CN106790026A - Hadoop-based multi-tenant network disk authentication method and system - Google Patents

Hadoop-based multi-tenant network disk authentication method and system

Info

Publication number
CN106790026A
Authority
CN
China
Prior art keywords
keytab
module
authentication module
file management
keytab file
Prior art date
Legal status
Granted
Application number
CN201611157698.3A
Other languages
Chinese (zh)
Other versions
CN106790026B (en)
Inventor
金暐
云晓春
舒敏
邹潇湘
董琳
彭义刚
高昕
王锟
王中华
李海灵
李佳
侯美佳
王坤
徐娟娟
曹强
Current Assignee
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center
Priority to CN201611157698.3A
Publication of CN106790026A
Application granted
Publication of CN106790026B
Legal status: Expired - Fee Related
Anticipated expiration

Links

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/10: Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a Hadoop-based multi-tenant network disk authentication method and system. The method includes: an authentication module in the client receives the login configuration data used for user verification; after receiving it, the authentication module sends the login configuration data to the keytab file management module at the Kerberos center; the keytab file management module sends the login configuration data to the unified user authentication system; the unified user authentication system returns the verification result to the keytab file management module. With the method and system of the invention, when a user runs a Hadoop-related program on a client computer, the client authentication module lets the user enter a username and password only once and still complete the authentication process in both systems, which ensures the uniqueness and reliability of the authentication process.

Description

Hadoop-based multi-tenant network disk authentication method and system
Technical field
The present invention relates to the field of network authentication, and in particular to a Hadoop-based multi-tenant network disk authentication method and system.
Background technology
Hadoop (a distributed system architecture developed by the Apache Foundation) provides two security mechanisms: Simple and Kerberos. To truly secure the data stored on Hadoop, the Kerberos (network authentication protocol) security mechanism supported by Hadoop can be used. Kerberos is a secure network authentication system based on shared-key symmetric cryptography. It avoids transmitting the password (including the password hash) over the network; instead, the password is used as the key for symmetric encryption, and the identity of the user is verified by decryption.
The central server responsible for issuing tickets and recording authorizations is called the KDC (Key Distribution Center); it knows the passwords of all users and services. Each service or user added to a Kerberos domain (realm) adds a principal (security entity), and each principal has a password. Users remember the passwords of their own user principals; services record the passwords of their own service principals on disk, in a keytab file.
The name of a user principal looks like elis/admin@EXAMPLE.COM, in the form user name / role / realm. The name of a service principal looks like ftp/station@EXAMPLE.COM, in the form service name / address (provider) / realm.
In a Hadoop-based multi-tenant network disk system whose cluster is secured by Kerberos, every user must first pass the Kerberos authorization check on the client before using the network disk read/write functions. However, whether the user enters a user name and password or a keytab file, this check cannot be integrated with the existing network disk system.
Summary of the invention
To overcome the defects of the prior art described above, the technical problem to be solved by the present invention is to provide a Hadoop-based multi-tenant network disk authentication method and system.
To solve the above technical problem, a Hadoop-based multi-tenant network disk authentication method in the present invention includes:
an authentication module in the client receives the login configuration data used for user verification;
after receiving it, the authentication module sends the login configuration data to the keytab file management module at the Kerberos center;
the keytab file management module sends the login configuration data to the unified user authentication system;
the unified user authentication system returns the verification result to the keytab file management module.
Optionally, the authentication module in the client receiving the login configuration data used for user verification includes:
when the client detects that the network disk program is starting, it calls the authentication module to receive the login configuration data used for user verification.
Optionally, after the unified user authentication system returns the verification result to the keytab file management module, the method further includes:
the keytab file management module feeds back the corresponding keytab file to the authentication module according to the verification result.
Specifically, after the keytab file management module feeds back the corresponding keytab file to the authentication module according to the verification result, the method further includes:
the authentication module completes authentication with the keytab file and obtains a Token string;
the client sends a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
Specifically, after obtaining the Token string, the method further includes:
the authentication module deletes the keytab file.
To solve the above technical problem, a Hadoop-based multi-tenant network disk authentication system in the present invention includes:
an authentication module in the client, for receiving the login configuration data used for user verification and, after receiving it, sending the login configuration data to the keytab file management module at the Kerberos center;
the keytab file management module, for sending the login configuration data to the unified user authentication system;
the unified user authentication system, for returning the verification result to the keytab file management module.
Optionally, the client further includes:
a calling module, for calling the authentication module to receive the login configuration data used for user verification when the start of the network disk program is detected.
Optionally, the keytab file management module is further used to feed back the corresponding keytab file to the authentication module according to the verification result.
Specifically, the authentication module is further used to complete authentication with the keytab file and obtain a Token string;
the calling module is further used to send a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
Specifically, the authentication module is further used to delete the keytab file.
The beneficial effects of the present invention are as follows:
with the method and system of the present invention, when a user runs a Hadoop-related program on a client computer, the client authentication module lets the user enter a username and password only once and complete the authentication process in both systems, ensuring the uniqueness and reliability of the authentication process.
Brief description of the drawings
Fig. 1 is a sequence diagram of Hadoop-based multi-tenant network disk authentication in an embodiment of the present invention.
Specific embodiments
To solve the problems of the prior art, the present invention provides a Hadoop-based multi-tenant network disk authentication method and system, which are described in further detail below with reference to the accompanying drawing and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and do not limit it.
As shown in Fig. 1, a Hadoop-based multi-tenant network disk authentication method includes:
an authentication module in the client receives the login configuration data used for user verification;
after receiving it, the authentication module sends the login configuration data to the keytab file management module at the Kerberos center;
the keytab file management module sends the login configuration data to the unified user authentication system;
the unified user authentication system returns the verification result to the keytab file management module.
Further, the authentication module in the client receiving the login configuration data used for user verification includes:
when the client detects that the network disk program is starting, it calls the authentication module to receive the login configuration data used for user verification.
Further, after the unified user authentication system returns the verification result to the keytab file management module, the method further includes:
the keytab file management module feeds back the corresponding keytab file to the authentication module according to the verification result.
Specifically, after the keytab file management module feeds back the corresponding keytab file to the authentication module according to the verification result, the method further includes:
the authentication module completes authentication with the keytab file and obtains a Token string;
the client sends a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
Specifically, after obtaining the Token string, the method further includes:
the authentication module deletes the keytab file.
The embodiment of the present invention describes a way to organically combine Kerberos authentication with the authentication system of the business system: when a user runs a Hadoop-related program on a client computer, the encapsulated client authentication module lets the user enter a username and password only once and complete the authentication process in both systems, ensuring the uniqueness and reliability of the authentication process.
For example, as shown in Fig. 1:
1. After a user logs in to a client computer (the client) on which Kerberos is configured, and before starting the network disk operation, the user first calls the encapsulated authentication client program (the authentication module) and enters a username and password (the login configuration data); the authentication client program sends the username and password to the keytab file management module at the Kerberos center;
2. The keytab file management module does not perform the user verification at the Kerberos center itself; instead, it sends the username and password to the unified user authentication system of the business system;
3. After the unified user authentication system passes the verification, it replies to the keytab file management module;
4. The keytab file management module feeds back the user's keytab file to the authentication client program on the client computer;
5. The authentication client program completes the kinit authentication process on behalf of the user, obtains the Token string, and then deletes the keytab file so that it cannot be intercepted and exploited;
6. The client program sends a network disk read/write operation request to the Hadoop cluster through the API;
7. The Hadoop cluster verifies whether the Token is valid; if it is, the cluster performs the operation and returns the operation result.
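The exchange of Fig. 1 as an added Python example; this is not code from the patent. The class names, the HMAC-based stand-in for the kinit step, the cluster's direct access to the key store, and the sample user "elis" are assumptions made for the example, and it also builds principal names in the user name / role @ realm form from the background section.

```python
import hashlib
import hmac
import os
import tempfile

REALM = "EXAMPLE.COM"  # constructed sample realm (assumption, not from the patent)

def user_principal(username, role, realm=REALM):
    """User principal in the username/role@REALM form given in the background section."""
    return f"{username}/{role}@{realm}"

class UnifiedUserAuthSystem:
    """Stand-in for the business system's unified user authentication system:
    the only component that knows the username/password pairs."""
    def __init__(self, users):
        self._hashes = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}

    def verify(self, username, password):
        stored = self._hashes.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, hashlib.sha256(password.encode()).digest())

class KeytabFileManager:
    """Keytab file management module at the Kerberos center (Fig. 1 steps 2-4): it
    forwards the login data instead of checking it locally and releases the user's
    keytab only when the unified auth system reports success."""
    def __init__(self, auth_system, keytabs):
        self._auth = auth_system
        self._keytabs = keytabs  # username -> keytab bytes (the principal's key)

    def request_keytab(self, username, password):
        if not self._auth.verify(username, password):
            return None
        return self._keytabs.get(username)

def derive_token(keytab, principal):
    """Stand-in for the kinit step (assumption): a real kinit uses the keytab key to
    obtain a ticket; here the Token is an HMAC over the principal name."""
    return hmac.new(keytab, principal.encode(), hashlib.sha256).hexdigest()

class HadoopCluster:
    """Verifies the Token on a read/write request (Fig. 1 step 7). Simplified: it
    reads the same key store as the Kerberos center rather than delegation secrets."""
    def __init__(self, keytabs):
        self._keytabs = keytabs

    def handle_request(self, principal, token, op):
        keytab = self._keytabs.get(principal.split("/", 1)[0])
        if keytab is None or not hmac.compare_digest(derive_token(keytab, principal), token):
            return "denied"
        return f"ok:{op}"

class ClientAuthModule:
    """Encapsulated client authentication program (Fig. 1 steps 1 and 5): one
    username/password entry, keytab used once for kinit, then removed from disk."""
    def __init__(self, manager, role="user"):
        self._manager = manager
        self._role = role
        self.last_keytab_path = None

    def login(self, username, password):
        keytab = self._manager.request_keytab(username, password)
        if keytab is None:
            return None
        fd, path = tempfile.mkstemp(suffix=".keytab")  # on disk only for the kinit step
        self.last_keytab_path = path
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(keytab)
            with open(path, "rb") as f:
                token = derive_token(f.read(), user_principal(username, self._role))
        finally:
            os.remove(path)  # step 5: delete the keytab as soon as the Token exists
        return token

if __name__ == "__main__":
    kt = {"elis": os.urandom(32)}  # constructed keytab key for user elis
    mgr = KeytabFileManager(UnifiedUserAuthSystem({"elis": "correct horse"}), kt)
    client = ClientAuthModule(mgr, role="admin")
    tok = client.login("elis", "correct horse")
    print(HadoopCluster(kt).handle_request(user_principal("elis", "admin"), tok, "read"))
    print("keytab left on disk:", os.path.exists(client.last_keytab_path))
```

The keytab is removed in a finally block so that a failure during the kinit stand-in still leaves no keytab behind, which is the point of step 5.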
The method in the embodiment of the present invention avoids maintaining two separate sets of usernames and passwords in the Kerberos center and in the authentication system of the business system; at the same time, the client deletes the user's keytab file promptly after obtaining the token, preventing it from being maliciously copied and exploited.
The present invention further provides a Hadoop-based multi-tenant network disk authentication system.
As shown in Fig. 1, a Hadoop-based multi-tenant network disk authentication system in the embodiment of the present invention includes:
an authentication module in the client, for receiving the login configuration data used for user verification and, after receiving it, sending the login configuration data to the keytab file management module at the Kerberos center;
the keytab file management module, for sending the login configuration data to the unified user authentication system;
the unified user authentication system, for returning the verification result to the keytab file management module.
Further, the client further includes:
a calling module, for calling the authentication module to receive the login configuration data used for user verification when the start of the network disk program is detected.
Further, the keytab file management module is further used to feed back the corresponding keytab file to the authentication module according to the verification result.
Specifically, the authentication module is further used to complete authentication with the keytab file and obtain a Token string;
the calling module is further used to send a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
Specifically, the authentication module is further used to delete the keytab file.
In the embodiment of the present invention, when a user runs a Hadoop-related program on a client computer, the encapsulated client authentication program lets the user enter a username and password only once and complete the authentication process in both systems, ensuring the uniqueness and reliability of the authentication process; it avoids maintaining two separate sets of usernames and passwords in the Kerberos center and in the authentication system of the business system; and the client deletes the user's keytab file promptly after obtaining the token, preventing it from being maliciously copied and exploited.
Although this application describes specific examples of the invention, those skilled in the art can design variants of the invention without departing from its general idea.
Those skilled in the art, inspired by the technical concept of the present invention, can also make various improvements to the present invention without departing from its content, and these still fall within the scope and spirit of the invention.

Claims (10)

1. A Hadoop-based multi-tenant network disk authentication method, characterized in that the method includes:
an authentication module in the client receives the login configuration data used for user verification;
after receiving it, the authentication module sends the login configuration data to the keytab file management module at the Kerberos center;
the keytab file management module sends the login configuration data to the unified user authentication system;
the unified user authentication system returns the verification result to the keytab file management module.
2. The method as claimed in claim 1, characterized in that the authentication module in the client receiving the login configuration data used for user verification includes:
the client calls the authentication module to receive the login configuration data used for user verification when the start of the network disk program is detected.
3. The method as claimed in claim 1 or 2, characterized in that after the unified user authentication system returns the verification result to the keytab file management module, the method further includes:
the keytab file management module feeds back the corresponding keytab file to the authentication module according to the verification result.
4. The method as claimed in claim 3, characterized in that after the keytab file management module feeds back the corresponding keytab file to the authentication module according to the verification result, the method further includes:
the authentication module completes authentication with the keytab file and obtains a Token string;
the client sends a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
5. The method as claimed in claim 4, characterized in that after obtaining the Token string, the method further includes:
the authentication module deletes the keytab file.
6. A Hadoop-based multi-tenant network disk authentication system, characterized in that the system includes:
an authentication module in the client, for receiving the login configuration data used for user verification and, after receiving it, sending the login configuration data to the keytab file management module at the Kerberos center;
the keytab file management module, for sending the login configuration data to the unified user authentication system;
the unified user authentication system, for returning the verification result to the keytab file management module.
7. The system as claimed in claim 6, characterized in that the client further includes:
a calling module, for calling the authentication module to receive the login configuration data used for user verification when the start of the network disk program is detected.
8. The system as claimed in claim 6 or 7, characterized in that the keytab file management module is further used to feed back the corresponding keytab file to the authentication module according to the verification result.
9. The system as claimed in claim 8, characterized in that the authentication module is further used to complete authentication with the keytab file and obtain a Token string;
the calling module is further used to send a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
the Hadoop cluster verifies the Token string and, when verification passes, performs the read/write operation.
10. The method as claimed in claim 4, characterized in that the authentication module is further used to delete the keytab file.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611157698.3A CN106790026B (en) 2016-12-15 2016-12-15 Hadoop-based multi-tenant network disk authentication method and system

Publications (2)

Publication Number Publication Date
CN106790026A true CN106790026A (en) 2017-05-31
CN106790026B CN106790026B (en) 2020-07-07

Family

ID=58888392

Country Status (1)

Country Link
CN (1) CN106790026B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104050201A (en) * 2013-03-15 2014-09-17 伊姆西公司 Method and equipment for managing data in multi-tenant distributive environment
US9130920B2 (en) * 2013-01-07 2015-09-08 Zettaset, Inc. Monitoring of authorization-exceeding activity in distributed networks
CN104935590A (en) * 2015-06-10 2015-09-23 南京航空航天大学 HDFS access control method based on role and user trust value
CN104980441A (en) * 2015-06-26 2015-10-14 浪潮软件股份有限公司 Method for implementing tenant authentication mechanism
CN105183820A (en) * 2015-08-28 2015-12-23 广东创我科技发展有限公司 Multi-tenant supported large data platform and tenant access method
US9225525B2 (en) * 2010-02-26 2015-12-29 Red Hat, Inc. Identity management certificate operations

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
池亚平 et al.: "Research and improvement of the OpenStack identity authentication mechanism", Journal of Jilin University (Information Science Edition) *

Also Published As

Publication number Publication date
CN106790026B (en) 2020-07-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200707

Termination date: 20201215