CN106790026B - Hadoop-based multi-tenant network disk authentication method and system - Google Patents

Hadoop-based multi-tenant network disk authentication method and system Download PDF

Info

Publication number
CN106790026B
Authority
CN
China
Prior art keywords
authentication
configuration data
keytab file
module
file management
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201611157698.3A
Other languages
Chinese (zh)
Other versions
CN106790026A (en)
Inventor
金暐
云晓春
舒敏
邹潇湘
董琳
彭义刚
高昕
王锟
王中华
李海灵
李佳
侯美佳
王坤
徐娟娟
曹强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center filed Critical National Computer Network and Information Security Management Center
Priority to CN201611157698.3A priority Critical patent/CN106790026B/en
Publication of CN106790026A publication Critical patent/CN106790026A/en
Application granted granted Critical
Publication of CN106790026B publication Critical patent/CN106790026B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention discloses a Hadoop-based multi-tenant network disk authentication method and system. The method comprises the following steps: an authentication module in the client receives login configuration data for user verification; after receiving the login configuration data, the authentication module sends it to a Keytab file management module of a Kerberos center; the Keytab file management module forwards the login configuration data to a unified user authentication system; and the unified user authentication system returns the verification result to the Keytab file management module. With this method and system, when the user runs a Hadoop-related program on the client, the user's authentication against both systems is completed by entering the user name and password only once through the client authentication module, which ensures the uniqueness and reliability of the authentication process.

Description

Hadoop-based multi-tenant network disk authentication method and system
Technical Field
The invention relates to the field of network authentication, in particular to a Hadoop-based multi-tenant network disk authentication method and system.
Background
Hadoop (a distributed system infrastructure developed by the Apache Foundation) provides two security mechanisms: simple and Kerberos. If secure storage on top of Hadoop is desired, the Kerberos (network authentication protocol) security mechanism supported by Hadoop may be used. Kerberos is a secure network authentication system based on shared-key symmetric encryption. It avoids transmitting passwords (including password hashes) over the network; instead it uses the password as a symmetric encryption key, so that a user's identity is verified by whether the user is able to decrypt messages encrypted under that key.
The central server responsible for issuing tickets and recording authorizations is called the KDC (Key Distribution Center) and knows the passwords of all users and services. In a Kerberos domain (realm), each time a service or a user is added, a principal (security individual) is added, and each principal has a password. The user remembers the password of the user principal, while the service principal password is recorded on disk (in a keytab file).
A user principal is named like username/admin@example.com, in the form username/role@realm; a service principal is named like ftp/station@example.com, in the form servicename/host (provider)@realm.
In a Hadoop-based multi-tenant network disk system whose cluster is secured by Kerberos, each user must pass Kerberos verification before using the network disk read/write functions on the client. But whether the user enters a user name and password or supplies a Keytab file, this Kerberos verification cannot be integrated with the authentication of the existing network disk system.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a method and a system for authenticating a multi-tenant network disk based on Hadoop.
To solve this technical problem, the invention provides a Hadoop-based multi-tenant network disk authentication method, comprising the following steps:
an authentication module in the client receives login configuration data for user verification;
after receiving the login configuration data, the authentication module sends it to a Keytab file management module of a Kerberos center;
the Keytab file management module sends the login configuration data to a unified user authentication system;
and the unified user authentication system returns the verification result to the Keytab file management module.
Optionally, the authentication module in the client receiving login configuration data for user verification includes:
when the client detects that the network disk program has been started, calling the authentication module to receive login configuration data for user verification.
Optionally, after the unified user authentication system returns the verification result to the Keytab file management module, the method further includes:
the Keytab file management module feeding back the corresponding Keytab file to the authentication module according to the verification result.
Specifically, after the Keytab file management module feeds back the corresponding Keytab file to the authentication module according to the verification result, the method further includes:
the authentication module completes authentication using the Keytab file and obtains a Token string;
the client initiates a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
and the Hadoop cluster checks the Token string and, when the check passes, executes the read/write operation.
Specifically, obtaining the Token string further includes:
the authentication module deleting the Keytab file.
To solve the technical problem, the invention also provides a Hadoop-based multi-tenant network disk authentication system, comprising:
an authentication module in the client, configured to receive login configuration data for user verification and, after receiving it, to send the login configuration data to a Keytab file management module of a Kerberos center;
the Keytab file management module, configured to send the login configuration data to a unified user authentication system;
and the unified user authentication system, configured to return the verification result to the Keytab file management module.
Optionally, the client further includes:
a calling module, configured to call the authentication module to receive login configuration data for user verification when it detects that the network disk program has been started.
Optionally, the Keytab file management module is further configured to feed back the corresponding Keytab file to the authentication module according to the verification result.
Specifically, the authentication module is further configured to complete authentication using the Keytab file and obtain a Token string;
the calling module is further configured to initiate a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
and the Hadoop cluster checks the Token string and, when the check passes, executes the read/write operation.
Specifically, the authentication module is further configured to delete the Keytab file.
The invention has the following beneficial effects:
with this method and system, when the user runs a Hadoop-related program on the client, the user's authentication against both systems is completed by entering the user name and password only once through the client authentication module, which ensures the uniqueness and reliability of the authentication process.
Drawings
Fig. 1 is a timing diagram of Hadoop-based multi-tenant network disk authentication in an embodiment of the present invention.
Detailed Description
In order to solve the problems in the prior art, the present invention provides a method and a system for authenticating a multi-tenant network disk based on Hadoop, and the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
As shown in Fig. 1, a Hadoop-based multi-tenant network disk authentication method includes:
an authentication module in the client receives login configuration data for user verification;
after receiving the login configuration data, the authentication module sends it to a Keytab file management module of a Kerberos center;
the Keytab file management module sends the login configuration data to a unified user authentication system;
and the unified user authentication system returns the verification result to the Keytab file management module.
Further, the authentication module in the client receiving login configuration data for user verification includes:
when the client detects that the network disk program has been started, calling the authentication module to receive login configuration data for user verification.
Further, after the unified user authentication system returns the verification result to the Keytab file management module, the method further includes:
the Keytab file management module feeding back the corresponding Keytab file to the authentication module according to the verification result.
Specifically, after the Keytab file management module feeds back the corresponding Keytab file to the authentication module according to the verification result, the method further includes:
the authentication module completes authentication using the Keytab file and obtains a Token string;
the client initiates a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
and the Hadoop cluster checks the Token string and, when the check passes, executes the read/write operation.
Specifically, obtaining the Token string further includes:
the authentication module deleting the Keytab file.
The embodiment of the invention describes a way of organically combining Kerberos authentication with the authentication system of the service system: when a user runs a Hadoop-related program on the client, the user's authentication against the two systems is completed by entering a user name and password only once through an encapsulated client authentication module, which ensures the uniqueness and reliability of the authentication process.
By way of example, as shown in Fig. 1:
1. After a user logs in to a client terminal (the client) on which Kerberos is installed, and before starting to operate the network disk, the encapsulated authentication client program (the authentication module) is called; the user enters a user name and password (the login configuration data), and the authentication client program sends them to the Keytab file management module of the Kerberos center;
2. the Keytab file management module does not perform user verification in the Kerberos center, but sends the user name and password to the unified user authentication system of the service system;
3. after verification passes, the unified user authentication system feeds the verification result back to the Keytab file management module;
4. the Keytab file management module feeds the user's Keytab file back to the authentication client program on the client;
5. the authentication client program completes a proxy authentication process on the user's behalf to obtain a Token string, and then deletes the Keytab file so that it cannot be intercepted and misused;
6. the client program initiates a network disk read/write operation request to the Hadoop cluster through an API;
7. the Hadoop cluster checks whether the Token is valid; if so, the operation is executed and its result is returned.
The method of this embodiment avoids separately maintaining two sets of user names and passwords in the Kerberos center and in the authentication system of the service system; at the same time, the client deletes the user's keytab file promptly after obtaining the token, so that malicious copying and misuse are avoided.
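The seven-step exchange above, simulated end to end as an added example (this is constructed demo code, not the patent's or Hadoop's own implementation). The unified user authentication system, the Keytab file management module, a KDC stand-in, the Hadoop cluster and the client authentication module are all in-memory objects; the user names, passwords, keytab bytes, cluster secret and token format are made up here. The example shows the three security-relevant points of the flow: the Kerberos-center module forwards the credentials rather than checking them itself (step 2), the client drops the keytab the moment it has a token (step 5), and the cluster accepts only an untampered, unexpired token and confines each tenant to its own namespace (step 7).

```python
"""Simulation of the seven-step flow above: constructed demo code, not the patent's or
Hadoop's own. The unified user authentication system, the Keytab file management module,
a KDC stand-in, the Hadoop cluster and the client authentication module are in-memory
objects; the users, keytabs and cluster secret are made up here."""
import base64, hashlib, hmac, json, os, time

SALT = b"constructed-demo-salt"  # fixed only so the demo is reproducible

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

class UnifiedUserAuthSystem:
    """Service system's own user store (step 3): the only place passwords are checked."""
    def __init__(self, users):
        self._store = {u: _pw_hash(p) for u, p in users.items()}

    def verify(self, username, password):
        expected = self._store.get(username)
        return expected is not None and hmac.compare_digest(expected, _pw_hash(password))

class KeytabFileManagementModule:
    """Kerberos-centre module (steps 2 and 4): forwards the credentials to the unified
    system instead of checking them locally, and releases the keytab only on success."""
    def __init__(self, uas, keytabs):
        self._uas, self._keytabs = uas, keytabs

    def login(self, username, password):
        if not self._uas.verify(username, password):
            return None
        return self._keytabs.get(username)

class KerberosCenter:
    """KDC stand-in for the proxy authentication (step 5): a client that proves it holds
    the keytab key receives a short-lived token signed with the cluster secret."""
    def __init__(self, keytabs, cluster_secret, ttl=300):
        self._keytabs, self._secret, self.ttl = keytabs, cluster_secret, ttl

    def challenge(self):
        return os.urandom(16)

    def issue_token(self, username, nonce, proof):
        key = self._keytabs.get(username)
        if key is None or not hmac.compare_digest(hmac.new(key, nonce, "sha256").digest(), proof):
            return None
        body = json.dumps({"user": username, "exp": time.time() + self.ttl}).encode()
        sig = hmac.new(self._secret, body, "sha256").digest()
        return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()

class HadoopCluster:
    """Step 7: verifies the token, then performs the read/write in the tenant's namespace."""
    def __init__(self, cluster_secret):
        self._secret, self._disk = cluster_secret, {}

    def _check(self, token):
        try:
            b64_body, b64_sig = token.split(".")
            body, sig = base64.b64decode(b64_body), base64.b64decode(b64_sig)
        except ValueError:  # malformed token (binascii.Error is a ValueError subclass)
            return None
        if not hmac.compare_digest(hmac.new(self._secret, body, "sha256").digest(), sig):
            return None
        claims = json.loads(body)
        return claims["user"] if claims["exp"] > time.time() else None

    def request(self, token, op, path, data=None):
        user = self._check(token)
        if user is None:
            return {"ok": False, "error": "invalid or expired token"}
        key = f"/{user}/{path}"  # each tenant sees only its own directory
        if op == "write":
            self._disk[key] = data
            return {"ok": True}
        return {"ok": True, "data": self._disk.get(key)}

class ClientAuthModule:
    """Steps 1 and 5: takes the credentials once, obtains the keytab, performs the proxy
    authentication and deletes the keytab as soon as a token (or a failure) comes back."""
    def __init__(self, kfm, kdc):
        self._kfm, self._kdc, self.keytab = kfm, kdc, None

    def login(self, username, password):
        self.keytab = self._kfm.login(username, password)
        if self.keytab is None:
            return None
        try:
            nonce = self._kdc.challenge()
            proof = hmac.new(self.keytab, nonce, "sha256").digest()
            return self._kdc.issue_token(username, nonce, proof)
        finally:
            self.keytab = None  # the keytab is dropped the moment it has served its purpose

def build_demo(ttl=300):
    """Wire the components together with constructed users, keytabs and secrets."""
    users = {"alice": "correct horse battery", "bob": "hunter2"}
    keytabs = {u: os.urandom(32) for u in users}  # stands in for each user's keytab file
    cluster_secret = os.urandom(32)
    kfm = KeytabFileManagementModule(UnifiedUserAuthSystem(users), keytabs)
    kdc = KerberosCenter(keytabs, cluster_secret, ttl)
    return ClientAuthModule(kfm, kdc), HadoopCluster(cluster_secret)
```

Calling `build_demo()` and then `client.login("alice", "correct horse battery")` returns a token while `client.keytab` is already `None`; the same token then drives `cluster.request(token, "write", "notes.txt", "hello")` and the matching read. The HMAC-signed token and the nonce challenge stand in for the real Kerberos ticket exchange and Hadoop delegation tokens, which this toy does not implement; what it preserves is the trust boundary the patent describes: the password is only ever checked by the service system, the keytab lives on the client only for the duration of one proxy authentication, and the cluster verifies integrity and expiry of the token on every request.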
The invention further provides a multi-tenant network disk authentication system based on Hadoop.
As shown in Fig. 1, a Hadoop-based multi-tenant network disk authentication system in an embodiment of the present invention includes:
an authentication module in the client, configured to receive login configuration data for user verification and, after receiving it, to send the login configuration data to a Keytab file management module of a Kerberos center;
the Keytab file management module, configured to send the login configuration data to a unified user authentication system;
and the unified user authentication system, configured to return the verification result to the Keytab file management module.
Further, the client further includes:
a calling module, configured to call the authentication module to receive login configuration data for user verification when it detects that the network disk program has been started.
Furthermore, the Keytab file management module is further configured to feed back the corresponding Keytab file to the authentication module according to the verification result.
Specifically, the authentication module is further configured to complete authentication using the Keytab file and obtain a Token string;
the calling module is further configured to initiate a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
and the Hadoop cluster checks the Token string and, when the check passes, executes the read/write operation.
Specifically, the authentication module is further configured to delete the Keytab file.
When the system runs a Hadoop-related program on the client, the user's authentication against both systems is completed by entering the user name and password only once through the packaged client authentication program, which ensures the uniqueness and reliability of the authentication process; maintaining two separate sets of user names and passwords in the Kerberos center and in the service system's authentication system is avoided; and the client deletes the user's keytab file promptly after obtaining the token, so that malicious copying and misuse are avoided.
While this application describes specific examples of the invention, those skilled in the art will appreciate that many modifications are possible in the exemplary embodiments without departing from the inventive concepts herein.
In light of the above teachings, those skilled in the art can make various modifications to the present invention without departing from the scope and spirit of the present invention.

Claims (4)

1. A Hadoop-based multi-tenant network disk authentication method, characterized by comprising the following steps:
an authentication module in the client receives login configuration data for user verification;
after receiving the login configuration data, the authentication module sends it to a Keytab file management module of a Kerberos center;
the Keytab file management module sends the login configuration data to a unified user authentication system;
the unified user authentication system returns a verification result to the Keytab file management module;
after the unified user authentication system returns the verification result to the Keytab file management module, the method further comprises:
the Keytab file management module feeds back a corresponding Keytab file to the authentication module according to the verification result;
after the Keytab file management module feeds back the corresponding Keytab file to the authentication module according to the verification result, the method further comprises:
the authentication module completes authentication using the Keytab file and obtains a Token string;
the client initiates a network disk read/write operation request to a Hadoop cluster, the request carrying the Token string;
and the Hadoop cluster checks the Token string and, when the check passes, executes the read/write operation.
2. The method of claim 1, wherein the authentication module in the client receiving login configuration data for user verification comprises:
when the client detects that the network disk program has been started, calling the authentication module to receive login configuration data for user verification.
3. The method of claim 1, wherein obtaining the Token string further comprises:
the authentication module deleting the Keytab file.
4. A Hadoop-based multi-tenant network disk authentication system, characterized by comprising:
an authentication module in the client, configured to receive login configuration data for user verification and, after receiving it, to send the login configuration data to a Keytab file management module of a Kerberos center;
the Keytab file management module, configured to send the login configuration data to a unified user authentication system;
the unified user authentication system, configured to return the verification result to the Keytab file management module;
the Keytab file management module being further configured to feed back a corresponding Keytab file to the authentication module according to the verification result;
the authentication module being further configured to complete authentication using the Keytab file and obtain a Token string;
the client further comprising a calling module, configured to call the authentication module to receive login configuration data for user verification when it detects that the network disk program has been started;
the calling module being further configured to initiate a network disk read/write operation request to the Hadoop cluster, the request carrying the Token string;
and the Hadoop cluster checks the Token string and, when the check passes, executes the read/write operation.
CN201611157698.3A 2016-12-15 2016-12-15 Hadoop-based multi-tenant network disk authentication method and system Expired - Fee Related CN106790026B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611157698.3A CN106790026B (en) 2016-12-15 2016-12-15 Hadoop-based multi-tenant network disk authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611157698.3A CN106790026B (en) 2016-12-15 2016-12-15 Hadoop-based multi-tenant network disk authentication method and system

Publications (2)

Publication Number Publication Date
CN106790026A CN106790026A (en) 2017-05-31
CN106790026B true CN106790026B (en) 2020-07-07

Family

ID=58888392

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611157698.3A Expired - Fee Related CN106790026B (en) 2016-12-15 2016-12-15 Hadoop-based multi-tenant network disk authentication method and system

Country Status (1)

Country Link
CN (1) CN106790026B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104050201A (en) * 2013-03-15 2014-09-17 伊姆西公司 Method and equipment for managing data in multi-tenant distributive environment
US9130920B2 (en) * 2013-01-07 2015-09-08 Zettaset, Inc. Monitoring of authorization-exceeding activity in distributed networks
CN104935590A (en) * 2015-06-10 2015-09-23 南京航空航天大学 HDFS access control method based on role and user trust value
CN104980441A (en) * 2015-06-26 2015-10-14 浪潮软件股份有限公司 Tenant authentication mechanism realizing method
CN105183820A (en) * 2015-08-28 2015-12-23 广东创我科技发展有限公司 Multi-tenant supported large data platform and tenant access method
US9225525B2 (en) * 2010-02-26 2015-12-29 Red Hat, Inc. Identity management certificate operations


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and Improvement of the OpenStack Identity Authentication Mechanism; 池亚平 et al.; Journal of Jilin University (Information Science Edition); 20151130; pp. 700-706 *

Also Published As

Publication number Publication date
CN106790026A (en) 2017-05-31

Similar Documents

Publication Publication Date Title
US11606352B2 (en) Time-based one time password (TOTP) for network authentication
US20210367795A1 (en) Identity-Linked Authentication Through A User Certificate System
US8627409B2 (en) Framework for automated dissemination of security metadata for distributed trust establishment
US20190173873A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
CN108964885B (en) Authentication method, device, system and storage medium
US9172541B2 (en) System and method for pool-based identity generation and use for service access
CN110225050B (en) JWT token management method
JP2010531516A (en) Device provisioning and domain join emulation over insecure networks
US9479533B2 (en) Time based authentication codes
US9479495B2 (en) Sending authentication codes to multiple recipients
US11663318B2 (en) Decentralized password vault
US11757877B1 (en) Decentralized application authentication
US10749689B1 (en) Language-agnostic secure application development
JP6712707B2 (en) Server system and method for controlling a plurality of service systems
US10644890B1 (en) Language-agnostic secure application deployment
CN106790026B (en) Hadoop-based multi-tenant network disk authentication method and system
JP2016139910A (en) Authentication system, authentication key management device, authentication key management method and authentication key management program
JP2024501326A (en) Access control methods, devices, network equipment, terminals and blockchain nodes
US11611541B2 (en) Secure method to replicate on-premise secrets in a cloud environment
CN111199035A (en) Single sign-on method for interface encrypted data transmission
KR102639244B1 (en) Method, server and system for providing integrated authentication solution based on single sign on
US20230198767A1 (en) Distribution of one-time passwords for multi-factor authentication via blockchain
Corella et al. Strong and convenient multi-factor authentication on mobile devices
Aiemworawutikul et al. Vulnerability Assessment in National Identity Services
Marian et al. A Technical Investigation towards a Cloud-Based Signature Solution

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200707

Termination date: 20201215