WO2023050110A1 - Method for implementing automatic password change having fault tolerance mechanism for cloud host and cloud bastion host - Google Patents

Info

Publication number
WO2023050110A1
Authority
WO
WIPO (PCT)
Prior art keywords
cloud
computing platform
cloud computing
automatic
bastion
Prior art date
Application number
PCT/CN2021/121543
Other languages
French (fr)
Chinese (zh)
Inventor
吴中岱
王骏翔
郭磊
胡蓉
韩冰
刘晋
Original Assignee
中远海运科技股份有限公司
Priority date
Filing date
Publication date
Application filed by 中远海运科技股份有限公司
Priority to PCT/CN2021/121543
Publication of WO2023050110A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Definitions

  • The invention relates to the technical field of cloud computing and information security, in particular to a method for implementing automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts.
  • A cloud host is an important part of cloud computing in infrastructure applications. It sits at the bottom of the cloud computing industry chain pyramid, and its products originate from cloud computing platforms. The platform integrates the three core elements of Internet applications (computing, storage and network) and provides users with public Internet infrastructure services. A cloud host is a virtualization technology similar to a VPS host: VPS uses virtualization software (VZ or VM) to virtualize, on one physical host, multiple parts that resemble independent hosts, each with its own operating system and managed in the same way as a host. With the development of cloud computing, network security issues cannot be ignored.
  • The bastion host plays a key role in security compliance audits in the hybrid cloud environment:
  • the infrastructure is highly heterogeneous and widely distributed;
  • the scale of cloud resources continues to grow, requiring the bastion host to have sufficient scalability;
  • the construction of the cloud computing platform has introduced a large number of different types of IT infrastructure;
  • the API interface of the computing platform also requires the bastion host to have better adaptability and flexibility in asset access and management; in addition, because the current cloud computing platform serves multiple enterprises, organizations and tenants, IT assets are widely distributed and management is relatively decentralized;
  • the operation and maintenance security audit system based on the bastion host therefore needs to provide a multi-level authorization management system adapted to the current IT management model.
  • The infrastructure is highly heterogeneous and widely distributed, and the labor cost of maintaining passwords and other information is high.
  • The construction of a cloud computing platform introduces a large number of different types of IT infrastructure, including traditional physical bare-metal devices within the enterprise, cloud computing virtualized resources, and so on.
  • The traditional bastion host does not have good adaptability and flexibility in asset access and management.
  • The addition, deletion and modification of cloud host accounts must be completed manually on both sides, the cloud resource and the bastion host.
  • The cost of configuration and manual maintenance is high, and accuracy and real-time performance are insufficient.
  • The isolation between the cloud computing platform and the traditional bastion host makes it difficult to achieve real-time linkage and automatic password change.
  • The cloud computing platform is relatively isolated from the traditional bastion host, so it is difficult for cloud computing platform tenants and bastion host users to be linked, and the resources of the cloud computing platform and the bastion host often have to be maintained manually. Because of this isolation, it is difficult to change passwords regularly and automatically through the cloud computing platform.
  • To address this, the present invention develops a method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts. It completes the automatic synchronization of cloud asset information between the cloud computing platform and the bastion host, and allows password policies to be issued through the cloud computing platform so that
  • the cloud asset information in the cloud computing platform is changed automatically; under the unified management of the cloud platform, the random change of cloud asset information across all cloud computing platforms is completed, the information is synchronized with the cloud bastion host, and after the automatic change
  • the cloud tenant can log in directly to the cloud bastion host through the cloud platform.
  • The cloud computing platform uses a self-developed bastion host verification module and cloud computing service orchestration technology to build cloud resource automatic password change technology, so that the password change plan for cloud asset information can be set directly in the cloud computing platform;
  • the docking between the platform and the open source bastion host completes automatic password change and information synchronization.
  • The cloud computing platform adds an automatic password change fault-tolerant mechanism to improve the stability of automatic password changes, support policy-driven periodic batch password changes, increase the differentiation of passwords between different systems, and increase password complexity to meet management needs and the resource security compliance requirements of different business scenarios.
  • The present invention provides a method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts, characterized in that it includes the following steps:
  • S1 deploys and integrates the open source bastion host, builds a cloud bastion host suitable for cloud business scenarios on the cloud computing platform through the open API interface of the open source bastion host, realizes the connection between the cloud computing platform and the cloud bastion host, and ensures that
  • the cloud asset information of the cloud computing platform and the cloud asset information of the cloud bastion host are managed and maintained in a unified manner on the cloud computing platform; at the same time, a cloud bastion host verification module is established on the connected cloud computing platform to verify, in a multi-cloud heterogeneous environment, the accuracy of the cloud asset information synchronized between the cloud computing platform and the cloud bastion host, so that the automatic password change plan can be executed normally;
  • S2 establishes a fault-tolerant mechanism response rule in the cloud computing platform, which is used to increase password differentiation between different systems and improve the stability of automatic password change; wherein the fault-tolerant mechanism is the automatic password change fault-tolerant mechanism added to the cloud computing platform;
  • S3 establishes response rules for real-time synchronization of cloud asset information in the cloud computing platform under business scenarios such as dynamic delivery and elastic scaling of the cloud computing platform, and realizes real-time automatic synchronization of cloud asset information between the cloud bastion host and the cloud computing platform;
  • S4 obtains the password change policy: it obtains the planned task customized by the cloud computing platform for automatic password change and determines the password change policy according to the planned task;
  • S5 executes the automatic password change: after obtaining the automatic password change policy, the cloud computing platform automatically calls the cloud computing platform and the cloud bastion host docked in step S1, completes the orchestration of the automatic password change policy for cloud asset information in the cloud computing platform, automatically responds to the fault-tolerant mechanism of step S2 and the verification module of the cloud bastion host, performs regular automatic verification, and has the cloud bastion host perform batch password changes according to the automatic password change policy; through the synchronization rules of step S3,
  • the execution result is synchronized by the cloud bastion host to the cloud computing platform and takes effect in the corresponding cloud host.
  • The cloud bastion host adopts a distributed architecture, supports cross-regional deployment across multiple computer rooms, supports horizontal expansion, and has no limit on the quantity or concurrency of cloud asset information in the cloud computing platform;
  • the cloud asset information in the cloud computing platform includes: basic information such as the IP and port of the cloud host, operation authority information of the cloud tenant, user names and password information of administrator and non-administrator users in the cloud host resources, and other cloud resource account information;
  • the cloud bastion host is provided to cloud tenants as one of the services of the cloud computing platform, and cloud tenants can jump directly to the cloud bastion host through the cloud computing platform.
  • The verification module of the cloud bastion host is used by the cloud computing platform, automatically and/or manually by the cloud tenant, to complete the verification function on a regular basis: it verifies the cloud asset information of the relevant cloud hosts in the cloud computing platform through automation,
  • checking its correctness by automatic remote login, and then verifies it against the cloud bastion host to ensure that the cloud asset information in the cloud platform is consistent with that in the cloud bastion host; it proceeds only when the verification results are consistent.
  • The automatic password change fault-tolerant mechanism includes: when the automatic password change task is executed, the password verification function is performed synchronously, host by host. After the password modification is completed automatically, the previous password is recorded and then the newly modified password is recorded alongside it; the new password of the cloud host is then verified automatically. If verification fails, the task for this cloud host is rolled back to ensure that login with the old password still works, all automatic password change tasks are terminated, and manual intervention is required to choose whether to skip or continue; if verification succeeds, the next task proceeds.
  • Business scenarios such as dynamic delivery and elastic scaling include: through dynamic scaling of cloud host resources, a newly expanded cloud host gets an independent account and password, and this independent account and password are synchronized with the cloud bastion host to ensure the operability of the new cloud host resources.
  • The scheduled task customized by the cloud computing platform for automatic password change includes: start time, list of related cloud hosts, users related to the cloud hosts, etc.
  • The present invention also provides a device for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts, characterized in that it includes:
  • the open source bastion host module, which is used to build a cloud bastion host suitable for cloud business scenarios on the cloud computing platform through the open API interface of the open source bastion host itself, realize the connection between the cloud computing platform and the cloud bastion host, and ensure that
  • the cloud asset information of the cloud computing platform and the cloud asset information of the cloud bastion host are managed and maintained in a unified manner on the cloud computing platform; at the same time, a cloud bastion host verification module is established on the connected cloud computing platform to verify, in a multi-cloud heterogeneous environment, the accuracy of the cloud asset information synchronized between the cloud computing platform and the cloud bastion host, so that the automatic password change plan can be executed normally;
  • the fault-tolerant mechanism response module, used to automatically respond to the rules of the fault-tolerant mechanism, increase password differentiation between different systems and improve the stability of automatic password change; wherein the fault-tolerant mechanism is the automatic password change fault-tolerant mechanism added when the cloud bastion host verification module is established on the cloud computing platform;
  • the real-time cloud asset information synchronization response module in the cloud computing platform, used to automatically respond to the real-time synchronization rules for cloud asset information under business scenarios such as dynamic delivery and elastic scaling in the cloud computing platform, and realize real-time automatic synchronization of cloud asset information between the cloud bastion host and the cloud computing platform;
  • the password change policy acquisition module, used to acquire the planned tasks customized by the cloud computing platform for automatic password change and determine the password change policy according to the planned tasks;
  • the automatic password change execution module, used to automatically call the cloud computing platform and the cloud bastion host (deployed and integrated by the open source bastion host module in the cloud computing platform) after obtaining the automatic password change policy, and complete the password change of cloud assets in the cloud computing platform.
  • The password change policy acquisition module also includes:
  • a display sub-module, used to display the interface of the module in the cloud computing platform dedicated to automatic password change tasks for cloud hosts, through which the user can define the timed tasks for which automatic password change is to be enabled;
  • a custom password change policy sub-module, through which cloud tenants can directly configure the cloud resource password change plan in the cloud computing platform and obtain a customized automatic password change policy after the configuration is completed.
  • The present invention also includes an electronic device, characterized in that the device includes a memory and a processor, the memory storing a configuration program, runnable on the processor, of the device for automatic password change of cloud hosts and cloud bastion hosts according to the present invention;
  • when the configuration program is executed by the processor, it realizes the automatic password change method with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts according to the present invention.
  • The present invention also includes a computer-readable storage medium, characterized in that it stores the configuration program of a device for automatic password change of cloud hosts and cloud bastion hosts according to the present invention, and the configuration program can be executed by one or more processors so as to realize the automatic password change method with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts according to the present invention.
  • The present invention has the following advantages:
  • The present invention develops a method for automatic password change of cloud hosts and cloud bastion hosts.
  • Automatic synchronization of cloud resources and cloud asset information between the cloud computing platform and the bastion host can be completed.
  • The password policy can be issued through the cloud computing platform to change the cloud asset information in the cloud computing platform automatically; under the unified management of the cloud platform, random password changes for cloud asset information in all cloud computing platforms are completed and at the same time the information is synchronized with the cloud bastion host, so that after the automatic change cloud tenants can log in directly to the cloud bastion host through the cloud platform.
  • The cloud asset information in the cloud computing platform is synchronized with the cloud bastion host in real time, and the cloud computing platform verifies it through the cloud bastion host verification module to ensure the accuracy of cloud asset information synchronization; in a multi-cloud heterogeneous environment, only one set of cloud asset information needs to be maintained on the cloud computing platform to ensure that the automatic password change plan can be executed normally.
  • The linkage between the cloud computing platform and the cloud bastion host solves the isolation problem, and the automatic password change technology can be released and developed as a cloud service of the cloud computing platform for all parties.
  • Cloud tenants only need to use the cloud computing platform to arrange the cloud resource automatic password change plan, and the cloud bastion host performs batch password changes regularly according to the policy.
  • Through the connection between the cloud computing platform and the cloud bastion host, business scenarios such as dynamic delivery and elastic expansion of cloud resources are supported, cloud asset information in the cloud computing platform and the cloud bastion host is synchronized in a timely manner, and bastion host information no longer needs manual maintenance, reducing labor costs.
  • Unified password management can be carried out through the cloud computing platform to meet the password change needs of different tenants and improve the stability of automatic password changes.
  • Figure 1: the steps of a method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
  • Figure 2: a block diagram of a configuration program for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
  • Figure 3: a program module diagram of the password change policy acquisition module in another automatic password change configuration program with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
  • Figure 4: a specific flow chart of another method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
  • Fig. 1 shows the steps of a method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
  • The method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts includes the following steps:
  • Step S1 deploys and integrates the JumpServer open source bastion host, constructs a cloud bastion host suitable for cloud business scenarios on the cloud computing platform through the open API interface of the open source bastion host, realizes the connection between the cloud computing platform and the cloud bastion host, and ensures that
  • the cloud asset information of the cloud computing platform and the cloud asset information of the cloud bastion host are managed and maintained in a unified manner on the cloud computing platform; at the same time, a cloud bastion host verification module is established on the connected cloud computing platform to verify, in a multi-cloud heterogeneous environment, the accuracy of the cloud asset information synchronized between the cloud computing platform and the cloud bastion host, so that the automatic password change plan can be executed normally.
  • The open source bastion host is not limited to the JumpServer open source bastion host used in this embodiment.
  • The cloud bastion host adopts a distributed architecture, supports cross-regional deployment across multiple computer rooms, supports horizontal expansion, and has no limit on the quantity or concurrency of cloud asset information in the cloud computing platform.
  • The cloud hosts involved in this embodiment run various operating systems and versions (such as Windows and Linux) on various types of cloud basic resources (VMware, OpenStack, bare metal, etc.); the users involved are all cloud tenants of the cloud computing service platform; the application scenarios are industry-wide production, development, UAT, testing and other business systems, i.e. general-purpose. It should be noted that in practical applications the solutions provided by the present invention are not limited to the users or application fields described in the above embodiment, but include commonly used devices understood by those skilled in the art.
  • The cloud bastion host verification module is used by the cloud computing platform, automatically and/or manually by the cloud tenant, to complete the verification function on a regular basis: it verifies the cloud asset information of the relevant cloud hosts in the cloud computing platform through automation, checks its correctness by automatic remote login, and at the same time verifies it against the cloud bastion host to ensure that the cloud asset information in the cloud platform is consistent with that in the cloud bastion host; it proceeds only when the verification results are consistent.
  • The cloud asset information includes the cloud host IP, cloud host operating system, cloud host remote login port, account, password, etc.
  • The cloud asset information in the cloud computing platform includes: basic information such as the IP and port of the cloud host, operation authority information of the cloud tenant, user names and password information of administrator and non-administrator users in the cloud host resources, and other cloud resource account information.
  • One cloud asset corresponds to multiple cloud resource account records.
  • The cloud bastion host is provided to cloud tenants as one of the services of the cloud computing platform, and cloud tenants can jump directly to the cloud bastion host through the cloud computing platform.
  • Step S2 establishes a fault-tolerant mechanism response rule in the cloud computing platform, which is used to increase password differentiation between different systems and improve the stability of automatic password change; wherein the fault-tolerant mechanism is the one added in the cloud computing platform.
  • The automatic password change fault-tolerant mechanism includes: when the automatic password change task is executed, the password verification function is performed synchronously, host by host. After the password modification is completed automatically, the previous password is recorded and then the newly modified password is recorded; the new password of the cloud host is then verified automatically. If verification fails, the task for this cloud host is rolled back to ensure that login with the old password still works, all automatic password change tasks are terminated, and manual intervention is required to choose whether to skip or continue; if verification succeeds, the next task proceeds.
  • Step S3 establishes response rules for real-time synchronization of cloud asset information in the cloud computing platform under business scenarios such as dynamic delivery of cloud asset information and elastic scaling in the cloud computing platform, and realizes real-time automatic synchronization of cloud asset information between the cloud bastion host and the cloud computing platform.
  • Business scenarios such as dynamic delivery and elastic scaling include: through dynamic scaling of cloud host resources, a newly expanded cloud host gets an independent account and password, and this independent account and password are synchronized with the cloud bastion host to ensure the operability of the new cloud host resources.
  • Step S4 obtains the password change policy: it obtains the planned task customized by the cloud computing platform for automatic password change and determines the password change policy according to the planned task; the planned task customized by the cloud computing platform for automatic password change includes: start time, the list of cloud hosts involved, the users of the cloud hosts, etc.
  • Step S5 executes the automatic password change.
  • The cloud computing platform and the cloud bastion host docked in step S1 are invoked automatically in the cloud computing platform to complete the automatic password change policy for the cloud asset information in the cloud computing platform.
  • The result of automatic execution is synchronized by the cloud bastion host to the cloud computing platform and takes effect in the corresponding cloud host.
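The fault-tolerant batch password change described in steps S2 and S5 (record the old password, apply and record the new one, verify by login, roll back on failure, halt for manual intervention) is shown below as an added example. It is not code from the patent or from JumpServer; the CloudHost class is a constructed stand-in for SSH/WinRM access, the "change silently ignored" failure mode is constructed for the demonstration, and treating the operator's "skip or continue" choice as "skip this host and go on" versus "terminate the remaining tasks" is this example's interpretation.

```python
"""Added example: fault-tolerant batch password rotation with per-host verification and rollback."""
from dataclasses import dataclass
from typing import Callable, Dict, List
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int = 20) -> str:
    """Independent random password per account (the patent's 'password differentiation')."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class CloudHost:
    """Constructed stand-in for a cloud host reached over SSH/WinRM (assumption, not real transport)."""
    ip: str
    port: int
    passwords: Dict[str, str]               # user -> password the host currently accepts
    change_silently_ignored: bool = False   # constructed failure mode: the change call reports
                                            # success but the host keeps the old password

    def login(self, user: str, password: str) -> bool:
        """Simulated remote login used for verification."""
        return self.passwords.get(user) == password

    def set_password(self, user: str, new_password: str) -> None:
        """Simulated remote password change."""
        if not self.change_silently_ignored:
            self.passwords[user] = new_password


@dataclass
class RotationRecord:
    ip: str
    user: str
    old_password: str
    new_password: str
    status: str  # changed | rolled_back | rollback_failed | terminated


def rotate_batch(hosts: List[CloudHost], user: str,
                 decide: Callable[[RotationRecord], str]) -> List[RotationRecord]:
    """Change `user`'s password on each host in turn, verifying every change by login.

    On a failed verification the host is rolled back and the old password re-verified;
    the batch then halts and `decide` supplies the operator's manual choice: "skip"
    skips this host and continues, anything else terminates the remaining tasks.
    """
    records: List[RotationRecord] = []
    for index, host in enumerate(hosts):
        old = host.passwords[user]          # 1. record the previous password
        new = generate_password()           # 2. record the new one alongside it
        host.set_password(user, new)        # 3. apply the change
        if host.login(user, new):           # 4. verify by remote login
            records.append(RotationRecord(host.ip, user, old, new, "changed"))
            continue
        # Verification failed: roll back and confirm the old password still works.
        host.set_password(user, old)
        status = "rolled_back" if host.login(user, old) else "rollback_failed"
        failed = RotationRecord(host.ip, user, old, new, status)
        records.append(failed)
        if decide(failed) == "skip":
            continue
        for rest in hosts[index + 1:]:      # operator terminated the batch
            records.append(RotationRecord(rest.ip, user, rest.passwords[user], "", "terminated"))
        break
    return records


def demo(decision: str):
    """Constructed inventory: the second host silently ignores password changes."""
    hosts = [
        CloudHost("10.0.0.1", 22, {"root": "old-1"}),
        CloudHost("10.0.0.2", 22, {"root": "old-2"}, change_silently_ignored=True),
        CloudHost("10.0.0.3", 3389, {"root": "old-3"}),
    ]
    records = rotate_batch(hosts, "root", lambda rec: decision)
    return hosts, records


if __name__ == "__main__":
    for choice in ("abort", "skip"):
        _, recs = demo(choice)
        print(choice, [(r.ip, r.status) for r in recs])
```

With the operator choosing to terminate, the first host is changed, the second is rolled back and the third is left untouched; with "skip", the third host is changed as well, and every changed host receives a distinct random password.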
  • Fig. 2 is a module diagram of a configuration program for implementing automatic encryption with fault-tolerant mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
  • the present invention provides a kind of device that realizes the automatic reciphering that contains fault-tolerant mechanism for cloud host and cloud bastion machine, wherein, comprises:
  • the open source bastion host module 101 which is used to build a cloud bastion host suitable for cloud business scenarios on the cloud computing platform through the open api interface of the Jumpserver open source bastion host, so as to realize the connection between the cloud computing platform and the cloud bastion host, and Realize that the cloud asset information of the cloud computing platform and the cloud asset information of the cloud bastion machine are managed and maintained in a unified manner on the cloud computing platform; at the same time, a cloud bastion machine verification module is established on the connected cloud computing platform for Ensure that in a multi-cloud heterogeneous environment, to verify and ensure the accuracy of the cloud asset information that is synchronized between the cloud computing platform and the cloud bastion machine, and ensure that the automatic encryption plan can be executed normally;
  • the fault-tolerant mechanism response module 102 is used to automatically respond to the rules of the fault-tolerant mechanism, to increase the password differentiation between different systems, and to improve the stability of automatic encryption; wherein, the fault-tolerant mechanism is to establish a cloud bastion machine verification on the cloud computing platform When the module is installed, the automatic password change fault-tolerant mechanism is added;
  • the real-time synchronization cloud asset information response module 103 in the cloud computing platform is used to automatically respond to the real-time synchronization rules of the cloud asset information in the cloud computing platform under business scenarios such as dynamic delivery of cloud asset information and elastic scaling in the cloud computing platform, and realize all Real-time automatic synchronization of cloud asset information on the cloud computing platform between the cloud bastion machine and the cloud computing platform;
  • Obtaining an encryption policy module 104 configured to acquire a planned task customized by the cloud computing platform for automatic encryption, and determine an encryption policy according to the planned task;
  • Execute the automatic encryption module 105 for after obtaining the automatic encryption strategy, automatically call the cloud computing platform and the cloud bastion machine that are deployed and merged with the open source bastion machine module in the cloud computing platform, and complete the cloud computing platform in the cloud computing platform.
  • the present invention also provides another method for automatically changing encryption with a fault-tolerant mechanism for cloud hosts and cloud bastion machines, wherein the obtained encryption strategy also includes cloud tenant-defined Change encryption policy.
  • Fig. 3 is a program module diagram of another automatic re-encryption device implementing a fault-tolerant mechanism for cloud hosts and cloud bastion machines provided by the present invention.
  • the present invention provides another program module diagram of the acquisition and modification policy module in an automatic modification device with fault-tolerant mechanism for cloud hosts and cloud bastion machines.
  • obtaining the modification strategy module 104 also includes:
  • the display sub-module 1041 is used to display the interface of the module that is specially used for the automatic encryption task of the cloud host in the cloud computing platform, and can provide the timed task that user-defined needs to enable automatic encryption;
  • the sub-module 1042 of self-defining encryption policy is used for cloud tenants to directly configure the cloud resource encryption plan through the cloud computing platform, and obtain a customized automatic encryption policy after the configuration is completed.
  • the cloud computing platform can be opened to any authorized user through the authority control of the cloud platform itself.
  • the interface of the module specially used for the automatic encryption task of the cloud host in the cloud computing platform is displayed on the user terminal interface, which can provide the timing task that the user needs to enable automatic encryption; and through the customization
  • the encryption policy sub-module 1042 enables the cloud tenant to directly configure the cloud resource encryption plan through the cloud computing platform, and obtain a self-defined automatic encryption policy after the configuration is completed.
  • Fig. 4 is a specific flow chart of another method for implementing automatic encryption with fault-tolerant mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
  • The cloud computing platform automatically obtains, via the password-change policy acquisition module 104, the scheduled tasks customized for automatic password change, determines the password-change policy from those tasks, and performs automatic cloud host password change by running the automatic password-change execution module 105; it then runs remote-login verification against the asset information of the cloud computing platform and the bastion host and enters the cloud bastion host verification module.
  • The custom password-change plan also includes an automatic password-change policy configured by the cloud tenant: during the tenant's custom configuration, the custom automatic password-change policy is set up by editing the password-change plan. This covers the basic settings on the display interface (name, remarks, account type and password-change execution time) and the resource settings on the display interface. The interface provides a clickable visual window component and a search window component with candidate options, which are the main and commonly used basic settings of the existing password-change configuration, so that cloud tenants can select them directly without searching; if users have specific needs or queries, they can search for keywords directly in the search window and then click to confirm.
  • The custom-configured plan supports basic maintenance, modification and debugging, including sharing, re-creation, etc.
  • The cloud bastion host verification module uses automation to verify the cloud asset information of the cloud host, including the cloud host IP, operating system, remote-login port, account, password, etc., confirming it by automatic remote login; at the same time it checks against the cloud bastion host to ensure that the cloud asset information on the cloud platform is consistent with that on the cloud bastion host.
  • When the verification results are consistent, verification succeeds and the automatic password-change stage is entered. After [Password change succeeded 1] is triggered, N rounds of verification follow. If verification succeeds, the password change is successful and takes effect automatically on the cloud host; at the same time the cloud asset information is updated and the cloud bastion host's asset information is synchronized.
  • The cloud bastion host is provided to cloud tenants as one of the services offered by the cloud computing platform; cloud tenants can use the cloud bastion host directly through the cloud computing platform or through single sign-on.
  • If verification fails in the cloud bastion host verification module or the automatic password change fails, the process enters the fault-tolerance module, automatically responds with the fault-tolerant mechanism, and returns to the cloud computing platform. Specifically: while the automatic password-change task runs, the background performs the password verification function alongside it, one entry at a time. After a password change completes automatically, the previous password is recorded together with the newly set password; the cloud host's new password is then verified by an automatic login attempt. If verification fails, that cloud host's task is rolled back so that the old password can still log in, all automatic password-change tasks are terminated, and manual intervention is required to choose skip or continue; if verification succeeds, the next task proceeds.
  • The present invention also includes an electronic device comprising a memory and a processor, the memory storing a configuration program for the device provided in this embodiment that can run on the processor; when executed by the processor, the configuration program implements the method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts provided in this embodiment.
  • The present invention also includes a computer-readable storage medium, characterized in that it stores a configuration program for the device provided in this embodiment, and the configuration program can be executed by one or more processors to implement the method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts provided in this embodiment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the technical field of cloud computing and information security, and in particular to a method for implementing automatic password change having a fault tolerance mechanism for a cloud host and a cloud bastion host. In the present invention, an open-source bastion host is deployed and integrated by means of cloud computing service orchestration, a cloud computing platform is connected to a cloud bastion host, and automatic synchronization of the cloud asset information of the cloud computing platform is completed; by adding a fault tolerance mechanism and password-policy issuance by the cloud computing platform, timed and automatic password change for the cloud asset information of the cloud computing platform is implemented. An open-source bastion host is deployed and integrated, and a cloud bastion host verification module is developed; a fault tolerance mechanism response rule is established; a response rule for real-time synchronization of cloud asset information in a cloud computing platform is established; a password change policy is obtained; and automatic password change is performed. According to the present invention, automatic password change for a cloud host and a cloud bastion host is implemented, random password change for all cloud resource accounts is completed and synchronization with the cloud bastion host is also implemented, and a cloud tenant logs directly into the cloud bastion host by means of the cloud platform after automatic password change.

Description

A method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts
Technical field
The invention relates to the technical field of cloud computing and information security, and in particular to a method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts.
Background
Cloud hosts are an important part of cloud computing at the infrastructure level. They sit at the bottom of the cloud computing industry chain pyramid, and the product originates from cloud computing platforms. The platform integrates the three core elements of Internet applications, namely computing, storage and networking, and provides users with public Internet infrastructure services. A cloud host is a virtualization technology similar to a VPS host: a VPS uses virtualization software such as VZ or VM to carve out, on one physical host, multiple parts that resemble independent hosts, supporting multiple users on one machine; each part can run its own operating system and is managed just like a host. As cloud hosts and cloud computing develop, network security problems cannot be ignored.
As an important component of the cloud computing platform's security system, the bastion host plays a key role in security compliance auditing in hybrid cloud environments, and at the same time it faces many problems: the infrastructure is highly heterogeneous and widely distributed; the scale of cloud resources in the hybrid cloud keeps growing, which requires the bastion host to be sufficiently scalable; and cloud resources must be managed, and passwords changed automatically, under dynamic resource delivery and elastic scaling.
Because an enterprise has traditional physical equipment, virtualization platforms, private clouds and public clouds, building a cloud computing platform introduces a large number of different types of IT infrastructure. To reduce the difficulty of platform resource management and fit the cloud computing platform's API well, the bastion host must be adaptable and flexible in asset onboarding and management. In addition, because today's cloud computing platforms serve multiple enterprises, organizations and tenants, IT assets are widely distributed and management is relatively decentralized. An operations security audit system built on a bastion host therefore needs a multi-level authorization management system to fit the current IT management model.
The infrastructure is highly heterogeneous and widely distributed, and manually maintaining passwords and other information is costly. Building a cloud computing platform introduces many different types of IT infrastructure, including the enterprise's traditional physical bare-metal devices and cloud computing virtualized resources. Traditional bastion hosts are not adaptable or flexible enough in asset onboarding and management; in the traditional mode, adding, deleting or modifying cloud host accounts must be configured manually, first on the cloud resource and then on the bastion host, so the manual maintenance cost is high and accuracy and timeliness are insufficient.
The cloud computing platform and the traditional bastion host are isolated from each other, which makes real-time, linked automatic password change hard to achieve. The two systems are relatively isolated, cloud platform tenants and bastion host users are hard to link, and cloud platform resources and bastion host resources usually have to be synchronized and maintained by hand; because of this isolation, the cloud computing platform cannot easily perform periodic automatic password changes under a platform-level policy.
Cloud resource management under dynamic resource delivery and elastic scaling is difficult, and automatic password change is unstable. Because cloud resources are delivered dynamically and scale elastically, resource changes and information maintenance usually require manual work with poor timeliness; the bastion host often behaves abnormally because its information is maintained late or incorrectly, so automatic password change has unstable factors.
Therefore, how to solve the problems caused by the highly heterogeneous and scattered infrastructure of the cloud computing platform and by the isolation between the cloud computing platform and the traditional bastion host, namely that automatic password change is hard to achieve and is unstable even when achieved, is a technical problem that urgently needs to be solved.
Summary of the invention
To solve the problems that the highly heterogeneous and scattered infrastructure of the cloud computing platform and the isolation between the cloud computing platform and the traditional bastion host make automatic password change hard to achieve and unstable once achieved, the present invention develops a method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts. It completes automatic synchronization of the cloud computing platform's cloud asset information between the cloud computing platform and the bastion host, and allows password policies to be issued through the cloud computing platform so that cloud asset passwords in the cloud computing platform are changed automatically. Under the unified management of the cloud platform, the passwords of all cloud asset information in the cloud computing platform are changed randomly while that information is synchronized with the cloud bastion host, and after automatic password change the cloud tenant logs into the cloud bastion host directly through the cloud platform.
The present invention claims the following technical solutions:
By integrating with the open-source bastion host's API and developing the corresponding functions, the cloud computing platform completes automatic synchronization of cloud asset information between the cloud computing platform and the cloud bastion host, achieving seamless linkage between the two. It is no longer necessary to maintain two sets of system information by hand; the cloud asset information of the cloud computing platform only needs to be maintained on the cloud computing platform.
Using its self-developed bastion host verification module and cloud computing service orchestration technology, the cloud computing platform develops automatic password change for cloud resources: a password-change plan for the cloud asset information can be set directly on the cloud computing platform, and through the integration of the cloud computing platform with the open-source bastion host, automatic password change and information synchronization are completed.
The cloud computing platform adds a fault-tolerant mechanism for automatic password change, which improves the stability of automatic password change, supports policy-driven periodic batch password changes, increases password differentiation between different systems, and raises password complexity to meet management requirements and the cloud resource security compliance needs of different business scenarios.
Specifically:
The present invention provides a method for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts, characterized in that it specifically includes the following steps:
S1: Deploy and integrate the open-source bastion host. Through the open-source bastion host's own open API, a cloud bastion host suited to cloud business scenarios is built on the cloud computing platform, connecting the cloud computing platform to the cloud bastion host so that the cloud asset information of the cloud computing platform and that of the cloud bastion host are managed and maintained uniformly on the cloud computing platform. At the same time, a cloud bastion host verification module is established on the connected cloud computing platform to verify and ensure, in a multi-cloud heterogeneous environment, the accuracy of the cloud asset information synchronized between the cloud computing platform and the cloud bastion host, so that the automatic password-change plan can run normally.
S2: Establish fault-tolerance response rules. The fault-tolerance response rules added to the cloud computing platform are used to increase password differentiation between different systems and improve the stability of automatic password change; the fault-tolerant mechanism is the automatic password-change fault-tolerant mechanism added when the cloud bastion host verification module is established on the cloud computing platform.
S3: Establish response rules for real-time synchronization of cloud asset information. Real-time response rules for the cloud asset information of the cloud computing platform are established for business scenarios such as dynamic delivery and elastic scaling of cloud asset information, achieving real-time automatic synchronization of cloud asset information between the cloud bastion host and the cloud computing platform.
S4: Obtain the password-change policy. The scheduled tasks customized on the cloud computing platform for automatic password change are obtained, and the password-change policy is determined from those tasks.
S5: Execute automatic password change. After the automatic password-change policy is obtained, the cloud computing platform automatically calls the cloud computing platform and cloud bastion host connected in step S1 to complete orchestration of the automatic password-change policy for the cloud asset information; it automatically responds to the fault-tolerant mechanism of step S2 and to the cloud bastion host verification module, and the cloud bastion host performs periodic automatic verification and batch password changes according to the automatic password-change policy; through step S3, the result of automatic execution is synchronized from the cloud bastion host to the cloud computing platform and takes effect on the corresponding cloud hosts.
Further, in step S1, the cloud bastion host uses a distributed architecture, supports multi-data-center cross-region deployment and horizontal scaling, and has no limit on the number of cloud asset records or on concurrency;
the cloud asset information in the cloud computing platform includes basic information such as the cloud host's IP and port, the cloud tenant's operation permission information, and the cloud resource account information for multiple accounts, such as the user names and passwords of administrator and non-administrator users on the cloud host resource;
the cloud bastion host is provided to cloud tenants as one of the services offered by the cloud computing platform, and cloud tenants can jump directly from the cloud computing platform to use it.
Further, in step S1, the cloud bastion host verification module is used by the cloud computing platform to complete verification periodically and automatically and/or by the cloud tenant manually. Through automation on the cloud computing platform it verifies the cloud asset information of the relevant cloud hosts, confirming correctness by automatic remote login, and then checks against the cloud bastion host to ensure that the cloud asset information on the cloud platform matches that on the cloud bastion host; when the verification results agree, verification is initiated.
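The verification module just described (and the Fig. 4 definition of it earlier on this page) has two parts: the platform's asset record and the bastion host's asset record must agree field by field, and the recorded credentials must actually log in. The following is an added example of that check, written for this page and not code from the patent or its applicant; the `Asset` record, the two inventories, the `stub_login` function standing in for a real SSH/RDP attempt, and the field list are all constructed assumptions.

```python
"""Cloud-asset consistency check in the spirit of the step S1 verification module.
Added example; all names, the inventories and the login stub are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """One cloud host record as held by the platform or by the bastion host."""
    ip: str
    os: str
    port: int
    account: str
    password: str


# Fields compared between the two inventories; the IP is the join key.
COMPARED_FIELDS = ("os", "port", "account", "password")
# Credential values are never echoed into findings or logs.
REDACTED_FIELDS = {"password"}


def compare_inventories(platform: Dict[str, Asset], bastion: Dict[str, Asset]) -> List[str]:
    """Field-by-field diff of the two inventories; an empty list means they agree."""
    findings: List[str] = []
    for ip in sorted(set(platform) | set(bastion)):
        p, b = platform.get(ip), bastion.get(ip)
        if p is None:
            findings.append(f"{ip}: present in bastion inventory only")
            continue
        if b is None:
            findings.append(f"{ip}: present in platform inventory only")
            continue
        for name in COMPARED_FIELDS:
            pv, bv = getattr(p, name), getattr(b, name)
            if pv == bv:
                continue
            if name in REDACTED_FIELDS:
                findings.append(f"{ip}: {name} differs")
            else:
                findings.append(f"{ip}: {name} differs (platform={pv!r}, bastion={bv!r})")
    return findings


def verify_assets(
    platform: Dict[str, Asset],
    bastion: Dict[str, Asset],
    remote_login: Callable[[Asset], bool],
) -> Tuple[bool, List[str]]:
    """Both checks of the module: records must agree, and every record held by both
    sides must log in.  `remote_login` is injected so the same logic can run
    against SSH/RDP in production and against a stub here."""
    findings = compare_inventories(platform, bastion)
    for ip, asset in sorted(platform.items()):
        if ip in bastion and not remote_login(asset):
            findings.append(f"{ip}: remote login with the recorded credentials failed")
    return not findings, findings


# --- constructed sample inventories (not real hosts or credentials) ----------
PLATFORM = {
    "10.0.0.1": Asset("10.0.0.1", "linux", 22, "root", "pw-one"),
    "10.0.0.2": Asset("10.0.0.2", "linux", 22, "root", "pw-two"),
    "10.0.0.3": Asset("10.0.0.3", "windows", 3389, "Administrator", "pw-three"),
    "10.0.0.4": Asset("10.0.0.4", "linux", 22, "ops", "pw-four"),
}
BASTION = {
    "10.0.0.1": Asset("10.0.0.1", "linux", 22, "root", "pw-one"),
    "10.0.0.2": Asset("10.0.0.2", "linux", 2222, "root", "pw-two"),   # port drifted
    "10.0.0.4": Asset("10.0.0.4", "linux", 22, "ops", "pw-four"),
    "10.0.0.9": Asset("10.0.0.9", "linux", 22, "root", "pw-nine"),    # never synced
}
# What the hosts "really" accept; 10.0.0.4 was rotated out of band, so both
# inventories agree with each other but neither matches the host.
ACTUAL_CREDENTIALS = {
    ("10.0.0.1", "root"): "pw-one",
    ("10.0.0.2", "root"): "pw-two",
    ("10.0.0.4", "ops"): "pw-four-rotated",
}


def stub_login(asset: Asset) -> bool:
    """Stands in for the automatic remote-login attempt."""
    return ACTUAL_CREDENTIALS.get((asset.ip, asset.account)) == asset.password


if __name__ == "__main__":
    ok, notes = verify_assets(PLATFORM, BASTION, stub_login)
    print("consistent" if ok else "inconsistent")
    for note in notes:
        print(" -", note)
```

The login step matters even when the two inventories agree: in the sample, 10.0.0.4 is identical on both sides yet fails to log in, which is exactly the stale-record case the page attributes to late or incorrect maintenance, and it would otherwise be discovered only when a password-change task failed mid-batch.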
Further, in step S2, the automatic password-change fault-tolerant mechanism includes: while an automatic password-change task runs, the password verification function is performed synchronously, one entry at a time; after a password change completes automatically, the previous password is recorded and the newly set password is recorded with it; the cloud host's new password is then verified by an automatic login attempt; if verification fails, that cloud host's task is rolled back so that the old password can still log in, all automatic password-change tasks are terminated, and manual intervention is required to choose skip or continue; if verification succeeds, the next task proceeds.
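The rule above (also stated in the fault-tolerance module definition earlier on this page) is a sequential rotate, record, verify, roll back, halt loop. The following added example implements it; it is written for this page and is not the patent's or the applicant's code. `SimHost` is an in-memory stand-in for a host reached over remote login, the journal layout is an assumption, and so is the mapping of the operator's answer: "skip" moves on to the next host and "continue" retries the failed host, while anything else abandons the batch.

```python
"""Fault-tolerant batch password rotation as described in step S2.
Added example, not the patent's code; SimHost, the journal layout and the
skip/continue semantics are assumptions."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, List

ALPHABET = string.ascii_letters + string.digits + "!@#%^*-_"


def generate_password(length: int = 20) -> str:
    """A fresh random password per host keeps passwords differentiated across systems."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class SimHost:
    """In-memory stand-in for a cloud host (constructed).  `failed_new_logins`
    simulates a host whose freshly set password fails to verify that many times,
    e.g. because the change was applied but the login path did not pick it up."""
    ip: str
    account: str
    password: str
    failed_new_logins: int = 0
    _baseline: str = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._baseline = self.password

    def set_password(self, new: str) -> None:
        self.password = new

    def login(self, candidate: str) -> bool:
        if candidate != self.password:
            return False
        if candidate != self._baseline and self.failed_new_logins > 0:
            self.failed_new_logins -= 1
            return False
        return True


@dataclass
class RotationRecord:
    """What the mechanism records per attempt: old and new password side by side.
    In a real deployment this journal belongs in the platform's secret store, not in logs."""
    ip: str
    account: str
    old_password: str
    new_password: str
    status: str  # "changed", "rolled_back" or "rollback_failed"


def rotate_batch(hosts: List[SimHost], decide: Callable[[RotationRecord], str]) -> List[RotationRecord]:
    """Rotate `hosts` one at a time.  On a verification failure the host is rolled
    back to its old password, the batch halts, and `decide` (the manual
    intervention) answers "skip" (next host) or "continue" (retry this host);
    any other answer aborts the batch.  The answer mapping is an assumption."""
    journal: List[RotationRecord] = []
    i = 0
    while i < len(hosts):
        host = hosts[i]
        old, new = host.password, generate_password()
        host.set_password(new)
        record = RotationRecord(host.ip, host.account, old, new, "changed")
        if host.login(new):          # new password verified: next task
            journal.append(record)
            i += 1
            continue
        host.set_password(old)       # roll back so the old password still logs in
        record.status = "rolled_back" if host.login(old) else "rollback_failed"
        journal.append(record)
        choice = decide(record)      # batch stays halted until a human answers
        if choice == "skip":
            i += 1
        elif choice != "continue":
            break
    return journal


if __name__ == "__main__":
    # Constructed fleet: the second host fails verification once.
    fleet = [
        SimHost("10.0.0.1", "root", "old-a"),
        SimHost("10.0.0.2", "root", "old-b", failed_new_logins=1),
        SimHost("10.0.0.3", "root", "old-c"),
    ]
    for rec in rotate_batch(fleet, decide=lambda r: "skip"):
        print(f"{rec.ip} {rec.account}: {rec.status}")
```

Two properties are worth checking in a real implementation: after a rollback the old password is re-verified, not merely re-set, so the "rollback_failed" state is visible to the operator; and the old password is retained in the journal until the new one has verified, because without it there is nothing to roll back to.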
Further, in step S3, the business scenarios such as dynamic delivery and elastic scaling include: through dynamic scaling of cloud host resources, a newly scaled-out cloud host has an independent account and password, and that independent account and password are synchronized with the cloud bastion host to ensure that the new cloud host resource is operable.
Further, in step S4, the scheduled tasks customized on the cloud computing platform for automatic password change include: the start time, the list of cloud hosts involved, the users of the cloud hosts involved, etc.
The present invention also provides a device for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts, characterized in that it includes:
a module for deploying and integrating the open-source bastion host, which, through the open-source bastion host's own open API, builds a cloud bastion host suited to cloud business scenarios on the cloud computing platform, connects the cloud computing platform to the cloud bastion host, and has the cloud asset information of the cloud computing platform and that of the cloud bastion host managed and maintained uniformly on the cloud computing platform; at the same time, a cloud bastion host verification module is established on the connected cloud computing platform to verify and ensure, in a multi-cloud heterogeneous environment, the accuracy of the cloud asset information synchronized between the cloud computing platform and the cloud bastion host, so that the automatic password-change plan can run normally;
a fault-tolerance response module, which automatically responds to the rules of the fault-tolerant mechanism, increasing password differentiation between different systems and improving the stability of automatic password change; the fault-tolerant mechanism is the automatic password-change fault-tolerant mechanism added when the cloud bastion host verification module is established on the cloud computing platform;
a response module for real-time synchronization of cloud asset information, which automatically responds to the real-time synchronization rules for the cloud asset information of the cloud computing platform under business scenarios such as dynamic delivery and elastic scaling of cloud asset information, achieving real-time automatic synchronization of cloud asset information between the cloud bastion host and the cloud computing platform;
a password-change policy acquisition module, which obtains the scheduled tasks customized on the cloud computing platform for automatic password change and determines the password-change policy from those tasks;
an automatic password-change execution module, which, after the automatic password-change policy is obtained, has the cloud computing platform automatically call the cloud computing platform and cloud bastion host connected by the deployment and integration module to complete orchestration of the automatic password-change policy for the cloud asset information; it automatically responds to the fault-tolerant mechanism of the fault-tolerance response module and to the cloud bastion host verification module, and the cloud bastion host performs periodic automatic verification and batch password changes according to the automatic password-change policy; through the real-time synchronization response module, the result of automatic execution is synchronized from the cloud bastion host to the cloud computing platform and takes effect on the corresponding cloud hosts.
Further, the password-change policy acquisition module also includes:
a display sub-module, which displays the interface of the module on the cloud computing platform dedicated to automatic cloud host password-change tasks and lets the user define the timed tasks for which automatic password change is to be enabled;
a custom password-change policy sub-module, through which cloud tenants configure the cloud resource password-change plan directly on the cloud computing platform and obtain a custom automatic password-change policy once configuration is complete.
The present invention also includes an electronic device, characterized in that it comprises a memory and a processor, the memory storing a configuration program for the device of the present invention for automatic password change for cloud hosts and cloud bastion hosts that can run on the processor; when executed by the processor, the configuration program implements the method of the present invention for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts.
The present invention also includes a computer-readable storage medium, characterized in that it stores a configuration program for the device of the present invention for automatic password change for cloud hosts and cloud bastion hosts, and the configuration program can be executed by one or more processors to implement the method of the present invention for automatic password change with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts.
与现有技术相比,本发明的优点在于:Compared with the prior art, the present invention has the advantages of:
The present invention develops a method for implementing automatic password change for cloud hosts and cloud bastion hosts. By integrating the cloud computing platform with an open-source bastion host, cloud asset information in the cloud computing platform is synchronized automatically between the cloud resources and the bastion host, and a password policy can be issued from the cloud computing platform so that the passwords of cloud asset information in the cloud computing platform are changed automatically. This solves the problem of, under the unified management of the cloud platform, randomly changing the passwords of cloud asset information across all cloud computing platforms while synchronizing that information with the cloud bastion host, and it allows cloud tenants to log in to the cloud bastion host directly through the cloud platform after the automatic password change.
Through seamless integration between the cloud computing platform and the open-source bastion host, cloud asset information in the cloud computing platform is synchronized with the cloud bastion host in real time, and the cloud computing platform uses a cloud bastion host verification template to ensure the accuracy of the synchronized cloud asset information. In a multi-cloud heterogeneous environment only one set of cloud asset information needs to be maintained on the cloud computing platform, which ensures that the automatic password change plan can execute normally.
Through seamless integration between the cloud computing platform and the cloud bastion host, the linkage between the two resolves the isolation problem, and automatic password change can be released and developed as a cloud service of the cloud computing platform for all cloud tenants. Tenants need only the cloud computing platform to orchestrate an automatic password change plan for their cloud resources, and the cloud bastion host performs batch password changes periodically according to policy.
Through the integration of the cloud computing platform and the cloud bastion host, cloud asset information in the cloud computing platform is synchronized with the cloud bastion host in a timely manner in business scenarios such as dynamic delivery and elastic scaling of cloud resources, with no manual maintenance of bastion host information, which reduces labor costs. At the same time, passwords can be managed centrally through the cloud computing platform to meet the password change policy requirements of different tenants and improve the stability of automatic password change.
Description of the drawings
Figure 1. Steps of a method for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
Figure 2. Program module diagram of a configuration program for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
Figure 3. Program module diagram of the password change policy acquisition module in another configuration program for automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
Figure 4. Detailed flow chart of another method for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
Detailed description
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used are interchangeable under appropriate circumstances, so that the embodiments of the present invention described herein can be practiced in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having" and any variations thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or are inherent to such a process, method, product or device.
To make the advantages of the technical solution of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and embodiments.
Figure 1 shows the steps of a method for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
As shown in Figure 1, the method for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided by the present invention specifically includes the following steps:
Step S1: deploy and integrate the Jumpserver open-source bastion host. Through the open API interface of the open-source bastion host, a cloud bastion host suited to cloud business scenarios is built on the cloud computing platform, integrating the cloud computing platform with the cloud bastion host so that the cloud asset information of the cloud computing platform and that of the cloud bastion host are managed and maintained centrally on the cloud computing platform. At the same time, a cloud bastion host verification module is established on the integrated cloud computing platform to verify and ensure, in a multi-cloud heterogeneous environment, the accuracy of the cloud asset information synchronized between the cloud computing platform and the cloud bastion host, so that the automatic password change plan can execute normally.
In the present invention, the open-source bastion host is not limited to the Jumpserver open-source bastion host used in this embodiment.
The cloud bastion host adopts a distributed architecture, supports cross-region deployment across multiple data centers and horizontal scaling, and imposes no limit on the number of cloud asset records in the cloud computing platform or on concurrency.
The cloud hosts involved in this embodiment include various operating systems and versions (e.g. Windows, Linux) on various types of cloud infrastructure resources (VMware, OpenStack, bare metal, etc.); the users involved are all cloud tenants of the cloud computing service platform; the application scenarios are general-purpose business systems across all industries, such as production, development, UAT and test. Note that in practical applications the solution provided by the present invention is not limited to the users or application fields described in the above embodiment, and includes commonly used devices and equipment understood in the art.
In step S1, the cloud bastion host verification module is used by the cloud computing platform to complete verification automatically on a schedule and/or by cloud tenants manually. The cloud computing platform uses automation to verify the cloud asset information of the relevant cloud hosts, confirming its correctness by automatic remote login, and then checks it against the cloud bastion host to ensure that the cloud asset information in the cloud platform is consistent with that in the cloud bastion host; when the results are consistent, verification is initiated. The cloud asset information includes the cloud host IP, the cloud host operating system, the cloud host's remote login port, account, password, and so on.
The cloud asset information in the cloud computing platform includes basic information such as the cloud host IP and port, the cloud tenant's operation permission information, and the cloud resource account information of multiple accounts, such as the user names and passwords of administrator and non-administrator users of the cloud host resources. In this embodiment, one cloud asset corresponds to multiple cloud resource account records.
In this embodiment, the cloud bastion host is provided to cloud tenants as one of the services of the cloud computing platform, and cloud tenants can jump directly from the cloud computing platform to use the cloud bastion host.
Step S2: establish fault-tolerance mechanism response rules, that is, fault-tolerance response rules added to the cloud computing platform, used to increase password differentiation between systems and improve the stability of automatic password change. The fault-tolerance mechanism is the automatic password change fault-tolerance mechanism added when the cloud bastion host verification module is established on the cloud computing platform. It includes: while an automatic password change task executes, password verification is performed synchronously, one record at a time; after a password is changed automatically, the previous password is recorded and the newly set password is recorded together with it; the new cloud host password is then verified automatically. If verification fails, the task for that cloud host is rolled back to ensure that the old password can still log in, and all automatic password change tasks are terminated pending manual intervention, in which an operator chooses to skip or continue; if verification succeeds, the next task proceeds.
Step S3: establish response rules for real-time synchronization of cloud asset information in the cloud computing platform, that is, real-time response rules for cloud asset information under business scenarios such as dynamic delivery and elastic scaling of cloud asset information in the cloud computing platform, so that cloud asset information is synchronized automatically in real time between the cloud bastion host and the cloud computing platform. Business scenarios such as dynamic delivery and elastic scaling include: when cloud host resources scale dynamically, each newly created cloud host has its own independent account and password, which are synchronized to the cloud bastion host to ensure that the new cloud host resources are operable.
Step S4: obtain the password change policy, that is, obtain the scheduled task customized on the cloud computing platform for automatic password change and determine the password change policy from it. The scheduled task customized on the cloud computing platform for automatic password change includes the start time, the list of cloud hosts involved, the users of those cloud hosts, and so on.
Step S5: execute the automatic password change. After the automatic password change policy is obtained, the cloud computing platform automatically invokes the cloud computing platform and the cloud bastion host integrated in step S1 to orchestrate the automatic password change policy for cloud asset information in the cloud computing platform; it automatically responds to the fault-tolerance mechanism of step S2 and the cloud bastion host verification module, and the cloud bastion host performs periodic automatic verification and batch password changes according to the automatic password change policy; through step S3, the results of automatic execution are synchronized from the cloud bastion host to the cloud computing platform and take effect on the corresponding cloud hosts.
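The verification module of step S1 and the real-time synchronization of step S3 amount to one procedure: diff the platform's asset records against the bastion's copy, confirm each differing record by remote login, and push only the confirmed records. The following is an added example written for this description, not code from the patent or from Jumpserver; the `BastionClient` class, its method names, the `remote_login` callable and all sample hosts and credentials are constructed assumptions standing in for the bastion API and for a real SSH/RDP login check.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


# One asset record as both the cloud platform and the bastion host hold it
# (the fields named in step S1: IP, OS, remote login port, account, password).
@dataclass(frozen=True)
class Asset:
    ip: str
    os: str
    port: int
    account: str
    password: str


AssetKey = Tuple[str, int, str]  # (ip, port, account) identifies one account on one host


def asset_key(a: Asset) -> AssetKey:
    return (a.ip, a.port, a.account)


class BastionClient:
    """Constructed in-memory stand-in for the bastion host's asset API.
    Not Jumpserver's real API: the method names here are assumptions."""

    def __init__(self, assets: List[Asset]):
        self._assets: Dict[AssetKey, Asset] = {asset_key(a): a for a in assets}

    def list_assets(self) -> List[Asset]:
        return list(self._assets.values())

    def upsert_asset(self, asset: Asset) -> None:
        self._assets[asset_key(asset)] = asset

    def delete_asset(self, key: AssetKey) -> None:
        self._assets.pop(key, None)


def diff_assets(platform: List[Asset], bastion: List[Asset]):
    """Compare the platform's asset information (source of truth) with the bastion copy.
    Returns records missing on the bastion, records whose fields differ, and bastion keys
    that no longer exist on the platform (for example hosts removed by scale-in)."""
    p = {asset_key(a): a for a in platform}
    b = {asset_key(a): a for a in bastion}
    missing = [a for k, a in p.items() if k not in b]
    changed = [a for k, a in p.items() if k in b and b[k] != a]
    stale = [k for k in b if k not in p]
    return missing, changed, stale


def verify_and_sync(platform: List[Asset], bastion: BastionClient,
                    remote_login: Callable[[Asset], bool]) -> Dict[str, List[AssetKey]]:
    """Verification (S1) plus real-time sync (S3): every platform record that differs from
    the bastion is first confirmed by a remote login with the recorded credentials. Only
    records that work are pushed; records that fail are reported for manual handling so a
    wrong platform record never overwrites a working bastion record; stale keys are removed."""
    missing, changed, stale = diff_assets(platform, bastion.list_assets())
    report: Dict[str, List[AssetKey]] = {"synced": [], "login_failed": [], "removed": []}
    for asset in missing + changed:
        if remote_login(asset):
            bastion.upsert_asset(asset)
            report["synced"].append(asset_key(asset))
        else:
            report["login_failed"].append(asset_key(asset))
    for key in stale:
        bastion.delete_asset(key)
        report["removed"].append(key)
    return report


# Constructed sample data. HOSTS plays the role of the real cloud hosts: it maps
# (ip, port, account) to the password that host actually accepts.
HOSTS: Dict[AssetKey, str] = {
    ("10.0.0.11", 22, "root"): "pw-11",
    ("10.0.0.12", 3389, "Administrator"): "pw-12",
    ("10.0.0.13", 22, "root"): "pw-13",   # new host created by a scale-out event
}


def simulated_remote_login(asset: Asset) -> bool:
    """Stand-in for the automatic remote login check (SSH/RDP in a real deployment)."""
    return HOSTS.get(asset_key(asset)) == asset.password


PLATFORM_ASSETS = [
    Asset("10.0.0.11", "linux", 22, "root", "pw-11"),
    Asset("10.0.0.12", "windows", 3389, "Administrator", "wrong-pw"),  # platform record out of date
    Asset("10.0.0.13", "linux", 22, "root", "pw-13"),
]
BASTION_ASSETS = [
    Asset("10.0.0.11", "linux", 22, "root", "pw-11"),
    Asset("10.0.0.12", "windows", 3389, "Administrator", "pw-12"),
    Asset("10.0.0.99", "linux", 22, "root", "pw-99"),  # host already deleted on the platform
]


def run_sample() -> Dict[str, List[AssetKey]]:
    bastion = BastionClient(BASTION_ASSETS)
    return verify_and_sync(PLATFORM_ASSETS, bastion, simulated_remote_login)


if __name__ == "__main__":
    print(run_sample())
```

On the constructed data the new scale-out host is pushed to the bastion, the Windows host whose platform record holds a wrong password is reported instead of overwriting the bastion's working record, and the deleted host is removed from the bastion; in a real deployment the login check would be the platform's automated remote login and the client would wrap the bastion's actual API.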
Figure 2 is a program module diagram of a configuration program for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
As shown in Figure 2, the present invention provides a device for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts, which includes:
an open-source bastion host deployment and integration module 101, used to build, through the open API interface of the Jumpserver open-source bastion host, a cloud bastion host suited to cloud business scenarios on the cloud computing platform, integrating the cloud computing platform with the cloud bastion host so that the cloud asset information of the cloud computing platform and that of the cloud bastion host are managed and maintained centrally on the cloud computing platform; and at the same time to establish a cloud bastion host verification module on the integrated cloud computing platform that verifies and ensures, in a multi-cloud heterogeneous environment, the accuracy of the cloud asset information synchronized between the cloud computing platform and the cloud bastion host, so that the automatic password change plan can execute normally;
a fault-tolerance mechanism response module 102, used to respond automatically to the rules of the fault-tolerance mechanism, to increase password differentiation between systems and improve the stability of automatic password change, where the fault-tolerance mechanism is the automatic password change fault-tolerance mechanism added when the cloud bastion host verification module is established on the cloud computing platform;
a real-time cloud asset information synchronization response module 103, used to respond automatically to the rules for real-time synchronization of cloud asset information in the cloud computing platform under business scenarios such as dynamic delivery and elastic scaling of cloud asset information, so that cloud asset information is synchronized automatically in real time between the cloud bastion host and the cloud computing platform;
a password change policy acquisition module 104, used to obtain the scheduled task customized on the cloud computing platform for automatic password change and determine the password change policy from it;
an automatic password change execution module 105, used, after the automatic password change policy is obtained, to automatically invoke in the cloud computing platform the cloud computing platform and the cloud bastion host integrated by the open-source bastion host deployment and integration module, orchestrating the automatic password change policy for cloud asset information in the cloud computing platform; to respond automatically to the fault-tolerance mechanism of the fault-tolerance mechanism response module and to the cloud bastion host verification module, with the cloud bastion host performing periodic automatic verification and batch password changes according to the automatic password change policy; and, through the real-time cloud asset information synchronization response module, to synchronize the results of automatic execution from the cloud bastion host to the cloud computing platform so that they take effect on the corresponding cloud hosts.
In addition to the automatic password change method above, the present invention provides another method for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts, in which obtaining the password change policy further includes a password change policy customized by the cloud tenant. Figure 3 is a program module diagram of the password change policy acquisition module in another device for automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
In Figure 3, the present invention provides a program module diagram of the password change policy acquisition module in another device for automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts. The password change policy acquisition module 104 further includes:
a display sub-module 1041, used to display the interface of the module in the cloud computing platform dedicated to automatic cloud host password change tasks, through which users can define the scheduled tasks for which automatic password change is to be enabled;
a custom password change policy sub-module 1042, through which cloud tenants can directly configure a cloud resource password change plan on the cloud computing platform and obtain a customized automatic password change policy once configuration is complete.
In this embodiment, the cloud computing platform can be opened to any authorized user through the platform's own permission control. Through the display sub-module 1041, the interface of the module in the cloud computing platform dedicated to automatic cloud host password change tasks is displayed on the user terminal, allowing users to define the scheduled tasks for which automatic password change is to be enabled; through the custom password change policy sub-module 1042, cloud tenants themselves can directly configure a cloud resource password change plan on the cloud computing platform and obtain a customized automatic password change policy once configuration is complete.
This embodiment further explains the implementation flow of automatic password change.
Figure 4 is a detailed flow chart of another method for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided by the present invention.
As shown in Figure 4, through the open-source bastion host deployment and integration module 101, the fault-tolerance mechanism response module 102, the real-time cloud asset information synchronization response module 103, the password change policy acquisition module 104 and the automatic password change execution module 105 described above, an automated cloud service for automatic password change is established. By using the automation capabilities of the cloud service, the cloud resource account information of cloud tenants is synchronized in the cloud computing platform, and cloud tenants can, through the cloud computing platform, make use of fault-tolerance decision mechanisms such as remote control, login verification, password change and N rounds of verification, which gives the cloud bastion host's automatic password change its fault tolerance and realizes automatic password change.
The cloud computing platform automatically obtains, through the password change policy acquisition module 104, the scheduled task customized for automatic password change, determines the password change policy from it, and changes cloud host passwords automatically through the automatic password change execution module 105; remote login verification is run against the asset information of the cloud computing platform and the bastion host, entering the cloud bastion host verification module.
In this embodiment, the custom password change plan further includes an automatic password change policy configured by the cloud tenant: during custom configuration, the tenant configures the customized automatic password change policy by editing the password change plan, which includes configuring basic settings on the display interface, such as name, remarks, account type and password change execution time. It also includes configuring resources on the display interface, which provides a visual point-and-click window component and a search window component with candidate options (the commonly used basic settings of existing password change configurations) so that cloud tenants can select directly without searching; users with specific needs or queries can search by keyword in the search window and then click to confirm. A configured plan can be maintained, modified and debugged, including sharing and re-creation.
The cloud bastion host verification module uses automation to verify the cloud asset information of the relevant cloud hosts, including the cloud host IP, operating system, remote login port, account and password, confirming its correctness by automatic remote login, and then checks it against the cloud bastion host to ensure that the cloud asset information in the cloud platform is consistent with that in the cloud bastion host. When the results are consistent, verification succeeds and the automatic password change stage is entered. After [password change succeeded 1] is triggered, N rounds of verification follow; if they succeed, the password change is successful and takes effect automatically on the cloud host, while the cloud asset information is updated and the cloud bastion host's asset information is synchronized at the same time. The cloud bastion host is provided to cloud tenants as one of the services of the cloud computing platform, and tenants can jump directly or use single sign-on from the cloud computing platform to use it.
If verification in the cloud bastion host verification module fails or the automatic password change fails, the fault-tolerance module is entered, the fault-tolerance mechanism responds automatically, and control returns to the cloud computing platform. The specific process is: while an automatic password change task executes, the back end performs password verification in parallel batches, one record at a time; after a password is changed automatically, the previous password is recorded and the newly set password is recorded with it; the new cloud host password is then verified automatically. If verification fails, the task for that cloud host is rolled back to ensure that the old password can still log in, and all automatic password change tasks are terminated pending manual intervention, in which an operator chooses to skip or continue; if verification succeeds, the next task proceeds.
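The fault-tolerant loop described in step S2 and again in the paragraph above (change, record old and new password, verify N times, roll back on failure, halt for an operator) is shown below as an added example; it is not code from the patent or from Jumpserver. `SimulatedEnvironment`, its `change_password` and `remote_login` methods, the sample accounts and the "faulty host" that acknowledges a change without applying it are all constructed stand-ins for real hosts and their login checks. The example also fixes one reading of the manual intervention, which the text leaves open: a `decide` callback returning "skip" leaves the failed host on its old password and moves on, and any other answer stops all remaining tasks. The patent's parallel batches are processed sequentially here for clarity.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

AccountKey = Tuple[str, str]  # (ip, account)


class SimulatedEnvironment:
    """Constructed stand-in for the cloud hosts, the platform's asset store and the bastion's
    asset store. `hosts` holds the password each host really accepts; `faulty` lists hosts
    that acknowledge a change but never apply it (the failure the rollback exists for)."""

    def __init__(self, initial: Dict[AccountKey, str], faulty: Set[str]):
        self.hosts = dict(initial)
        self.platform = dict(initial)   # cloud asset information held by the platform
        self.bastion = dict(initial)    # copy held by the bastion host
        self.faulty = set(faulty)

    def change_password(self, ip: str, account: str, new_pw: str) -> None:
        if ip not in self.faulty:
            self.hosts[(ip, account)] = new_pw

    def remote_login(self, ip: str, account: str, pw: str) -> bool:
        return self.hosts.get((ip, account)) == pw


@dataclass
class RotationRecord:
    """Old and new password are both recorded, as the text requires, so a failed change
    can be rolled back (a real deployment would keep these in a secret store, not memory)."""
    ip: str
    account: str
    old_password: str
    new_password: str
    status: str = "pending"   # ok | skipped | rolled_back | rollback_failed


def generate_password(length: int = 20) -> str:
    alphabet = string.ascii_letters + string.digits + "!#%&*+-="
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_accounts(env: SimulatedEnvironment, tasks: List[AccountKey],
                    decide: Callable[[RotationRecord], str],
                    verify_rounds: int = 3) -> List[RotationRecord]:
    """Fault-tolerant rotation loop of step S2, one account at a time. On success the platform
    and bastion records are updated (step S5 sync); on failure the host is rolled back, the
    old password is re-verified, and `decide` (the manual intervention) is consulted."""
    records: List[RotationRecord] = []
    for ip, account in tasks:
        old_pw = env.platform[(ip, account)]
        rec = RotationRecord(ip, account, old_pw, generate_password())
        records.append(rec)
        env.change_password(ip, account, rec.new_password)
        # N rounds of verification with the new password before it is trusted.
        if all(env.remote_login(ip, account, rec.new_password) for _ in range(verify_rounds)):
            rec.status = "ok"
            env.platform[(ip, account)] = rec.new_password
            env.bastion[(ip, account)] = rec.new_password
            continue
        # Verification failed: roll this host back and confirm the old password still works.
        env.change_password(ip, account, old_pw)
        if not env.remote_login(ip, account, old_pw):
            rec.status = "rollback_failed"   # reachable with neither password: stop at once
            break
        rec.status = "rolled_back"
        if decide(rec) != "skip":
            break                             # all remaining tasks halted pending an operator
        rec.status = "skipped"
    return records


# Constructed fixture: three accounts, one on a host that never applies the change.
INITIAL: Dict[AccountKey, str] = {
    ("10.0.0.11", "root"): "old-11",
    ("10.0.0.12", "root"): "old-12",
    ("10.0.0.13", "admin"): "old-13",
}
TASKS: List[AccountKey] = list(INITIAL)


def run_sample(decision: str = "skip") -> Tuple[SimulatedEnvironment, List[RotationRecord]]:
    env = SimulatedEnvironment(INITIAL, faulty={"10.0.0.12"})
    records = rotate_accounts(env, TASKS, decide=lambda rec: decision)
    return env, records


if __name__ == "__main__":
    env, records = run_sample("skip")
    for rec in records:
        print(rec.ip, rec.account, rec.status)
```

With `decision="skip"` the faulty host is left on its old password and the third account is still rotated; with any other decision the loop stops after the rollback and the third account keeps its old password on host, platform and bastion alike, which is the invariant the rollback protects: the three stores never disagree about a working credential.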
The present invention further includes an electronic device comprising a memory and a processor, the memory storing a configuration program of the device provided in this embodiment that can run on the processor; when executed by the processor, the configuration program implements the method for automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided in this embodiment.
The present invention further includes a computer-readable storage medium, characterized in that the computer-readable storage medium stores a configuration program of the device provided in this embodiment, which can be executed by one or more processors to implement the method for automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts provided in this embodiment.
The above is only a preferred embodiment of the present invention. It should be pointed out that persons of ordinary skill in the art can make several improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (10)

  1. 面向云主机和云堡垒机实现含容错机制的自动改密的方法,其特征在于,具体包括以下步骤:The method for realizing automatic encryption with a fault-tolerant mechanism for cloud hosts and cloud bastion hosts is characterized in that it specifically includes the following steps:
    S1部署并融合开源堡垒机,通过开源堡垒机自身的开放的api接口在云计算平台上构建了适合云业务场景的云堡垒机,实现云计算平台与云堡垒机的对接,及实现所述云计算平台的云资产信息与所述云堡垒机的云资产信息在云计算平台上进行统一管理和维护;同时在对接后的云计算平台上建立云堡垒机校验模块,用于确保在多云异构环境下,以验证和确保云计算平台与云堡垒机之间同步的所述云计算平台中云资产信息的准确性,保证自动改密计划能正常执行;S1 deploys and integrates the open source bastion host, builds a cloud bastion host suitable for cloud business scenarios on the cloud computing platform through the open API interface of the open source bastion host, realizes the connection between the cloud computing platform and the cloud bastion host, and realizes the cloud The cloud asset information of the computing platform and the cloud asset information of the cloud bastion machine are managed and maintained in a unified manner on the cloud computing platform; at the same time, a cloud bastion machine verification module is established on the connected cloud computing platform to ensure Under the structural environment, to verify and ensure the accuracy of the cloud asset information in the cloud computing platform synchronized between the cloud computing platform and the cloud bastion machine, to ensure that the automatic encryption plan can be executed normally;
    S2建立容错机制响应规则,建立在云计算平台中加入的容错机制响应规则,用于增加不同系统之间密码差异化,提升自动改密稳定性;其中,所述容错机制是指在云计算平台建立云堡垒机校验模块时,加入的自动改密容错机制;S2 establishes a fault-tolerant mechanism response rule, and establishes a fault-tolerant mechanism response rule added in the cloud computing platform, which is used to increase the password differentiation between different systems and improve the stability of automatic password change; wherein, the fault-tolerant mechanism refers to the cloud computing platform. When establishing the verification module of the cloud bastion machine, the automatic encryption and fault-tolerant mechanism was added;
    S3建立实时同步云计算平台中云资产信息的响应规则,建立在云计算平台中云资产信息动态交付和弹性伸缩等业务场景下的云计算平台中云资产信息的实时响应规则,实现所述云堡垒机和云计算平台的关于云计算平台中云资产信息实时自动同步;S3 establishes the response rules for real-time synchronization of cloud asset information in the cloud computing platform, establishes real-time response rules for cloud asset information in the cloud computing platform under business scenarios such as dynamic delivery and elastic scaling of cloud computing platform, and realizes the cloud Real-time automatic synchronization of cloud asset information on the cloud computing platform between the bastion host and the cloud computing platform;
    S4获取改密策略,获取云计算平台对自动改密自定义的计划任务,根据所述计划任务确定改密策略;S4 acquires the encryption policy, obtains the planned task customized by the cloud computing platform for automatic encryption, and determines the encryption strategy according to the planned task;
    S5执行自动改密,在获取自动改密策略后,云计算平台中自动调用步骤S1所对接的云计算平台与云堡垒机,完成所述云计算平台中云资产信息的自动改密策略的编排;自动响应步骤S2中的容错机制及所述云堡垒机校验模块并通过所述云堡垒机按照所述自动改密策略进行的定期自动校验及执行批量改密;并通过步骤S3将自动执行的结果由所述云堡垒机同步至所述云计算平台,并在对应的所述云主机中生效。S5 executes automatic encryption, and after obtaining the automatic encryption strategy, the cloud computing platform automatically calls the cloud computing platform and the cloud bastion machine docked in step S1, and completes the arrangement of the automatic encryption strategy of cloud asset information in the cloud computing platform Automatically responding to the fault-tolerant mechanism in step S2 and the verification module of the cloud bastion machine and performing regular automatic verification and performing batch re-encryption by the cloud bastion machine according to the described automatic encryption policy; and automatically by step S3 The execution result is synchronized by the cloud bastion host to the cloud computing platform, and takes effect in the corresponding cloud host.
  2. The method for automatic password change according to claim 1, further characterized in that
    in step S1, the cloud bastion host uses a distributed architecture, supports deployment across multiple data centers and regions, supports horizontal scaling, and imposes no limit on the number of cloud asset records in the cloud computing platform or on concurrency;
    the cloud asset information in the cloud computing platform includes: basic information such as the IP address and port of each cloud host, the operation permissions of the cloud tenant, and the cloud resource account information of multiple accounts, such as the user names and passwords of administrator and non-administrator users on the cloud host resources;
    the cloud bastion host is provided to cloud tenants as one of the services offered by the cloud computing platform, and cloud tenants can jump directly from the cloud computing platform to use the cloud bastion host.
  3. The method for automatic password change according to claim 1 or 2, further characterized in that
    in step S1, the cloud bastion host verification module is used by the cloud computing platform for periodic automatic verification and/or by cloud tenants for manual verification: the cloud computing platform verifies the cloud asset information of the relevant cloud hosts by automated means, confirming its correctness through an automatic remote login, and at the same time cross-checks it against the cloud bastion host so that the cloud asset information held in the cloud platform is consistent with that held in the cloud bastion host; verification is initiated when the two results agree.
  4. The method for automatic password change according to any one of claims 1 to 3, further characterized in that
    in step S2, the fault-tolerance mechanism for automatic password change comprises: while the automatic password change task executes, password verification is carried out synchronously, one record at a time; after a password has been changed automatically, the previous password is recorded and the newly set password is recorded alongside it; the cloud host's new password is then verified by an automatic login attempt; if verification fails, the task for that cloud host is rolled back so that the old password still permits login, all automatic password change tasks are halted, and manual intervention is required to choose whether to skip or continue; if verification succeeds, the next task proceeds.
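The fault-tolerance loop of claim 4, together with the platform-versus-bastion consistency check of claim 3, written out as an added Python example. This is not code from the patent or from any bastion product; `SimHost` is a constructed in-memory stand-in for a cloud host reached through the bastion host, `vault` stands in for the bastion host's credential store, and the `decide` callback stands in for the manual intervention. The patent only says the operator may "skip or continue"; reading "continue" as a bounded retry of the failed host is this example's assumption.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass
class SimHost:
    """Constructed stand-in for a cloud host reached through the bastion host.
    accept_change=False simulates a host that accepts the change request but on
    which the new password never becomes effective (assumed failure mode)."""
    name: str
    password: str            # password the host currently accepts at login
    accept_change: bool = True

    def change_password(self, old: str, new: str) -> None:
        if old != self.password:
            raise PermissionError(f"{self.name}: old password rejected")
        if self.accept_change:
            self.password = new

    def login(self, password: str) -> bool:
        return password == self.password


@dataclass
class Record:
    """Journal entry: the previous and the new password are recorded together."""
    host: str
    old: str
    new: str
    status: str   # "pending" | "ok" | "rolled_back" | "skipped" | "locked_out"


def generate_password(length: int = 20) -> str:
    alphabet = string.ascii_letters + string.digits + "!#%*-_."
    return "".join(secrets.choice(alphabet) for _ in range(length))


def preflight(platform_assets: dict, bastion_assets: dict) -> list:
    """Consistency check before the plan runs: the asset record (ip, port, user)
    the platform holds for each host must equal the bastion host's copy."""
    return [h for h, info in platform_assets.items() if bastion_assets.get(h) != info]


def rollback(host: SimHost, old: str, new: str) -> bool:
    """Guarantee that the old password still logs in. If the new password did
    take effect but verification failed for another reason, set the old one back."""
    if host.login(old):
        return True
    try:
        host.change_password(new, old)
    except PermissionError:
        return False
    return host.login(old)


def rotate_batch(hosts, vault, decide, platform_assets, bastion_assets, max_attempts=2):
    """Change passwords one host at a time with verify-then-commit semantics.

    vault  : host name -> password currently held by the bastion host (mutated)
    decide : stand-in for the manual intervention; returns "skip" or "retry"
    Returns the journal of Record entries.
    """
    mismatched = preflight(platform_assets, bastion_assets)
    if mismatched:
        raise RuntimeError(f"asset info differs between platform and bastion: {mismatched}")

    journal = []
    for host in hosts:
        for attempt in range(1, max_attempts + 1):
            old = vault[host.name]
            new = generate_password()
            rec = Record(host.name, old, new, "pending")   # old and new kept together
            try:
                host.change_password(old, new)
                verified = host.login(new)        # automatic login with the new password
            except PermissionError:
                verified = False
            if verified:
                vault[host.name] = new            # commit only after a successful login
                rec.status = "ok"
                journal.append(rec)
                break
            # verification failed: roll this host back, then stop for a human decision
            if not rollback(host, old, new):
                rec.status = "locked_out"         # neither password works: out-of-band recovery
                journal.append(rec)
                raise RuntimeError(f"{host.name}: rollback failed, batch halted")
            rec.status = "rolled_back"
            journal.append(rec)
            if attempt == max_attempts or decide(rec) == "skip":
                journal.append(Record(host.name, old, "", "skipped"))
                break
    return journal
```

The bastion's stored password is updated only after the new password has been proven by a login, so a failed verification can never leave the vault holding a credential that does not work; the `locked_out` status is the one case the claim does not cover, where neither password logs in and the batch must stop rather than continue.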
  5. The method for automatic password change according to claim 1, further characterized in that
    in step S3, the business scenarios such as dynamic delivery and elastic scaling include: when cloud host resources scale dynamically, each newly created cloud host is given an independent account and password, and that independent account and password are synchronized to the cloud bastion host to ensure that the new cloud host resource is operable.
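The synchronization rule of claim 5 as an added Python example: each scale-out event yields a host with its own freshly generated credential in the bastion's asset table, scale-in removes it, and a full reconcile after the events confirms the two inventories agree. This is not the patent's code; the event format, `BastionAsset` and the tuple `(ip, port, user)` used for the platform's inventory are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class BastionAsset:
    """One cloud host as the bastion host knows it: connection info plus the
    credential the bastion holds for that host (constructed shape)."""
    ip: str
    port: int
    user: str
    password: str


def reconcile(platform_inventory: dict, bastion: dict) -> dict:
    """Bring the bastion's asset table in line with the platform's current host set.

    platform_inventory : host name -> (ip, port, user) as reported by the platform
    bastion            : host name -> BastionAsset, mutated in place
    New hosts get an independent, freshly generated password; hosts that no
    longer exist are removed; hosts whose connection info moved are updated
    without touching their credential.
    """
    added, removed, updated = [], [], []
    for name, (ip, port, user) in platform_inventory.items():
        asset = bastion.get(name)
        if asset is None:
            bastion[name] = BastionAsset(ip, port, user, secrets.token_urlsafe(18))
            added.append(name)
        elif (asset.ip, asset.port, asset.user) != (ip, port, user):
            asset.ip, asset.port, asset.user = ip, port, user
            updated.append(name)
    for name in list(bastion):
        if name not in platform_inventory:
            del bastion[name]          # scale-in: drop the credential with the host
            removed.append(name)
    return {"added": added, "removed": removed, "updated": updated}


def apply_scaling_events(events, platform_inventory, bastion):
    """Apply a stream of platform scaling events (constructed format) and
    reconcile after each one, returning one summary per event."""
    summaries = []
    for ev in events:
        if ev["type"] == "scale_out":
            platform_inventory[ev["host"]] = (ev["ip"], ev["port"], ev["user"])
        elif ev["type"] == "scale_in":
            platform_inventory.pop(ev["host"], None)
        else:
            raise ValueError(f"unknown event type {ev['type']!r}")
        summaries.append(reconcile(platform_inventory, bastion))
    return summaries


def credentials_are_independent(bastion: dict) -> bool:
    """The property the claim asks for: no two hosts share a credential."""
    passwords = [a.password for a in bastion.values()]
    return len(passwords) == len(set(passwords))
```

Running `reconcile` on every event and again on a timer gives the same result, so a missed event is repaired at the next periodic pass rather than leaving a host the bastion cannot reach.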
  6. The method for automatic password change according to claim 1, further characterized in that
    in step S4, the scheduled task customized by the cloud computing platform for automatic password change includes: the start time, the list of cloud hosts involved, the users of the cloud hosts involved, and so on.
  7. An apparatus for implementing automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts, characterized in that it comprises:
    a module for deploying and integrating an open-source bastion host, used to build, through the open API of the open-source bastion host itself, a cloud bastion host suited to cloud business scenarios on the cloud computing platform, to connect the cloud computing platform with the cloud bastion host, and to manage and maintain the cloud asset information of the cloud computing platform and of the cloud bastion host in a unified way on the cloud computing platform; and to establish, on the connected cloud computing platform, a cloud bastion host verification module which, in a multi-cloud heterogeneous environment, verifies and ensures the accuracy of the cloud asset information synchronized between the cloud computing platform and the cloud bastion host, so that the automatic password change plan can execute normally;
    a fault-tolerance mechanism response module, used to respond automatically to the rules of the fault-tolerance mechanism, to increase password differentiation between different systems, and to improve the stability of automatic password change; the fault-tolerance mechanism is the automatic password change fault-tolerance mechanism added when the cloud bastion host verification module is established on the cloud computing platform;
    a response module for real-time synchronization of cloud asset information in the cloud computing platform, used to respond automatically to the rules for real-time synchronization of cloud asset information under business scenarios such as dynamic delivery and elastic scaling on the cloud computing platform, so that cloud asset information is automatically synchronized in real time between the cloud bastion host and the cloud computing platform;
    a password change policy acquisition module, used to obtain the scheduled task customized by the cloud computing platform for automatic password change and to determine the password change policy from that scheduled task;
    an automatic password change execution module, used, once the automatic password change policy has been obtained, to have the cloud computing platform automatically invoke the cloud computing platform and the cloud bastion host connected by the open-source bastion host deployment and integration module, to complete the orchestration of the automatic password change policy for the cloud asset information in the cloud computing platform, to respond automatically to the fault-tolerance mechanism in the fault-tolerance mechanism response module and to the cloud bastion host verification module, to perform the periodic automatic verification and the batch password change through the cloud bastion host according to the automatic password change policy, and, through the real-time synchronization response module, to synchronize the results of the automatic execution from the cloud bastion host to the cloud computing platform so that they take effect on the corresponding cloud hosts.
  8. The apparatus for automatic password change according to claim 7, further characterized in that
    the password change policy acquisition module further comprises:
    a display sub-module, used to display the interface of the module in the cloud computing platform dedicated to cloud host automatic password change tasks, through which users can define the scheduled tasks for which automatic password change is to be enabled;
    a custom password change policy sub-module, through which cloud tenants configure the cloud resource password change plan directly in the cloud computing platform and obtain a customized automatic password change policy once configuration is complete.
  9. An electronic device, characterized in that it comprises a memory and a processor, the memory storing a configuration program for the apparatus of claims 7 to 8 that can run on the processor, and the configuration program, when executed by the processor, implements the method for automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts according to claims 1 to 6.
  10. A computer-readable storage medium, characterized in that it stores the configuration program of the apparatus of claims 7 to 8, and the configuration program can be executed by one or more processors to implement the method for automatic password change with a fault-tolerance mechanism for cloud hosts and cloud bastion hosts according to claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/121543 WO2023050110A1 (en) 2021-09-29 2021-09-29 Method for implementing automatic password change having fault tolerance mechanism for cloud host and cloud bastion host

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/121543 WO2023050110A1 (en) 2021-09-29 2021-09-29 Method for implementing automatic password change having fault tolerance mechanism for cloud host and cloud bastion host

Publications (1)

Publication Number Publication Date
WO2023050110A1 true WO2023050110A1 (en) 2023-04-06

Family

ID=85781008

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/121543 WO2023050110A1 (en) 2021-09-29 2021-09-29 Method for implementing automatic password change having fault tolerance mechanism for cloud host and cloud bastion host

Country Status (1)

Country Link
WO (1) WO2023050110A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117729057A (en) * 2024-02-18 2024-03-19 北京建恒信安科技有限公司 Method for accessing zero trust based on identity security

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110145587A1 (en) * 2009-12-11 2011-06-16 Samsung Electronics Co. Ltd. Integrated login input apparatus and method in portable terminal
CN106506153A (en) * 2016-11-28 2017-03-15 浙江齐治科技股份有限公司 Automatic password change method, device and bastion host
CN112347463A (en) * 2020-11-11 2021-02-09 杭州飞致云信息科技有限公司 Method and device for changing passwords in batches and computer-readable storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王骏翔 (WANG, JUNXIANG): "数据中心自动化运维平台的设计与实现 (Design and Implementation of Data Center Automatic Operation and Maintenance Platform)", 上海船舶运输科学研究所学报 (JOURNAL OF SHANGHAI SHIP AND SHIPPING RESEARCH INSTITUTE), no. 3, 30 September 2016 (2016-09-30) *
陈健锋等 (CHEN, JIANFENG ET AL.): "浅析运维堡垒机的设计和应用前景 (Non-official translation: An Analysis of the Design and Application Prospects of Operations and Maintenance Bastion Hosts)", 有线电视技术 (CATV TECHNOLOGY), no. 5, 31 May 2015 (2015-05-31) *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 21958703
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE