CN102347959A - Resource access system and method based on identity and session - Google Patents

Publication number
CN102347959A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011103697273A
Other languages
Chinese (zh)
Other versions
CN102347959B (en)
Inventor
汤传斌
熊丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Transoft Network Sci-Tech (shanghai) Co Ltd
Original Assignee
Transoft Network Sci-Tech (shanghai) Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Transoft Network Sci-Tech (shanghai) Co Ltd
Priority to CN201110369727.3A (CN102347959B)
Publication of CN102347959A
Priority to PCT/CN2012/084810 (WO2013071890A1)
Application granted
Publication of CN102347959B
Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1069 Session establishment or de-establishment
    • H04L65/60 Network streaming of media packets
    • H04L65/61 Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
    • H04L65/613 Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio for the control of the source by the destination
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions

Abstract

The invention discloses a resource access system and method based on identity and session. The system comprises a client, a session management center, a resource center and an identity manager. The client sends a service request and defines the resource information required to execute the service request. The session management center receives the service request, creates a streaming session according to the service request and a control session according to the streaming session, negotiates the resources required by the streaming session and the service providers required by the control session, and routes the request to the resource center. The resource center comprises a physical server, a network and storage; the resource center receives the service request and manages the running of the request; a virtual machine on the physical server runs the service request and feeds the result back to the client. The identity manager manages the identity information of objects such as resources, service providers, sessions and applications, and also manages the life cycle of the identity information.

Description

Resource access system and method based on identity and session
Technical field
The present invention relates to the field of computer system applications and, more particularly, proposes a resource access system based on identity and session for system scenarios comprising a plurality of servers, networks and storage.
Background technology
How to use data center resources to support an enterprise's business operations is the foremost question in data center management. With technology advancing rapidly and new application models emerging constantly, data centers buy more and more equipment (servers, storage, networks), and the volume is exploding. Planning one set of equipment per business has created numerous equipment islands, so the equipment is seldom fully used and resources are seriously wasted. In addition, resource planning and business operation are separated: resource planning is done off-line, whereas business operation runs on-line. Resources cannot be shared between businesses, and traditional manual procedures lengthen business deployment cycles and reduce the efficiency of the enterprise. How to supply resources to businesses effectively, that is, to achieve resource sharing, dynamic provisioning and automation of business processes, therefore becomes particularly important. What is needed is a powerful management method and system that keeps pace with the times, responds better to these "new problems", and manages the data center effectively and comprehensively.
Virtualization has become an almost indispensable part of the data center, and more and more users are moving their data centers into virtualized environments. According to the latest research by an authoritative institution, 90% of enterprises have implemented virtualization technology to some extent. This poses a new challenge for data center management tools: in an era in which virtualization prevails, how can an effective resource provisioning method and system be designed that maintains and improves the effectiveness of data center management?
When data center resources are supplied dynamically on demand, guaranteeing quality of service is the first problem to be solved. Handling concurrent requests, multiplexing resources and multiplexing services are the keys to improving efficiency, and this requires identity and session management. Many solutions to these problems have been proposed. U.S. Patent No. 7,860,975, entitled "System and method for secure sticky routing of requests within a server farm", proposes a method in which an upstream device in a server farm, such as a load balancer or router, routes requests to servers. A secure and unique ID, or a network address obtained from the request, is used to determine how requests are routed through the server farm to the server handling the session of those requests. This method solves the problem of routing requests to servers in a data center, but it does not address routing requests at the control session level, nor does it involve access to virtual resources. U.S. Patent No. 7,930,734, entitled "Method and system for creating and tracking network session", proposes a method of creating and tracking network sessions: authenticated identity information, network address information and network addressing information are collected and bound together in the central database of a session manager to form a session record reflecting a client's network access, which is used to detect anomalies such as intrusions in real time. This method also addresses only the communication level of network sessions and does not involve the control level. U.S. Patent No. 7,953,918, entitled "Service Bus linking method and service bus for linking plurality of service buses together", proposes a service bus linking method and a way of linking a large number of service buses together. The method marks each service bus with a node identifier, adds the identifier and the position of the service bus to a bus node table, and updates the table. It is intended to solve identity management of the service buses themselves and does not cover identity management of resources (various software and hardware resources) or applications. Some telecommunications companies also separate the control session from the streaming session, but their protocol stacks include only communication resources and do not involve computing resources, let alone virtual computing resources.
Summary of the invention
To address these problems, and in particular in the network paradigm of the data center, the present invention introduces the idea from traditional telecommunications of separating service providers from resource providers into access to enterprise data center resources, achieves separation of load and control sessions, and uses an identity management method to manage the identities of these resources.
The technical solution of the present invention is as follows. The present invention discloses a resource access system based on identity and session, comprising:
A client, which sends a service request and defines the resource information required to execute the service request;
A session management center, which receives the service request sent by the client, creates a streaming session according to the service request and a control session according to the streaming session, negotiates the resources required by the streaming session and the service providers required by the control session, and routes the request to the resource center;
A resource center, comprising a physical server, a network and storage, with one or more virtual machines running on the physical server; the resource center receives the service request and manages the running of the request, and the virtual machine runs the service request and feeds the result back to the client;
An identity manager, communicatively connected to the session management center and the resource center, which manages the identity information of objects including resources, service providers, sessions and applications, and also manages the life cycle of the identity information.
According to an embodiment of the resource access system based on identity and session of the present invention, said session management center comprises:
A streaming session manager, which receives the service request sent by the client, creates a streaming session according to the service request, negotiates the resources required by the streaming session, and forwards the service request;
A proxy server, communicatively connected to the streaming session manager, which receives the service request forwarded by the streaming session manager and keeps the connection open, obtains the streaming session information created by the streaming session manager, and schedules concurrent service requests;
A control session manager, communicatively connected to the proxy server, which obtains the streaming session information from the proxy server, creates a control session according to the streaming session information, negotiates the service providers required by the control session, and forwards the service request;
A service bus, connected to the control session manager and to a plurality of service providers, which passes the request and the control session identity information between the service providers;
A session database, which stores the streaming session, control session and user session information for the whole process from the client sending the service request to the resource center, through the virtual machine running it, to the result being fed back from the resource center to the client.
According to an embodiment of the resource access system based on identity and session of the present invention, the said words manager that fails to be convened for lack of a quorum comprises:
A streaming session creator, which creates a streaming session for the received service request, manages the life cycle of the streaming session, and negotiates the resources the streaming session requires;
A stream signaling plane, communicatively connected to the streaming session creator, which is formed by the communication protocol stacks between the resources participating in the streaming session and which separates physical resources from dynamic resources.
According to an embodiment of the resource access system based on identity and session of the present invention, said stream signaling plane comprises:
A protocol stack formed by I/O link resources, local network port resources and computing resources, wherein the computing resource protocol stack comprises the local physical computing stack, the virtual machine manager and the local logical computing stack.
According to an embodiment of the resource access system based on identity and session of the present invention, said acting server comprises:
An application container, which stores the request information related to the service request, including IP address, port number and protocol.
According to an embodiment of the resource access system based on identity and session of the present invention, said control session manager comprises:
A session controller, which creates the control session according to the streaming session, manages the life cycle of the control session, and negotiates the service providers needed to execute the control session;
A control signaling plane, formed by the communication protocol stacks between the service providers participating in the control session, which separates service providers from resource providers.
According to an embodiment of the resource access system based on identity and session of the present invention, the physical server comprises a server resource manager, a hardware architecture, a virtual machine manager and several virtual machines; the server resource manager manages the running of service requests on the virtual machines, and the virtual machine manager manages the virtual machines;
The network comprises a network resource manager, which manages network resources and networks the virtual machines in the physical server;
The storage comprises a storage resource manager, which manages storage resources.
According to an embodiment of the resource access system based on identity and session of the present invention, said identity manager comprises:
A handle resolution system, which resolves the location of resources and the relationships between the objects involved in a service request by means of tree and graph structures;
A generator, which generates unique identity information for each defined resource and service provider, and generates identity information for each session and application;
A registrar, which registers each object with the identity manager and calls the generator to generate an identity for the object;
An identity store, which stores the identity information of the various objects, including sessions, service providers, resources and applications.
The present invention also discloses a resource access method based on identity and session, the method comprising:
An upstream streaming session manager receives a resource request from a client;
The streaming session manager creates, for the request, a streaming session used to negotiate the resources required to run the client's load, and sends the request together with the streaming session information to the upstream proxy server;
The proxy server acts as a relay proxying multiple requests, and sends the request together with the streaming session information to the upstream control session manager;
The control session manager generates for the request a control session, associated with the above streaming session, that is used to negotiate the service providers controlling the service request;
The control session manager interacts with the upstream service bus; the service bus is connected to a plurality of service providers, the request and the control session identity information are passed between the service providers over the service bus, and the request is routed through the service providers to a physical server in the downstream resource center;
One or more virtual machines are present on the physical server; a resource manager manages the running of the request on the virtual machines, and a virtual machine runs the request and feeds the result back to the client.
According to an embodiment of the resource access method based on identity and session of the present invention, said method further comprises:
The streaming session manager creates the streaming session and accesses the identity manager to obtain a streaming session identity;
The proxy server creates a virtual application and accesses the identity manager to obtain, through the relationship resolution service, a virtual application identity associated with the above streaming session identity;
The control session manager creates the control session associated with the streaming session and accesses the identity manager to obtain, through the relationship resolution service, a control session identity associated with the above streaming session identity;
The resource manager accesses the identity manager to obtain the unique identity of a resource, and the location of the resource can be found from its unique identity through the address resolution service.
According to an embodiment of the resource access method based on identity and session of the present invention, said method further comprises:
After the proxy server receives the request and the streaming session information sent by the streaming session controller, the TCP/UDP connection between it and the streaming session controller is kept open;
After the request is up and running on a virtual machine on a physical server of the resource center, the TCP/UDP connection between the proxy server and the streaming session controller is disconnected, and the result is returned directly to the client through redirection.
According to an embodiment of the resource access method based on identity and session of the present invention, said method further comprises:
The streaming session manager creates the streaming session and generates the stream signaling plane, separating physical resource demands from dynamic resource demands and controlling the logical core network that is generated on demand.
According to an embodiment of the resource access method based on identity and session of the present invention, said method further comprises:
The control session manager creates the control session and generates the control session plane, dynamically combining service providers in any way the request requires to generate a plurality of service provider planes.
According to an embodiment of the resource access method based on identity and session of the present invention, said method further comprises:
Bridging is used to establish the identity correspondence between a virtual machine and the various virtual resources on it.
According to an embodiment of the resource access method based on identity and session of the present invention, said method further comprises:
Two identities are set for a virtual machine: one is that of the virtual machine itself, and the other is a reference identity that points to the components on it, establishing the identity correspondence between the virtual machine and its components.
In the network paradigm of the data center, the resource access system based on identity and session of the present invention introduces the idea from traditional telecommunications of separating service providers from resource providers into access to enterprise data center resources, achieves separation of load and control sessions, and uses an identity management method to manage the identities of these resources.
Description of drawings
The above and other features, properties and advantages of the present invention will become more apparent from the following description in conjunction with the drawings and embodiments, in which the same reference numerals denote the same features throughout:
Fig. 1 is a structural block diagram of the resource access system based on identity and session according to an embodiment of the invention.
Fig. 2 is a general flow chart of the operation of the resource access system based on identity and session according to an embodiment of the invention, describing the whole process from the user sending an application request to the application instance running and returning to the client.
Fig. 3 is a diagram of the streaming session plane in the resource access system based on identity and session according to an embodiment of the invention, showing the communication resource and computing resource protocol stacks that the client's load passes through.
Fig. 4 is a block diagram of the interaction between the proxy server and control session management, and of the control session manager, in the resource access system based on identity and session according to an embodiment of the invention.
Fig. 5 is a flow chart of the interaction between the proxy server and control session management in the resource access system based on identity and session according to an embodiment of the invention.
Fig. 6 shows part of the storage structure of the session database that stores session relationships in the resource access system based on identity and session according to an embodiment of the invention.
Fig. 7 is a structural block diagram of the identity manager in the resource access system based on identity and session according to an embodiment of the invention.
Fig. 8 is a block diagram describing the Relationship Resolution Service Implementation in the identity manager of Fig. 7.
Fig. 9 is a diagram of the relationships in Address Resolution in the identity manager of Fig. 7.
Fig. 10 is a flow chart of the use of the identity manager in the resource access system based on identity and session according to an embodiment of the invention.
Embodiment
Fig. 1 is a structural block diagram of the resource access system based on identity and session according to an embodiment of the invention. Referring to Fig. 1, the present invention discloses a resource access system based on identity and session, comprising: client 11, session management center 12, resource center 14 and identity manager 13.
Client 11 sends a service request and defines the resource information required to execute the service request.
Session management center 12 receives the service request sent by client 11; in the present invention, a service request may also be called an application request. Session management center 12 creates a streaming session according to the service request and a control session according to the streaming session, negotiates the resources required by the streaming session and the service providers required by the control session, and routes the request to the resource center.
Resource center 14 comprises a physical server, a network and storage, with one or more virtual machines running on the physical server. Resource center 14 receives the service request and manages the running of the request; the virtual machine runs the service request and feeds the result back to client 11.
Identity manager 13 is communicatively connected to the session management center and the resource center. Identity manager 13 manages the identity information of objects such as resources, service providers, sessions and applications, and also manages the life cycle of the identity information.
Referring to Fig. 1, session management center 12 comprises streaming session manager 121, proxy server 122, control session manager 123, service bus 124 and session database 125. Streaming session manager 121 manages real-time network sessions: it receives the service request sent by client 11, creates a streaming session according to the service request, negotiates the resources the streaming session requires, and forwards the service request. In the embodiment shown in Fig. 1, streaming session manager 121 comprises streaming session creator 1211 and stream signaling plane 1212. Streaming session creator 1211 creates a streaming session for the received service request and manages its life cycle; it also negotiates the resources the streaming session needs, i.e. the resources required to run the user's load. Stream signaling plane 1212 is communicatively connected to streaming session creator 1211 and is formed by the communication protocol stacks between the resources participating in the streaming session; it separates physical resources from dynamic resources. Proxy server 122 is communicatively connected to streaming session manager 121. Proxy server 122 is the intermediary, or broker, between users and resources and can identify user requests. It receives the service request forwarded by streaming session manager 121 and keeps the connection open, obtains the streaming session information created by the streaming session manager, and schedules concurrent service requests. In the embodiment shown in Fig. 1, proxy server 122 comprises application container 1221, which stores the request information related to the service request, including IP address, port number and protocol. Control session manager 123 is communicatively connected to proxy server 122; it obtains the streaming session information from proxy server 122, creates the corresponding control session, and negotiates the service providers required by the control session, i.e. the service providers that control the user's request. Control session manager 123 forwards the service request. In the embodiment shown in Fig. 1, control session manager 123 comprises session controller 1231 and control signaling plane 1232. Session controller 1231 creates the control session according to the streaming session and manages its life cycle; it also negotiates the service providers the control session needs. Control signaling plane 1232 is formed by the communication protocol stacks between the service providers participating in the control session, and separates service providers from resource providers. Service bus 124 is connected to control session manager 123; it is implemented with a middleware architecture, comprises event-driven and message engines, and is connected to a plurality of service providers. Session database 125 stores the streaming session, control session and user session information for the whole process from client 11 sending the service request to resource center 14, through the virtual machine running it, to the result being fed back from resource center 14 to client 11. Session database 125 may run on one or more servers.
Still referring to Fig. 1, physical server 141 in resource center 14 comprises server resource manager 1411, hardware architecture 1412, virtual machine manager 1413 and several virtual machines 1414. Server resource manager 1411 manages the running of service requests on the virtual machines, and virtual machine manager 1413 manages virtual machines 1414. Network 142 comprises network resource manager 1421, which manages network resources and networks virtual machines 1414 in physical server 141. Storage 143 comprises storage resource manager 1431, which manages storage resources and provides storage services for various information such as virtual machine images.
Referring to Fig. 1, identity manager 13 comprises handle resolution system 131, generator 132, registrar 133 and identity store 134. Handle resolution system 131 resolves the location of resources and the relationships between the objects involved in a service request by means of tree and graph structures. Generator 132 generates unique identity information for each defined resource and service provider, and also generates identity information for each real-time session and application. Registrar 133 registers objects with the identity manager and calls the generator to generate an identity for each object. Identity store 134 stores the identity information of the various objects, including sessions, service providers, resources, applications and so on.
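The identity manager's four parts and the identity steps of the method (a streaming session identity, then a virtual application identity and a control session identity associated with it, then address resolution for a resource) can be illustrated as follows. This is an added example, not code from the patent: all class, method and label names are hypothetical, and the UUID-based identities and parent-pointer tree are assumptions about details the text does not specify.

```python
import uuid
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Object kinds the text says the identity manager covers.
KINDS = {"resource", "service_provider", "session", "application"}


@dataclass
class Identity:
    ident: str
    kind: str
    label: str
    parent: Optional[str] = None  # tree edge used for address resolution
    active: bool = True           # life-cycle state


class IdentityManager:
    def __init__(self):
        self._store = {}  # identity store: ident -> Identity
        self._graph = {}  # relation graph: ident -> set of related idents

    def _generate(self, kind):
        # Generator: one unique, unguessable identity per object (assumed UUID4).
        return f"{kind}:{uuid.uuid4()}"

    def _require_active(self, ident):
        rec = self._store.get(ident)
        if rec is None or not rec.active:
            raise KeyError(f"unknown or retired identity: {ident}")
        return rec

    def register(self, kind, label, parent=None, related_to=None):
        # Registrar: validate, call the generator, record tree/graph edges.
        if kind not in KINDS:
            raise ValueError(f"unsupported object kind: {kind}")
        for ref in (parent, related_to):
            if ref is not None:
                self._require_active(ref)  # never bind to a dead identity
        ident = self._generate(kind)
        self._store[ident] = Identity(ident, kind, label, parent)
        self._graph[ident] = set()
        if related_to is not None:
            self._graph[ident].add(related_to)
            self._graph[related_to].add(ident)
        return ident

    def retire(self, ident):
        # Life-cycle management: a retired identity no longer resolves.
        self._require_active(ident).active = False

    def resolve_address(self, ident):
        # Address resolution: walk the tree from the object up to its root.
        path = []
        rec = self._require_active(ident)
        while rec is not None:
            path.append(rec.label)
            rec = self._require_active(rec.parent) if rec.parent else None
        return "/".join(reversed(path))

    def resolve_related(self, ident):
        # Relationship resolution: breadth-first walk over active identities.
        self._require_active(ident)
        seen, queue = {ident}, deque([ident])
        while queue:
            for nxt in self._graph[queue.popleft()]:
                if nxt not in seen and self._store[nxt].active:
                    seen.add(nxt)
                    queue.append(nxt)
        seen.discard(ident)
        return sorted(self._store[i].label for i in seen)


def demo():
    # Constructed sample objects; labels reuse reference numerals from Fig. 1.
    idm = IdentityManager()
    server = idm.register("resource", "server-141")
    vm = idm.register("resource", "vm-1414", parent=server)
    stream = idm.register("session", "streaming-session")
    idm.register("application", "virtual-app", related_to=stream)
    ctrl = idm.register("session", "control-session", related_to=stream)
    before = idm.resolve_related(ctrl)
    idm.retire(stream)  # the streaming session's life cycle ends
    after = idm.resolve_related(ctrl)
    return idm.resolve_address(vm), before, after


if __name__ == "__main__":
    print(demo())
```

Once the streaming session identity is retired, the control session no longer resolves to the virtual application, because that association existed only through the streaming session.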
Continuing with reference to Fig. 1, the resource access system based on identity and session operates as follows. The client 11, which may be a user, sends a service request, for example a request to create a LAMP, and defines the resource information needed to create the LAMP. The service request first arrives at the streaming session manager 121 in the session management center 12. The session creator 1211 in the streaming session manager 121 creates a streaming session for the service request, negotiates the resources required to run the user's load, and manages the life cycle of the session. The communication protocol stack between the resources participating in the streaming session process forms the streaming signaling plane 1212, which can separate physical resources from dynamic resource demands and control the logical core network generated on demand. The streaming session manager 121 here may be a layer 4 to 7 switch or an application delivery controller, specifically a device such as F5 LTM or Cisco ACE. The streaming session manager 12 forwards the request to the proxy server (broker) 122 over TCP/UDP and keeps this TCP/UDP connection open. The proxy server 122 is an intermediary, or broker, between users and resources. It receives user-facing application requests, stores the user's request information (IP, port, protocol and so on) in the application container 1221, and schedules concurrent requests. The proxy server 122 then sends the request to the control session manager 123, which consists of the session controller 1231 and the control signaling plane 1232. The session controller 1231 creates the related control session according to the streaming session, negotiates the service providers required by the control session (that is, controls the service providers the user requests), and manages the life cycle of the session. The communication protocol stack between the service providers participating in the control session process forms the control signaling plane 1232, which can separate service providers from resource providers and provide any dynamic combination of service providers on demand. The control session manager 123 is connected to the service bus 124, which is implemented with middleware architecture technology and, through an event-driven mechanism and a message engine, provides the software architecture for an enterprise service-oriented architecture (SOA). In the present invention, each service provider is connected to the service bus 124, and the user's request and the session identity are propagated between service providers through the service bus. After processing by the service providers under certain policies, the request is finally routed to the resource server 141 in the resource center 14. In contrast to the proxy server 122 described earlier, the resource server 141 is the hardware device that ultimately runs the request. Each resource server 141 has hardware architecture 1412, a virtual machine manager 1413 and several virtual machines 1414, as well as a server resource manager 1411. The network resource manager 1421 in the network 142 manages network resources and networks the virtual machines, and the storage resource manager 1431 in the storage 143 manages storage resources. The service request is finally run, via the server resource manager 1411, on several virtual machines 1414 on the resource server 141; running a virtual machine instance requires both network resources and storage resources. After the service request has run, the result is returned directly to the client 11; this is the load transmission process. At the same time the TCP/UDP connection between the streaming session manager 12 and the proxy server (broker) 122 is torn down, and the control signaling process ends. The streaming session, control session, user session and related information are all stored in the session database 125, whose data may be held in memory or on disk. The session manager interacts with the identity manager to obtain the session's identity and stores the session-related information in the session database. The identity manager 13 manages the life cycle of identity information (ID), that is, its generation, maintenance and deletion. The identity manager 13 consists of the handle resolution system 131, the generator 132, the registry 133 and the identity store 134. The handle resolution system 131 is the core of the identity manager 13 and mainly resolves the location of resources and application relationships by means of tree structures and graph structures. The registry 133 manages the registration of resources with the identity manager 13, and the generator 132 generates an identity identifier for each defined object according to certain rules. The identity store 134 is the data storage center of the identity manager 13; it stores the identity information of objects such as resources, service providers, sessions and applications, together with resolution information, configuration services and other information. In one or more preferred embodiments of the present invention, when the request arriving at the host resource manager 1411 is start VM (start a virtual machine), the host resource manager 1411 needs to obtain the URL of the virtual machine from the identity manager 13. Virtual machine images are kept in the shared storage 143; when the request is create VM (create a virtual machine), the URL of the virtual machine template needs to be obtained from the storage 143, which uses the storage resource manager 1431 in the storage 143.
Fig. 2 is a general flow chart of the working process of the resource access system based on identity and session according to an embodiment of the invention. It describes the whole process from the user sending an application request, through running the application instance, to returning the result to the client. The specific steps are as follows:
Step 201, the user sends an application request (the user's application request includes IP, port, protocol, etc.). The application request here is a service request, for example a request for resources to create a LAMP;
Step 202, judge whether the user passes authentication and authorization; if so, the request proceeds to step 203, otherwise it returns to step 201;
Step 203, the request arrives at the streaming session manager, which generates a session for the request, accesses the identity manager to obtain a streaming session identity (streaming session ID), and stores the streaming session ID in a record of the streaming session table;
Step 204, the streaming session manager forwards the request and the streaming session ID to the proxy server, which acts as a virtual server (fake server), and keeps the TCP/UDP connection open. The purpose of keeping this connection is to hand the request over to the control signaling process, so as to achieve effective control of the request, routing, quality-of-service guarantees and so on. The proxy server can be regarded as an intermediary or broker between users and resources; it can identify the user's request and pass it to the back-end processing system, as detailed in Fig. 4;
Step 205, the proxy server accesses the identity manager and, through the relationship resolution service, obtains the virtual application identity associated with the streaming session ID; at the same time it sends the request and the streaming session ID to the control session manager. Here the whole system is regarded as an application program that executes requests, and a request is regarded as an application request (APP) that the user sends to that program. The request is sent by the user; when it reaches the proxy server, the application request is the user-facing application described by the user, also called a virtual application request;
Step 206, the control session manager creates a related control session (controlling session) for the request according to the streaming session, accesses the identity manager and, through the relationship resolution service, obtains the control session identity (Controlling session ID) associated with the streaming session ID;
Step 207, the control session manager calls the service bus. Through the service providers attached to it, the service bus converts the virtual application into an application and controls where the request goes; the control session is passed between service providers over the service bus, and the request is routed to a resource server in the resource center;
Step 208, the resource manager on the server manages execution of the application request, and obtains the resources needed to execute it by accessing the identity manager;
Step 209, judge whether the resources are ready; if so, go to step 211, otherwise go to step 210;
Step 210, wait until the resources are ready;
Step 211, execute the request and generate an application instance (APP INSTANT);
Step 212, the streaming session manager manages the running payload and tears down the TCP/UDP connection with the proxy server that was established for this request;
Step 213, the result of executing the request is returned directly to the client via a redirect; after the session ends, the resource information associated with it is released.
Fig. 3 is a diagram of the streaming session plane in the resource access system based on identity and session according to an embodiment of the invention. It shows the communication-resource and computing-resource protocol stacks that a customer's load has to pass through. In the streaming session plane, executing the customer load 38 first requires computing resources, which in a virtualized environment can be divided into virtual computing resources and physical computing resources. Virtual computing resources are what we usually call virtual machines, and are provided in the form of virtual machine files; in the protocol stack they sit in the local logical computing work stack 37. Below the local logical computing work stack 37 is the virtual machine manager VMM 36, which manages and controls the virtual machines. The VMM 36 provides exchange and arbitration of computing resources and maps the local logical work stack 37 to the local physical computing work stack 35, that is, the physical resources on the server, such as CPU, memory, disk and I/O devices. The local physical computing work stack 35 can of course also be mapped to the local logical work stack 37. The customer load 38 can actually run only once it has obtained physical resources. Loads need to interact and transfer data with each other, which requires network resources for communication, including local network port resources and I/O link resources. Communication between loads first goes through the local port resources and the TCP/UDP port 34 and then, following the layers of the communication protocol stack, is mapped in turn to network communication at the IP layer 33 of the I/O link and data link communication at the data link layer 32, down to transmission over the physical medium 31 at the bottom, which completes the communication process. The running result is returned to the client. The communication process is managed by the streaming session manager, which guarantees the operation and quality of service of the network instance of the customer load. This streaming session plane (signaling network) can separate physical resources from dynamic resource demands and so provide resources on demand.
Fig. 4 is a block diagram of the interaction between the proxy server and control session management, and of the control session manager, in the resource access system based on identity and session according to an embodiment of the invention. The streaming session manager 41 (or application delivery controller) generates the streaming session, and can dynamically configure the addresses and server pools of the resources the streaming session requires. The request sent by the user (the user-facing application request) carries application information that the user cares about, such as IP, port and protocol. This information cannot accurately provide a resource-facing description of the application, so the streaming session manager 41 cannot route the request to a specific server for execution on the basis of it. The request is therefore first directed to a virtual server (fake server), namely the proxy server 42. The proxy server 42 acts as a broker between users and resources. It contains an application container 421, which stores the application information of user requests, that is, the virtual applications, from virtual application 1 to virtual application n. Here the whole system is regarded as an application program that executes requests, and a request is regarded as an application request (APP) that the user sends to that program. The request is sent by the user; when it reaches the proxy server, the application request is the user-facing application described by the user, also called a virtual application. When the request, after processing by the service providers, reaches the resources, the application request becomes a resource-facing application that describes the resource requirements, also simply called an application. The proxy server 42 forwards the request to the control session manager 43 (which controls where the request goes). The session controller 431 in the control session manager 43 creates for this request a control session related to the streaming session, negotiates the communication between the service providers that carry out the user's request, and manages the life cycle of the session. The communication protocol stack between the service providers participating in the control session process forms the control signaling plane 432, which can separate service providers from resource providers and provide any dynamic combination of service providers on demand; that is, a plurality of service provider planes are generated dynamically, from service provider plane 4321 and service provider plane 4322 to service provider plane 432n. The control session manager 43 is connected to the service bus 44, which is implemented with middleware architecture technology and, through an event-driven mechanism and a message engine, provides the software architecture for an enterprise service-oriented architecture (SOA). In the present invention, each service provider in the service provider set 441 is connected to the service bus 44 and registered under it; the service bus 44 controls and manages the interaction between these service providers, service routing, protocol conversion and so on. The user's request and the session identity are propagated between the service providers over the service bus. The service providers here are functional modules that support and optimize resource access by providing application services, such as a service enabler and a service factory; functional modules for virtual resource management, such as the virtual machine manager 4411, storage manager 4412 and network manager 4413; and functional modules that improve performance, such as a monitor and an NMS. The control session manager 43 runs on a central server. Access to a service provider goes through an agent 45. Every service provider has an agent 45, which listens for requests, schedules them and then sends them to the corresponding service provider; the agents 45 allow requests to be processed concurrently. After processing by the service providers under certain policies, the request is finally routed to a resource server in the resource center; the term resource server is used in contrast to the proxy server described earlier.
Fig. 5 is a flow chart of the interaction between the proxy server and the control session manager in the resource access system based on identity and session according to an embodiment of the invention. The detailed process is as follows:
Step 501, the streaming session manager sends the request to the proxy server;
Step 502, judge whether the request passes authentication and authorization; if so, go to step 503, otherwise return to step 502 and judge again;
Step 503, judge whether the request is a concurrent request; if so, go to step 504, otherwise go to step 505;
Step 504, the application container in the proxy server schedules the request;
Step 505, the proxy server sends the request to the control session manager;
Step 506, the session controller creates for this request a control session related to the streaming session;
Step 507, the control session identity (Controlling session ID) is passed between a plurality of service providers through the service bus, thereby forming the control signaling plane (service provider plane);
Step 508, judge whether multiple requests are asking to use one service at the same time; if so, go to step 510, otherwise go to step 509;
Step 509, the service bus allocates a service provider to the request;
Step 510, the agent on the service provider registered under the service bus allocates the service to the request. Through this process the request can be routed to a resource server for execution, that is, the request accesses real physical resources.
Fig. 6 shows part of the storage structure of the session database that stores session relationships in the resource access system based on identity and session according to an embodiment of the invention. The session database 6 stores several session-related tables: the streaming session table 61, the control session table 62, the user session table 63 and the session relationship table 64. The user sends an application request; in the present invention, the application the user requests is a resource. To allow one user to have multiple requests, and to allow resources and services to be multiplexed, the session for a user's request is split into a streaming session, a control session and a user session. The streaming session table 61 mainly stores the network addresses and network addressing identity information bound to the streaming session: specifically the streaming session ID, the network identity (Network ID) and the input/output port identity (I/O ID), where the IDs are obtained by accessing the identity manager. The Network ID covers the identities of network devices such as switches and routers, and the I/O ID is the identity of a port; the addresses of these resources can be found from their identities. The streaming session table corresponds to the I/O link resources and local network port resources in the streaming session plane. The control session is the session for the control aspect. The control session table 62 mainly stores the identity information of the control session and of the service providers bound to it: specifically the Controlling session ID and multiple service provider IDs, all provided by the identity manager. The control session table corresponds to the control signaling plane. The user session is the session in which a user requests an application (app); it represents the relationship between the user and the application, and the component relationships of the application. The user session table 63 mainly stores the identity information of these objects: User session ID, User ID, App ID, vApp ID, Domain ID, Component ID, VM ID, Server ID and Storage ID. The relationships among them are dynamic. These IDs are obtained from the identity manager, and the relationships are represented through the handle system in the identity manager, as detailed in later figures. The streaming session, control session and user session are three aspects of one request and are closely connected, so a session relationship table 64 is needed to represent the relationships between them. Since the application (app) the user requests can be regarded as a service request, the service session identity (service session ID) is used as the primary key of the relationship table; the other attribute fields are User session ID, streaming session ID and controlling session ID. These attributes are the primary keys of the preceding tables, so the separated sessions are tied together in one request. When a session is created, its data is stored in the session database (Session Store); when a session completes or is terminated, the corresponding resources must be released. Session identities (Session ID) are created temporarily, whereas other resource identities (ID), including those of data center resources and service providers, are constant. When a session ends, the session must be deleted from the temporary table and the corresponding resources released. This process is like a subscription: when the subscription ends, the resources are released.
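The four tables of Fig. 6 and the create/end life cycle can be sketched with SQLite as follows. This is an added example, not code from the patent: the column names, the `temp_id` format, the separate provider link table and the `orphaned_sessions` check are assumptions made for illustration.

```python
import sqlite3
import uuid

# Assumed schema: one table per session kind plus the relationship table
# keyed by service session ID. Resource/provider IDs are constant strings
# issued elsewhere; only session IDs are created and deleted here.
SCHEMA = """
CREATE TABLE streaming_session (
    streaming_session_id TEXT PRIMARY KEY,
    network_id TEXT NOT NULL,
    io_id TEXT NOT NULL
);
CREATE TABLE control_session (controlling_session_id TEXT PRIMARY KEY);
CREATE TABLE control_session_provider (
    controlling_session_id TEXT NOT NULL
        REFERENCES control_session ON DELETE CASCADE,
    service_provider_id TEXT NOT NULL,
    PRIMARY KEY (controlling_session_id, service_provider_id)
);
CREATE TABLE user_session (
    user_session_id TEXT PRIMARY KEY,
    user_id TEXT NOT NULL, app_id TEXT NOT NULL, vm_id TEXT NOT NULL
);
CREATE TABLE session_relationship (
    service_session_id TEXT PRIMARY KEY,
    user_session_id TEXT NOT NULL REFERENCES user_session,
    streaming_session_id TEXT NOT NULL REFERENCES streaming_session,
    controlling_session_id TEXT NOT NULL REFERENCES control_session
);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def temp_id(kind):
    # Temporary, unguessable session identity (assumed format).
    return f"{kind}-{uuid.uuid4().hex}"

def create_service_session(db, user_id, app_id, vm_id,
                           network_id, io_id, provider_ids):
    ids = {k: temp_id(k) for k in ("svc", "usr", "str", "ctl")}
    with db:  # all rows are written in one transaction
        db.execute("INSERT INTO streaming_session VALUES (?,?,?)",
                   (ids["str"], network_id, io_id))
        db.execute("INSERT INTO control_session VALUES (?)", (ids["ctl"],))
        db.executemany("INSERT INTO control_session_provider VALUES (?,?)",
                       [(ids["ctl"], p) for p in provider_ids])
        db.execute("INSERT INTO user_session VALUES (?,?,?,?)",
                   (ids["usr"], user_id, app_id, vm_id))
        db.execute("INSERT INTO session_relationship VALUES (?,?,?,?)",
                   (ids["svc"], ids["usr"], ids["str"], ids["ctl"]))
    return ids["svc"]

def end_service_session(db, service_session_id):
    row = db.execute(
        "SELECT user_session_id, streaming_session_id, controlling_session_id"
        " FROM session_relationship WHERE service_session_id = ?",
        (service_session_id,)).fetchone()
    if row is None:
        return False
    usr, stream, ctl = row
    with db:  # relationship row first, it references the other three
        db.execute("DELETE FROM session_relationship"
                   " WHERE service_session_id = ?", (service_session_id,))
        db.execute("DELETE FROM user_session WHERE user_session_id = ?", (usr,))
        db.execute("DELETE FROM streaming_session"
                   " WHERE streaming_session_id = ?", (stream,))
        db.execute("DELETE FROM control_session"
                   " WHERE controlling_session_id = ?", (ctl,))
    return True

def orphaned_sessions(db):
    # Session rows no longer tied to any service session: a sign that a
    # teardown was only partly carried out and bindings were left behind.
    orphans = []
    for table, col in (("streaming_session", "streaming_session_id"),
                       ("control_session", "controlling_session_id"),
                       ("user_session", "user_session_id")):
        rows = db.execute(
            f"SELECT {col} FROM {table} WHERE {col} NOT IN"
            f" (SELECT {col} FROM session_relationship)").fetchall()
        orphans += [(table, r[0]) for r in rows]
    return orphans
```

Deleting the three session rows in the same transaction as the relationship row is what keeps a finished request from leaving a live binding to a port, provider or virtual machine.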
Fig. 7 is a structural block diagram of the identity manager in the resource access system based on identity and session according to an embodiment of the invention. The core of the identity manager 7 is the handle resolution system 71 and the ID store 72, which holds identity information and various management configuration information. Objects are marked with identity identifiers: constant objects such as resources and service providers have a unique, constant identifier, while dynamic objects such as sessions have a temporary identifier. Persistence is guaranteed by the handle resolution system 71. The handle resolution system 71 consists of four parts: the reference implementation 711, the protocol 712, the namespace 713 and the administrative service 714. The reference implementation 711 is the core of the handle resolution system 71 and provides the resolution services and the distributed classification service. The distributed classification service 7113 receives concurrent requests of different types and, after scheduling them according to type, sends each request to the address resolution service 7111 or the relationship resolution service 7112. The address resolution service 7111 holds a tree structure of address relationships, through which the location of a resource is found from its identity. The relationship resolution service 7112 holds the structure of the relationships between users, applications (app), resources, sessions and so on, and links these objects together effectively. Because these relationships are fairly complex and many-to-many mappings are common, various structures such as trees and graphs can be used to describe them. When a user accesses resolution or an administrative process in the system, the protocol 712 is used to authenticate the client. The namespace 713 holds the type names of the many different types of identity identifier, and also the grammar for concrete object names; namespaces can be divided by type, and each namespace 713 domain contains many different concrete names. The administrative service 714 provides the various configuration and administration services in the system. The ID store 72 is the storage in the identity manager 7 for identity information, management configuration information and so on; the identities of resources, processes, applications, services and the like are all stored in the ID store 72. In one or more preferred embodiments of the present invention, the identity manager provides identity services, relationship resolution services and address resolution services to the session manager and the resource managers, supporting the resolution of relationships between objects and the location of resources. The identity manager runs on an ID server.
Fig. 8 is a block diagram describing the implementation of the relationship resolution service in the identity manager of Fig. 7. The relationship resolution implementation 81 of the present invention consists of three parts: the object identifier 811, the object description 812 and the resolution service 813. The object identifier 811 represents the identity of an object. An object here may be a data center resource such as a virtual machine or server; an application relationship requested by the user, such as an application (app), domain or component; a session; or a management program in the system (also called a service provider). The object description 812 describes the attributes, characteristics and so on of each object. The resolution service 813 consists of data types 8131, structural metadata 8132 and meta-objects 8133. The structural metadata 8132 describes the structural relationships between objects. Because the relationships are complex and many-to-many cases exist (a user can use several applications at once, and an application can be used by several users at once), a graph structure is used to represent them. This supports many-to-many references both from upper objects to lower objects and from lower objects to upper objects. Metadata here means objects about objects, and a data type is a classification of data. Block 82 lists the main objects that need to be resolved: user 821, application (app) 822, domain 823, component 824, virtual resource 825, physical resource 826 and so on. The relationships between these objects are also user session relationships. In a user session, a user 821 can use several applications (app) 822 at once, and an application (app) can be used by several users 821 at once. An application (app) 822 corresponds to a domain 823, and a domain 823 is made up of several components 824. Because a component 824 is a special domain 823 that contains only one virtual machine instance (VM instance), a domain (component) 823 corresponds to one virtual machine VM, and a VM can be referenced by several domains (components) 823. A VM corresponds to several physical resources, such as cpu, memory and nic. A VM carries two IDs: one is the VM's own ID, and the other is a Reference ID that points to the component 824 above it and establishes the identity correspondence with the component 824. Block 83 shows the main resources needed to run a user's request, including VM 831, LUN 832, Raid 833, vswitch 834 and Nic 835; the relationships between these resources are identified through IDs.
Fig. 9 is a diagram of the relationships used in address resolution in the identity manager of Fig. 7. In the identity manager every resource is given a unique identity mark, so each resource has a unique identity identifier. It also has a variable logical identity (logical ID), used to establish the logical relationships between resources. This differs from the domain name system, in which a domain name corresponds to an IP: here each ID is unique and constant, so wherever a resource moves it can be found through its ID. Address resolution is implemented with a tree structure, in which identity follows an inheritance relationship from root to leaf. Taking a data center as an example, the data center 91 can be divided into several groups 92; a group 92 contains several hosts 93; and a host 93 carries several virtual machines 94. A virtual machine 94 uses virtual hardware resources such as vCPU 951, vMemory 952, vNic 953 and vHBA 954. The virtual hardware resources are mapped by the virtual machine manager VMM to the corresponding physical hardware resources CPU 971, Memory 972, Nic 973 and HBA 974, and one physical hardware device can correspond to several virtual hardware devices. The vNic 953 is connected to a vSwitch 96 in the VMM; a VMM can contain one or more vSwitch 96. A vSwitch 96 connects several vnic 953, and the vswitch 953 is connected to the physical Nic 973, which in turn connects to a Switch 98. A Switch 98 can connect several Nic 973, that is, several hosts 93, and can also connect to shared storage 99. At the bottom layer, for the resources on a host, Tap Bridge is used to establish the identity correspondence between a virtual machine 94 and the virtual resources on it. A virtual machine can have several vSwitch 96, each managing a different vlan: virtual machines connected to different vswitches are placed in different vlans, and one vswitch can connect different virtual machines on different hosts. When the address of a resource is requested by the resource's ID, the request arrives at the address resolution service, which resolves the location of the resource from the resource's identity.
Figure 10 is a flow chart of using the identity manager in the resource access system based on identity and session according to an embodiment of the invention. It comprises the following steps:
Step 1001, client is sent request, and is transferred to step 1002;
Step 1002, request arrives identity manager, and is transferred to step 1003;
Step 1003 judges whether the object of being asked is registered, if registration is transferred to step 1004, otherwise is transferred to step 1008 in identity manager;
Step 1004 is inquired about the handle solving system according to ID, and is transferred to step 1005 in identity manager;
Step 1005 judges whether the query resource address, if be transferred to step 1006, otherwise be transferred to step 1010;
Step 1006 finds the position of resource through the address service of finding the solution, and is transferred to step 1007;
Step 1007 returns to the requesting party with positional information, finishes;
Step 1008 is used the Register registry object, and is transferred to step 1009;
Step 1009, maker is this Object Creation deletion identity symbol ID according to object type and character string rule, and is transferred to step 1004;
Step 1010 finds the object of relation through the relation service of finding the solution, and is transferred to step 1011;
Step 1011 returns to the requesting party with relationship object information, finishes.
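The Fig. 10 flow combined with the tree-based address resolution of Fig. 9, as an added Python example that is not part of the patent text. The class and method names, the ID string rule (`<type>-<sequence>`) and the sample objects (`dc1`, `host1`, `vm1`, `fs1`, `cs1`) are assumptions made for illustration; the example shows that a resource keeps its ID when it moves while its resolved address changes.

```python
import itertools


class IdentityManager:
    """Toy identity manager: constant IDs, mutable tree position, relation graph."""

    def __init__(self):
        self._seq = itertools.count(1)
        self._id_by_key = {}   # (object type, logical name) -> constant ID
        self._node = {}        # ID -> {"logical": name, "parent": ID or None}
        self._related = {}     # ID -> set of related IDs

    def register(self, obj_type, logical, parent=None):
        """Steps 1008-1009: register the object and generate its ID."""
        if parent is not None and parent not in self._node:
            raise KeyError(f"unknown parent ID {parent!r}")
        key = (obj_type, logical)
        if key not in self._id_by_key:
            # Assumed string rule: "<type>-<4-digit sequence number>".
            oid = f"{obj_type}-{next(self._seq):04d}"
            self._id_by_key[key] = oid
            self._node[oid] = {"logical": logical, "parent": parent}
            self._related[oid] = set()
        return self._id_by_key[key]

    def move(self, oid, new_parent):
        """Relocate a resource; its ID stays the same, only the tree changes."""
        cur = new_parent
        while cur is not None:          # refuse moves that would create a cycle
            if cur == oid:
                raise ValueError("move would place a node under itself")
            cur = self._node[cur]["parent"]
        self._node[oid]["parent"] = new_parent

    def relate(self, a, b):
        """Record a symmetric relation, e.g. flow session <-> control session."""
        self._related[a].add(b)
        self._related[b].add(a)

    def resolve_address(self, oid):
        """Step 1006: walk leaf -> root and return the root-to-leaf path."""
        path = []
        while oid is not None:
            node = self._node[oid]      # KeyError for an unregistered ID
            path.append(node["logical"])
            oid = node["parent"]
        return "/".join(reversed(path))

    def resolve_relations(self, oid):
        """Step 1010: return the IDs related to this object."""
        return sorted(self._related[oid])

    def handle(self, obj_type, logical, query, parent=None):
        """Steps 1002-1011 for one client request."""
        key = (obj_type, logical)
        oid = self._id_by_key.get(key) or self.register(obj_type, logical, parent)
        if query == "address":
            return oid, self.resolve_address(oid)
        return oid, self.resolve_relations(oid)


def demo():
    im = IdentityManager()
    dc = im.register("dc", "dc1")
    grp = im.register("group", "group1", dc)
    h1 = im.register("host", "host1", grp)
    h2 = im.register("host", "host2", grp)
    # First request for vm1: not yet registered, so it is registered on the fly.
    vm, before = im.handle("vm", "vm1", "address", parent=h1)
    im.move(vm, h2)                      # migration: same ID, new location
    vm_again, after = im.handle("vm", "vm1", "address")
    fs = im.register("flowsession", "fs1")
    cs = im.register("ctrlsession", "cs1")
    im.relate(fs, cs)
    _, related = im.handle("flowsession", "fs1", "relation")
    return vm, vm_again, before, after, related


if __name__ == "__main__":
    print(demo())
```

The relation query at the end mirrors the lookup described in claim 10, where the control session identity is obtained from the associated flow session identity through the relation resolution service.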
In a data center network environment, the resource access system based on identity and session of the invention brings the idea from traditional telecommunications of separating the service provider from the resource provider into access to enterprise data center resources, separates the load session from the control session, and manages the identities of these resources with an identity management method.
The above embodiments are provided so that persons skilled in the art can implement or use the invention. Persons skilled in the art may make various modifications or changes to the above embodiments without departing from the inventive idea of the invention; the scope of protection of the invention is therefore not limited by the above embodiments, and should be the broadest scope consistent with the inventive features recited in the claims.

Claims (15)

1. A resource access system based on identity and session, characterized in that it comprises:
A client, which sends a service request and defines the resource information required to execute the service request;
A session management center, which receives the service request sent by the client, creates a flow session according to the service request and creates a control session according to the flow session, negotiates the resources required by the flow session and the service providers required by the control session, and routes the request to the resource center;
A resource center, comprising a property server, a network and storage, with one or more virtual machines running on the property server; the resource center receives the service request and manages the running of the request, and the virtual machine runs the service request and feeds the result back to the client;
An identity manager, communicatively connected to the session management center and the resource center; the identity manager manages the identity information of resource, service provider, session and application objects, and also manages the life cycle of that identity information.
2. The resource access system based on identity and session according to claim 1, characterized in that the session management center comprises:
A flow session manager, which receives the service request sent by the client, creates a flow session according to the service request, negotiates the resources required by the flow session, and forwards the service request;
A proxy server, communicatively connected to the flow session manager; the proxy server receives the service request forwarded by the flow session manager and keeps the connection, obtains the flow session information created by the flow session manager, and schedules concurrent service requests;
A control session manager, communicatively connected to the proxy server, which obtains the flow session information from the proxy server, creates a control session according to the flow session information, negotiates the service providers required by the control session, and forwards the service request;
A service bus, connected to the control session manager and linked to multiple service providers, which passes the request and the control session identity information between the service providers;
A session database, which stores the flow session, control session and user session information for the process in which a service request is sent from the client to a virtual machine in the resource center, run there, and its result fed back from the resource center to the client.
3. The resource access system based on identity and session according to claim 2, characterized in that the flow session manager comprises:
A flow session generator, which creates a flow session for the received service request and manages the life cycle of the flow session, and also negotiates the resources required by the flow session;
A flow signaling plane, communicatively connected to the flow session generator and formed by the communication protocol stacks between the resources participating in the flow session, which separates the physical resources and the dynamic resources among said resources.
4. The resource access system based on identity and session according to claim 3, characterized in that the flow signaling plane comprises:
Protocol stacks formed by I/O link resources, local network port resources and computing resources, wherein the computing resource protocol stack comprises a local physical computing work stack, a virtual machine manager and a local logical computing work stack.
5. The resource access system based on identity and session according to claim 2, characterized in that the proxy server comprises:
An application container, which stores the request information related to the service request, including IP address, port number and protocol.
6. The resource access system based on identity and session according to claim 2, characterized in that the control session manager comprises:
A session controller, which creates the control session according to the flow session and manages the life cycle of the control session, and also negotiates the service providers needed to execute the control session;
A control signaling plane, formed by the communication protocol stacks between the service providers participating in the control session, which separates the service provider from the resource provider.
7. The resource access system based on identity and session according to claim 1, characterized in that:
The property server comprises a server resource manager, a hardware structure, a virtual machine manager and several virtual machines; the server resource manager manages the running of service requests on the virtual machines, and the virtual machine manager manages the virtual machines;
The network comprises a network resource manager, which manages network resources and networks the virtual machines in the property server;
The storage comprises a storage resource manager (SRM), which manages storage resources.
8. The resource access system based on identity and session according to claim 1, characterized in that the identity manager comprises:
A handle resolution system, which resolves the location of a resource and the relationships between the objects involved in a service request through a tree structure and a graph structure;
A generator, which generates unique identity information for each defined resource and service provider, and generates identity information for each session and application;
A Register, which registers each object with the identity manager; the Register calls the generator to generate the identity for the object;
An identity store, which stores the identity information of the various objects, including sessions, service providers, resources and applications.
9. A resource access method based on identity and session, characterized in that the method comprises:
An upstream flow session manager receives a resource request from a client;
The flow session manager creates, for the request, a flow session used to negotiate the resources required to carry the client's load, and sends the request together with the flow session information to the upstream proxy server;
The proxy server acts as a relay proxying multiple requests, and sends the request together with the flow session information to the upstream control session manager;
The control session manager generates for the request a control session, associated with the above flow session, that is used to negotiate the service providers controlling the service request;
The control session manager interacts with the upstream service bus; the service bus is linked to multiple service providers, the request and the control session identity information are passed between the multiple service providers through the service bus, and the request is routed through the service providers to the property server of the downstream resource center;
One or more virtual machines are on the property server; the resource manager manages the running of the request on the virtual machine, and the virtual machine runs the request and feeds the result back to the client.
10. The resource access method based on identity and session according to claim 9, characterized in that the method further comprises:
The flow session manager creates the flow session and accesses the identity manager to obtain the flow session identity;
The proxy server creates a virtual application and accesses the identity manager, obtaining through the relation resolution service the virtual application identity associated with the above flow session identity;
The control session manager creates the control session associated with the flow session and accesses the identity manager, obtaining through the relation resolution service the control session identity associated with the above flow session identity.
The resource manager accesses the identity manager to obtain the unique identity of a resource, and can find the location of the resource from its unique identity through the address resolution service.
11. The resource access method based on identity and session according to claim 9, characterized in that the method further comprises:
After the proxy server receives the request and the flow session information sent by the flow session controller, it continues to keep the TCP/UDP connection with the flow session controller;
After the request is up and running on a virtual machine on the property server of the resource center, the TCP/UDP connection between the proxy server and the flow session controller is broken, and the running result is returned directly to the client through redirection.
12. The resource access method based on identity and session according to claim 9, characterized in that the method further comprises:
The flow session manager creates the flow session, generates the flow signaling plane, separates physical resource and dynamic resource demands, and controls generation of the logical core network on demand.
13. The resource access method based on identity and session according to claim 9, characterized in that the method further comprises:
The control session manager creates the control session, generates the control session plane, dynamically combines service providers in any way according to the needs of the request, and generates multiple service provider planes.
14. The resource access method based on identity and session according to claim 9, characterized in that the method further comprises:
Using a bridge to establish the identity correspondence between a virtual machine and the various virtual resources on it.
15. The resource access method based on identity and session according to claim 9, characterized in that the method further comprises:
Setting two identities for a virtual machine: one is the virtual machine itself, and the other is a reference identity that points to the components above it, establishing the identity correspondence between the virtual machine and the components.
CN201110369727.3A 2011-11-18 2011-11-18 Resource access system and method based on identity and session Expired - Fee Related CN102347959B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110369727.3A CN102347959B (en) 2011-11-18 2011-11-18 Resource access system and method based on identity and session
PCT/CN2012/084810 WO2013071890A1 (en) 2011-11-18 2012-11-19 Resource access system and method based on identity and session

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110369727.3A CN102347959B (en) 2011-11-18 2011-11-18 Resource access system and method based on identity and session

Publications (2)

Publication Number Publication Date
CN102347959A true CN102347959A (en) 2012-02-08
CN102347959B CN102347959B (en) 2014-07-23

Family

ID=45546247

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110369727.3A Expired - Fee Related CN102347959B (en) 2011-11-18 2011-11-18 Resource access system and method based on identity and session

Country Status (2)

Country Link
CN (1) CN102347959B (en)
WO (1) WO2013071890A1 (en)

Also Published As

Publication number Publication date
CN102347959B (en) 2014-07-23
WO2013071890A1 (en) 2013-05-23


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140723

Termination date: 20201118