CN102035849A - Method, equipment and system for realizing resource management in cloud computing - Google Patents

Info

Publication number: CN102035849A
Authority: CN (China)
Prior art keywords: digital certificate, resource, role, certificate, virtual machine
Legal status: Granted; active
Application number: CN201010604779XA
Other languages: Chinese (zh)
Other versions: CN102035849B (en)
Inventor: 祁小波
Current assignee: Huawei Cloud Computing Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN 201010604779 (patent CN102035849B)
Publication of CN102035849A
Priority to PCT/CN2011/075341 (WO2011147361A1)
Application granted; publication of CN102035849B

Classifications

    • H  Electricity
    • H04  Electric communication technique
    • H04L  Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823  Network architectures or network communication protocols for network security for authentication of entities using certificates

Abstract

The invention provides a method, device and system for implementing resource management in cloud computing. The method comprises the following steps: receiving a first message sent by a user equipment for operating on a resource, the first message carrying a digital certificate and a requested operation; obtaining the operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a pre-recorded correspondence between roles and operations; and, if the requested operation belongs to the operation list, allowing the requested operation. The embodiments of the invention make it possible to manage resources by separated authority and separated domain.

Description

Method, device and system for implementing resource management in cloud computing
Technical field
The present invention relates to network communication technology, and in particular to a method, device and system for implementing resource management in cloud computing.
Background technology
A cloud computing system comprises a "cloud" with powerful computing capability and user terminals. The core idea of cloud computing is to keep raising the processing capability of the "cloud" so as to reduce the processing burden on the user terminal, until the user terminal is reduced to a simple input/output device that can enjoy the powerful computing capability of the "cloud" on demand.
In existing cloud computing systems, the cloud network can allocate a security authentication certificate to the user, and the user accesses the cloud network with this certificate. However, the existing certificate only authenticates the user; it cannot implement authority- and domain-based management.
Summary of the invention
The embodiments of the invention provide a method, device and system for implementing resource management in cloud computing, so as to manage resources in cloud computing by separated authority and separated domain.
An embodiment of the invention provides a method for implementing resource management in cloud computing, comprising:
receiving a first message sent by a user equipment for operating on a resource, the first message carrying a digital certificate and a requested operation;
obtaining the operation list corresponding to the digital certificate according to the pre-recorded correspondence between digital certificates and roles and the pre-recorded correspondence between roles and operations;
if the requested operation belongs to the operation list, allowing the requested operation.
An embodiment of the invention provides a device for implementing resource management in cloud computing, comprising:
a receiving module, configured to receive a first message sent by a user equipment for operating on a resource, the first message carrying a digital certificate and a requested operation;
an acquisition module, configured to obtain the operation list corresponding to the digital certificate according to the pre-recorded correspondence between digital certificates and roles and the pre-recorded correspondence between roles and operations;
an execution module, configured to allow the requested operation if it belongs to the operation list.
An embodiment of the invention provides a system for implementing resource management in cloud computing, comprising:
a UPF, configured to receive a second message sent by a user equipment for registration, the second message carrying the requested role; to allocate a digital certificate to the user equipment according to the pre-configured correspondence between roles and digital certificates and record the correspondence between the digital certificate and the role; and to send the allocated digital certificate to the user equipment so that the user equipment requests operations with it;
a cloud management device, configured to receive a first message sent by a user equipment for operating on a resource, the first message carrying a digital certificate and a requested operation; to obtain the operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and, if the requested operation belongs to the operation list, to allow the requested operation.
As can be seen from the above technical solution, the embodiments of the invention use a digital certificate to access cloud resources; different digital certificates correspond to different roles, and different roles correspond to different operations, so users with different authorities or in different domains can perform different operations with their digital certificates, thereby implementing authority- and domain-based management of users.
Description of drawings
To describe the technical solutions in the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below show some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the method of the first embodiment of the invention;
Fig. 2 is a schematic diagram of the system structure corresponding to the second embodiment of the invention;
Fig. 3 is a schematic flowchart of the method corresponding to the second embodiment of the invention;
Fig. 4 is a schematic diagram of the certificate system in an embodiment of the invention;
Fig. 5 is a schematic flowchart of the method of the third embodiment of the invention;
Fig. 6 is a schematic flowchart of the method of the fourth embodiment of the invention;
Fig. 7 is a schematic flowchart of the method of the fifth embodiment of the invention;
Fig. 8 is a schematic diagram of an application scenario in an embodiment of the invention;
Fig. 9 is a schematic diagram before and after resource sharing in an embodiment of the invention;
Fig. 10 is a schematic diagram of the device structure of the sixth embodiment of the invention;
Fig. 11 is a schematic diagram of the system structure of the seventh embodiment of the invention.
Embodiments
To make the objectives, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on these embodiments without creative effort fall within the protection scope of the invention.
Fig. 1 is a schematic flowchart of the method of the first embodiment of the invention, which comprises:
Step 11: the system implementing resource management in cloud computing receives a first message sent by a user equipment for operating on a resource, the first message carrying a digital certificate and a requested operation;
Step 12: the system implementing resource management in cloud computing obtains the operation list corresponding to the digital certificate according to the pre-recorded correspondence between digital certificates and roles and the pre-recorded correspondence between roles and operations;
Step 13: if the requested operation belongs to the operation list, the requested operation is allowed.
This embodiment uses a digital certificate to access cloud resources; different digital certificates correspond to different roles, and different roles correspond to different operations, so users with different authorities or in different domains can perform different operations with their digital certificates, thereby implementing authority- and domain-based management of users.
Fig. 2 is a schematic diagram of the system structure corresponding to the second embodiment of the invention. It comprises a user equipment (USER) 21, a Provisioning Orchestration Engine (POE) 22, a User Profile Function (UPF) entity 23, a virtual machine desktop (VDESKTOP) 24 and a cloud asset management device 25. The user equipment 21 may correspond to an enterprise, a family or an individual; for example, a terminal device used by an enterprise serves as one user equipment. The POE 22 is the entry point for opening a user account: when registering, the user equipment can send a registration message to the UPF through the POE, and the registration is completed at the UPF. The UPF 23 allocates digital certificates and resources to users who apply for registration and stores the correspondence between them. The virtual machine desktop 24 is the user's access interface; through it the user equipment requests a specified operation on an allocated resource from the cloud asset management device. The cloud asset management device 25 receives the message for operating on a resource that the user equipment sends through the virtual machine desktop, then authenticates against the UPF according to the information carried in the message and, if authentication passes, allows the user equipment to perform the corresponding operation.
The specific interaction between the devices above is described in the following method embodiments.
Fig. 3 is a schematic flowchart of the method corresponding to the second embodiment of the invention, which comprises:
Step 31: the user equipment sends a second message for registration to the POE, the second message carrying the requested role.
In this embodiment, to implement authority- and domain-based management, different roles can be allocated to different digital certificates; different roles have different authorities, and different authorities can perform different operations. For example, the roles can comprise admin, operation and guest, where admin can perform all operations, operation can view and modify, and guest can only view. A user with the digital certificate corresponding to admin can then create, delete, modify and view; a user with the digital certificate corresponding to operation can modify and view; and a user with the digital certificate corresponding to guest can only view.
Step 32: the POE forwards the second message to the UPF.
Step 33: after receiving the second message, the UPF allocates a digital certificate to the user equipment and records the correspondence between the user equipment, the digital certificate and the role.
The UPF can allocate different digital certificates to different roles at random, but must ensure that different roles correspond to different digital certificates.
For example, Fig. 4 is a schematic diagram of the certificate system in an embodiment of the invention. Referring to Fig. 4, the UPF can store a certificate system comprising an operation list (PriInfo), a role list (RoleInfo) and a user list (UserInfo). The operation list contains n operations (Pri), the role list contains n roles (Role) and the user list contains n users (User). It is understood that the numbers of operations, roles and users can differ.
The composition of each operation is shown in Table 1, the composition of each role in Table 2 and the composition of each user in Table 3.
Table 1
Data          Description
PRIVDESC      Privilege description
PRIVID        Privilege ID
PRIVNAME      Operation name
SERVICETYPE   System service type
Table 2
Data          Description
ROLEDESC      Role description
ROLEID        Role ID
ROLENAME      Role name
PRIVID        Privilege ID
Table 3
Data          Description
CERTCONTENT   Certificate content
CERTID        Certificate ID
CREATEDTIME   Creation time
STATUS        Certificate status
ROLEID        Role ID
RESOWNER      Resource owner
Of the three lists, the operation list and the role list can be pre-configured, while the user list is continually updated as user equipments apply for digital certificates. For example, when User~1 requests role~1, the UPF can allocate it a random digital certificate (different from the digital certificates of the other roles) and record the ID of that digital certificate in the certificate ID field of Table 3. That is, assuming the digital certificate corresponding to role~1 is certificate~1, the row of Table 3 for User~1 has resource owner User~1, certificate ID certificate~1 and role ID role~1. The creation time is the time at which the digital certificate was created; the certificate content is the public/private key pair with which the user authenticates, and can be generated from preset conditions (comprising user name, timestamp and so on) when the certificate is generated; the certificate status can be active or inactive, and when the certificate expires its status is set to inactive.
It is also understood that one user equipment can request multiple roles and accordingly obtain multiple digital certificates, which can then be distributed to the different users of that user equipment. For example, an enterprise can apply for digital certificates of different roles such as admin, operation and guest, and then distribute the digital certificates of the different roles to different personnel.
Step 34: the UPF returns the allocated digital certificate to the user equipment through the POE.
Account opening is now complete, and the user equipment can request the operations it needs with the allocated digital certificate.
Step 35: the user equipment requests an operation with the allocated digital certificate.
This embodiment allocates digital certificates to users; different digital certificates have different roles and can perform different operations, so authority- and domain-based management can be implemented.
Taking the creation of a virtual machine instance as the operation, the specific flow is shown in Fig. 5.
Fig. 5 is a schematic flowchart of the method of the third embodiment of the invention, in which the user equipment requests the creation of a virtual machine instance. Referring to Fig. 5, this embodiment comprises:
Step 51: the user equipment obtains a digital certificate. See steps 31-34 for details.
Step 52: the user equipment sends, through the virtual machine desktop, a first message for operating on a resource to the cloud asset management device, the first message carrying the digital certificate and the requested operation.
Step 53: the cloud asset management device authenticates the first message.
For example, if the first message was encrypted when sent, the cloud asset management device must decrypt it. The cloud asset management device can also obtain the user profile from the UPF and check whether the digital certificate belongs to this user equipment, to verify the user's validity. The encryption and decryption algorithms and the user validity check can be implemented with usual methods.
In particular, after the above verification this embodiment also performs authority verification, as follows:
Step 54: the cloud asset management device obtains the operation list corresponding to the digital certificate from the UPF.
Specifically, it first obtains the role ID corresponding to the digital certificate from Table 3, then the privilege IDs corresponding to the role ID from Table 2, and then the operation names corresponding to the privilege IDs from Table 1. All operation names corresponding to the digital certificate together form its operation list. For example, if the role corresponding to the digital certificate is admin, the corresponding operation list comprises create, delete, modify and view; if the role is operation, the corresponding operation list comprises modify and view; if the role is guest, the corresponding operation list comprises only view.
Step 55: if the requested operation belongs to the operation list, the requested operation is allowed, for example creating a virtual machine.
For example, assuming the digital certificate used by the user in this embodiment can perform the create operation and the requested operation is creating a virtual machine, the cloud asset management device creates the virtual machine.
To further implement data sharing, this embodiment can also comprise:
Step 56: the cloud asset management device records the correspondence between the digital certificate and the virtual machine.
In some scenarios mutual authorization between digital certificates may be needed, for example allocating the resources under certificate~1 to certificate~2 for use, to implement resource sharing.
This embodiment accesses the cloud asset management device with digital certificates; different digital certificates have different roles and can perform different operations, so authority- and domain-based management can be implemented.
Fig. 6 is a schematic flowchart of the method of the fourth embodiment of the invention, which takes as an example allocating the virtual machine under one digital certificate to another digital certificate for use. Referring to Fig. 6, this embodiment comprises:
Step 61: the user equipment obtains a digital certificate.
See step 51 for details.
Step 62: the user equipment sends, through the virtual machine desktop, a first message for operating on a resource to the cloud asset management device, the first message carrying the digital certificate and the requested operation.
In this embodiment, assume the digital certificate obtained by the user equipment is certificate~1 and the requested operation is allocating the virtual machine corresponding to certificate~1 to certificate~2 for use.
Step 63: the cloud asset management device authenticates the first message.
Step 64: the cloud asset management device obtains the operation list corresponding to the digital certificate from the UPF.
See steps 53-54 for the details of steps 63-64.
Step 65: if the requested operation belongs to the operation list, the requested operation is allowed, for example allocating the virtual machine. When allocating the virtual machine, the cloud asset management device can add a correspondence between the resource and the certificate ID.
For example, if the operations corresponding to certificate~1 comprise allocating resources, the cloud asset management device in this embodiment can allocate the virtual machine corresponding to certificate~1 to certificate~2.
Step 66: the cloud asset management device updates the correspondence between digital certificates and virtual machines.
For example, virtual machine~1 originally corresponded to certificate~1; after the above processing, the certificates corresponding to virtual machine~1 comprise certificate~1 and certificate~2.
Through the flow of Fig. 6, certificate~2 obtains operating authority over the resources under certificate~1; for example, certificate~2 can also be used to operate on virtual machine~1, as described in the next embodiment.
This embodiment accesses the cloud asset management device with digital certificates; different digital certificates have different roles and can perform different operations, so authority- and domain-based management can be implemented. In addition, by allocating the resources under one digital certificate to another digital certificate for use, this embodiment implements resource sharing.
Fig. 7 is a schematic flowchart of the method of the fifth embodiment of the invention, which takes as an example an authorized digital certificate operating on the resources of a digital certificate with authorization privilege. Referring to Fig. 7, this embodiment comprises:
Step 71: the user equipment obtains a digital certificate.
Step 72: the user equipment sends, through the virtual machine desktop, a first message for operating on a resource to the cloud asset management device, the first message carrying the digital certificate and the requested operation.
Step 73: the cloud asset management device authenticates the first message.
Step 74: the cloud asset management device obtains the operation list corresponding to the digital certificate from the UPF.
Step 75: if the requested operation belongs to the operation list, the requested operation is allowed, for example restarting the virtual machine.
The details of steps 71-75 are similar to steps 61-65. The difference is that the digital certificate used in the embodiment of Fig. 6 is the one with authorization privilege (such as certificate~1), whereas the digital certificate used in this embodiment is the authorized one (such as certificate~2).
In addition, the flow of Fig. 6 updated the correspondence between resources and digital certificates in the cloud asset management device, so certificate~2 can also be used to perform on virtual machine~1 the operations for which certificate~2 itself has authority. For example, if certificate~2 has the authority to restart virtual machines and the requested operation is restarting the virtual machine, then in this embodiment certificate~2 can be used to restart virtual machine~1.
This embodiment implements resource sharing by using an authorized digital certificate to access the resources under a digital certificate with authorization privilege.
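The certificate system of Fig. 4, the step 54 lookup through Tables 1-3, the step 55 check, the Fig. 6 sharing and the Fig. 7 access by the authorized certificate, modelled in Python as an added example that is not part of the patent. The role names and the admin/operation/guest operation sets follow the page; the privilege IDs, the extra "allocate" and "restart" privileges, the random certificate IDs, the class and function names and the sample users are assumptions.

```python
import secrets
from datetime import datetime, timezone

# Table 1 (PriInfo), PRIVID -> PRIVNAME. The IDs and the "allocate"/"restart" entries are assumed.
PRI_INFO = {1: "create", 2: "delete", 3: "modify", 4: "view", 5: "allocate", 6: "restart"}

# Table 2 (RoleInfo), ROLEID -> PRIVIDs. admin/operation/guest follow the page; giving admin
# "allocate" and operation "restart" is an assumption so that the Fig. 6/7 flows can run.
ROLE_INFO = {"admin": [1, 2, 3, 4, 5, 6], "operation": [3, 4, 6], "guest": [4]}


class UPF:
    """User Profile Function: issues certificates and keeps Table 3 (UserInfo)."""
    def __init__(self):
        self.user_info = {}  # CERTID -> Table 3 row

    def issue_certificate(self, owner, role_id):
        """Steps 33-34: a random certificate per request; retrying on collision
        keeps the page's rule that different roles never share a certificate."""
        if role_id not in ROLE_INFO:
            raise ValueError(f"unknown role {role_id!r}")
        cert_id = "cert-" + secrets.token_hex(8)
        while cert_id in self.user_info:
            cert_id = "cert-" + secrets.token_hex(8)
        self.user_info[cert_id] = {
            "CERTID": cert_id,
            "CERTCONTENT": f"<key pair for {owner}>",  # placeholder, no real key material
            "CREATEDTIME": datetime.now(timezone.utc).isoformat(),
            "STATUS": "active", "ROLEID": role_id, "RESOWNER": owner,
        }
        return cert_id

    def revoke(self, cert_id):
        """An expired certificate is set to inactive (Table 3 STATUS)."""
        if cert_id in self.user_info:
            self.user_info[cert_id]["STATUS"] = "inactive"

    def operation_list(self, cert_id):
        """Step 54: certificate -> ROLEID (Table 3) -> PRIVIDs (Table 2) ->
        operation names (Table 1). Unknown or inactive certificates get none."""
        row = self.user_info.get(cert_id)
        if row is None or row["STATUS"] != "active":
            return frozenset()
        return frozenset(PRI_INFO[p] for p in ROLE_INFO[row["ROLEID"]])


class CloudAssetManager:
    """Cloud asset management device: authorizes requests, tracks VM <-> certificates."""
    def __init__(self, upf):
        self.upf = upf
        self.vm_certs = {}  # VM name -> set of certificates allowed to operate on it
        self._next_vm = 1

    def request(self, cert_id, operation, resource=None):
        """Steps 54-55 / 74-75: allow only an operation in the certificate's list; an
        existing VM must also be associated with the certificate, as owner or through
        Fig. 6 sharing. Decryption and the step 53 identity check are outside this model."""
        if operation not in self.upf.operation_list(cert_id):
            return False
        if operation == "create":
            vm = f"VM-{self._next_vm}"
            self._next_vm += 1
            self.vm_certs[vm] = {cert_id}  # step 56: record certificate <-> VM
            return vm
        return cert_id in self.vm_certs.get(resource, ())

    def allocate(self, owner_cert, resource, target_cert):
        """Steps 65-66: share a VM under owner_cert with target_cert, which then
        has only its own role's operations on the shared VM (Fig. 7)."""
        if "allocate" not in self.upf.operation_list(owner_cert):
            return False
        if owner_cert not in self.vm_certs.get(resource, ()):
            return False
        if not self.upf.operation_list(target_cert):
            return False  # never share with an unknown or inactive certificate
        self.vm_certs[resource].add(target_cert)  # VM-1 -> {cert-1, cert-2}
        return True


def scenario():
    """Runs the Fig. 5, 6 and 7 flows end to end and returns each decision."""
    upf = UPF()
    cam = CloudAssetManager(upf)
    cert1 = upf.issue_certificate("USER-1", "admin")      # certificate~1 of the page
    cert2 = upf.issue_certificate("USER-2", "operation")  # certificate~2
    cert3 = upf.issue_certificate("USER-3", "guest")
    vm1 = cam.request(cert1, "create")  # Fig. 5: admin creates VM-1
    out = {
        "created": vm1,
        "restart_before_share": cam.request(cert2, "restart", vm1),
        "guest_cannot_share": cam.allocate(cert3, vm1, cert2),
        "shared": cam.allocate(cert1, vm1, cert2),                  # Fig. 6
        "restart_after_share": cam.request(cert2, "restart", vm1),  # Fig. 7
        "delete_after_share": cam.request(cert2, "delete", vm1),    # outside cert2's role
    }
    upf.revoke(cert1)
    out["owner_after_revoke"] = cam.request(cert1, "view", vm1)
    return out
```

The delete_after_share decision is the point of Fig. 7: sharing widens which resources certificate~2 may touch, not which operations its role grants.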
The above method of the embodiments of the invention can be applied to the following scenarios:
Enterprise-level application: when the system is applied in an enterprise, the enterprise manager corresponds to the USER; employees at different levels of the enterprise can apply for different certificates, and the roles of the certificates and the operation functions corresponding to each certificate role can be provided by the system at initialization according to the manager's requirements. The USER can distribute certificates to employees at different levels of the enterprise, who then perform the corresponding operations. When personnel change or the enterprise structure is reorganized, only the certificate roles held by the sub-users need to be dynamically modified to complete authority- and domain-based management of the whole enterprise.
In this way, the management of the whole enterprise is handled entirely through certificates, with flexible operation, simplicity and efficient administration. Resource sharing can implement delegation of work within the enterprise; for example, if A delegates resources to B because of a business trip, B can perform on A's resources the operations for which B's certificate has authority.
Family-level application: in family-level use, resource sharing can play a bigger role. Taking the family as the USER unit, different certificate roles can be applied for according to the users in the family, so that within one family all family members can perform operations with different authorities on the same resource. Resource sharing among family members saves resources to the greatest extent.
Of course, the embodiments of the invention are not limited to the above applications and can be applied in various applications, providing dynamic allocation that meets users' demands.
With the method of the embodiments of the invention, each user equipment can correspond to multiple certificates. For example, Fig. 8 is a schematic diagram of an application scenario in an embodiment of the invention. Referring to Fig. 8, each user equipment (USER) can correspond to a certificate set comprising multiple certificates, and different certificates have different authorities, where the user equipment is for example an enterprise, a family or an individual. Because the certificates have different authorities, the operations that can be performed differ with the certificate used, so authority- and domain-based management can be implemented.
In addition, in the embodiments of the invention one certificate allocates the resources under it to another certificate, which implements resource sharing. For example, Fig. 9 is a schematic diagram before and after resource sharing in an embodiment of the invention. Referring to Fig. 9, before resource sharing the resource accessible to USER~1 (whose digital certificate is certificate~1) is VM~1 and the resource accessible to USER~2 (whose digital certificate is certificate~2) is VM~2; after certificate~2 authorizes certificate~1 to implement resource sharing, the resources accessible to USER~1 (certificate~1) are VM~1 and VM~2, while the resource accessible to USER~2 (certificate~2) is VM~2.
In summary, the digital certificate in the embodiments of the invention not only implements authentication; by authorizing the digital certificate with operations and resources, authority- and domain-based management and resource sharing can be carried out through the digital certificate, making authority- and domain-based operation more reasonable. Using a digital certificate with an authority- and domain-based management function gives the whole system a clearer management structure, so that general authentication and service authentication can both be completed when the user requests access. Resource sharing also avoids waste of resources in the whole system; the user's overall demand for resources can shrink, which saves the user's resource costs, and resource operation becomes more flexible.
Fig. 10 is a schematic diagram of the device structure of the sixth embodiment of the invention, comprising a receiving module 101, an acquisition module 102 and an execution module 103. The receiving module 101 is configured to receive a first message sent by a user equipment for operating on a resource, the first message carrying a digital certificate and a requested operation; the acquisition module 102 is configured to obtain the operation list corresponding to the digital certificate according to the pre-recorded correspondence between digital certificates and roles and the pre-recorded correspondence between roles and operations; the execution module 103 is configured to allow the requested operation if it belongs to the operation list.
When the digital certificate has the authority to create virtual machines and the requested operation is creating a virtual machine, the execution module is specifically configured to create the virtual machine corresponding to the digital certificate with create authority and to record the correspondence between the digital certificate and the virtual machine.
Alternatively, when the digital certificate has allocation authority and the requested operation is allocating the virtual machine corresponding to the digital certificate with allocation authority to an authorized digital certificate, the execution module is specifically configured to allocate the virtual machine corresponding to the digital certificate with allocation authority to the authorized digital certificate, and to update the recorded correspondence between digital certificates and resources so that the resource corresponding to the digital certificate with authorization privilege is associated with the authorized digital certificate, so that a user equipment can use the authorized digital certificate to operate on the resource corresponding to the digital certificate with authorization privilege.
Alternatively, after the digital certificate with authorization privilege has authorized its corresponding resource to the authorized digital certificate, the execution module is specifically configured to operate on the resource corresponding to the digital certificate with authorization privilege according to the authority of the authorized digital certificate.
This embodiment uses a digital certificate to access cloud resources; different digital certificates correspond to different roles, and different roles correspond to different operations, so users with different authorities or in different domains can perform different operations with their digital certificates, thereby implementing authority- and domain-based management of users.
Fig. 11 is a schematic diagram of the system structure of the seventh embodiment of the invention, comprising a UPF 111 and a cloud management device 112. The UPF 111 is configured to receive a second message sent by a user equipment for registration, the second message carrying the requested role; to allocate a digital certificate to the user equipment according to the pre-configured correspondence between roles and digital certificates and record the correspondence between the digital certificate and the role; and to send the allocated digital certificate to the user equipment so that the user equipment requests operations with it. The cloud management device 112 is configured to receive a first message sent by a user equipment for operating on a resource, the first message carrying a digital certificate and a requested operation; to obtain the operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and, if the requested operation belongs to the operation list, to allow the requested operation.
Present embodiment is by adopting digital certificate in visit cloud resource, the role that this digital certificate is corresponding different, the operation that different roles is corresponding different, therefore, can realize Authority and Domain Based Management management so that have the operation difference that the user of different rights or zones of different can carry out by this digital certificate to the user.
Be understandable that the reference mutually of the correlated characteristic in said method and the equipment.In addition, " first " in the foregoing description, " second " etc. are to be used to distinguish each embodiment, and do not represent the quality of each embodiment.
One of ordinary skill in the art will appreciate that: all or part of step that realizes said method embodiment can be finished by the relevant hardware of program command, aforesaid program can be stored in the computer read/write memory medium, this program is carried out the step that comprises said method embodiment when carrying out; And aforesaid storage medium comprises: various media that can be program code stored such as ROM, RAM, magnetic disc or CD.
It should be noted that at last: above embodiment only in order to technical scheme of the present invention to be described, is not intended to limit; Although with reference to previous embodiment the present invention is had been described in detail, those of ordinary skill in the art is to be understood that: it still can be made amendment to the technical scheme that aforementioned each embodiment put down in writing, and perhaps part technical characterictic wherein is equal to replacement; And these modifications or replacement do not make the essence of appropriate technical solution break away from the spirit and scope of various embodiments of the present invention technical scheme.

Claims (10)

1. A method for realizing resource management in cloud computing, characterized in that it comprises:
receiving a first message, sent by a user device, for operating a resource, the first message carrying a digital certificate and a requested operation;
obtaining an operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a correspondence between roles and operations;
if the requested operation belongs to the operation list, allowing the requested operation.
2. The method according to claim 1, characterized in that it further comprises:
receiving a second message, sent by the user device, for registration, the second message carrying a requested role;
allocating a digital certificate to the user device according to a pre-configured correspondence between roles and digital certificates, and recording the correspondence between the digital certificate and the role;
sending the allocated digital certificate to the user device, so that the user device uses the digital certificate to request operations.
3. The method according to claim 1 or 2, characterized in that, when the digital certificate is a digital certificate with the permission to create virtual machines and the requested operation is creating a virtual machine, the allowing the requested operation comprises:
creating a virtual machine corresponding to the digital certificate with creation permission, and recording the correspondence between the digital certificate and the virtual machine.
4. The method according to claim 1 or 2, characterized in that, when the digital certificate is a digital certificate with distribution permission and the requested operation is distributing the virtual machine corresponding to the digital certificate with distribution permission to an authorized digital certificate, the allowing the requested operation comprises:
distributing the virtual machine corresponding to the digital certificate with distribution permission to the authorized digital certificate;
updating the recorded correspondence between digital certificates and resources, so that the resource corresponding to the digital certificate with authorization permission is associated with the authorized digital certificate, so that the user device uses the authorized digital certificate to operate the resource corresponding to the digital certificate with authorization permission.
5. The method according to claim 1 or 2, characterized in that, after the digital certificate with authorization permission has authorized the authorized digital certificate for the corresponding resource, the allowing the requested operation comprises:
operating the resource corresponding to the digital certificate with authorization permission according to the permissions of the authorized digital certificate.
6. A device for realizing resource management in cloud computing, characterized in that it comprises:
a receiving module, used to receive a first message, sent by a user device, for operating a resource, the first message carrying a digital certificate and a requested operation;
an acquisition module, used to obtain an operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a correspondence between roles and operations;
an execution module, used to allow the requested operation if the requested operation belongs to the operation list.
7. The device according to claim 6, characterized in that, when the digital certificate is a digital certificate with the permission to create virtual machines and the requested operation is creating a virtual machine, the execution module is specifically used to create a virtual machine corresponding to the digital certificate with creation permission, and to record the correspondence between the digital certificate and the virtual machine.
8. The device according to claim 6, characterized in that, when the digital certificate is a digital certificate with distribution permission and the requested operation is distributing the virtual machine corresponding to the digital certificate with distribution permission to an authorized digital certificate, the execution module is specifically used to distribute the virtual machine corresponding to the digital certificate with distribution permission to the authorized digital certificate, and to update the recorded correspondence between digital certificates and resources so that the resource corresponding to the digital certificate with authorization permission is associated with the authorized digital certificate, so that the user device uses the authorized digital certificate to operate the resource corresponding to the digital certificate with authorization permission.
9. The device according to claim 6, characterized in that, after the digital certificate with authorization permission has authorized the authorized digital certificate for the corresponding resource, the execution module is specifically used to operate the resource corresponding to the digital certificate with authorization permission according to the permissions of the authorized digital certificate.
10. A system for realizing resource management in cloud computing, characterized in that it comprises:
a UPF, used to receive a second message, sent by a user device, for registration, the second message carrying a requested role; to allocate a digital certificate to the user device according to a pre-configured correspondence between roles and digital certificates, and to record the correspondence between the digital certificate and the role; and to send the allocated digital certificate to the user device, so that the user device uses the digital certificate to request operations;
a cloud management device, used to receive a first message, sent by the user device, for operating a resource, the first message carrying a digital certificate and a requested operation; to obtain an operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and, if the requested operation belongs to the operation list, to allow the requested operation.
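The registration, certificate-to-role lookup, virtual machine creation and distribution flow described in the sixth and seventh embodiments and in claims 1 to 10 above, written out as an added illustration. This is not the patent's or Huawei's own code: the role names, operation names, the opaque certificate identifiers standing in for real digital certificates, and the two-class split (Upf, CloudManager) are constructed for this example.

```python
from dataclasses import dataclass, field
import secrets

# Pre-configured role -> operation mapping (constructed sample policy).
ROLE_OPERATIONS = {
    "tenant_admin": {"create_vm", "distribute_vm", "start_vm", "stop_vm"},
    "operator": {"start_vm", "stop_vm"},
}


@dataclass
class Upf:
    """User-profile function: handles the registration (second) message."""
    cert_role: dict = field(default_factory=dict)  # certificate -> role

    def register(self, requested_role):
        """Issue a certificate for the requested role and record cert -> role."""
        if requested_role not in ROLE_OPERATIONS:
            return None  # unknown role: nothing is issued
        # A real deployment would issue an X.509 certificate bound to the role;
        # a random opaque id stands in for the certificate in this example.
        cert = "cert-" + secrets.token_hex(4)
        self.cert_role[cert] = requested_role
        return cert


@dataclass
class CloudManager:
    """Cloud management device: handles the operation (first) message."""
    upf: Upf
    cert_resources: dict = field(default_factory=dict)  # certificate -> {vm ids}
    next_vm: int = 1

    def operation_list(self, cert):
        """certificate -> role (recorded in the UPF) -> operations (pre-configured)."""
        role = self.upf.cert_role.get(cert)
        return ROLE_OPERATIONS[role] if role else set()

    def handle_request(self, cert, operation, vm=None, grantee=None):
        """Return (allowed, detail). The request is denied unless the operation
        is in the certificate's operation list and, for operations on an
        existing resource, that resource is associated with the certificate."""
        if operation not in self.operation_list(cert):
            return False, f"{operation} not in operation list of {cert}"
        if operation == "create_vm":
            vm = f"vm-{self.next_vm}"
            self.next_vm += 1
            # record the certificate -> virtual machine correspondence
            self.cert_resources.setdefault(cert, set()).add(vm)
            return True, vm
        if vm not in self.cert_resources.get(cert, set()):
            return False, f"{vm} is not associated with {cert}"
        if operation == "distribute_vm":
            if grantee not in self.upf.cert_role:
                return False, "grantee certificate is unknown to the UPF"
            # update the recorded certificate -> resource correspondence so the
            # grantee can later operate the VM under its own role's operation list
            self.cert_resources.setdefault(grantee, set()).add(vm)
            return True, f"{vm} distributed to {grantee}"
        return True, f"{operation} executed on {vm}"
```

The resource check in handle_request is what keeps an operator certificate from touching a virtual machine that was never distributed to it, even though its role permits the operation in general.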
CN 201010604779 2010-12-23 2010-12-23 Method, equipment and system for realizing resource management in cloud computing Active CN102035849B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 201010604779 CN102035849B (en) 2010-12-23 2010-12-23 Method, equipment and system for realizing resource management in cloud computing
PCT/CN2011/075341 WO2011147361A1 (en) 2010-12-23 2011-06-03 Method, device and system for implementing resource management in cloud computing

Publications (2)

Publication Number Publication Date
CN102035849A true CN102035849A (en) 2011-04-27
CN102035849B CN102035849B (en) 2013-12-18

Family

ID=43888172

Country Status (2)

Country Link
CN (1) CN102035849B (en)
WO (1) WO2011147361A1 (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011147361A1 (en) * 2010-12-23 2011-12-01 华为技术有限公司 Method, device and system for implementing resource management in cloud computing
CN102291452A (en) * 2011-08-09 2011-12-21 北京星网锐捷网络技术有限公司 Virtual machine management method, cloud management server and cloud system based on cloud strategy
CN102577315A (en) * 2011-12-21 2012-07-11 华为技术有限公司 Method, device and system for setting user access to virtual machine
CN102903029A (en) * 2012-09-27 2013-01-30 广东亿迅科技有限公司 Domain-partitioned authorization method for cloud computing resources
CN102929685A (en) * 2011-09-15 2013-02-13 微软公司 Automated infrastructure provisioning
CN102984252A (en) * 2012-11-26 2013-03-20 中国科学院信息工程研究所 Cloud resource access control method based on dynamic cross-domain security token
CN103312814A (en) * 2013-06-28 2013-09-18 武汉大学 Method for establishing VNC (virtual network computing) covert channel between cloud management platform and virtual machine terminal user
CN103377330A (en) * 2012-04-23 2013-10-30 佛山市智慧岛信息技术有限公司 Virtual resource distribution method and virtual resource distribution system
CN104125203A (en) * 2013-04-26 2014-10-29 腾讯科技(深圳)有限公司 Permission management method and system
CN104272699A (en) * 2012-05-02 2015-01-07 微软公司 Certificate based connection to cloud virtual machine
CN105683913A (en) * 2013-06-26 2016-06-15 亚马逊技术有限公司 Management of computing sessions
CN105763638A (en) * 2016-04-18 2016-07-13 广州优达信息科技有限公司 Cloud terminal reverse control system
CN106656935A (en) * 2015-11-03 2017-05-10 电信科学技术研究院 Character issuing method, access control method and correlation equipment thereof
CN107276965A (en) * 2016-04-07 2017-10-20 阿里巴巴集团控股有限公司 The authority control method and device of service discovery component
CN107690770A (en) * 2015-04-29 2018-02-13 思杰系统有限公司 Autonomous private key recovers
CN107786341A (en) * 2017-10-11 2018-03-09 广东欧珀移动通信有限公司 Certificate loading method and related product
CN108604187A (en) * 2016-02-09 2018-09-28 安维智有限公司 The deploying virtual machine of trustship
CN115118480A (en) * 2022-06-22 2022-09-27 中电信数智科技有限公司 Skyline system weight-sharing domain-dividing function realization method and device based on Openstack
CN115118480B (en) * 2022-06-22 2024-04-26 中电信数智科技有限公司 Method and device for realizing split-weight split-domain function of Skyline system based on Openstack

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005018254A2 (en) * 2003-08-12 2005-02-24 Alcatel Provision of services by reserving resources in a communications network having resource management according to policy rules
CN101197026A (en) * 2007-12-20 2008-06-11 浙江大学 Design and storage method for resource and its access control policy in high-performance access control system
CN101296230A (en) * 2008-06-17 2008-10-29 浙江大学 Web service security control mechanism based on PKI and PMI
CN101350710A (en) * 2007-07-16 2009-01-21 华为技术有限公司 Network system, authority issuing server, authority issuing and executing method
CN101425027A (en) * 2008-11-20 2009-05-06 上海交通大学 Virtual machine safety protocol method and system based on TPM

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220208

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Patentee after: Huawei Cloud Computing Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right