CN106790026A - Hadoop-based multi-tenant network disk authentication method and system - Google Patents
- Publication number: CN106790026A (application CN201611157698.3A)
- Authority: CN (China)
- Legal status: Granted (Google notes that the listed status is an assumption, not a legal conclusion)
Classifications
- H04L63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords
- H04L67/1097: Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Abstract
The invention discloses a Hadoop-based multi-tenant network disk authentication method and system. The method includes: an authentication module in the client receives login configuration data for user verification; after receiving it, the authentication module sends the login configuration data to a keytab file management module at the Kerberos center; the keytab file management module sends the login configuration data to a unified user authentication system; and the unified user authentication system returns the check result to the keytab file management module. With the method and system of the invention, when a user runs a Hadoop-related program on a client computer, the client authentication module lets the user complete the authentication process in both systems after entering a username and password only once, which ensures the uniqueness and reliability of the authentication process.
Description
Technical field
The present invention relates to the field of network authentication, and in particular to a Hadoop-based multi-tenant network disk authentication method and system.
Background technology
Hadoop (a distributed system architecture developed by the Apache Software Foundation) provides two security mechanisms: Simple and Kerberos. If the data stored on Hadoop is to be genuinely secure, the Kerberos (network authentication protocol) security mechanism supported by Hadoop can be used. Kerberos is a secure network authentication system based on shared-key symmetric cryptography: it avoids transmitting the password (including password hashes) over the network and instead uses the password as the key for symmetric encryption, verifying the identity of the user by decryption.
The central server responsible for issuing Tickets and recording authorizations is called the KDC (Key Distribution Center); it knows the passwords of all users and services. Every service or user added to a Kerberos realm adds a principal, and each principal has a password. The user remembers the password of the user principal, while the password of a service principal is recorded on disk (in a keytab file).
The name of a user principal looks like elis/admin@EXAMPLE.COM, in the form user name/role/realm. The name of a service principal looks like ftp/station@EXAMPLE.COM, in the form service name/address (provider)/realm.
In a multi-tenant network disk system that is based on Hadoop and secures the cluster with Kerberos, every user must first pass the Kerberos authorization check on a client before using the network disk read/write functions; however, whether the user enters a username and password or a keytab file, neither can be integrated with the existing network disk system.
Summary of the invention
To overcome the above defects of the prior art, the technical problem to be solved by the present invention is to provide a Hadoop-based multi-tenant network disk authentication method and system.
To solve the above technical problem, a Hadoop-based multi-tenant network disk authentication method of the present invention includes:
an authentication module in a client receives login configuration data for user verification;
after receiving it, the authentication module sends the login configuration data to a keytab file management module at the Kerberos center;
the keytab file management module sends the login configuration data to a unified user authentication system;
the unified user authentication system returns the check result to the keytab file management module.
Optionally, the authentication module in the client receiving login configuration data for user verification includes:
when the client detects that the network disk program has started, it calls the authentication module to receive the login configuration data for user verification.
Optionally, after the unified user authentication system returns the check result to the keytab file management module, the method further includes:
the keytab file management module feeds back the corresponding keytab file to the authentication module according to the check result.
Specifically, after the keytab file management module feeds back the corresponding keytab file to the authentication module according to the check result, the method further includes:
the authentication module completes authentication using the keytab file and obtains a Token string;
the client initiates a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
Specifically, after obtaining the Token string, the method further includes:
the authentication module deletes the keytab file.
To solve the above technical problem, a Hadoop-based multi-tenant network disk authentication system of the present invention includes:
an authentication module in a client, for receiving login configuration data for user verification and, after receiving it, sending the login configuration data to a keytab file management module at the Kerberos center;
the keytab file management module, for sending the login configuration data to a unified user authentication system;
the unified user authentication system, for returning the check result to the keytab file management module.
Optionally, the client further includes:
a calling module, for calling the authentication module to receive the login configuration data for user verification when it detects that the network disk program has started.
Optionally, the keytab file management module is further used for feeding back the corresponding keytab file to the authentication module according to the check result.
Specifically, the authentication module is further used for completing authentication using the keytab file and obtaining a Token string;
the calling module is further used for initiating a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
Specifically, the authentication module is further used for deleting the keytab file.
The present invention has the following beneficial effects:
with the method and system of the invention, when a user runs a Hadoop-related program on a client computer, the client authentication module lets the user complete the authentication process in both systems after entering a username and password only once, which ensures the uniqueness and reliability of the authentication process.
Brief description of the drawings
Fig. 1 is a sequence diagram of Hadoop-based multi-tenant network disk authentication in an embodiment of the present invention.
Specific embodiment
To solve the problems of the prior art, the invention provides a Hadoop-based multi-tenant network disk authentication method and system, which are described in further detail below with reference to the accompanying drawing and embodiments. It should be understood that the specific embodiments described here are only used to explain the invention and not to limit it.
As shown in Fig. 1, a Hadoop-based multi-tenant network disk authentication method includes:
an authentication module in a client receives login configuration data for user verification;
after receiving it, the authentication module sends the login configuration data to a keytab file management module at the Kerberos center;
the keytab file management module sends the login configuration data to a unified user authentication system;
the unified user authentication system returns the check result to the keytab file management module.
Further, the authentication module in the client receiving login configuration data for user verification includes:
when the client detects that the network disk program has started, it calls the authentication module to receive the login configuration data for user verification.
Further, after the unified user authentication system returns the check result to the keytab file management module, the method further includes:
the keytab file management module feeds back the corresponding keytab file to the authentication module according to the check result.
Specifically, after the keytab file management module feeds back the corresponding keytab file to the authentication module according to the check result, the method further includes:
the authentication module completes authentication using the keytab file and obtains a Token string;
the client initiates a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
Specifically, after obtaining the Token string, the method further includes:
the authentication module deletes the keytab file.
The embodiment of the present invention describes a way of organically combining Kerberos authentication with the authentication system of the business system: when a user runs a Hadoop-related program on a client computer, the encapsulated client authentication module lets the user complete the authentication process in both systems after entering a username and password only once, ensuring the uniqueness and reliability of the authentication process.
For example, as shown in Fig. 1:
1. After a user logs in to a client computer (the client) on which Kerberos is installed, and before starting the network disk operation, the encapsulated authentication client program (the authentication module) is called first; the user enters a username and password (the login configuration data), and the authentication client program sends the username and password to the keytab file management module at the Kerberos center;
2. The keytab file management module does not perform user verification at the Kerberos center itself, but sends the username and password to the unified user authentication system of the business system;
3. After verification passes, the unified user authentication system feeds the result back to the keytab file management module;
4. The keytab file management module feeds the user's keytab file back to the authentication client program on the client computer;
5. The authentication client program completes the kinit authentication process on behalf of the user, obtains the Token string, and then deletes the keytab file so that it cannot be intercepted and exploited;
6. The client program initiates a network disk read/write operation request to the Hadoop cluster via the API;
7. The Hadoop cluster verifies whether the Token is valid; if it is, the cluster performs the operation and returns the operation result.
The method of the embodiment avoids maintaining two separate sets of usernames and passwords in the Kerberos center and in the business system's authentication system; at the same time, the client promptly deletes the user's keytab file after obtaining the token, preventing it from being maliciously copied and exploited.
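The seven-step exchange above, simulated end to end as an added example (this is not the patent's own code): the client authentication module, the keytab file management module, the unified user authentication system, a stand-in KDC and the cluster-side token check are all constructed here, with an HMAC-signed string standing in for a real Kerberos ticket, and the user store, keytab bytes and secret are made-up values. It also exercises the two checks the embodiment relies on: the keytab is gone from disk once the token has been obtained, and a tampered or expired token is refused by the cluster.

```python
"""Simulation of the seven-step flow above (added example, not the patent's code).
Real Kerberos is absent: keytab bytes, the "KDC" and the token are constructed
stand-ins (an HMAC-signed string replaces the kinit ticket) so it runs offline."""
import base64, hashlib, hmac, os, tempfile, time

SALT = b"constructed-salt"  # constructed; a real store uses a per-user random salt
SIG_LEN = 32  # bytes of HMAC-SHA256 appended to the token body

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

class UnifiedAuthSystem:
    """Business system's unified user authentication system (steps 2-3)."""
    def __init__(self):
        self._users = {"alice": _pw_hash("correct horse")}  # constructed user
    def check(self, username, password):
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, _pw_hash(password))

class KeytabFileManager:
    """Keytab file management module at the Kerberos center (steps 2-4)."""
    def __init__(self, auth, kdc_secret):
        self._auth = auth
        # Constructed keytab bytes per principal, standing in for real keytab files.
        self._keytabs = {"alice": hmac.new(kdc_secret, b"alice", "sha256").digest()}
    def request_keytab(self, username, password):
        # Performs no check of its own: the credentials go to the unified system.
        if not self._auth.check(username, password):
            return None
        return self._keytabs.get(username)

class Kdc:
    """Stand-in KDC: kinit with a keytab yields an HMAC-signed, expiring token."""
    def __init__(self, secret, ttl=600):
        self._secret, self._ttl = secret, ttl
    def kinit(self, principal, keytab, now=None):
        expected = hmac.new(self._secret, principal.encode(), "sha256").digest()
        if not hmac.compare_digest(expected, keytab):
            return None
        exp = int(time.time() if now is None else now) + self._ttl
        body = f"{principal}|{exp}".encode()
        sig = hmac.new(self._secret, body, "sha256").digest()
        return base64.urlsafe_b64encode(body + sig).decode()
    def verify(self, token, now=None):
        # Returns the principal if the token is authentic and unexpired, else None.
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
            principal, exp = body.decode().split("|")
        except ValueError:  # bad base64, bad UTF-8 or a malformed body
            return None
        if not hmac.compare_digest(hmac.new(self._secret, body, "sha256").digest(), sig):
            return None
        return principal if int(exp) >= int(time.time() if now is None else now) else None

def cluster_read_write(kdc, token, op, now=None):
    """Hadoop cluster side (step 7): the request is honoured only with a valid token."""
    principal = kdc.verify(token, now)
    return (False, "token rejected") if principal is None else (True, f"{op} by {principal}")

class ClientAuthModule:
    """Encapsulated client authentication program (steps 1 and 5)."""
    def __init__(self, manager, kdc):
        self._manager, self._kdc = manager, kdc
    def login(self, username, password, now=None):
        """Return (token, keytab_left_on_disk); the keytab is removed right after kinit."""
        keytab = self._manager.request_keytab(username, password)
        if keytab is None:
            return None, False
        fd, path = tempfile.mkstemp(suffix=".keytab")
        with os.fdopen(fd, "wb") as fh:
            fh.write(keytab)
        try:
            with open(path, "rb") as fh:
                token = self._kdc.kinit(username, fh.read(), now)
        finally:
            os.remove(path)  # step 5: the keytab must not outlive the kinit
        return token, os.path.exists(path)
```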
The present invention further provides a Hadoop-based multi-tenant network disk authentication system.
As shown in Fig. 1, a Hadoop-based multi-tenant network disk authentication system in the embodiment of the present invention includes:
an authentication module in a client, for receiving login configuration data for user verification and, after receiving it, sending the login configuration data to a keytab file management module at the Kerberos center;
the keytab file management module, for sending the login configuration data to a unified user authentication system;
the unified user authentication system, for returning the check result to the keytab file management module.
Further, the client further includes:
a calling module, for calling the authentication module to receive the login configuration data for user verification when it detects that the network disk program has started.
Further, the keytab file management module is further used for feeding back the corresponding keytab file to the authentication module according to the check result.
Specifically, the authentication module is further used for completing authentication using the keytab file and obtaining a Token string;
the calling module is further used for initiating a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
Specifically, the authentication module is further used for deleting the keytab file.
In the system of the embodiment, when a user runs a Hadoop-related program on a client computer, the encapsulated client authentication program lets the user complete the authentication process in both systems after entering a username and password only once, ensuring the uniqueness and reliability of the authentication process; it avoids maintaining two separate sets of usernames and passwords in the Kerberos center and in the business system's authentication system; and at the same time the client promptly deletes the user's keytab file after obtaining the token, preventing it from being maliciously copied and exploited.
Although this application describes specific examples of the invention, those skilled in the art can design variants of the invention without departing from its general concept.
Inspired by the technical concept of the invention, those skilled in the art can also make various improvements to the invention without departing from its content; these still fall within the scope and spirit of the invention.
Claims (10)
1. A Hadoop-based multi-tenant network disk authentication method, characterized in that the method includes:
an authentication module in a client receives login configuration data for user verification;
after receiving it, the authentication module sends the login configuration data to a keytab file management module at the Kerberos center;
the keytab file management module sends the login configuration data to a unified user authentication system;
the unified user authentication system returns the check result to the keytab file management module.
2. The method of claim 1, characterized in that the authentication module in the client receiving login configuration data for user verification includes:
when the client detects that the network disk program has started, it calls the authentication module to receive the login configuration data for user verification.
3. The method of claim 1 or 2, characterized in that after the unified user authentication system returns the check result to the keytab file management module, the method further includes:
the keytab file management module feeds back the corresponding keytab file to the authentication module according to the check result.
4. The method of claim 3, characterized in that after the keytab file management module feeds back the corresponding keytab file to the authentication module according to the check result, the method further includes:
the authentication module completes authentication using the keytab file and obtains a Token string;
the client initiates a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
5. The method of claim 4, characterized in that after obtaining the Token string, the method further includes:
the authentication module deletes the keytab file.
6. A Hadoop-based multi-tenant network disk authentication system, characterized in that the system includes:
an authentication module in a client, for receiving login configuration data for user verification and, after receiving it, sending the login configuration data to a keytab file management module at the Kerberos center;
the keytab file management module, for sending the login configuration data to a unified user authentication system;
the unified user authentication system, for returning the check result to the keytab file management module.
7. The system of claim 6, characterized in that the client further includes:
a calling module, for calling the authentication module to receive the login configuration data for user verification when it detects that the network disk program has started.
8. The system of claim 6 or 7, characterized in that the keytab file management module is further used for feeding back the corresponding keytab file to the authentication module according to the check result.
9. The system of claim 8, characterized in that the authentication module is further used for completing authentication using the keytab file and obtaining a Token string;
the calling module is further used for initiating a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
10. The method of claim 4, characterized in that the authentication module is further used for deleting the keytab file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201611157698.3A (CN106790026B) | 2016-12-15 | 2016-12-15 | Hadoop-based multi-tenant network disk authentication method and system
Publications (2)
Publication Number | Publication Date
---|---
CN106790026A | 2017-05-31
CN106790026B | 2020-07-07
Family ID: 58888392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date | Status
---|---|---|---|---
CN201611157698.3A (CN106790026B) | Hadoop-based multi-tenant network disk authentication method and system | 2016-12-15 | 2016-12-15 | Expired - Fee Related
Legal Events
Code | Title | Description
---|---|---
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20200707; Termination date: 20201215