CN101594386A - Reliable virtual organization construction method and device based on distributed strategy verification - Google Patents


Info

Publication number: CN101594386A (application number CNA2009100879874A; granted version CN101594386B)
Authority: CN (China)
Prior art keywords: virtual organization, policy, mapping policy, server, domain
Legal status: Granted; later Expired - Fee Related (status as listed by Google Patents, which is an assumption and not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN101594386B
Inventors: 李建欣, 怀进鹏, 胡春明, 沃天宇, 刘超
Current and original assignee: Beihang University (assignee list as given by Google Patents, not legally verified)
Legal events: application filed by Beihang University; priority to CN2009100879874A; publication of CN101594386A; application granted; publication of CN101594386B; expired - fee related

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a trusted virtual organization (VO) construction method and device based on distributed policy verification. The method comprises: establishing, through a virtual organization server, a mapping policy between an initial autonomous domain and a target autonomous domain and storing the mapping policy, the virtual organization server being contained in the initial autonomous domain or the target autonomous domain; customizing a virtual organization cooperation policy according to the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy; verifying in a distributed manner, according to the validity rules for virtual organization cooperation policies, whether the virtual organization cooperation policy is trustworthy, and if so, constructing a trusted virtual organization according to that policy. The technical scheme addresses the low construction efficiency and the security risks in the cooperation policy found in prior-art virtual organization construction methods, and achieves fast and secure construction of a trusted virtual organization.

Description

Reliable virtual organization construction method and device based on distributed strategy verification
Technical field
The present invention relates to virtual organization construction technology, and in particular to a trusted (in the title, "reliable") virtual organization construction method and device based on distributed policy verification; it belongs to the fields of distributed computing and information security.
Background art
With the rapid development of computer technology, virtualization, Software as a Service (SaaS) and Web interaction technologies provide effective support for building trustworthy networked software application systems on the Internet, continually giving users simpler and more transparent ways to obtain large-scale computing and storage services on demand. The "cloud" and "cloud computing" are a typical application model of this kind.
A "cloud" can be regarded as a computer cluster that may comprise hundreds of thousands or even millions of computers; its advantage is that the computers in it can be upgraded at any time. At present, clouds are essentially all operated by large enterprises; Amazon's Elastic Compute Cloud (EC2) and Simple Storage Service (S3) and Microsoft's cloud computing product Windows Azure are all built as such clouds.
The cloud is the platform of cloud computing: cloud computing can be regarded as computing based on the cloud and, further, on emerging technologies such as virtualization, SaaS and Web interaction. Cloud computing brings a new way of using resources and software applications: the user accesses the cloud conveniently over the network through a browser, and the cloud serves as the centre for data storage and application services. In a large enterprise that owns a cloud, users perform cloud computing on the enterprise's internal cloud: the computing and storage capacity users require is moved into the enterprise's local area network (the so-called cloud), and the computation a user performs is distributed over a large number of distributed computers rather than running on a local computer or a remote server. The operation of the enterprise data centre thereby becomes more like the Internet, and the enterprise can switch resources to the applications that need them, accessing computers and storage systems on demand.
With the continuous development of hardware technology, the emergence of virtual machines has made it convenient for enterprises to build clouds internally. Because a virtual machine has good isolation, monitorability and migratability, the security of a single computer or single system node in the cloud is assured; managing the cloud as a whole, however, requires security policy at the virtual-machine level. Virtual-machine-based security policy management can effectively build a cloud computing platform within a single domain (an enterprise, a university, and so on); products such as VMware's VirtualCenter, Microsoft's Hyper-V and Red Hat's oVirt do this. However, as users' demands on the capacity of a cloud computing platform become elastic, the autonomous domain provided by a single domain (which may comprise at least one cloud) may not satisfy a user's demand. Drawing on many years of research in this field, the inventors recognised that a method for constructing a VO (Virtual Organization) from several autonomous domains, so that resources are shared across those domains, remained to be found. For example, when the virtual resources in an enterprise's autonomous domain are insufficient, part of the virtual resources of Amazon's autonomous domain can be rented to form a VO; or a network strategy laboratory that needs to build a system deployed in many geographical locations may rent virtual resources from providers' autonomous domains in different locations to form its own VO. The prior art, however, has the following defects when constructing a VO:
1. Federation between autonomous domains: cross-domain resource sharing is involved, and virtual resources join and leave frequently, which challenges the efficiency of VO construction. VO management systems such as VOMS (Virtual Organization Management Service) and CAS (Central Authentication Service) require users to be pre-assigned to the VO; because the VO is built directly with the user as its basic unit, construction efficiency is low.
2. Security of the policy used to build the VO: because permissions are mapped mutually between autonomous domains, a mapping loop can easily let a lower-level user obtain the permissions of a higher-level user, breaking the security of the original autonomous domain policy.
3. Guaranteeing VO operating efficiency: since VO construction involves several processes, such as policy customization and security verification, the efficiency of authorizing the VO users who finally use the VO is crucial. Prior-art methods that construct a VO with a dynamic trust chain have no authorization protocol that bounds the trust level of VO users, so VO user authorization is relatively inefficient.
Summary of the invention
The purpose of the invention is to provide a trusted VO construction method and device based on distributed policy verification, addressing the technical problems of prior-art VO construction methods that VO construction efficiency is low, that the security of the initial autonomous domain is at risk, and that VO user authorization is inefficient, so as to construct a trusted VO quickly and securely.
To achieve the above purpose, the invention provides a trusted VO construction method based on distributed policy verification, comprising:
establishing, through a VO server, a mapping policy between an initial autonomous domain and a target autonomous domain and storing the mapping policy, the VO server being contained in the initial autonomous domain or the target autonomous domain;
customizing a VO cooperation policy according to the mapping policy, the initial autonomous domain policy, the VO server policy and the target autonomous domain policy;
verifying in a distributed manner, according to the validity rules for VO cooperation policies, whether the VO cooperation policy is trustworthy, and if so, constructing a trusted VO according to the VO cooperation policy.
Further, the invention provides a trusted VO construction device based on distributed policy verification, comprising:
a mapping policy module, which establishes, through a VO server, a mapping policy between an initial autonomous domain and a target autonomous domain and stores the mapping policy;
a customization module, connected to the mapping policy module, which customizes a VO cooperation policy according to the mapping policy, the initial autonomous domain policy, the VO server policy and the target autonomous domain policy;
a distributed verification module, connected to the customization module, which verifies in a distributed manner, according to the validity rules for VO cooperation policies, whether the VO cooperation policy is trustworthy;
a construction module, connected to the distributed verification module, which constructs a trusted VO according to the VO cooperation policy if the distributed verification finds that policy trustworthy.
As the above technical scheme shows, the trusted VO construction method and device based on distributed policy verification provide a VO construction approach in which the VO cooperation policy is verified in a distributed manner and, if it is trustworthy, the VO is constructed according to it. This addresses the low construction efficiency and the risk to the security of the initial autonomous domain in prior-art VO construction methods, and achieves fast and secure construction of a trusted VO.
Description of drawings
Fig. 1 is a flow chart of the trusted VO construction method based on distributed policy verification of the invention;
Fig. 2 is a structural schematic of autonomous domains forming a trusted VO according to the invention;
Fig. 3 is a structural schematic of the trusted VO construction device based on distributed policy verification of the invention;
Fig. 4 is a structural schematic of the mapping policy module in the trusted VO construction device based on distributed policy verification of the invention;
Fig. 5 is a structural schematic of a trusted VO of the invention;
Fig. 6 is a structural schematic of the server allocation of a trusted VO.
Embodiment
The technical scheme of the invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of the trusted VO construction method based on distributed policy verification of the invention. As shown in Fig. 1, the method comprises:
101: establishing, through a VO server, a mapping policy between an initial autonomous domain and a target autonomous domain and storing the mapping policy, the VO server being contained in the initial autonomous domain or the target autonomous domain;
Fig. 2 is a structural schematic of autonomous domains forming a VO according to the invention. The structure of trusted VO 4 comprises initial autonomous domain 1, target autonomous domain 2 and Virtual Organization Server (VOS) 3. VO server 3 can be chosen by negotiation between initial autonomous domain 1 and target autonomous domain 2, or initial autonomous domain 1 can on its own initiative designate one of its servers; in this embodiment VO server 3 is a server contained in initial autonomous domain 1.
In what follows, R' ≤ R denotes role hierarchy inheritance: a user who is a member of role R is automatically assigned all permissions of role R'. Initial autonomous domain 1 has roles R_A1 and R_A2 with R_A2 ≤ R_A1, expressed as the initial autonomous domain policy H_i, in which each role is associated with permissions; a user who belongs to R_A1 is automatically assigned all permissions of R_A2. Target autonomous domain 2 has roles R_B1 and R_B2 with R_B2 ≤ R_B1, expressed as the target autonomous domain policy H_k^o; likewise a user who belongs to R_B1 is automatically assigned all permissions of R_B2. VO server 3 has roles R_VO1 and R_VO2 with R_VO1 ≤ R_VO2, expressed as the VO server policy H_VO; a user who belongs to R_VO2 is automatically assigned all permissions of R_VO1.
Take the mapping policy between R_A1 and R_B1 as an example. It is a role-hierarchy-based mapping policy built in two levels. First a first-level mapping policy is established (the first-level mapping policies are collectively written m_VO): specifically, the first-level mapping policy m_1 from the assigned role R_A1 of initial autonomous domain 1 to the assigned role R_VO1 of VO server 3, which is stored in VO server 3. Then a second-level mapping policy m_i is established: specifically, from the assigned role R_VO1 of VO server 3 to the assigned role R_B1 of target autonomous domain 2, which is stored in initial autonomous domain 1. From the first-level mapping policy m_1 and the second-level mapping policy m_i, the role-hierarchy-based mapping policy from the assigned role R_A1 of initial autonomous domain 1 to the assigned role R_B1 of target autonomous domain 2 is established; it can be written as the mapping policy chain (m_1, m_i). In the same way as for R_A1 and R_B1, mapping policies are established between all roles of initial autonomous domain 1 and target autonomous domain 2, and role permissions are inherited accordingly;
102: customizing a VO cooperation policy according to the mapping policy, the initial autonomous domain policy, the VO server policy and the target autonomous domain policy;
The VO cooperation policy is customized from the first-level mapping policy m_1, the second-level mapping policy m_i, the initial autonomous domain policy H_i, the VO server policy H_VO and the target autonomous domain policy H_k^o;
103: verifying in a distributed manner, according to the validity rules for VO cooperation policies, whether the VO cooperation policy is trustworthy, and if so, constructing a trusted VO according to the VO cooperation policy;
The validity rules for the VO cooperation policy comprise a first rule and a second rule. Referring again to Fig. 2 and taking the mapping policy chain (m_1, m_i) as an example:
The first rule: in the mapping policies between initial autonomous domain 1 and target autonomous domain 2, the mapping policy chain (m_1, m_i) contains at least one assigned role of VO server 3 (here R_VO1), and contains an assigned role of initial autonomous domain 1 (R_A1) together with an assigned role of target autonomous domain 2 (R_B1);
The second rule: the assigned roles R_A1, R_B1 and R_VO1 are contained in the closure set formed by initial autonomous domain 1, VO server 3 and target autonomous domain 2, and there is no direct mapping policy from the assigned role R_A1 of initial autonomous domain 1 to the assigned role R_B1 of target autonomous domain 2;
The first and second rules prevent the situation, shown in Fig. 2, in which the original role hierarchy R_B2 ≤ R_B1 of target autonomous domain 2 turns into R_B1 ≤ R_B2 after several mappings. In practice this shows up at the target autonomous domain 2 side as a user of the lower-level role R_B2 who, through repeated role conversions between autonomous domain 2 and VO server 3, finally obtains in target autonomous domain 2 the permissions that only the higher-level role R_B1 should be able to access, which is a potential threat to the security of target autonomous domain 2. Specifically, suppose another first-level mapping policy m_3 maps R_B2 to R_VO2, that is, R_VO2 ≤ R_B2 (m_1 and m_3 together form m_VO). Combined with R_VO1 ≤ R_VO2 from the VO server policy and R_B1 ≤ R_VO1 from the mapping policy m_i, the mappings derive R_B1 ≤ R_B2: R_B2 has the permissions of R_VO2, R_VO2 has the permissions of R_VO1, R_VO1 has the permissions of R_B1, so R_B2 ends up with the permissions of R_B1. The reason is that the first-level mapping policy m_3 and m_i do not form a complete mapping policy chain, and therefore do not meet the requirement of the first rule that a mapping policy chain contain an assigned role of initial autonomous domain 1 and an assigned role of target autonomous domain 2. The normal role hierarchy in which R_B1 inherits R_B2 is disrupted, the role hierarchy of target autonomous domain 2 is confused, and its security is threatened;
According to the first and second rules, each mapping policy chain is verified as soon as it is established as a role-hierarchy-based mapping policy, rather than waiting until all mapping policy chains have been established and then verifying them; this is what verifying in a distributed manner whether the VO cooperation policy is trustworthy means. Once all mapping policy chains covering the role and permission relations have been established, the trusted VO is constructed.
The concrete method of verifying the VO cooperation policy in a distributed manner can be implemented by the following steps:
Step 11: from the VO server policy H_VO, obtain the VO server closure set H_VO^+ with the Warshall algorithm; in general there is only one VO server closure set;
Step 12: from the initial autonomous domain policy H_i, obtain the initial autonomous domain closure set H_i^+ with the Warshall algorithm; in general there is also only one initial autonomous domain closure set;
Step 13: from the target autonomous domain policy H_k^o, obtain the target autonomous domain closure set H_k^{o+} with the Warshall algorithm; because there are generally several target autonomous domains (k = 1, ..., n), there are correspondingly several target autonomous domain closure sets;
Step 14: from the initial autonomous domain closure set H_i^+, the target autonomous domain closure sets H_k^{o+}, the VO server closure set H_VO^+, the first-level mapping policies (collectively m_VO) and the second-level mapping policies m_i, generate the complete mapping policy set S;
Step 15: judge whether the complete mapping policy set S contains a mapping policy chain that violates the first rule and/or the second rule; if so, the VO cooperation policy is untrustworthy.
A mapping policy chain that violates the first rule is one that contains at least one assigned role of a VO server and contains an assigned role of the initial autonomous domain together with an assigned role of another initial autonomous domain; or one that contains at least one assigned role of a VO server and contains an assigned role of a target autonomous domain together with an assigned role of another initial autonomous domain. This situation is referred to as an implicit conflict policy;
A mapping policy chain that violates the second rule is one in which an assigned role of the initial autonomous domain is mapped directly to an assigned role of the target autonomous domain without passing through an assigned role of the VO server. This situation is referred to as an explicit conflict policy;
Judge whether the complete mapping policy set contains an implicit conflict policy and/or an explicit conflict policy; if so, the VO cooperation policy is untrustworthy.
In practice, following the above method, the subprogram that verifies in a distributed manner whether the VO cooperation policy is trustworthy can be programmed as follows:
Policy_Evaluation()
{
    H_VO+ = Warshall(H_VO);                 // closure set of the VO server policy, by the Warshall algorithm
    H_i+  = Warshall(H_i);                  // closure set of the initial autonomous domain policy
    for (int k = 1; k <= n; k++)
    {
        if (k != i) { H_k^o+ = Warshall(H_k^o); }      // closure sets of all target autonomous domains
        S = union over k = 1..n of ( H_k^o+ · m_VO · H_VO+ · m_i · H_i+ );
                                            // complete mapping policy set S from the closure sets H_i+, H_k^o+, H_VO+,
                                            // the first-level mapping policies m_VO and the second-level mapping policies m_i
        if ( <condition given only as an image in the original; it tests S against F_i> )
            { return false; }               // an explicit conflict policy exists; F_i is the set of role mappings
                                            // that must not be performed, customized according to the target autonomous domain
        if ( (r, r) ∈ S && r ∈ R_i )        // R_i: the roles of initial autonomous domain i
            { return false; }               // a mapping policy loop such as (m_3, m_2) in Fig. 2 exists: implicit conflict policy
    }
    return true;
}
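The following is an added, runnable illustration of steps 11 to 15 and of the Policy_Evaluation subprogram above; it is not the patent's code. It assumes that every policy (a domain hierarchy, the VO server hierarchy, a first-level or second-level mapping) can be written as a set of (grantor, granted) role pairs, computes the closure with Warshall's algorithm, and then formulates the two rules as this example's own checks: a mapping whose two ends are both autonomous-domain roles (second rule, explicit conflict) and a composed chain that winds back into one domain and derives a relation that domain's own closure does not contain (first rule, implicit conflict). The role names follow Fig. 2; the helper names, the pair representation and the forbidden-set treatment are assumptions of this example.

```python
"""Distributed verification of a VO cooperation policy (added example).

A pair (r, s) means "a member of role r receives every permission of role s",
i.e. s <= r in the notation of the description. Domain policies (H_i, H_k^o),
the VO server policy (H_VO) and mapping policies (m_VO, m_i) are all sets of
such pairs, so the transitive closure of their union is the set of all
permissions reachable through the cooperation policy.
"""


def warshall(relation):
    """Transitive closure of a binary relation given as a set of pairs
    (Warshall's algorithm). Returns a new set of pairs."""
    roles = {r for pair in relation for r in pair}
    closure = set(relation)
    for k in roles:
        for i in roles:
            if (i, k) in closure:
                for j in roles:
                    if (k, j) in closure:
                        closure.add((i, j))
    return closure


def verify_policy(domains, vo_policy, first_level, second_level):
    """Check a VO cooperation policy against the two validity rules.

    domains      : {name: set of (senior, junior) pairs}  (H_i and each H_k^o)
    vo_policy    : set of pairs over VO-server roles       (H_VO)
    first_level  : set of (domain_role, vo_role) mappings  (m_VO)
    second_level : set of (vo_role, domain_role) mappings  (m_i)
    Returns (trusted, findings); findings is empty when the policy is trusted."""
    findings = []
    home = {}                       # role -> autonomous domain that owns it
    for name, policy in domains.items():
        for r, s in policy:
            home[r] = name
            home[s] = name

    # Second rule (explicit conflict): every mapping must pass through a
    # VO-server role, so a pair whose two ends are both domain roles is a
    # direct source-domain -> target-domain mapping.
    for a, b in first_level | second_level:
        if a in home and b in home:
            findings.append("explicit conflict: direct mapping %s -> %s" % (a, b))

    # First rule (implicit conflict): compose everything and look for a chain
    # that winds back into one domain and derives a relation between two of
    # that domain's roles which the domain's own closure does not contain.
    everything = set().union(*domains.values(), vo_policy, first_level, second_level)
    reachable = warshall(everything)
    own_closure = {name: warshall(policy) for name, policy in domains.items()}
    for r, s in sorted(reachable):
        if r == s:
            findings.append("cycle: mapping loop returns to %s" % r)
        elif home.get(r) is not None and home.get(r) == home.get(s) \
                and (r, s) not in own_closure[home[r]]:
            findings.append("implicit conflict: %s now holds the permissions of %s in domain %s"
                            % (r, s, home[r]))
    return (not findings), findings


# Constructed inputs following Fig. 2: R_A1 inherits R_A2, R_B1 inherits R_B2,
# R_VO2 inherits R_VO1; m_1 maps R_A1 to R_VO1 and m_i maps R_VO1 to R_B1.
DOMAINS = {"A": {("R_A1", "R_A2")}, "B": {("R_B1", "R_B2")}}
H_VO = {("R_VO2", "R_VO1")}
M_1 = {("R_A1", "R_VO1")}
M_I = {("R_VO1", "R_B1")}
M_3 = {("R_B2", "R_VO2")}          # the extra first-level mapping discussed in the text


def chain_m1_mi():
    """The complete chain (m_1, m_i): trusted."""
    return verify_policy(DOMAINS, H_VO, M_1, M_I)


def chain_with_m3():
    """Adding m_3 closes the loop R_B2 -> R_VO2 -> R_VO1 -> R_B1 and hands the
    junior role R_B2 the permissions of R_B1: untrusted."""
    return verify_policy(DOMAINS, H_VO, M_1 | M_3, M_I)


def direct_mapping():
    """A mapping that skips the VO server altogether: explicit conflict."""
    return verify_policy(DOMAINS, H_VO, M_1, M_I | {("R_A2", "R_B2")})


if __name__ == "__main__":
    for case in (chain_m1_mi, chain_with_m3, direct_mapping):
        trusted, findings = case()
        print(case.__name__, "trusted" if trusted else "UNTRUSTED", findings)
```

Because verify_policy only needs the policies that touch one mapping chain, it can be run by the VO server each time a chain is established, which is the distributed verification the description calls for; the cycle check is the (r, r) ∈ S test of the subprogram, and the implicit-conflict check is what makes the m_3 loop of Fig. 2 visible as R_B2 gaining R_B1's permissions.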
The reliable virtual organization construction method that present embodiment provided based on distributed strategy verification, whether checking Virtual Organization coordination strategy is credible by distributing, if then according to described Virtual Organization coordination strategy, make up the technical scheme of Virtual Organization, make up efficient fail safe not high, initial autonomous territory at Virtual Organization in the prior art Virtual Organization construction method and have the technical problem of hidden danger, realized making up quickly and safely the purpose of reliable virtual organization.
Fig. 3 is the structural representation that the present invention is based on the reliable virtual organization construction device of distributed strategy verification.As shown in Figure 3, the reliable virtual organization construction device based on distributed strategy verification that present embodiment provided comprises: mapping policy module 301, customized module 302, distribution authentication module 303 and structure module 304.Wherein mapping policy module 301 is set up and is started from the mapping policy of controlling between territory and the autonomous territory of target, and store described mapping policy by Virtual Organization's server; Customized module 302 is connected in mapping policy module 301, according to the autonomous domain policy of described mapping policy, initial autonomous domain policy, Virtual Organization's server policy and target, customizing virtual organizing cooperating strategy; Distribution authentication module 303 is connected in customized module 302, and is effectively regular according to Virtual Organization's coordination strategy, and whether the described Virtual Organization of the checking coordination strategy that distributes is credible; Make up module 304 and be connected in distribution authentication module 303,,, make up reliable virtual organization then according to described Virtual Organization coordination strategy if the described Virtual Organization of the checking coordination strategy that distributes is credible.
Further, as Fig. 4 is to the present invention is based on shown in the structural representation of mapping policy module 301 in the reliable virtual organization construction device of distributed strategy verification, and mapping policy module 301 comprises one-level mapping policy unit 401, secondary mapping policy unit 402 and hierarchy mapping policy unit 403.Wherein, one-level mapping policy unit 401 is set up and is started from the one-level mapping policy of controlling the assigned role to Virtual Organization's server of assigned role in the territory, and is stored in described Virtual Organization server; The mapping policy secondary mapping policy of the assigned role to the autonomous territory of target of assigned role in the described Virtual Organization server is set up in secondary mapping policy unit 402, and is stored in initial autonomous territory; Hierarchy mapping policy unit 403 is connected to one-level mapping policy unit 401 and secondary mapping policy unit 402, and according to described one-level mapping policy and secondary mapping policy, set up assigned role in the described initial autonomous territory to the autonomous territory of described target assigned role based on role's hierarchy mapping strategy.
Here it should be noted that, the concrete grammar that present embodiment makes up reliable virtual organization based on the reliable virtual organization construction device of distributed strategy verification,, repeat no more here based on as described in the specific descriptions among the reliable virtual organization construction method embodiment of distributed strategy verification as above-mentioned.
The reliable virtual organization construction device that present embodiment provided based on distributed strategy verification, utilize the distribution authentication module to distribute and verify whether Virtual Organization's coordination strategy is credible, if, then according to described Virtual Organization coordination strategy, by making up the technical scheme of module construction reliable virtual organization, make up efficient fail safe not high, initial autonomous territory at Virtual Organization in the prior art Virtual Organization construction method and have the technical problem of hidden danger, realized making up quickly and safely the purpose of reliable virtual organization.
Fig. 5 is a reliable virtual organization structural representation of the present invention.As shown in Figure 5, Virtual Organization's structure mainly comprises management for Virtual Organizations device 501 and Virtual Organization's O﹠M device 502, wherein,
The virtual-organization management device 501 provides the administrator with an access point for operating the database, encapsulates the database-operation commands, and manages user permissions; it verifies administrator roles and user roles, implements the creation of the virtual organization and its policy configuration, user management, role management and rights management, and generates a separate database for each virtual organization according to the creation requirements of the different virtual organizations; it runs the service process so as to provide read operations on the virtual-organization database, and provides a query interface to the user when the user issues a query or fetch instruction.
The virtual-organization operation and maintenance (O&M) device 502 provides command-line tools such as attribute-certificate request and delegation-certificate creation, and generates the attribute certificates a resource requester needs according to the application's requirements; it is also used by the resource provider to verify the resource requester's attribute certificates and capability certificates and to perform authorization enforcement and decision.
Further, the management device 501 comprises a portal module 5011, a configuration service module 5012 and an operation service module 5013. The portal module 5011 provides the administrator with the access point for operating the database, encapsulates the database-operation commands, and manages user permissions; the configuration service module 5012, connected to the portal module 5011, verifies administrator roles and user roles, implements the creation of the virtual organization and its policy configuration, user management, role management and rights management, and generates a separate database for each virtual organization according to the creation requirements of the different virtual organizations; the operation service module 5013, connected to the configuration service module 5012, runs the service process so as to provide read operations on the virtual-organization database, and provides a query interface to the user when the user issues a query or fetch instruction.
Still further, the O&M device 502 comprises an initial autonomous domain 5021 and a target autonomous domain 5022. The initial autonomous domain 5021 is connected to the operation service module 5013 and provides command-line tools such as attribute-certificate request and delegation-certificate creation, generating the attribute certificates the resource requester needs according to the application's requirements; the target autonomous domain 5022 is an autonomous domain that has joined the virtual organization and is used by the resource provider to verify the resource requester's attribute certificates and capability certificates and to perform authorization enforcement and decision.
Given this virtual-organization structure, the virtual organization operates as follows:
On the side of the management device 501:
Step 51: the administrator or a user of the virtual organization logs in through the portal module 5011 and enters identity information comprising a user name, password and verification code, or logs in with an identity certificate;
Step 52: the configuration service module 5012 compares the hash of the identity information entered by the user with the user's record in the database, or verifies the user's identity certificate over the https protocol, generates the verification result and saves it in the interactive session;
Step 53: if the verification result is "passed", the configuration service module 5012 receives operation instructions from the portal module 5011 and carries out operations such as creating, deleting and configuring the databases of the different virtual organizations; the configuration operations of the configuration service module 5012 mainly comprise adding and removing users, creating and destroying user groups and roles, and assigning and operating the user-to-group/role mapping policies.
On the side of device 502 (the virtual-organization O&M device):
Step 54: the user, via the initial autonomous domain 5021, first performs mutual identity authentication with the operation service module 5013 over a GSS-API secure session, establishing the secure-session context, and configures the attribute-certificate acquisition parameter table, specifying the role types for which certificates are to be obtained, etc.;
Step 55: the operation service module 5013 reads the request instruction from the user's initial autonomous domain, queries the information in the specified virtual-organization database, and returns the attribute information the user requires, signed with the certificate of the operation service module 5013;
Step 56: the initial autonomous domain 5021 initiates a resource-access request to the target autonomous domain 5022, establishes a secure session with it, and carries the attribute certificate of the requested virtual organization;
Step 57: the target autonomous domain 5022 verifies the identity attribute information of the initial autonomous domain and makes the final authorization decision on the resource-access request according to its local security policy.
This embodiment provides a virtual-organization structure in which, for a virtual organization built on distributed policy verification, the management device and the O&M device it comprises together realize the operation of the whole virtual organization, with high security and operational efficiency.
After the virtual organization has been built, during its management life cycle from creation to task execution, the first-level mapping policies in the collaboration policy and the policies of the individual autonomous domains may change at any time, and autonomous domains may join or leave at any time; every such change requires re-evaluating whether the virtual-organization collaboration policy is still trustworthy. With reference to the server-allocation diagram of the trusted virtual organization shown in Fig. 6, this embodiment takes as its setting an autonomous domain 2, comprising autonomous domain server 602, joining a virtual organization 1 built on distributed policy verification, and describes how the virtual organization manages the autonomous domain policies and the virtual-organization server policy within the collaboration policy, specifically:
Step 61: autonomous domain server 602 of autonomous domain 2 sends a join request to virtual-organization server 601 of virtual organization 1, and sends the public part of the autonomous domain policy stored in autonomous domain server 602 to virtual-organization server 601;
Step 62: virtual organization 1 authenticates the newly joining autonomous domain 2 by means of this public information and, once verification such as access control succeeds, sends a collaboration-policy update and re-evaluation request to autonomous domain servers 603 to 605 of autonomous domains 3 to 5;
Step 63: each of autonomous domain servers 603 to 605 of autonomous domains 3 to 5 evaluates its autonomous domain policy and returns the evaluation result. If none of autonomous domains 3 to 5 reports a conflict, "correct" is returned. If there is a conflict and the conflict-handling policy is "collaboration first", the autonomous domain policy of the conflicting domain is revised until the evaluation succeeds. If the handling policy is "autonomous domain first", the conflict is reported to virtual-organization server 601, indicating which autonomous domain it concerns;
Step 64: after receiving the return messages of every autonomous domain, including autonomous domain servers 603 to 605, virtual-organization server 601 checks whether it has received an "autonomous domain first" conflict-resolution suggestion from some autonomous domain; if so, the virtual organization decides according to its pre-configuration whether to modify its autonomous domain policy, and if it modifies it, the procedure returns to step 2; if the collaboration policy is verified to be trustworthy, that is, the security evaluation results of all autonomous domains are successful, the domains, including autonomous domain 2, are notified that the join succeeded.
Within the virtual organization, other operating procedures, such as an autonomous domain leaving or updating its policy, are all similar to the above process and are not repeated here.
Further, this embodiment explains that after the virtual organization has been built, a user who uses the virtual organization must be authorized within it. This authorization can be divided into three processes: role assignment in the user's initial autonomous domain, virtual-organization role assignment at the virtual-organization server, and role assignment in the target autonomous domain, specifically:
Step 71: the user sends an external-role query request to the autonomous domain server of the initial autonomous domain in which the user resides; the autonomous domain server signs the set of all public roles associated with the user (the autonomous domain server's signature is what the virtual-organization server and the target autonomous domain use to verify the validity of each mapping policy chain), forms a credential and sends it to the user;
Step 72: the user sends a virtual-organization role assignment request to the virtual-organization server; the virtual-organization server, by querying the collaboration policy, signs the set of roles the user holds in the virtual organization, generates a credential and sends it to the user;
Step 73: for a user of the virtual organization, the initial autonomous domain forwards the user's virtual-organization roles to its internal autonomous domain server, which checks the validity of the mapping policy chain and assigns the user a role in the target autonomous domain, then forwards the result to the autonomous domain server of the target autonomous domain, which authorizes the user; if the authorization result is "permit", the target autonomous domain grants the user's resource request; if the result is "deny" or "indeterminate", the target autonomous domain refuses the user's resource request.
In this embodiment, the joint authorization protocol by which a user of the virtual organization joins the virtual organization bounds the trust level of the virtual organization's users and improves the efficiency of authorizing VO users to join the virtual organization.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it; although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to the technical solution of the invention, and that such modifications or equivalent substitutions do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the invention.

Claims (9)

1. A method for constructing a trusted virtual organization based on distributed policy verification, characterized in that it comprises:
establishing, by a virtual-organization server, a mapping policy between an initial autonomous domain and a target autonomous domain, and storing the mapping policy, the virtual-organization server being included in the initial autonomous domain or the target autonomous domain;
customizing a virtual-organization collaboration policy according to the mapping policy, the initial autonomous domain policy, the virtual-organization server policy and the target autonomous domain policy;
verifying in a distributed manner, according to the validity rules of the virtual-organization collaboration policy, whether the collaboration policy is trustworthy, and if so, constructing the trusted virtual organization according to the collaboration policy.
2. The method for constructing a trusted virtual organization based on distributed policy verification according to claim 1, characterized in that establishing, by the virtual-organization server, the mapping policy between the initial autonomous domain and the target autonomous domain and storing the mapping policy comprises:
the mapping policy is a role-hierarchy-based mapping policy comprising a first-level mapping policy and a second-level mapping policy;
establishing the first-level mapping policy from an assigned role of the initial autonomous domain to an assigned role of the virtual-organization server, and storing it at the virtual-organization server;
establishing the second-level mapping policy from an assigned role of the virtual-organization server to an assigned role of the target autonomous domain, and storing it at the initial autonomous domain;
establishing, according to the first-level mapping policy and the second-level mapping policy, the role-hierarchy-based mapping policy from the assigned role of the initial autonomous domain to the assigned role of the target autonomous domain.
3. The method for constructing a trusted virtual organization based on distributed policy verification according to claim 2, characterized in that customizing the virtual-organization collaboration policy according to the mapping policy, the initial autonomous domain policy, the virtual-organization server policy and the target autonomous domain policy comprises:
the initial autonomous domain policy comprises the role-hierarchy inheritance relation of the initial autonomous domain;
the virtual-organization server policy comprises the role-hierarchy inheritance relation of the virtual-organization server;
the target autonomous domain policy comprises the role-hierarchy inheritance relation of the target autonomous domain;
customizing the virtual-organization collaboration policy according to the first-level mapping policy, the second-level mapping policy, and the role-hierarchy inheritance relations of the initial autonomous domain, the virtual-organization server and the target autonomous domain.
4. The method for constructing a trusted virtual organization based on distributed policy verification according to claim 2, characterized in that verifying in a distributed manner, according to the validity rules of the virtual-organization collaboration policy, whether the collaboration policy is trustworthy comprises:
the validity rules of the virtual-organization collaboration policy comprise a first rule and a second rule;
the first rule is that, in the mapping policy between the initial autonomous domain and the target autonomous domain, a mapping policy chain comprises at least one assigned role of the virtual-organization server, and comprises an assigned role of the initial autonomous domain and an assigned role of the target autonomous domain;
the second rule is that the assigned roles are contained in the closure set formed by the initial autonomous domain, the virtual-organization server and the target autonomous domain, and that there is no direct mapping policy from an assigned role of the initial autonomous domain to an assigned role of the target autonomous domain;
verifying in a distributed manner, according to the first rule and the second rule, whether the virtual-organization collaboration policy is trustworthy.
5. The method for constructing a trusted virtual organization based on distributed policy verification according to claim 2, characterized in that verifying the virtual-organization collaboration policy in a distributed manner comprises:
obtaining the closure set of the virtual-organization server from the virtual-organization server policy using the Warshall algorithm;
obtaining the closure set of the initial autonomous domain from the initial autonomous domain policy using the Warshall algorithm;
obtaining the closure set of the target autonomous domain from the target autonomous domain policy using the Warshall algorithm;
generating the complete set of mapping policies from the closure set of the initial autonomous domain, the closure set of the target autonomous domain, the closure set of the virtual-organization server, the first-level mapping policy and the second-level mapping policy;
judging whether the complete set of mapping policies contains a mapping policy chain that violates the first rule and/or the second rule, and if so, the virtual-organization collaboration policy is untrustworthy.
6. The method for constructing a trusted virtual organization based on distributed policy verification according to claim 4, characterized in that a mapping policy chain violating the first rule comprises:
at least one assigned role of the virtual-organization server, together with an assigned role of the initial autonomous domain and an assigned role of another initial autonomous domain;
or, at least one assigned role of the virtual-organization server, together with an assigned role of the target autonomous domain and an assigned role of another initial autonomous domain.
7. The method for constructing a trusted virtual organization based on distributed policy verification according to claim 4, characterized in that a mapping policy chain violating the second rule comprises:
an assigned role of the initial autonomous domain mapped directly to an assigned role of the target autonomous domain without passing through an assigned role of the virtual-organization server.
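The closure computation and rule checks of claims 4 to 7, as an added Python example that is not code from the patent: `warshall_closure` builds each domain's role-hierarchy closure set, `mapping_complete_set` expands the first- and second-level mapping policies through those closures, and `verify_collaboration_policy` flags chains that break the first rule (a chain through a virtual-organization server role must start in an initial domain and end in a target domain) or the second rule (no direct initial-to-target mapping, every mapped role inside the closure set). The domain and role names, the `Domain.Name` role encoding and the violation messages are constructed here, not taken from the patent.

```python
# Added example, not code from the patent: distributed verification of a VO collaboration
# policy after claims 4-7. Domain/role names and the 'Domain.Name' encoding are constructed.

def dom(role):
    """Roles are written 'Domain.Name'; return the domain part."""
    return role.split(".", 1)[0]

def warshall_closure(roles, inherits):
    """Reflexive-transitive closure of one domain's role hierarchy (claim 5):
    (x, y) is in the result iff role x inherits role y (including x == y)."""
    roles = list(roles)
    idx = {r: i for i, r in enumerate(roles)}
    n = len(roles)
    reach = [[i == j for j in range(n)] for i in range(n)]
    for senior, junior in inherits:
        reach[idx[senior]][idx[junior]] = True
    for k in range(n):                      # Warshall's O(n^3) sweep
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = True
    return {(roles[i], roles[j]) for i in range(n) for j in range(n) if reach[i][j]}

def mapping_complete_set(hierarchies, mappings):
    """Expand every cross-domain mapping a -> b through both closures: each role
    that inherits a is mapped to each role that b inherits (claim 5, step 4)."""
    closures = {d: warshall_closure(*h) for d, h in hierarchies.items()}
    expanded = set()
    for a, b in mappings:
        seniors = [x for x, y in closures.get(dom(a), ()) if y == a]
        juniors = [y for x, y in closures.get(dom(b), ()) if x == b]
        expanded.update((x, y) for x in seniors for y in juniors)
    return expanded

def mapping_chains(edges):
    """Maximal chains r0 -> r1 -> ... over the expanded mapping set; a chain ends
    at a role with no outgoing mapping, and cycles are cut."""
    out = {}
    for a, b in edges:
        out.setdefault(a, []).append(b)
    chains = []

    def walk(path):
        nxt = [r for r in out.get(path[-1], []) if r not in path]
        if not nxt:
            chains.append(tuple(path))
        for r in nxt:
            walk(path + [r])

    for start in sorted(set(out) - {b for _, b in edges}):
        walk([start])
    return chains

def verify_collaboration_policy(kinds, hierarchies, mappings):
    """Return the rule violations; an empty list means the policy is trusted.
    `kinds` maps each domain to 'initial', 'vo' or 'target'."""
    violations = []
    defined = {r for roles, _ in hierarchies.values() for r in roles}
    for a, b in mappings:
        for r in (a, b):
            if r not in defined:            # second rule: roles must lie in the closure set
                violations.append(f"rule 2: undefined role {r}")
        if kinds.get(dom(a)) == "initial" and kinds.get(dom(b)) == "target":
            violations.append(f"rule 2: direct mapping {a} -> {b} bypasses the VO server")
    for chain in mapping_chains(mapping_complete_set(hierarchies, mappings)):
        ks = [kinds.get(dom(r)) for r in chain]
        if "vo" in ks and (ks[0] == "target" or ks[-1] == "initial"):
            violations.append("rule 1: chain " + " -> ".join(chain)
                              + " is not initial domain -> VO server -> target domain")
    return violations

# Constructed sample policy: initial domain DomA -> VO server -> target domain DomB.
KINDS = {"DomA": "initial", "VO": "vo", "DomB": "target", "DomC": "initial"}
HIERARCHIES = {
    "DomA": (["DomA.Dean", "DomA.Professor", "DomA.Researcher"],
             [("DomA.Dean", "DomA.Professor"), ("DomA.Professor", "DomA.Researcher")]),
    "VO": (["VO.Admin", "VO.Member"], [("VO.Admin", "VO.Member")]),
    "DomB": (["DomB.ClusterAdmin", "DomB.ClusterUser"],
             [("DomB.ClusterAdmin", "DomB.ClusterUser")]),
    "DomC": (["DomC.Guest"], []),           # a second initial domain, for a rule 1 breach
}
FIRST_LEVEL = [("DomA.Professor", "VO.Member")]     # stored at the VO server
SECOND_LEVEL = [("VO.Member", "DomB.ClusterUser")]   # stored at the initial domain
```

Adding the direct mapping `("DomA.Professor", "DomB.ClusterUser")` produces one rule 2 violation, and adding `("VO.Member", "DomC.Guest")` produces rule 1 violations because the chains then end in a second initial domain.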
8. A device for constructing a trusted virtual organization based on distributed policy verification, characterized in that it comprises:
a mapping policy module, for establishing, by a virtual-organization server, a mapping policy between an initial autonomous domain and a target autonomous domain, and storing the mapping policy;
a customization module, connected to the mapping policy module, for customizing a virtual-organization collaboration policy according to the mapping policy, the initial autonomous domain policy, the virtual-organization server policy and the target autonomous domain policy;
a distributed verification module, connected to the customization module, for verifying in a distributed manner, according to the validity rules of the virtual-organization collaboration policy, whether the collaboration policy is trustworthy;
a construction module, connected to the distributed verification module, for constructing the trusted virtual organization according to the virtual-organization collaboration policy if the distributed verification finds the collaboration policy trustworthy.
9. The device for constructing a trusted virtual organization based on distributed policy verification according to claim 8, characterized in that the mapping policy module comprises:
a first-level mapping policy unit, for establishing the first-level mapping policy from an assigned role of the initial autonomous domain to an assigned role of the virtual-organization server, and storing it at the virtual-organization server;
a second-level mapping policy unit, for establishing the second-level mapping policy from an assigned role of the virtual-organization server to an assigned role of the target autonomous domain, and storing it at the initial autonomous domain;
a hierarchy mapping policy unit, connected to the first-level mapping policy unit and the second-level mapping policy unit, for establishing, according to the first-level mapping policy and the second-level mapping policy, the role-hierarchy-based mapping policy from the assigned role of the initial autonomous domain to the assigned role of the target autonomous domain.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100879874A CN101594386B (en) 2009-06-29 2009-06-29 Method and device for constructing reliable virtual organization based on distributed strategy verification


Publications (2)

Publication Number Publication Date
CN101594386A true CN101594386A (en) 2009-12-02
CN101594386B CN101594386B (en) 2012-07-04

Family

ID=41408823


Country Status (1)

Country Link
CN (1) CN101594386B (en)




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120704

Termination date: 20170629