CN102611699A - Method and system for access control in cloud operation system - Google Patents


Info

Publication number
CN102611699A
Authority
CN (China)
Prior art keywords
user, access, information, system, role
Application number
CN2012100429978A
Other languages
Chinese (zh)
Inventors
房体盈, 朱波, 朱锦雷
Original Assignee
浪潮(北京)电子信息产业有限公司

Abstract

The invention provides a method and system for access control in a cloud operation system. The method comprises the steps of: respectively allocating role information corresponding to a user for each user accessing the cloud operation system; configuring an operation set corresponding to a role for each piece of role information, wherein the operation set records access permission information of the cloud operation system allowing the role to access a functional module; when receiving an access request of some user, obtaining the role information of the user; and according to the operation set corresponding to the role information of the user, controlling the access initiated by the user.

Description

Method and system for access control in a cloud operating system

Technical Field

[0001] The present invention relates to the field of computers, and in particular to a method and system for access control in a cloud operating system.

Background Art

[0002] Cloud computing is gradually being accepted by the industry, and cloud operating systems (cloud OS) are gradually being implemented and put into practice. A cloud OS provides users with computing, storage, networking, virtual resources and other services. Because the number of users will be very large, this places higher demands on system security, and the work of system administration will also be very heavy. How to manage users' access rights securely, reasonably and efficiently, and how to cope with complex permission changes, is an important problem facing a cloud OS.

Summary of the Invention

[0003] The present invention provides a method and system for access control in a cloud operating system; the technical problem to be solved is how to manage users' access rights securely, reasonably and efficiently.

[0004] To solve the above technical problem, the present invention provides the following technical solutions:

[0005] A method for access control in a cloud operating system, in which the functional modules of the cloud operating system are independent of one another, the method comprising:

[0006] assigning to each user accessing the cloud operating system the role information corresponding to that user;

[0007] configuring for each piece of role information the operation set corresponding to that role, where the operation set records the access permission information that the cloud operating system grants the role for the functional modules;

[0008] when an access request from a user is received, obtaining the role information of that user;

[0009] controlling the access initiated by the user according to the operation set corresponding to the user's role information.

[0010] Preferably, the method further has the following feature: assigning to each user accessing the cloud operating system the role information corresponding to that user comprises:

[0011] obtaining the user's identity information;

[0012] assigning the corresponding role information to the user according to the identity information.

[0013] Preferably, the method further has the following feature: controlling the access initiated by the user according to the operation set corresponding to the user's role information comprises:

[0014] obtaining the user's access information, where the access information includes the functional module the user wants to access and the manner of operation on that functional module;

[0015] determining whether the access information is recorded in the operation set;

[0016] if the access information is recorded in the operation set, allowing the access initiated by the user; otherwise, refusing the access initiated by the user.

[0017] Preferably, the method further has the following feature: the method further comprises:

[0018] after receiving a role change request for a user, updating the user's role information according to the role change request.

[0019] A system for access control in a cloud operating system, in which the functional modules of the cloud operating system are independent of one another, the system comprising:

[0020] an assignment device for assigning to each user accessing the cloud operating system the role information corresponding to that user;

[0021] a configuration device, connected to the assignment device, for configuring for each piece of role information the operation set corresponding to that role, where the operation set records the access permission information that the cloud operating system grants the role for the functional modules;

[0022] an acquisition device, connected to the configuration device, for obtaining the role information of a user when an access request from that user is received;

[0023] a control device, connected to the acquisition device, for controlling the access initiated by the user according to the operation set corresponding to the user's role information.

[0024] Preferably, the system further has the following feature: the assignment device comprises:

[0025] a first acquisition module for obtaining the user's identity information;

[0026] an assignment module for assigning the corresponding role information to the user according to the identity information.

[0027] Preferably, the system further has the following feature: the control device comprises:

[0028] a second acquisition module for obtaining the user's access information, where the access information includes the functional module the user wants to access and the manner of operation on that functional module;

[0029] a judgment module, connected to the second acquisition module, for determining whether the access information is recorded in the operation set;

[0030] a control module, connected to the judgment module, for allowing the access initiated by the user if the access information is recorded in the operation set, and otherwise refusing the access initiated by the user.

[0031] Preferably, the system further has the following feature: the system further comprises:

[0032] an update device, connected to the assignment device and the acquisition device, for updating the user's role information according to a role change request after the role change request for the user is received.

[0033] In the embodiments provided by the present invention, assigning suitable roles to users links users with access rights, so that during access control the user's access is controlled effectively by means of the operation set corresponding to the role. This reduces the complexity of authorization management, lowers administrative overhead, and also gives administrators a better environment in which to implement complex security policies.

Brief Description of the Drawings

[0034] Figure 1 is a schematic flowchart of an embodiment of the method for access control in a cloud operating system provided by the present invention;

[0035] Figure 2 is a schematic structural diagram of an embodiment of the system for access control in a cloud operating system provided by the present invention;

[0036] Figure 3 is a schematic structural diagram of the assignment device 201 in the system shown in Figure 2;

[0037] Figure 4 is a schematic structural diagram of the control device 204 in the system shown in Figure 2;

[0038] Figure 5 is a schematic diagram of another structure of the system shown in Figure 2.

Detailed Description of the Embodiments

[0039] To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments. It should be noted that, provided there is no conflict, the embodiments of this application and the features of the embodiments may be combined with one another arbitrarily.

[0040] To solve the access control problem of a cloud OS, an improved role-based access control scheme is proposed according to the characteristics of a cloud OS: different users access different functional modules and different server groups according to the roles they hold. Specifically:

[0041] The cloud operating system provides users with physical infrastructure services: computing, storage, networking and virtual resources. Faced with many different kinds of users, a reasonable access control mechanism must be provided in order to guarantee the security and efficiency of access control in 云海OS and to keep out unauthorized users who hold no permissions. Different users have different access rights; access rights determine whether a user or programmer is entitled to perform a certain operation on a particular resource, and role-based access control solves this problem well.

[0042] It should be noted that the functional modules of the cloud operating system referred to herein are independent of one another, that is, not coupled to each other; this can be understood as meaning that the function implemented by a single module does not need to call code in other modules.

[0043] Figure 1 is a schematic flowchart of an embodiment of the method for access control in a cloud operating system provided by the present invention. In the method embodiment shown in Figure 1, the functional modules of the cloud operating system are independent of one another, and the method embodiment comprises:

[0044] Step 101: assigning to each user accessing the cloud operating system the role information corresponding to that user;

[0045] Specifically, the user's identity information is obtained, and the corresponding role information is assigned to the user according to that identity information. For example, the tasks the user is to complete within the enterprise, or the user's authority and responsibilities in the enterprise, may be determined from the identity information, and a role is set for the user on that basis.

[0046] Of course, the same user may be a member of multiple roles, that is, the same user may play multiple roles; likewise, one role may have multiple user members.

[0047] Further, users may switch between roles, and the system may add and delete roles. Specifically, a role change request from a user is received, and the user's role information is updated according to the role change request.

[0048] Step 102: configuring for each piece of role information the operation set corresponding to that role, where the operation set records the access permission information that the cloud operating system grants the role for the functional modules;

[0049] A role can be regarded as a set of operations; different roles have different operation sets, and these operation sets can be assigned by the security administrator.

[0050] The operation set records the manner of operation that the cloud operating system permits the role on each functional module, which may be no access, read-only, read-write, and so on. Of course, operating permissions on the sub-functions within a single module may be restricted further.

[0051] Step 103: when an access request from a user is received, obtaining the role information of that user;

[0052] Step 104: controlling the access initiated by the user according to the operation set corresponding to the user's role information.

[0053] Specifically, the user's access information is obtained, where the access information includes the functional module the user wants to access and the manner of operation on that functional module; it is determined whether the access information is recorded in the operation set; if the access information is recorded in the operation set, the access initiated by the user is allowed; otherwise, the access initiated by the user is refused.

[0054] When a user requests access to some resource in the system, the system first obtains the role held by the user, then determines whether that role has permission to access the system resource, thereby controlling the functional modules and server groups the user may access and keeping unauthorized users out.

[0055] In the method embodiment provided by the present invention, assigning suitable roles to users links users with access rights, so that during access control the user's access is controlled effectively by means of the operation set corresponding to the role. This reduces the complexity of authorization management, lowers administrative overhead, and also gives administrators a better environment in which to implement complex security policies.

[0056] It should be noted that, because the number of users of 浪潮云海OS will be very large, the work of system administration will also be very heavy. To relieve the pressure on system administration, hierarchical management of the system must be implemented and the work of administering the system distributed. In response to this need, 浪潮云海OS proposes a management scheme of user tiers, server grouping and division into functional modules, as follows:

[0057] User tiers: all users of the system are divided into two classes, security administrators and ordinary administrators. Security administrators may only manage ordinary administrators; they can manage any user and role, grant authorizations to users and roles, and set various constraints. Ordinary administrators hold operating permissions on specific functional modules and specific server groups, and these operating permissions are granted through roles.

[0058] Server grouping: according to the different functions the servers provide, the servers are divided into three groups: the storage node group, the network node group and the compute node group.

[0059] Division into functional modules: given the characteristics of role-based access control, the functional modules in 云海OS are divided according to user roles, that is, each functional module has a relatively independent function. All permissions of the system are divided on the basis of the individual sub-function modules, and every permission belongs to some functional module.
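As an added example (not part of the patent and not Inspur's code), the following Python models steps 101 to 104 together with the administration scheme of paragraphs [0057] to [0059]: a role carries an operation set mapping functional modules to an access mode, a user may hold several roles, every request is checked against the operation sets and denied by default, and only a security administrator may change a user's roles. The module names, user names, server-to-module assignment and the audit log are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    """Per-module modes from paragraph [0050]; a higher mode implies lower."""
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2


# Minimum mode each kind of requested operation needs.
REQUIRED = {"read": Access.READ_ONLY, "write": Access.READ_WRITE}

# Constructed sample topology: the three server groups of paragraph [0058]
# and the functional modules hosted on them (module names are assumptions).
SERVER_GROUPS = {"storage": {"volumes", "snapshots"},
                 "network": {"vlans"},
                 "compute": {"vms"}}
MODULE_GROUP = {m: g for g, mods in SERVER_GROUPS.items() for m in mods}


@dataclass
class Role:
    name: str
    # Operation set: functional module -> permitted mode. A module that is
    # not listed is implicitly Access.NONE, so the default is deny.
    operation_set: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # a user may hold several roles
    security_admin: bool = False             # user tier from paragraph [0057]


class CloudOsAccessControl:
    """Assignment, configuration, acquisition and control in one object."""

    def __init__(self) -> None:
        self.roles, self.users = {}, {}
        self.audit = []  # every decision is logged for later review

    def add_role(self, role: Role) -> None:
        self.roles[role.name] = role

    def add_user(self, user: User) -> None:
        unknown = [r for r in user.roles if r not in self.roles]
        if unknown:
            raise KeyError(f"unknown roles {unknown}")
        self.users[user.name] = user

    def granted_mode(self, user: User, module: str) -> Access:
        """Highest mode any of the user's roles records for the module."""
        mode = Access.NONE
        for role in (self.roles[r] for r in user.roles if r in self.roles):
            mode = max(mode, role.operation_set.get(module, Access.NONE))
        return mode

    def check(self, username: str, module: str, operation: str) -> bool:
        """Steps 103-104: fetch the user's roles, decide from the operation
        sets. Unknown users, modules or operations are denied outright."""
        user = self.users.get(username)
        if user is None or module not in MODULE_GROUP or operation not in REQUIRED:
            self.audit.append(f"DENY {username} {operation} {module}: unknown")
            return False
        allowed = self.granted_mode(user, module) >= REQUIRED[operation]
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {username} "
                          f"{operation} {module} group={MODULE_GROUP[module]}")
        return allowed

    def change_roles(self, requester: str, target: str, new_roles: set) -> bool:
        """Role change request (paragraph [0047]); per paragraph [0057] only a
        security administrator manages users and roles, so an ordinary
        administrator cannot grant roles, not even to themselves."""
        req, tgt = self.users.get(requester), self.users.get(target)
        if req is None or tgt is None or not req.security_admin:
            self.audit.append(f"DENY role change by {requester} on {target}")
            return False
        if not set(new_roles).issubset(self.roles):
            self.audit.append(f"DENY role change on {target}: unknown role")
            return False
        tgt.roles = set(new_roles)
        self.audit.append(f"ALLOW role change on {target}: {sorted(tgt.roles)}")
        return True


def build_demo() -> CloudOsAccessControl:
    """Constructed deployment: three roles, two operators, one security admin."""
    ac = CloudOsAccessControl()
    ac.add_role(Role("storage-operator", {"volumes": Access.READ_WRITE,
                                          "snapshots": Access.READ_ONLY}))
    ac.add_role(Role("network-viewer", {"vlans": Access.READ_ONLY}))
    ac.add_role(Role("compute-operator", {"vms": Access.READ_WRITE}))
    ac.add_user(User("alice", {"storage-operator", "network-viewer"}))
    ac.add_user(User("bob", {"network-viewer"}))
    ac.add_user(User("secadmin", security_admin=True))
    return ac


if __name__ == "__main__":
    demo = build_demo()
    demo.check("alice", "volumes", "write")                 # allowed
    demo.check("alice", "vms", "read")                      # denied
    demo.change_roles("bob", "bob", {"compute-operator"})   # denied
    print("\n".join(demo.audit))
```

The audit list is what a detection pipeline would consume: every refused request, including role changes attempted by ordinary administrators, appears there with the subject, module and server group.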

[0060] Figure 2 is a schematic structural diagram of an embodiment of the system for access control in a cloud operating system provided by the present invention. In conjunction with the method embodiment shown in Figure 1, in the system embodiment shown in Figure 2 the functional modules of the cloud operating system are independent of one another, where:

[0061] an assignment device 201 assigns to each user accessing the cloud operating system the role information corresponding to that user;

[0062] a configuration device 202, connected to the assignment device 201, configures for each piece of role information the operation set corresponding to that role, where the operation set records the access permission information that the cloud operating system grants the role for the functional modules;

[0063] an acquisition device 203, connected to the configuration device 202, obtains the role information of a user when an access request from that user is received;

[0064] a control device 204, connected to the acquisition device 203, controls the access initiated by the user according to the operation set corresponding to the user's role information.

[0065] Figure 3 is a schematic structural diagram of the assignment device 201 in the system shown in Figure 2. The assignment device 201 shown in Figure 3 comprises:

[0066] a first acquisition module 301 for obtaining the user's identity information;

[0067] an assignment module 302 for assigning the corresponding role information to the user according to the identity information.

[0068] Figure 4 is a schematic structural diagram of the control device 204 in the system shown in Figure 2. The control device 204 shown in Figure 4 comprises:

[0069] a second acquisition module 401 for obtaining the user's access information, where the access information includes the functional module the user wants to access and the manner of operation on that functional module;

[0070] a judgment module 402, connected to the second acquisition module 401, for determining whether the access information is recorded in the operation set;

[0071] a control module 403, connected to the judgment module 402, for allowing the access initiated by the user if the access information is recorded in the operation set, and otherwise refusing the access initiated by the user.

[0072] Figure 5 is a schematic diagram of another structure of the system shown in Figure 2. The system shown in Figure 5 further comprises:

[0073] a receiving device 501, connected to the assignment device 201, for receiving a user's role change request;

[0074] an update device 502, connected to the receiving device 501 and the acquisition device 203, for updating the user's role information according to the role change request.

[0075] In the system embodiment provided by the present invention, assigning suitable roles to users links users with access rights, so that during access control the user's access is controlled effectively by means of the operation set corresponding to the role. This reduces the complexity of authorization management, lowers administrative overhead, and also gives administrators a better environment in which to implement complex security policies.

[0076] The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (8)

1. A method for access control in a cloud operating system, characterized in that the functional modules of the cloud operating system are independent of one another, and the method comprises: assigning to each user accessing the cloud operating system the role information corresponding to that user; configuring for each piece of role information the operation set corresponding to that role, where the operation set records the access permission information that the cloud operating system grants the role for the functional modules; when an access request from a user is received, obtaining the role information of that user; and controlling the access initiated by the user according to the operation set corresponding to the user's role information.
2. The method according to claim 1, characterized in that assigning to each user accessing the cloud operating system the role information corresponding to that user comprises: obtaining the user's identity information; and assigning the corresponding role information to the user according to the identity information.
3. The method according to claim 1, characterized in that controlling the access initiated by the user according to the operation set corresponding to the user's role information comprises: obtaining the user's access information, where the access information includes the functional module the user wants to access and the manner of operation on that functional module; determining whether the access information is recorded in the operation set; and, if the access information is recorded in the operation set, allowing the access initiated by the user, otherwise refusing the access initiated by the user.
4. The method according to claim 1, characterized in that the method further comprises: after receiving a role change request for a user, updating the user's role information according to the role change request.
5. A system for access control in a cloud operating system, characterized in that the functional modules of the cloud operating system are independent of one another, and the system comprises: an assignment device for assigning to each user accessing the cloud operating system the role information corresponding to that user; a configuration device, connected to the assignment device, for configuring for each piece of role information the operation set corresponding to that role, where the operation set records the access permission information that the cloud operating system grants the role for the functional modules; an acquisition device, connected to the configuration device, for obtaining the role information of a user when an access request from that user is received; and a control device, connected to the acquisition device, for controlling the access initiated by the user according to the operation set corresponding to the user's role information.
6. The system according to claim 5, characterized in that the assignment device comprises: a first acquisition module for obtaining the user's identity information; and an assignment module for assigning the corresponding role information to the user according to the identity information.
7. The system according to claim 5, characterized in that the control device comprises: a second acquisition module for obtaining the user's access information, where the access information includes the functional module the user wants to access and the manner of operation on that functional module; a judgment module, connected to the second acquisition module, for determining whether the access information is recorded in the operation set; and a control module, connected to the judgment module, for allowing the access initiated by the user if the access information is recorded in the operation set, and otherwise refusing the access initiated by the user.
8. The system according to claim 5, characterized in that the system further comprises: an update device, connected to the assignment device and the acquisition device, for updating the user's role information according to a role change request after the role change request for the user is received.

Priority Application

Application number: CN2012100429978A (priority date 2012-02-22, filing date 2012-02-22), "Method and system for access control in cloud operation system"

Publication

Publication number: CN102611699A, publication date 2012-07-25

Family

Family ID: 46528853 (one family application, CN2012100429978A)

Country Status

CN: CN102611699A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102904892A (en) * 2012-10-17 2013-01-30 浪潮(北京)电子信息产业有限公司 Security model and security strategy of cloud computing data center operating system
CN103067406A (en) * 2013-01-14 2013-04-24 暨南大学 Access control system and access control method between public cloud and private cloud
CN103716412A (en) * 2014-01-03 2014-04-09 汉柏科技有限公司 Cloud computing system and method and device for controlling user permission through quadratic mapping of cloud computing system
CN104199979A (en) * 2014-09-24 2014-12-10 国云科技股份有限公司 Modeled data source management system and method thereof
CN104994086A (en) * 2015-06-26 2015-10-21 北京京东尚科信息技术有限公司 Database cluster authority control method and device
CN105225072A (en) * 2015-11-05 2016-01-06 浪潮(北京)电子信息产业有限公司 Access management method and system for multiple application systems
CN105721420A (en) * 2015-12-11 2016-06-29 中国地质调查局发展研究中心 Access authority control method and reverse agent server
CN105868649A (en) * 2016-03-29 2016-08-17 上海赞越软件服务中心 Synthetic operation mechanism based on role settings

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0697662A1 (en) * 1994-08-15 1996-02-21 International Business Machines Corporation Method and system for advanced role-based access control in distributed and centralized computer systems
CN101340444A (en) * 2008-08-26 2009-01-07 华为技术有限公司 Fireproof wall and server policy synchronization method, system and apparatus
CN101588242A (en) * 2008-05-19 2009-11-25 北京亿企通信息技术有限公司 Method and system for realizing authority management
CN101901465A (en) * 2009-05-26 2010-12-01 北京正辰科技发展有限责任公司 Operational safety based on comprehensive management platform system
CN102004868A (en) * 2009-09-01 2011-04-06 上海杉达学院 Role access control-based information system data storage layer and building method
CN102195956A (en) * 2010-03-19 2011-09-21 富士通株式会社 Cloud service system and user right management method thereof


Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C12 Rejection of a patent application after its publication