CN102035849B - Method, equipment and system for realizing resource management in cloud computing - Google Patents


Publication number: CN102035849B
Authority: CN (China)
Prior art keywords: digital certificate, resource, role, request, subscriber equipment
Legal status: Active (status assumed by Google Patents; not a legal conclusion)
Application number: CN 201010604779
Other languages: Chinese (zh)
Other versions: CN102035849A (en)
Inventor: 祁小波
Current assignee: Huawei Cloud Computing Technologies Co Ltd (assignee list as given by Google Patents; may be inaccurate)
Original assignee: Huawei Technologies Co Ltd
Events:
    • Application filed by Huawei Technologies Co Ltd
    • Priority to CN 201010604779
    • Publication of CN102035849A
    • Priority to PCT/CN2011/075341 (WO2011147361A1)
    • Application granted
    • Publication of CN102035849B
    • Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Abstract

The invention provides a method, equipment and system for realizing resource management in cloud computing. The method comprises the following steps: receiving a first message, sent by user equipment, for operating on a resource, the first message carrying a digital certificate and a requested operation; obtaining the operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a pre-recorded correspondence between roles and operations; and, if the requested operation belongs to the operation list, allowing the requested operation. In the embodiments of the invention, decentralized-authority and domain-separated management can be realized.

Description

Method, equipment and system for realizing resource management in cloud computing
Technical field
The present invention relates to network communication technology, and in particular to a method, equipment and system for realizing resource management in cloud computing.
Background
A cloud computing system comprises a "cloud" with powerful computing capability and user terminals. The core idea of cloud computing is to continually improve the processing capability of the "cloud" and thereby reduce the processing load of the user terminal, until the user terminal is reduced to a simple input/output device that can nevertheless enjoy the powerful computing capability of the "cloud" on demand.
In existing cloud computing systems, the cloud network can allocate a security authentication certificate to the user, and the user uses this certificate to access the cloud network. However, the existing security authentication certificate can only authenticate the user; it cannot realize decentralized-authority and domain-separated management.
Summary of the invention
The embodiments of the present invention provide a method, equipment and system for realizing resource management in cloud computing, in order to realize decentralized-authority and domain-separated management of resources in cloud computing.
An embodiment of the present invention provides a method for realizing resource management in cloud computing, comprising:
receiving a first message, sent by user equipment, for operating on a resource, the first message carrying a digital certificate and a requested operation;
obtaining the operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a pre-recorded correspondence between roles and operations; and
if the requested operation belongs to the operation list, allowing the requested operation.
An embodiment of the present invention provides equipment for realizing resource management in cloud computing, comprising:
a receiving module, for receiving a first message, sent by user equipment, for operating on a resource, the first message carrying a digital certificate and a requested operation;
an acquisition module, for obtaining the operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a pre-recorded correspondence between roles and operations; and
an execution module, for allowing the requested operation if it belongs to the operation list.
An embodiment of the present invention provides a system for realizing resource management in cloud computing, comprising:
a UPF (user profile function), for receiving a second message, sent by user equipment, for registration, the second message carrying a requested role; allocating a digital certificate to the user equipment according to a pre-configured correspondence between roles and digital certificates, and recording the correspondence between the digital certificate and the role; and sending the allocated digital certificate to the user equipment, so that the user equipment uses the digital certificate to request operations; and
a cloud management device, for receiving a first message, sent by user equipment, for operating on a resource, the first message carrying a digital certificate and a requested operation; obtaining the operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and, if the requested operation belongs to the operation list, allowing the requested operation.
As can be seen from the above technical solution, the embodiments of the present invention use a digital certificate when accessing cloud resources; different digital certificates correspond to different roles, and different roles correspond to different operations. Users with different rights, or in different domains, can therefore perform different operations, and decentralized-authority and domain-separated management of users is realized by means of the digital certificate.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of the method of the first embodiment of the present invention;
Fig. 2 is a schematic diagram of the system configuration corresponding to the second embodiment of the present invention;
Fig. 3 is a schematic flow diagram of the method corresponding to the second embodiment of the present invention;
Fig. 4 is a schematic diagram of the certificate system in an embodiment of the present invention;
Fig. 5 is a schematic flow diagram of the method of the third embodiment of the present invention;
Fig. 6 is a schematic flow diagram of the method of the fourth embodiment of the present invention;
Fig. 7 is a schematic flow diagram of the method of the fifth embodiment of the present invention;
Fig. 8 is a schematic diagram of an application scenario in an embodiment of the present invention;
Fig. 9 is a schematic diagram of the situation before and after resource sharing in an embodiment of the present invention;
Fig. 10 is a schematic diagram of the structure of the equipment of the sixth embodiment of the present invention;
Fig. 11 is a schematic diagram of the system configuration of the seventh embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution is described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments, without creative effort, fall within the scope of protection of the present invention.
Fig. 1 is a schematic flow diagram of the method of the first embodiment of the present invention, which comprises:
Step 11: the system for realizing resource management in cloud computing receives a first message, sent by user equipment, for operating on a resource; the first message carries a digital certificate and a requested operation.
Step 12: the system for realizing resource management in cloud computing obtains the operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a pre-recorded correspondence between roles and operations.
Step 13: if the requested operation belongs to the operation list, the requested operation is allowed.
In this embodiment a digital certificate is used when accessing cloud resources; different digital certificates correspond to different roles, and different roles correspond to different operations. Users with different rights, or in different domains, can therefore perform different operations, and decentralized-authority and domain-separated management of users is realized by means of the digital certificate.
Fig. 2 is a schematic diagram of the system configuration corresponding to the second embodiment of the present invention. It comprises user equipment (USER) 21, a provisioning orchestration engine (POE) 22, a user profile function (UPF) entity 23, a virtual machine desktop (VDESKTOP) 24 and a cloud resource management device 25. The user equipment 21 may correspond to an enterprise, a family or an individual; for example, the terminal equipment used by one enterprise counts as one user equipment. The POE 22 is the entrance through which users open accounts; for example, when a user registers, the user equipment sends a registration message to the UPF through the POE, and the registration is completed at the UPF. The UPF 23 allocates the digital certificate and the resources applied for at registration to the user, and stores the corresponding relations between them. The virtual machine desktop 24 is the user's access interface; for example, the user equipment requests the cloud resource management device, through the virtual machine desktop, to perform a specified operation on an allocated resource. The cloud resource management device 25 receives the resource operation message that the user equipment sends through the virtual machine desktop, then authenticates the message against the UPF according to the information it carries, and, if authentication passes, allows the user equipment to perform the corresponding operation.
The specific interaction between the above devices is described in the following method embodiments.
Fig. 3 is a schematic flow diagram of the method corresponding to the second embodiment of the present invention, which comprises:
Step 31: the user equipment sends a second message, for registration, to the POE; the second message carries the requested role.
In this embodiment, in order to realize decentralized-authority and domain-separated management, different roles may be allocated to different digital certificates; different roles have different rights, and different rights permit different operations. For example, the roles may include admin, operation and guest: admin can perform all operations, operation can view and modify, and guest can only view. A user holding the digital certificate corresponding to admin can create, delete, modify and view; a user holding the digital certificate corresponding to operation can modify and view; a user holding the digital certificate corresponding to guest can only view.
Step 32: the POE forwards the second message to the UPF.
Step 33: after receiving the second message, the UPF allocates a digital certificate to the user equipment and records the correspondence between the user equipment, the digital certificate and the role.
The UPF may allocate digital certificates to the different roles at random, provided it guarantees that different roles correspond to different digital certificates.
For example, Fig. 4 is a schematic diagram of the certificate system in an embodiment of the present invention. Referring to Fig. 4, the UPF may store a certificate system comprising an operation list (PriInfo), a role list (RoleInfo) and a user list (UserInfo). The operation list comprises n operations (Pri), the role list comprises n roles (Role), and the user list comprises n users (User). It will be understood that the numbers of operations, roles and users may differ from one another.
The composition of each operation is shown in Table 1, the composition of each role in Table 2, and the composition of each user in Table 3.
Table 1
Data          Description
PRIVDESC      Permission description
PRIVID        Permission ID
PRIVNAME      Operation name
SERVICETYPE   System service type
Table 2
Data          Description
ROLEDESC      Role description
ROLEID        Role ID
ROLENAME      Role name
PRIVID        Permission ID
Table 3
Data          Description
CERTCONTENT   Certificate content
CERTID        Certificate ID
CREATEDTIME   Creation time
STATUS        Certificate status
ROLEID        Role ID
RESOWNER      Resource owner
Of the three lists above, the operation list and the role list may be pre-configured, while the user list is updated continually as user equipment applies for digital certificates. For example, when User 1 requests Role 1, the UPF may randomly allocate it a digital certificate (one that is not identical to the digital certificates of the other roles) and record the ID of that certificate in the certificate ID field of Table 3. That is, supposing the digital certificate corresponding to Role 1 is Certificate 1, the row for User 1 in Table 3 has resource owner User 1, certificate ID Certificate 1 and role ID Role 1. In addition, the creation time is the time at which the digital certificate was created; the certificate content is the public/private key pair used to authenticate the user, which can be generated when the certificate is created according to preset conditions (including the user name, timestamp and so on); and the certificate status may be active or inactive, the status being set to inactive when the certificate expires.
It will also be understood that one user equipment may request several roles and accordingly obtain several digital certificates, which can then be distributed to the different users of that user equipment. For example, an enterprise may apply for the digital certificates corresponding to admin, operation, guest and other roles, and then distribute the certificates of the different roles to different personnel for use.
Step 34: the UPF returns the allocated digital certificate to the user equipment through the POE.
At this point the user has opened an account, and the user equipment may subsequently use the allocated digital certificate to request the operations it needs.
Step 35: the user equipment requests operations using the allocated digital certificate.
In this embodiment, digital certificates are allocated to users; different digital certificates have different roles and can perform different operations, so decentralized-authority and domain-separated management is realized.
Below, taking the creation of a virtual machine instance as the example operation, the specific flow is shown in Fig. 5.
Fig. 5 is a schematic flow diagram of the method of the third embodiment of the present invention, in which the user equipment requests the creation of a virtual machine instance. Referring to Fig. 5, the embodiment comprises:
Step 51: the user equipment obtains a digital certificate. For details see steps 31-34.
Step 52: the user equipment sends, through the virtual machine desktop, a first message for operating on a resource to the cloud resource management device; the first message carries the digital certificate and the requested operation.
Step 53: the cloud resource management device authenticates the first message.
For example, if the first message was encrypted when sent, the cloud resource management device needs to decrypt it. In addition, the cloud resource management device may obtain the user information from the UPF and judge whether the digital certificate belongs to this user equipment, in order to verify the user's legitimacy. The encryption/decryption algorithm and the user legitimacy verification may be implemented by usual methods.
In particular, after the above verification, this embodiment also performs permission verification, as follows:
Step 54: the cloud resource management device obtains from the UPF the operation list corresponding to the digital certificate.
Specifically, the role ID corresponding to the digital certificate is first obtained from Table 3, then the permission IDs corresponding to that role ID are obtained from Table 2, and finally the operation names corresponding to those permission IDs are obtained from Table 1. All the operation names corresponding to the digital certificate form its operation list. For example, if the role corresponding to the digital certificate is admin, the operation list comprises create, delete, modify and view; if the role is operation, the operation list comprises modify and view; if the role is guest, the operation list comprises only view.
Step 55: if the requested operation belongs to the operation list, the requested operation is allowed, for example creating a virtual machine.
In this embodiment, for example, it is assumed that the digital certificate used by the user permits the create operation and that the requested operation is creating a virtual machine, so the cloud resource management device creates the virtual machine.
To further realize data sharing, this embodiment may also comprise:
Step 56: the cloud resource management device records the correspondence between the digital certificate and the virtual machine.
In some scenarios mutual authorization between digital certificates may be needed; for example, the resources under Certificate 1 need to be assigned to Certificate 2 for use, so as to realize resource sharing.
In this embodiment the cloud resource management device is accessed using a digital certificate; different digital certificates have different roles and can perform different operations, so decentralized-authority and domain-separated management is realized.
Fig. 6 is a schematic flow diagram of the method of the fourth embodiment of the present invention, which takes as its example assigning the virtual machine under one digital certificate to another digital certificate for use. Referring to Fig. 6, the embodiment comprises:
Step 61: the user equipment obtains a digital certificate.
For details see step 51.
Step 62: the user equipment sends, through the virtual machine desktop, a first message for operating on a resource to the cloud resource management device; the first message carries the digital certificate and the requested operation.
In this embodiment it is assumed that the digital certificate obtained by the user equipment is Certificate 1, and that the requested operation is assigning the virtual machine corresponding to Certificate 1 to Certificate 2 for use.
Step 63: the cloud resource management device authenticates the first message.
Step 64: the cloud resource management device obtains from the UPF the operation list corresponding to the digital certificate.
For the details of steps 63-64 see steps 53-54.
Step 65: if the requested operation belongs to the operation list, the requested operation is allowed, for example assigning the virtual machine. Assigning the virtual machine may consist of adding, in the cloud resource management device, a correspondence between the resource and a certificate ID.
For example, if the operations of Certificate 1 include resource assignment, the cloud resource management device of this embodiment may assign the virtual machine corresponding to Certificate 1 to Certificate 2.
Step 66: the cloud resource management device updates the correspondence between digital certificates and virtual machines.
For example, Virtual Machine 1 originally corresponded to Certificate 1; after the above processing, the certificates corresponding to Virtual Machine 1 comprise Certificate 1 and Certificate 2.
Through the flow of Fig. 6, Certificate 2 can obtain operation rights over the resources under Certificate 1; for example, Virtual Machine 1 can also be operated using Certificate 2, as described in the next embodiment.
In this embodiment the cloud resource management device is accessed using a digital certificate; different digital certificates have different roles and can perform different operations, so decentralized-authority and domain-separated management is realized. In addition, by assigning the resources under one digital certificate to another digital certificate for use, this embodiment realizes resource sharing.
Fig. 7 is a schematic flow diagram of the method of the fifth embodiment of the present invention, which takes as its example an authorized digital certificate operating on the resources of a digital certificate that has authorization rights. Referring to Fig. 7, the embodiment comprises:
Step 71: the user equipment obtains a digital certificate.
Step 72: the user equipment sends, through the virtual machine desktop, a first message for operating on a resource to the cloud resource management device; the first message carries the digital certificate and the requested operation.
Step 73: the cloud resource management device authenticates the first message.
Step 74: the cloud resource management device obtains from the UPF the operation list corresponding to the digital certificate.
Step 75: if the requested operation belongs to the operation list, the requested operation is allowed, for example restarting a virtual machine.
Steps 71-75 are similar to steps 61-65. The difference is that the digital certificate used in the embodiment of Fig. 6 is the digital certificate that has authorization rights (e.g. Certificate 1), whereas the digital certificate used in this embodiment is the authorized digital certificate (e.g. Certificate 2).
In addition, because the flow of Fig. 6 updated the correspondence between resources and digital certificates in the cloud resource management device, Certificate 2 can also perform on Virtual Machine 1 the operations for which Certificate 2 itself has rights. For example, if Certificate 2 has the right to restart a virtual machine and the requested operation is restarting the virtual machine, then in this embodiment Virtual Machine 1 can be restarted using Certificate 2.
In this embodiment the authorized digital certificate is used to access the resources under the digital certificate that has authorization rights, so resource sharing is realized.
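The certificate system of Fig. 4 and the flows of Figs. 5 to 7, as an added worked example that is not part of the patent or of any Huawei implementation. It models Tables 1 to 3 as in-memory dictionaries, the UPF allocation of step 33, the lookup chain of step 54 (Table 3 to Table 2 to Table 1), the permission check of step 55, the certificate/virtual-machine record of step 56, the assignment of Fig. 6 and the authorized certificate's own-rights operation of Fig. 7. The permission IDs, the extra "assign" permission given to admin so that Fig. 6 has an operation to check, the random certificate values and the resource store are all constructed assumptions; the "restart" operation of Fig. 7 is not among the operations named for the roles, so the example exercises view and delete instead.

```python
"""Toy model of certificate -> role -> operation authorization with resource
sharing.  Added example, not the patent's or Huawei's code; field names follow
Tables 1-3, everything else (IDs, values, storage) is constructed here."""
import secrets
import time

# Table 1 (PriInfo): pre-configured operations, keyed by PRIVID.
# PRIVID 5 ("assign") is an assumed permission needed for the Fig. 6 flow.
PRI_INFO = {
    1: {"PRIVNAME": "create", "PRIVDESC": "create a resource", "SERVICETYPE": "vm"},
    2: {"PRIVNAME": "delete", "PRIVDESC": "delete a resource", "SERVICETYPE": "vm"},
    3: {"PRIVNAME": "modify", "PRIVDESC": "modify a resource", "SERVICETYPE": "vm"},
    4: {"PRIVNAME": "view", "PRIVDESC": "view a resource", "SERVICETYPE": "vm"},
    5: {"PRIVNAME": "assign", "PRIVDESC": "assign a resource to another certificate", "SERVICETYPE": "vm"},
}

# Table 2 (RoleInfo): pre-configured roles.  The patent keeps one row per
# (ROLEID, PRIVID) pair; here the PRIVIDs of a role are collapsed into a set.
ROLE_INFO = {
    "admin": {"ROLENAME": "admin", "ROLEDESC": "all operations", "PRIVID": {1, 2, 3, 4, 5}},
    "operation": {"ROLENAME": "operation", "ROLEDESC": "modify and view", "PRIVID": {3, 4}},
    "guest": {"ROLENAME": "guest", "ROLEDESC": "view only", "PRIVID": {4}},
}

# Table 3 (UserInfo): filled in by the UPF as user equipment applies, keyed by CERTID.
USER_INFO = {}

# State of the cloud resource management device (steps 56 and 66):
# virtual machine -> set of certificate IDs that may operate on it.
RESOURCES = {}


def upf_register(user, role):
    """Step 33: allocate a random certificate for `role`, distinct from every
    certificate already issued, record it in Table 3 and return its CERTID."""
    if role not in ROLE_INFO:
        raise ValueError("unknown role %r" % role)
    cert_id = secrets.token_hex(8)
    while cert_id in USER_INFO:            # guarantee distinct certificates
        cert_id = secrets.token_hex(8)
    USER_INFO[cert_id] = {
        "CERTCONTENT": "<key pair for %s, constructed placeholder>" % user,
        "CERTID": cert_id,
        "CREATEDTIME": time.time(),
        "STATUS": "active",
        "ROLEID": role,
        "RESOWNER": user,
    }
    return cert_id


def revoke(cert_id):
    """An expired or withdrawn certificate is marked inactive in Table 3."""
    if cert_id in USER_INFO:
        USER_INFO[cert_id]["STATUS"] = "inactive"


def operation_list(cert_id):
    """Step 54: CERTID -> ROLEID (Table 3) -> PRIVIDs (Table 2) -> PRIVNAMEs (Table 1).
    Unknown or inactive certificates get an empty list, so every check fails closed."""
    row = USER_INFO.get(cert_id)
    if row is None or row["STATUS"] != "active":
        return set()
    return {PRI_INFO[p]["PRIVNAME"] for p in ROLE_INFO[row["ROLEID"]]["PRIVID"]}


def authorize(cert_id, operation):
    """Step 55: the operation is allowed only if it is in the certificate's list."""
    return operation in operation_list(cert_id)


def create_vm(cert_id, vm_id):
    """Fig. 5: create a virtual machine and record certificate <-> VM (step 56)."""
    if vm_id in RESOURCES or not authorize(cert_id, "create"):
        return False
    RESOURCES[vm_id] = {cert_id}
    return True


def assign_vm(owner_cert, vm_id, target_cert):
    """Fig. 6: the authorizing certificate hands its VM to the authorized one; the
    VM then maps to both (step 66).  The target must be a live certificate."""
    if owner_cert not in RESOURCES.get(vm_id, set()):
        return False
    if not authorize(owner_cert, "assign") or not operation_list(target_cert):
        return False
    RESOURCES[vm_id].add(target_cert)
    return True


def operate_vm(cert_id, vm_id, operation):
    """Fig. 7: a certificate may operate on a VM it is associated with, but only
    with the rights of its own role, never those of the authorizing certificate."""
    if cert_id not in RESOURCES.get(vm_id, set()):
        return False
    return authorize(cert_id, operation)
```

Two properties worth noticing: an inactive certificate resolves to an empty operation list, so revocation in Table 3 cuts off both direct requests and assignments to that certificate without touching the resource store; and the assignment of Fig. 6 only widens which resources the authorized certificate can reach, while the operations it may perform remain those of its own role, which is exactly the distinction Fig. 7 draws.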
The methods of the embodiments of the present invention described above can be applied in the following scenarios:
Enterprise-level application: the system is applied within an enterprise, and the enterprise administrator is equivalent to the USER. Different certificates can be applied for on behalf of employees at different levels of the enterprise, and the roles of the certificates and the operations corresponding to each role are provided by the system at initialization according to the administrator's requirements. The USER can distribute the certificates to employees at the different levels of the enterprise, who then perform the corresponding operations. When personnel change or the enterprise's structure is reorganized, it is only necessary to dynamically modify the certificate roles held by the sub-users to complete decentralized-authority and domain-separated management of the whole enterprise.
In this way, the management of the whole enterprise is handled entirely through certificates, with flexible operation and simple, efficient administration. Resource sharing can realize delegation of work within the enterprise; for example, A delegates resources to B because A is on a business trip, and B can then perform, on A's resources, the operations permitted by the certificate B holds.
Family-level application: in family-level applications, resource sharing can play an even larger role. Taking the family as the USER unit, different certificate roles can be applied for according to the members of the family, so that within one family all members can perform operations with different rights on the same resource. Resource sharing among family members thus saves resources to the greatest extent.
Of course, the embodiments of the present invention are not limited to the above applications; they can be used in many applications, and the dynamic allocation they provide meets users' needs.
After the method of the embodiments is adopted, each user equipment may correspond to several certificates. For example, Fig. 8 is a schematic diagram of an application scenario in an embodiment of the present invention; referring to Fig. 8, each user equipment (USER) may correspond to a certificate set comprising several certificates, with different certificates having different rights, where the user equipment is, for example, an enterprise, a family or an individual. Because the certificates have different rights, different operations can be performed when different certificates are used, so decentralized-authority and domain-separated management is realized.
In addition, in the embodiments of the present invention one certificate assigns the resources under it to another certificate, which realizes resource sharing. For example, Fig. 9 is a schematic diagram of the situation before and after resource sharing in an embodiment of the present invention. Referring to Fig. 9, before resource sharing the resource that USER 1 (whose digital certificate is Certificate 1) can access is VM 1, and the resource that USER 2 (whose digital certificate is Certificate 2) can access is VM 2. After Certificate 2 authorizes Certificate 1 and resource sharing is realized, the resources that USER 1 (Certificate 1) can access are VM 1 and VM 2, while the resource that USER 2 (Certificate 2) can access is VM 2.
In summary, the digital certificate in the embodiments of the present invention not only realizes the authentication function; by authorizing the digital certificate, where the authorization comprises both operations and resources, decentralized-authority and domain-separated management and resource sharing can be carried out through the digital certificate, making such management more reasonable. By using a digital certificate that carries this management function, both general authentication and service authentication can be completed when a user request is accessed, making the management structure of the whole system clearer. At the same time, resource sharing avoids waste of resources in the whole system, and users' overall demand for resources shrinks, saving users resource costs while making resource operation more flexible.
Fig. 10 is a schematic diagram of the structure of the equipment of the sixth embodiment of the present invention, which comprises a receiving module 101, an acquisition module 102 and an execution module 103. The receiving module 101 receives a first message, sent by user equipment, for operating on a resource, the first message carrying a digital certificate and a requested operation. The acquisition module 102 obtains the operation list corresponding to the digital certificate according to a pre-recorded correspondence between digital certificates and roles and a pre-recorded correspondence between roles and operations. The execution module 103 allows the requested operation if it belongs to the operation list.
When the digital certificate is one that has the right to create virtual machines and the requested operation is creating a virtual machine, the execution module is specifically used to create the virtual machine corresponding to the digital certificate having the create right, and to record the correspondence between the digital certificate and the virtual machine.
Alternatively, when the digital certificate is one that has the assignment right and the requested operation is assigning the virtual machine corresponding to that certificate to an authorized digital certificate, the execution module is specifically used to assign the virtual machine corresponding to the digital certificate having the assignment right to the authorized digital certificate, and to update the recorded correspondence between digital certificates and resources so that the resource corresponding to the digital certificate having authorization rights is associated with the authorized digital certificate, whereby the user equipment can operate on the resource corresponding to the digital certificate having authorization rights by using the authorized digital certificate.
Alternatively, after the digital certificate having authorization rights has authorized the authorized digital certificate to use its corresponding resource, the execution module is specifically used to operate on the resource corresponding to the digital certificate having authorization rights according to the rights of the authorized digital certificate.
In this embodiment a digital certificate is used when accessing cloud resources; different digital certificates correspond to different roles, and different roles correspond to different operations. Users with different rights, or in different domains, can therefore perform different operations, and decentralized-authority and domain-separated management of users is realized by means of the digital certificate.
Fig. 11 is a schematic diagram of the system configuration of the seventh embodiment of the present invention, which comprises a UPF 111 and a cloud management device 112. The UPF 111 receives a second message, sent by user equipment, for registration, the second message carrying a requested role; allocates a digital certificate to the user equipment according to a pre-configured correspondence between roles and digital certificates, and records the correspondence between the digital certificate and the role; and sends the allocated digital certificate to the user equipment, so that the user equipment uses the digital certificate to request operations. The cloud management device 112 receives a first message, sent by user equipment, for operating on a resource, the first message carrying a digital certificate and a requested operation; obtains the operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and, if the requested operation belongs to the operation list, allows the requested operation.
The present embodiment by adopting digital certificate in access cloud resource, the role that this digital certificate is corresponding different, the operation that different roles is corresponding different, therefore, can, so that there is the operation difference that the user of different rights or zones of different can carry out, realize the Authority and Domain Based Management management to the user by this digital certificate.
It will be understood that the related features of the above method and devices may be referred to mutually. In addition, "first", "second" and so on in the above embodiments serve only to distinguish the embodiments and do not indicate the relative merit of any embodiment.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by related hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the preceding embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in each of the preceding embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (9)

1. A method for realizing resource management in cloud computing, characterized by comprising:
receiving a second message, for registration, sent by a user equipment, the second message carrying a requested role;
assigning a digital certificate to the user equipment according to a pre-configured correspondence between roles and digital certificates, and recording the correspondence between the digital certificate and the role, wherein different roles correspond to different digital certificates;
sending the assigned digital certificate to the user equipment, so that the user equipment uses the digital certificate to request operations;
receiving a first message, for operating on a resource, sent by the user equipment, the first message carrying a digital certificate and a requested operation;
obtaining the operation list corresponding to the digital certificate according to the pre-recorded correspondence between digital certificates and roles and the correspondence between roles and operations;
if the requested operation belongs to the operation list, allowing the requested operation.
2. The method according to claim 1, characterized in that, when the digital certificate is one that has the authority to create a virtual machine and the requested operation is creating a virtual machine, allowing the requested operation comprises:
creating the virtual machine corresponding to the digital certificate with creation authority, and recording the correspondence between the digital certificate and the virtual machine.
3. The method according to claim 1, characterized in that, when the digital certificate is one that has authorization authority and the requested operation is assigning the virtual machine corresponding to the digital certificate with authorization authority to an authorized digital certificate, allowing the requested operation comprises:
assigning the virtual machine corresponding to the digital certificate with authorization authority to the authorized digital certificate;
updating the recorded correspondence between digital certificates and resources so that the resource corresponding to the digital certificate with authorization authority becomes associated with the authorized digital certificate, so that the user equipment can use the authorized digital certificate to operate the resource corresponding to the digital certificate with authorization authority.
4. The method according to claim 1, characterized in that, after the digital certificate with authorization authority has authorized its corresponding resource to the authorized digital certificate, allowing the requested operation comprises:
operating the resource corresponding to the digital certificate with authorization authority according to the authority of the authorized digital certificate.
5. An equipment for realizing resource management in cloud computing, characterized by comprising:
a receiving module, configured to receive a second message, for registration, sent by a user equipment, the second message carrying a requested role;
an execution module, configured to assign a digital certificate to the user equipment according to a pre-configured correspondence between roles and digital certificates, and to record the correspondence between the digital certificate and the role, wherein different roles correspond to different digital certificates; and to send the assigned digital certificate to the user equipment, so that the user equipment uses the digital certificate to request operations;
the receiving module being further configured to receive a first message, for operating on a resource, sent by the user equipment, the first message carrying a digital certificate and a requested operation;
an acquisition module, configured to obtain the operation list corresponding to the digital certificate according to the pre-recorded correspondence between digital certificates and roles and the correspondence between roles and operations;
the execution module being further configured to allow the requested operation if the requested operation belongs to the operation list.
6. The equipment according to claim 5, characterized in that, when the digital certificate is one that has the authority to create a virtual machine and the requested operation is creating a virtual machine, the execution module is specifically configured to create the virtual machine corresponding to the digital certificate with creation authority, and to record the correspondence between the digital certificate and the virtual machine.
7. The equipment according to claim 5, characterized in that, when the digital certificate is one that has authorization authority and the requested operation is assigning the virtual machine corresponding to the digital certificate with authorization authority to an authorized digital certificate, the execution module is specifically configured to assign the virtual machine corresponding to the digital certificate with authorization authority to the authorized digital certificate, and to update the recorded correspondence between digital certificates and resources so that the resource corresponding to the digital certificate with authorization authority becomes associated with the authorized digital certificate, so that the user equipment can use the authorized digital certificate to operate the resource corresponding to the digital certificate with authorization authority.
8. The equipment according to claim 5, characterized in that, after the digital certificate with authorization authority has authorized its corresponding resource to the authorized digital certificate, the execution module is specifically configured to operate the resource corresponding to the digital certificate with authorization authority according to the authority of the authorized digital certificate.
9. A system for realizing resource management in cloud computing, characterized by comprising:
a UPF, configured to receive a second message, for registration, sent by a user equipment, the second message carrying a requested role; to assign a digital certificate to the user equipment according to a pre-configured correspondence between roles and digital certificates, and to record the correspondence between the digital certificate and the role, wherein different roles correspond to different digital certificates; and to send the assigned digital certificate to the user equipment, so that the user equipment uses the digital certificate to request operations;
a cloud management equipment, configured to receive a first message, for operating on a resource, sent by the user equipment, the first message carrying a digital certificate and a requested operation; to obtain the operation list corresponding to the digital certificate according to the correspondence between digital certificates and roles recorded in the UPF and the correspondence between roles and operations; and to allow the requested operation if it belongs to the operation list.
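As an added example (not code from the patent or its assignee), the following Python model walks through the steps of claims 1 to 4 end to end: the UPF assigns a certificate per role and records certificate -> role, and the cloud manager derives the operation list from certificate -> role -> operations, records certificate -> VM on creation, and after delegation lets the authorized certificate operate the VM only within its own role's operation list. The class names, role and operation names, and the certificate and VM identifier formats are assumptions.

```python
# Added example, not from the patent. Role/operation names and the
# certificate/VM identifier formats below are constructed placeholders.

# Pre-configured correspondence between roles and operations
# (the patent's "correspondence between roles and operations").
ROLE_OPERATIONS = {
    "admin": {"create_vm", "start_vm", "stop_vm", "delete_vm", "authorize"},
    "operator": {"start_vm", "stop_vm"},
}


class UPF:
    """Registration side: assigns one digital certificate per role and
    records the certificate -> role correspondence (claim 1, registration)."""

    def __init__(self):
        self.cert_role = {}  # certificate -> role
        self._serial = 0

    def register(self, requested_role):
        """Handle the 'second message'; returns the assigned certificate or None."""
        if requested_role not in ROLE_OPERATIONS:
            return None
        self._serial += 1
        # Placeholder identifier standing in for a real X.509 certificate.
        cert = f"cert-{self._serial}-{requested_role}"
        self.cert_role[cert] = requested_role
        return cert


class CloudManager:
    """Resource side: checks each 'first message' against the operation list
    derived from certificate -> role -> operations, and keeps the
    certificate -> resource correspondence for created and delegated VMs."""

    def __init__(self, upf):
        self.upf = upf
        self.cert_resources = {}  # certificate -> set of VM ids
        self._vm_serial = 0

    def operation_list(self, cert):
        role = self.upf.cert_role.get(cert)  # unknown certificate -> no role
        return ROLE_OPERATIONS.get(role, set())

    def create_vm(self, cert):
        """Claim 2: create a VM and record certificate -> VM. Returns VM id or None."""
        if "create_vm" not in self.operation_list(cert):
            return None
        self._vm_serial += 1
        vm = f"vm-{self._vm_serial}"
        self.cert_resources.setdefault(cert, set()).add(vm)
        return vm

    def delegate(self, cert, vm, grantee):
        """Claim 3: associate a VM held by `cert` with the authorized `grantee`."""
        if "authorize" not in self.operation_list(cert):
            return False
        if vm not in self.cert_resources.get(cert, set()):
            return False  # only a resource associated with this certificate
        if grantee not in self.upf.cert_role:
            return False  # grantee must hold a certificate issued by the UPF
        self.cert_resources.setdefault(grantee, set()).add(vm)
        return True

    def operate(self, cert, vm, operation):
        """Claim 4: operate a resource within the certificate's own authority."""
        return (operation in self.operation_list(cert)
                and vm in self.cert_resources.get(cert, set()))
```

The delegated operator can start and stop the VM but still cannot delete it, because the operation list is always derived from the operating certificate's own role.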
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 201010604779 CN102035849B (en) 2010-12-23 2010-12-23 Method, equipment and system for realizing resource management in cloud computing
PCT/CN2011/075341 WO2011147361A1 (en) 2010-12-23 2011-06-03 Method, device and system for implementing resource management in cloud computing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010604779 CN102035849B (en) 2010-12-23 2010-12-23 Method, equipment and system for realizing resource management in cloud computing

Publications (2)

Publication Number Publication Date
CN102035849A CN102035849A (en) 2011-04-27
CN102035849B true CN102035849B (en) 2013-12-18

Family

ID=43888172

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010604779 Active CN102035849B (en) 2010-12-23 2010-12-23 Method, equipment and system for realizing resource management in cloud computing

Country Status (2)

Country Link
CN (1) CN102035849B (en)
WO (1) WO2011147361A1 (en)


Also Published As

Publication number Publication date
WO2011147361A1 (en) 2011-12-01
CN102035849A (en) 2011-04-27


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220208

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Patentee after: Huawei Cloud Computing Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.