. Both password-gen and password-mount monitor kube-apiserver in real time, and any event of interest triggers their respective logic. When the password-gen component receives, through the event mechanism, a pod carrying the special annotation from kube-apiserver, it triggers its logic for generating the container password and generates the password according to the password annotation identifier; the password is a plaintext password at this point.
In operation S230, the plaintext password is encrypted to generate a ciphertext password.
In operation S240, the ciphertext password is created as an encryption resource and stored into the cluster metadata.
In operation S250, the encrypted resource is mounted under the target container as a storage volume.
In one example, to prevent the risk of password disclosure and protect the confidentiality of the password, the plaintext password is encrypted after it is generated, for example by performing base64 encoding or hash encryption, to obtain the ciphertext password. After generating the password, the password-gen component saves it in a Kubernetes Secret object; specifically, it creates an encryption resource (Secret resource) for the ciphertext password and stores the encryption resource in the metadata of the cluster.
In one example, when a new encryption resource is created, the logic of the password-mount component is triggered: the encryption resource and the node are authenticated first, and once the encryption resource and the node are confirmed to belong to the same user, the encryption resource is mounted under the container of the pod on that node in the form of a storage volume. The container can thus obtain the ciphertext password by reading the storage volume and use it for its service.
According to the container password management method provided by the embodiment of the disclosure, after a container with a password annotation identifier is created, the password annotation identifier of the target container is obtained; a plaintext password is generated according to the password annotation identifier; the plaintext password is then encrypted to generate a ciphertext password; the ciphertext password is created as an encryption resource and stored into cluster metadata; and the encryption resource is mounted as a storage volume under the target container. Using the Secret object to store and manage tenant passwords avoids the risk of exposing passwords directly in the container and improves the security of password transmission and access; in addition, the passwords are processed in encrypted form to protect their confidentiality.
Fig. 4 schematically illustrates a flow chart of a method of creating a container password provided in accordance with another embodiment of the present disclosure.
As shown in fig. 4, operations S310 to S360 are included.
In operation S310, a password annotation identifier of the target container is obtained in response to the container creation event.
According to an embodiment of the present disclosure, the password annotation identifier comprises password configuration information including a password generation manner, a password expiration time, and a password combination rule.
In operation S320, the password configuration information of the target container is determined according to the password annotation identifier.
In operation S330, the encryption resources are matched under the namespace to which the application belongs according to the password configuration information.
In operation S340, if it is determined that there is no eligible encryption resource, the password generator component is invoked to generate a new password according to the password configuration information.
In operation S350, the plaintext password is encrypted to generate a ciphertext password.
In operation S360, the ciphertext password is created as an encryption resource and stored into the cluster metadata.
In one example, when the password-gen component observes that a container with a password annotation identifier has been created, it obtains the password configuration information in the password annotation identifier. The password configuration information specifically comprises a password generation manner, a password expiration time and a password combination rule: the password generation manner may be a tool such as pwgen or KeePassXC, the password expiration time represents the life cycle of the current password, and the password combination rule may be configuration information such as the password length and the way characters are combined in the password. According to the password configuration information, password-gen checks whether a Secret resource meeting the condition already exists under the namespace to which the application belongs for storing the password. If no eligible Secret resource is found, the internal password generator component of password-gen is invoked to generate a new password, which is in plaintext at this point. Password-gen then base64-encodes or hash-encrypts it to protect the confidentiality of the password. The ciphertext password is created as a Secret resource and stored in the metadata of the cluster.
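The password-gen flow of operations S310 to S360 (and S210 to S240 above), written out as an added Python model that is not the patent's or ICBC's code: the annotation key, the tenant label, the annotation format and the Secret layout are assumptions, and the Secret is built as a plain manifest dict rather than sent to kube-apiserver, so it runs offline.

```python
import base64
import hashlib
import secrets
import string

# Names assumed for this example: the pod annotation carrying the password
# configuration, the tenant label, and the Secret annotation holding its expiry.
ANNOTATION_KEY = "password-gen/config"
TENANT_LABEL = "password-gen/tenant"
EXPIRES_KEY = "password-gen/expires-at"

# Character sets selectable through the password combination rule.
CHARSETS = {
    "alnum": string.ascii_letters + string.digits,
    "alnum-symbols": string.ascii_letters + string.digits + "!@#$%^&*-_=+",
}

# Constructed sample pod carrying the password annotation (not from the patent).
SAMPLE_POD = {
    "metadata": {
        "name": "billing-7d9c", "namespace": "tenant-a",
        "labels": {"app": "billing", TENANT_LABEL: "tenant-a"},
        "annotations": {ANNOTATION_KEY:
                        "generator=pwgen;expire=3600;length=24;charset=alnum-symbols"},
    }
}


def parse_password_config(pod):
    """Operation S320: read the configuration out of the pod annotation.
    Assumed format 'generator=<tool>;expire=<seconds>;length=<n>;charset=<name>'.
    Returns None for pods without the annotation; rejects weak combination rules.
    """
    raw = pod.get("metadata", {}).get("annotations", {}).get(ANNOTATION_KEY)
    if raw is None:
        return None
    fields = dict(item.split("=", 1) for item in raw.split(";") if "=" in item)
    length, expire = int(fields.get("length", 16)), int(fields.get("expire", 86400))
    charset = fields.get("charset", "alnum")
    if length < 12 or expire <= 0 or charset not in CHARSETS:
        raise ValueError("rejected password configuration: %r" % raw)
    return {"generator": fields.get("generator", "internal"),
            "expire_seconds": expire, "length": length, "charset": charset}


def find_matching_secret(secrets_in_namespace, tenant, app):
    """Operation S330: reuse an existing Secret of the same tenant and application."""
    for secret in secrets_in_namespace:
        labels = secret.get("metadata", {}).get("labels", {})
        if labels.get(TENANT_LABEL) == tenant and labels.get("app") == app:
            return secret
    return None


def generate_password(cfg):
    """Operation S340: the built-in generator, drawing from the OS CSPRNG."""
    alphabet = CHARSETS[cfg["charset"]]
    return "".join(secrets.choice(alphabet) for _ in range(cfg["length"]))


def build_secret(pod, cfg, plaintext, now, mode="base64"):
    """Operations S350 and S360: the Secret manifest holding the stored password.

    'base64' is the Secret's usual encoding, not encryption: confidentiality at
    rest still depends on etcd encryption and RBAC. 'hash' stores a SHA-256 hex
    digest, which a consumer can verify against but cannot recover.
    """
    if mode not in ("base64", "hash"):
        raise ValueError("unknown storage mode " + mode)
    stored = plaintext if mode == "base64" else hashlib.sha256(plaintext.encode()).hexdigest()
    meta = pod["metadata"]
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {
            "name": "pw-" + meta["labels"]["app"], "namespace": meta["namespace"],
            "labels": {"app": meta["labels"]["app"],
                       TENANT_LABEL: meta["labels"][TENANT_LABEL]},
            "annotations": {EXPIRES_KEY: str(now + cfg["expire_seconds"])},
        },
        "data": {"password": base64.b64encode(stored.encode()).decode()},
    }


def stored_value(secret):
    """Decode the Secret's data field back to the stored string."""
    return base64.b64decode(secret["data"]["password"]).decode()


def reconcile_pod(pod, secrets_in_namespace, now, mode="base64"):
    """Whole password-gen flow for one pod creation event; returns (secret, created)."""
    cfg = parse_password_config(pod)
    if cfg is None:
        return None, False
    labels = pod["metadata"]["labels"]
    existing = find_matching_secret(secrets_in_namespace, labels[TENANT_LABEL], labels["app"])
    if existing is not None:
        return existing, False  # eligible Secret already exists: no new password
    return build_secret(pod, cfg, generate_password(cfg), now, mode), True
```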
Fig. 5 schematically illustrates a flow chart of a method of container password management provided in accordance with yet another embodiment of the present disclosure. As shown in fig. 5, operations S410 to S440 are included.
In operation S410, in response to the creation event of the encrypted resource, tenant identity verification is performed on the target container and the encrypted resource matched with the target container.
In operation S420, the encrypted resource is mounted under the target container as a storage volume.
In operation S430, a mount duration of the storage volume is set according to the password expiration time.
In operation S440, after the mounting duration expires, the encrypted resource is reclaimed.
In one example, after the password-mount component observes the creation of a new encryption resource, it first re-confirms whether the encryption resource and the node where the target container is located both belong to the same user. If so, password-mount mounts the Secret resource as a storage volume under the pod's container. The mount is not permanent: to manage the full life cycle of the password, password-mount sets the mounting duration of the storage volume according to the password expiration time, records the mounting cycle of each volume and counts down. When the mounting duration expires, that is, when the password expiration time is reached, password-mount automatically disables the password to ensure its security.
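The password-mount side of operations S410 to S440 (and S250 above), as an added Python model that is not the patent's or ICBC's code: the tenant label, expiry annotation and mount path are assumptions, and the Kubernetes API is replaced by in-memory pod and Secret dicts, with the countdown driven by an explicit clock value.

```python
import copy

# Label identifying the owning tenant on pods and Secrets (assumed name).
TENANT_LABEL = "password-gen/tenant"
# Annotation on the Secret giving its expiry as a Unix timestamp (assumed name).
EXPIRES_KEY = "password-gen/expires-at"
# Path inside the container where the password file is mounted (assumed).
MOUNT_PATH = "/etc/password"

# Constructed sample objects, as password-gen would have created them.
SAMPLE_SECRET = {
    "metadata": {"name": "pw-billing", "namespace": "tenant-a",
                 "labels": {"app": "billing", TENANT_LABEL: "tenant-a"},
                 "annotations": {EXPIRES_KEY: "1700003600"}},
    "data": {"password": "c2FtcGxl"},
}
SAMPLE_POD = {
    "metadata": {"name": "billing-7d9c", "namespace": "tenant-a",
                 "labels": {"app": "billing", TENANT_LABEL: "tenant-a"}},
    "spec": {"containers": [{"name": "billing", "image": "billing:1.0"}]},
}


class TenantMismatch(Exception):
    """Raised when a Secret and the pod it matched belong to different tenants."""


def is_same_tenant(secret, pod):
    """Operation S410: same namespace and same tenant label, or nothing is mounted."""
    s_meta, p_meta = secret["metadata"], pod["metadata"]
    tenant = s_meta.get("labels", {}).get(TENANT_LABEL)
    return (tenant is not None
            and s_meta["namespace"] == p_meta["namespace"]
            and tenant == p_meta.get("labels", {}).get(TENANT_LABEL))


def mount_secret(pod, secret):
    """Operation S420: return a copy of the pod with the Secret as a read-only volume."""
    patched = copy.deepcopy(pod)
    name = secret["metadata"]["name"]
    spec = patched.setdefault("spec", {})
    spec.setdefault("volumes", []).append(
        {"name": name, "secret": {"secretName": name, "defaultMode": 0o400}})
    for container in spec.get("containers", []):
        container.setdefault("volumeMounts", []).append(
            {"name": name, "mountPath": MOUNT_PATH, "readOnly": True})
    return patched


def unmount_secret(pod, name):
    """Reverse of mount_secret: drop the volume and every mount referring to it."""
    spec = pod.get("spec", {})
    spec["volumes"] = [v for v in spec.get("volumes", []) if v["name"] != name]
    for container in spec.get("containers", []):
        container["volumeMounts"] = [m for m in container.get("volumeMounts", [])
                                     if m["name"] != name]
    return pod


class PasswordMount:
    """Mount registry that records each mount's expiry and counts down."""

    def __init__(self):
        self.mounts = {}  # (namespace, secret name) -> {"pod": ..., "expires_at": int}

    def on_secret_created(self, secret, pod, now):
        """Operations S410 to S430: verify the tenant, mount, set the mount duration."""
        if not is_same_tenant(secret, pod):
            raise TenantMismatch(secret["metadata"]["name"] + " / " + pod["metadata"]["name"])
        expires_at = int(secret["metadata"].get("annotations", {}).get(EXPIRES_KEY, now))
        if expires_at <= now:
            raise ValueError("password already expired; refusing to mount")
        patched = mount_secret(pod, secret)
        key = (secret["metadata"]["namespace"], secret["metadata"]["name"])
        self.mounts[key] = {"pod": patched, "expires_at": expires_at}
        return patched

    def remaining(self, namespace, name, now):
        """Seconds left on the countdown, or 0 once the mount is gone."""
        entry = self.mounts.get((namespace, name))
        return max(0, entry["expires_at"] - now) if entry else 0

    def tick(self, now):
        """Operation S440: reclaim every mount whose countdown has reached zero.
        The reclaimed pods lose the volume, modelling the password being disabled.
        """
        reclaimed = []
        for key, entry in list(self.mounts.items()):
            if now >= entry["expires_at"]:
                unmount_secret(entry["pod"], key[1])
                reclaimed.append(key)
                del self.mounts[key]
        return reclaimed
```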
According to the container password management method provided by the embodiment of the disclosure, the tenant passwords are stored and managed by using the Secret resource object in the Kubernetes cluster, and the tenant passwords are encrypted, so that the automatic on-demand generation, the safe transmission, the tenant identity verification and the life cycle management of the authorized passwords are realized.
Based on the container password management method, the disclosure also provides a container password management device. The device will be described in detail below in connection with fig. 6.
Fig. 6 schematically illustrates a block diagram of a container password management apparatus according to an embodiment of the present disclosure. As shown in fig. 6, the container password management apparatus 600 of this embodiment includes an acquisition module 610, a first password generation module 620, a password encryption module 630, an encryption resource creation module 640, and an encryption resource mounting module 650.
The acquisition module 610 is configured to obtain the password annotation identifier of the target container in response to the container creation event. In an embodiment, the acquisition module 610 may be configured to perform operation S210 described above, which is not described again here.
The first password generation module 620 is configured to generate a plaintext password according to the password annotation identifier. In an embodiment, the first password generation module 620 may be used to perform operation S220 described above, which is not described again here.
The password encryption module 630 is configured to encrypt the plaintext password to generate a ciphertext password. In an embodiment, the password encryption module 630 may be used to perform operation S230 described above, which is not described again here.
The encryption resource creation module 640 is configured to create the ciphertext password as an encryption resource and store the encryption resource into the cluster metadata. In an embodiment, the encryption resource creation module 640 may be configured to perform operation S240 described above, which is not described again here.
The encryption resource mounting module 650 is configured to mount the encryption resource as a storage volume under the target container. In an embodiment, the encryption resource mounting module 650 may be configured to perform operation S250 described above, which is not described again here.
According to an embodiment of the present disclosure, the apparatus further comprises: a setting module and a recycling module.
The setting module is used for setting the mounting duration of the storage volume according to the password expiration time; and
the recycling module is used for recycling the encryption resource after the mounting duration expires.
According to an embodiment of the present disclosure, the first password generation module includes: a first determination submodule and a password generation submodule.
The first determination submodule is used for determining the password configuration information of the target container according to the password annotation identifier; and
the password generation submodule is used for generating the plaintext password according to the password configuration information.
According to an embodiment of the present disclosure, the apparatus further comprises: a matching module and a second password generation module.
The matching module is used for matching encryption resources under the namespace to which the application belongs according to the password configuration information; and
the second password generation module is used for calling a password generator component to generate a new password according to the password configuration information if it is determined that no encryption resource meeting the conditions exists.
According to an embodiment of the present disclosure, the apparatus further comprises: a verification module.
The verification module is used for performing tenant identity verification on the target container and the encryption resource matched with the target container, in response to the creation event of the encryption resource.
According to an embodiment of the present disclosure, any of the obtaining module 610, the first password generation module 620, the password encryption module 630, the encryption resource creation module 640, and the encryption resource mounting module 650 may be combined into one module for implementation, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the obtaining module 610, the first password generation module 620, the password encryption module 630, the encryption resource creation module 640, and the encryption resource mounting module 650 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or as hardware or firmware in any other reasonable manner of integrating or packaging the circuitry, or as any one of, or a suitable combination of, software, hardware, and firmware. Alternatively, at least one of the obtaining module 610, the first password generation module 620, the password encryption module 630, the encryption resource creation module 640, and the encryption resource mounting module 650 may be at least partially implemented as a computer program module which, when executed, may perform the corresponding functions.
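Constructed example, not the patent's own code, modelling the flow that modules 610 to 650 (and method claims 1 to 5) describe: the annotation is parsed into password configuration information, a plaintext password is generated under a combination rule, encrypted, stored as a Secret-like encryption resource in a dict that stands in for cluster metadata, matched for reuse within the application's namespace, tenant-checked before mounting, and recycled once the mount duration expires. The annotation key, the JSON field names, the sample pod and the HMAC-SHA256 keystream cipher (a stand-in for the KMS a production system would call) are all assumptions.

```python
"""Constructed reconcile loop for the annotation-driven password flow (S210..S250, claims 1-5).
Not the patent's code: a dict stands in for the cluster Secret store; HMAC-SHA256 stands in for a KMS."""
import base64, hashlib, hmac, json, secrets, string

ANNOTATION = "example.com/password-config"                # assumed annotation key
KEY = hashlib.sha256(b"constructed-master-key").digest()  # stand-in for a KMS-held key
CHARSETS = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
            "digit": string.digits, "symbol": "!@#$%^&*"}

def parse_config(pod: dict) -> dict:
    """S210/S220: the annotation carries generation manner, expiry and combination rule."""
    cfg = json.loads(pod["metadata"]["annotations"][ANNOTATION])
    if any(k not in cfg for k in ("manner", "expire_seconds", "rule")):
        raise ValueError("password annotation is missing a required field")
    return cfg

def generate_password(cfg: dict) -> str:
    """Combination rule: at least one character from every named class, fixed length."""
    rng, classes, length = secrets.SystemRandom(), cfg["rule"]["classes"], cfg["rule"]["length"]
    if length < len(classes):
        raise ValueError("length cannot satisfy the combination rule")
    chars = [rng.choice(CHARSETS[c]) for c in classes]             # one from each class
    pool = "".join(CHARSETS[c] for c in classes)
    chars += [rng.choice(pool) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)

def _keystream(nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(KEY, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)                                 # S230: nonce || ct || tag
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(nonce, len(plaintext))))
    return nonce + ct + hmac.new(KEY, b"mac" + nonce + ct, hashlib.sha256).digest()  # tag binds both

def decrypt(blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))

def reconcile(pod: dict, cluster: dict, now: int) -> dict:
    """S210..S250 in one step: claim 4 reuse, claim 5 tenant check, claim 2 mount expiry."""
    meta, cfg = pod["metadata"], parse_config(pod)
    ns, tenant = meta["namespace"], meta["labels"]["tenant"]
    rule = json.dumps(cfg["rule"], sort_keys=True)
    secret = next((s for s in cluster.get(ns, []) if s["metadata"]["labels"]["rule"] == rule), None)
    if secret is None:
        blob = encrypt(generate_password(cfg).encode())              # S220 + S230
        secret = {"kind": "Secret",
                  "metadata": {"name": f"{meta['name']}-pw", "namespace": ns,
                               "labels": {"tenant": tenant, "rule": rule}},
                  "data": {"password": base64.b64encode(blob).decode()}}
        cluster.setdefault(ns, []).append(secret)                   # S240: cluster metadata
    if secret["metadata"]["labels"]["tenant"] != tenant:            # claim 5: tenant check
        raise PermissionError("container tenant does not match the encryption resource")
    return {"secretName": secret["metadata"]["name"], "mountPath": "/etc/secret",  # S250
            "expiresAt": now + cfg["expire_seconds"]}               # claim 2: mount duration

def recycle_expired(cluster: dict, ns: str, mounts: list, now: int) -> list:
    """Claim 2: once the mount duration has passed, drop the resource from the cluster."""
    gone = {m["secretName"] for m in mounts if m["expiresAt"] <= now}
    cluster[ns] = [s for s in cluster.get(ns, []) if s["metadata"]["name"] not in gone]
    return [m for m in mounts if m["expiresAt"] > now]
```

The reuse match deliberately keys only on the combination rule, so the separate tenant check is what stops a container from mounting another tenant's resource in a shared namespace.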
Fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement a container password management method according to an embodiment of the disclosure.
As shown in fig. 7, an electronic device 900 according to an embodiment of the present disclosure includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, the input/output (I/O) interface 905 also being connected to the bus 904. The electronic device 900 may also include one or more of the following components connected to the I/O interface 905: an input section 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 908 including a hard disk or the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 909 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 909, so that a computer program read therefrom is installed into the storage section 908 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The above-described computer-readable storage medium carries one or more programs which, when executed, implement a container password management method according to an embodiment of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. When the computer program product is run in a computer system, the program code causes the computer system to implement the container password management method provided by the embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, via communication portion 909, and/or installed from removable medium 911. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C, or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (10)

1. A method of container password management, the method comprising:
responding to a container creation event, and acquiring a password annotation identifier of a target container;
generating a plaintext password according to the password annotation identifier;
encrypting the plaintext cipher to generate a ciphertext cipher;
creating the ciphertext password as an encryption resource and storing the encryption resource into cluster metadata; and
mounting the encryption resource as a storage volume under the target container.
2. The method of claim 1, wherein the password configuration information includes a password expiration time, the method further comprising:
setting the mount duration of the storage volume according to the password expiration time; and
recycling the encryption resource after the mount duration expires.
3. The method of claim 1, wherein generating the plaintext password according to the password annotation identifier comprises:
determining password configuration information of the target container according to the password annotation identifier; and
generating the plaintext password according to the password configuration information.
4. The method of claim 3, wherein, before generating the plaintext password according to the password annotation identifier, the method further comprises:
matching encryption resources under the namespace to which the application belongs according to the password configuration information; and
if it is determined that no encryption resource meeting the condition exists, calling a password generator component to generate a new password according to the password configuration information.
5. The method of claim 1, wherein, before mounting the encryption resource as a storage volume under the target container, the method further comprises:
in response to a creation event of the encryption resource, performing tenant identity verification on the target container and the encryption resource matched with the target container.
6. The method of any one of claims 1 to 5, wherein the password annotation identifier comprises password configuration information including a password generation manner, a password expiration time, and a password combination rule.
7. A container password management device, the device comprising:
the acquisition module is used for responding to the container creation event and acquiring the password annotation identification of the target container;
the first password generation module is used for generating a plaintext password according to the password annotation identifier;
the password encryption module is used for encrypting the plaintext password to generate a ciphertext password;
the encryption resource creation module is used for creating the ciphertext password as encryption resources and storing the encryption resources into the cluster metadata; and
the encryption resource mounting module is used for mounting the encryption resource as a storage volume under the target container.
8. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-6.
10. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 6.
CN202311558830.1A 2023-11-21 2023-11-21 Container password management method, device, apparatus, storage medium, and program product Pending CN117668816A (en)

Publications (1)

Publication Number Publication Date
CN117668816A true CN117668816A (en) 2024-03-08

Family

ID=90081769

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination