CN107480509A - Method, system, device and storage medium for an O&M security audit system to log into a container - Google Patents
- Publication number
- CN107480509A (application CN201710863832.XA)
- Authority
- CN
- China
- Prior art keywords
- container
- host
- auditing system
- safety auditing
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/242—Query formulation
- G06F16/2433—Query languages
- G06F16/2448—Query languages for particular applications; for extensibility, e.g. user defined types
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention provides a method, system, device and storage medium by which an O&M (operation and maintenance) security audit system logs into a container. The method comprises: the O&M security audit system obtains a container access request from a user, the request including first identification information of the container the user wants to access; the O&M security audit system obtains, from a container information storage database, the host information corresponding to the requested container and the second identification information of that container on the corresponding host; the O&M security audit system logs into the host over the SSH protocol; and the host authorizes the user to log into the corresponding container according to the second identification information. With this scheme the container image no longer needs to package an SSHD service and the container itself no longer needs to manage keys and private keys, which avoids unnecessary process management and packaging and reduces the management cost of containers; at the same time, authorization of containers, security control of logins and operation auditing are all completed by the O&M security audit system, safeguarding containers throughout their use.
Description
Technical field
The present invention relates to the technical field of container image identification, and more particularly to a method, system, device and storage medium by which an O&M security audit system logs into a container, reducing container maintenance cost while ensuring the security of container logins.
Background art
With the rapid development of Internet information technology, all kinds of information systems and network products emerge endlessly. In particular, in large and medium-sized physical institutions, rapidly built IT systems are expanding from the traditionally closed business systems of the past toward large-scale key business systems, the types of application involved keep growing, and the adoption of containers by large enterprises has increasingly become a development trend. At present the most common container technology is Docker, an open-source engine with which a lightweight, portable, self-contained container can easily be created for any application. Containers rely entirely on a sandbox mechanism and have no interfaces to one another.
Docker today mainly means Docker on Linux. In order for the login control of containers to meet the enterprise production server security management standard, the prior art runs an SSHD service inside the container: the user requests a login to the container with a key pair, and the container verifies the key pair with its SSHD service to decide whether to allow the login. The SSHD service is the server side of SSH (Secure Shell), a protocol that is currently reliable and designed to provide security protection for remote login sessions and other network services. Docker containers are created from Docker images, so when this approach is used the corresponding SSHD service must also be packaged into the container image.
However, with this approach the container has to maintain the key pair and the SSHD service process, and the container's login method is identical to that of an ordinary Linux server. This increases the container's own maintenance cost and makes the login method inflexible.
Summary of the invention
In view of the problems in the prior art, an object of the present invention is to provide a method, system, device and storage medium by which an O&M security audit system logs into a container, reducing the cost of maintaining key pairs and SSHD services in containers while making containers compatible with logins through the O&M security audit system.
An embodiment of the present invention provides a container secure login method comprising the following steps:
the O&M security audit system obtains a container access request from a user, the container access request including first identification information of the container the user accesses;
the O&M security audit system sends a data query request to a container information storage database and obtains from it the host information corresponding to the container the user requests to access and the second identification information of that container on the corresponding host;
the O&M security audit system logs into the host over the SSH protocol;
an authorized-user login command is executed on the host, and the authorized user logs into the container corresponding to the second identification information.
Optionally, the first identification information of the container is the IP address of the container, and the second identification information of the container is the container's ID number; the host information and the container ID are obtained from the container information storage database.
Optionally, an SSHD service is provided on the host, and the O&M security audit system logging into the host over the SSH protocol comprises the following steps:
the O&M security audit system sends a login request to the host over the SSH protocol;
the host verifies the key or password in the login request of the O&M security audit system;
if verification passes, the host allows the O&M security audit system to log in;
if verification fails, the host refuses the login of the O&M security audit system.
Optionally, the host executes a docker exec command according to the second identification information of the container, and the authorized user logs into the corresponding container.
Optionally, when the user exits the container login, the host login is exited as well.
Optionally, the host replaces its own shell process with the process through which the user logs into the container.
Optionally, the host prepends exec to the command with which the authorized user logs into the container, so that the user's container login process replaces the host's shell process.
Optionally, the method further comprises the following steps:
the O&M security audit system performs identity verification on the user who sent the container access request;
if verification passes, proceed to the step in which the O&M security audit system sends a data query request to the container information storage database;
if verification fails, the O&M security audit system refuses the user's container access request.
Optionally, the O&M security audit system exchanges data with the container information storage database through the database's application programming interface.
Optionally, the correspondence between hosts and containers in the container information storage database, and the second identification information of each container on its host, are updated in real time as containers are scheduled in real time; the O&M security audit system obtains, through the application programming interface of the container information storage database, the host information corresponding to the container the user requests at the current moment and the second identification information of that container on the corresponding host.
Optionally, the O&M security audit system records and audits the user's operation data inside the container.
An embodiment of the present invention also provides a system by which an O&M security audit system logs into a container, for implementing the method described above. The system comprises a container information repository for storing the correspondence between hosts and containers and the second identification information of each container on each host, and an O&M security audit system comprising: an access request acquisition module for obtaining the user's container access request, which includes the first identification information of the container the user accesses; a container information query module for sending a data query request to the container information storage database and obtaining from it the host information corresponding to the requested container and the second identification information of the container on the corresponding host; and a host login module for logging into the host over the SSH protocol and executing the authorized-user login command on the host, so that the authorized user logs into the container corresponding to the second identification information.
Optionally, the O&M security audit system further comprises an identity verification module for verifying the identity of the user who sent the container access request; if verification passes, the O&M security audit system proceeds to the step of sending a data query request to the container information storage database; if verification fails, the O&M security audit system refuses the user's container access request.
Optionally, the host replaces its own shell process with the process through which the user logs into the container, so that when the user exits the container login, the host login is exited as well.
An embodiment of the present invention also provides a device by which an O&M security audit system logs into a container, comprising a processor and a memory storing instructions executable by the processor, wherein the processor is configured to execute the executable instructions to perform the steps of the method described above.
An embodiment of the present invention also provides a computer-readable storage medium for storing a program, characterized in that the program, when executed, implements the steps of the method described above.
It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the disclosure.
The method, system, device and storage medium provided by the present invention have the following advantages:
by providing an SSHD service on the host, the O&M security audit system first logs into the host corresponding to the container and then lets the user log into the container through the host. The container image no longer needs to package an SSHD service and the container itself no longer needs to manage keys and private keys, which avoids unnecessary process management and packaging and reduces the management cost of containers. At the same time, the present invention makes containers compatible with logins through the O&M security audit system: authorization of containers, security control of logins and operation auditing are all completed by the O&M security audit system, safeguarding containers throughout their use.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent from the following detailed description of non-limiting embodiments read with reference to the accompanying drawings.
Fig. 1 is a flowchart of the method by which the O&M security audit system logs into a container, according to one embodiment of the invention;
Fig. 2 is a schematic diagram of the correspondence between hosts and containers in the container information storage database, according to one embodiment of the invention;
Fig. 3 is a flowchart of the O&M security audit system logging into the host, according to one embodiment of the invention;
Fig. 4 is a sequence diagram of the method by which the O&M security audit system logs into a container, for one specific example of the invention;
Fig. 5 is a structural diagram of the system by which the O&M security audit system logs into a container, according to one embodiment of the invention;
Fig. 6 is a structural diagram of the O&M security audit system according to one embodiment of the invention;
Fig. 7 is a structural diagram of the device by which the O&M security audit system logs into a container, according to one embodiment of the invention;
Fig. 8 is a structural diagram of the computer-readable storage medium according to one embodiment of the invention.
Detailed description of embodiments
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
In addition, the drawings are merely schematic illustrations of the disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, so their repeated description is omitted. Some of the block diagrams shown in the drawings are functional entities that do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In order to connect an O&M security audit system to lightweight Docker without packaging SSHD into the container image, and to reduce the maintenance cost of login keys and SSH services, the present invention provides a container-parameterized login scheme that is compatible with an O&M security audit system.
Fig. 1 is a flowchart of the method by which the O&M security audit system of one embodiment of the invention logs into a container. The method comprises the following steps:
S100: the O&M security audit system obtains a container access request from a user, the container access request including the first identification information of the container the user accesses;
S200: the O&M security audit system sends a data query request to the container information storage database and obtains from it the host information corresponding to the container the user requests to access and the second identification information of that container on the corresponding host;
S300: the O&M security audit system logs into the host over the SSH protocol;
SSH is the abbreviation of Secure Shell, defined by the IETF Network Working Group; it is a security protocol built on the application layer. SSH is currently a comparatively reliable protocol designed to provide security for remote login sessions and other network services, and using it effectively prevents information leakage during remote management. With SSH all transmitted data can be encrypted, so a "man-in-the-middle" attack cannot be carried out, provided the client verifies the server's host key, and DNS spoofing and IP spoofing can be prevented. An additional benefit of SSH is that transmitted data can optionally be compressed, which can speed up transmission. SSH has many functions: it can replace Telnet, and it can also provide a secure "tunnel" for FTP, POP and even PPP.
S400: the authorized-user login command is executed on the host, and the authorized user logs into the container corresponding to the second identification information.
Further, the first identification information of the container may be the container's IP address, and the second identification information may be the container's ID number; what the O&M security audit system obtains from the container information storage database is the IP address of the corresponding host. That is, the user makes the request based on the container's IP address. When a login to the container is requested, the O&M security audit system, after receiving the access request containing the container's IP address, queries the container information storage database by that IP address. The database stores the information of each host and of the containers each host contains, so the host's IP address and the container's ID on that host can be looked up. The O&M security audit system can therefore request a login to the host by the host's IP address, and after logging into the host it can run the authorized-user login command with the container ID, so that the user can enter the container and perform the corresponding operations.
Thus, with this technical scheme the SSHD service only needs to be deployed on the host and not in the container, the container image does not need to package an SSHD service, and the container does not need to manage keys and private keys. This avoids unnecessary process management and packaging and reduces the management cost of containers.
As shown in Fig. 2 show the corresponding relation of the container stored in information of container data storage storehouse and host.Wherein
It can include multiple containers in each host.And the container that each host includes may not be fixed.Such as
User can realize the scheduling of container by Mesos (a kind of general cluster manager dual system).Same container can be same
Dynamically floated on the different hosts machine of stored reservoir, such as dotted line direction is dispatched along figure.Alternatively, information of container data storage storehouse
Application programming interface (API) can be provided, it is allowed to which O&M safety auditing system inquires about newest record information.Application program
DLL, it is exactly the agreement of software systems difference part linking.Because the scale of software in recent years is increasingly huge, usually
The system complexity is needed to be divided into small part, the design of DLL is particularly significant.Good Interface design can be with
Interdepending for system components is reduced, improves the cohesion of component units, the degree of coupling between component units is reduced, so as to carry
The maintainability and autgmentability of high system.That is second identification information (such as Container ID, but not limited to this) of the container in host
Can with the Real-Time Scheduling of container real-time update;The O&M safety auditing system can store number by the information of container
According to storehouse application program access interface obtain current time user ask access container corresponding to host's machine information and
Second identification information of container in corresponding host.
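The flow of steps S100 to S400 together with the database lookup of Fig. 2, as an added example in Python that is not part of the patent: it models the container information store as an in-memory table, performs the audit system's own identity check, resolves the container IP to the pair (host IP, container ID), and builds the exact command the audit system would run on the host after its SSH login. It does not open the SSH session itself. All IPs, container IDs, user names and tokens are constructed, and the validation of the container ID before it is placed into a remote command line is an added check that the patent does not describe.

```python
"""Added example (not the patent's code): bastion-side flow S100-S400.

A constructed container-information store maps the container IP the user
asks for (first identification information) to the host IP and the
container ID on that host (second identification information). The audit
system validates the user, looks the container up, and builds the host-side
command  exec docker exec -ti <container id> --user <user> sh .
Hosts, IPs, IDs, users and tokens below are all made up.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample of the container information storage database (Fig. 2):
# container IP -> (host IP, container ID). A scheduler moving a container to
# another host (e.g. Mesos) is modelled by update_placement().
CONTAINER_DB = {
    "1.1.1.1": ("10.0.0.11", "4f1c9a3b2d7e"),
    "1.1.1.2": ("10.0.0.11", "9b8e7d6c5a4f"),
    "1.1.1.3": ("10.0.0.12", "0a1b2c3d4e5f"),
}

# Constructed user table: who may request a container login at all.
AUTHORIZED_USERS = {"alice": "hunter2-token", "bob": "s3cr3t-token"}

# A Docker container ID is a lowercase hex string of 12 or 64 characters.
# Anything else is rejected before it is interpolated into a remote command.
CONTAINER_ID_RE = re.compile(r"^[0-9a-f]{12}([0-9a-f]{52})?$")
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


@dataclass(frozen=True)
class LoginPlan:
    host_ip: str          # where the audit system SSHes to (S300)
    container_id: str     # second identification information
    host_command: str     # command executed on the host after login (S400)


def verify_user(username: str, token: str) -> bool:
    """Identity check done by the audit system, not by host or container."""
    return AUTHORIZED_USERS.get(username) == token


def lookup_container(container_ip: str):
    """S200: resolve a container IP to (host IP, container ID), or None."""
    return CONTAINER_DB.get(container_ip)


def update_placement(container_ip: str, host_ip: str, container_id: str) -> None:
    """The store changes when the scheduler moves a container (Fig. 2)."""
    CONTAINER_DB[container_ip] = (host_ip, container_id)


def build_host_command(container_id: str, container_user: str = "root") -> str:
    """Build 'exec docker exec -ti <id> --user <u> sh' with strict validation.

    'exec' makes the docker client replace the host shell, so leaving the
    container also ends the host session.
    """
    if not CONTAINER_ID_RE.match(container_id):
        raise ValueError(f"invalid container id: {container_id!r}")
    if not USER_RE.match(container_user):
        raise ValueError(f"invalid container user: {container_user!r}")
    parts = ["docker", "exec", "-ti", container_id, "--user", container_user, "sh"]
    return "exec " + " ".join(shlex.quote(p) for p in parts)


def handle_access_request(username: str, token: str, container_ip: str,
                          container_user: str = "root"):
    """S100-S400 end to end; returns a LoginPlan, or None when refused."""
    if not verify_user(username, token):            # audit system refuses
        return None
    placement = lookup_container(container_ip)      # S200
    if placement is None:
        return None
    host_ip, container_id = placement
    cmd = build_host_command(container_id, container_user)
    return LoginPlan(host_ip=host_ip, container_id=container_id, host_command=cmd)


if __name__ == "__main__":
    print(handle_access_request("alice", "hunter2-token", "1.1.1.1"))
```

The container ID check matters because the ID comes from a table that the scheduler rewrites in real time: a bastion that interpolates it into `ssh <host> 'exec docker exec -ti <id> ...'` without validation would let anyone able to write that table run arbitrary commands on the host under the audit system's privileged account.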
As shown in Fig. 3, further, since an SSHD service is provided on the host, the O&M security audit system logging into the host over the SSH protocol comprises the following steps:
S310: the O&M security audit system sends a login request to the host over the SSH protocol; the login request must contain the SSH key or password held by the O&M security audit system; using the SSH protocol effectively prevents information leakage during remote management;
S320: the host verifies the key or password in the login request of the O&M security audit system; because the host runs an SSHD service, it can check the correctness of the key or password and thereby decide whether the O&M security audit system is permitted to log in;
S330: if verification passes, the host allows the O&M security audit system to log in, and the O&M security audit system can then execute the command that authorizes the user to log into the container;
S340: if verification fails, the host refuses the login of the O&M security audit system, so the user cannot log into the container either, which provides security protection for user logins.
Further, the host executes a docker exec command according to the second identification information of the container, and the authorized user logs into the corresponding container.
In practice, the host can execute the command exec docker exec -ti <Container ID> --user root sh, where:
exec before the docker command ensures that the user cannot obtain host privileges after exiting the container, which protects the host. That is, the host replaces its own shell process with the process of docker exec -ti <Container ID> --user root sh, so that when the user exits the container login, the host login is exited as well.
-ti allocates a pseudo-terminal and keeps standard input open so that the session is interactive; <Container ID> is the second identification information of the container (a container ID is used as the example here).
--user specifies the account with which the user enters the container.
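Why prepending exec changes what happens when the user leaves the container, as an added Python example that is not part of the patent: a plain sh child stands in for docker exec, so it runs without Docker, and the two variants show that with exec the host login shell is gone once the child exits, while without exec the host shell is still there to receive further commands.

```python
"""Added example (not the patent's code): the effect of `exec` on the host.

The host runs  exec docker exec -ti <container id> --user root sh  so that
the docker client replaces the host login shell. Here a child `sh` stands in
for `docker exec`; "back-on-host" is a command that must never run once the
user has left the container.
"""
import subprocess


def run_host_shell(use_exec: bool):
    """Simulate the host login shell handing the user to a child shell and
    then, if the host shell is still alive, running one more command.
    Returns (exit status, stdout) of the host shell process."""
    child = 'sh -c "echo inside-child; exit 7"'      # stands in for docker exec
    prefix = "exec " if use_exec else ""
    script = f"{prefix}{child}; echo back-on-host"    # what the host executes
    proc = subprocess.run(["sh", "-c", script], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def host_shell_survives(use_exec: bool) -> bool:
    """True if the host shell is still running after the child shell exits."""
    _, out = run_host_shell(use_exec)
    return "back-on-host" in out


if __name__ == "__main__":
    for flag in (False, True):
        rc, out = run_host_shell(flag)
        print(f"exec={flag}: exit status {rc}, output {out!r}")
```

With exec the host process is the child, so its exit status (7 here) is the session's exit status and nothing on the host runs afterwards. This only removes the host shell from that one session: the privileged account the audit system uses still has the right to run docker on the host, which is equivalent to root there, so the host should additionally confine that account (for example with sshd's ForceCommand or a wrapper that accepts nothing but a container ID), and the audit system should verify the host's SSH host key before sending the command.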
An O&M security audit system is a technical means that, within a specific network environment, collects in real time through various technologies and monitors the system state, security events and network activity of every component in that environment, so as to centrally alarm on, record, analyse and handle them and thereby protect the network and its data from system failures and data leaks caused by improper operations of internal legitimate users. Functionally it combines the two main functions of core system O&M and security audit management and control; technically it cuts off direct access from terminal computers to the network and server resources and takes over that access by means of protocol proxying. Therefore, with this technical scheme, container logins are compatible with the O&M security audit system, and authorization of containers, security control of logins and operation auditing can all be completed by the O&M security audit system.
Further, the method by which the O&M security audit system of the invention logs into a container may also comprise the following steps:
the O&M security audit system performs identity verification on the user who sent the container access request;
if verification passes, proceed to the step in which the O&M security audit system sends a data query request to the container information storage database; as long as the O&M security audit system has also passed the host's verification, the user can log into the container and perform operations;
if verification fails, the O&M security audit system refuses the user's container access request, and the user cannot log into the container to perform operations.
That is, in this embodiment the verification and control of user identity are carried out in the O&M security audit system, which is convenient for unified management; user identity verification does not need to be carried out on the host or in the container, which relieves the host and the container of that burden.
Further, the method may also comprise the step of the O&M security audit system recording and auditing the user's operation data inside the container, which further ensures the security of user operations.
Fig. 4 is a sequence diagram of the method by which the O&M security audit system of one specific example of the invention logs into a container. This specific example is only an illustration; other variations are possible in practice and fall within the scope of protection of the present invention.
Specifically, the method in this example comprises the following steps:
(1) The user logs into the O&M security audit system. During this login the O&M security audit system must verify the user's identity: if verification succeeds the subsequent steps continue, and if it fails the user's login is refused.
After the user has logged into the O&M security audit system successfully, the user requests access to the container whose IP is 1.1.1.1 with root privileges. Root privilege is a kind of system privilege, also called superuser privilege; it can be understood as comparable to SYSTEM privileges but higher than administrator privileges. root is the superuser account in Linux and Unix systems; this account has full control over the whole system and can operate on every object. Obtaining root privilege means having the highest privilege of the system, at which point any file in the system (including system files) can be created, deleted, modified or read. This is only an example and practical applications are not limited to it.
(2) The O&M security audit system calls the application programming interface of the container information repository to query the host and container ID currently corresponding to 1.1.1.1.
(3) The O&M security audit system logs into the host over SSH using a privileged account.
(4) The command exec docker exec -ti <Container ID> --user root sh is executed on the host, authorizing the user to log into the container.
(5) The shell process of the container is obtained successfully; the user is logged into the container and can perform the corresponding operations.
Therefore, with the method by which the O&M security audit system of the invention logs into a container, the container image does not need to package and install an SSHD service, the container does not need to manage keys and private keys, unnecessary process management and packaging are avoided, and the management cost of containers is reduced; at the same time containers are compatible with logins through the O&M security audit system, and authorization of containers, security control of logins and operation auditing are all completed by the O&M security audit system. In addition, unlike the prior art, the invention treats the container as an independent device OS type, Linux docker, rather than having the container login method be identical to the ordinary Linux server login method. The invention makes full use of the differences between containers and ordinary Linux servers and of the particularity of containers themselves, combining container login and host login well.
As shown in Fig. 5, an embodiment of the invention also provides a system by which an O&M security audit system logs into a container, for implementing the method described above. The system comprises a container information repository 100 and an O&M security audit system 200, wherein the container information repository 100 stores the correspondence between hosts 300 and containers 400 and the second identification information of each container contained in each host; the O&M security audit system 200 provides support for container login, security control, access authorization and log auditing.
Fig. 6 shows the structure of the O&M security audit system of one embodiment of the invention. The O&M security audit system comprises an access request acquisition module 210 for obtaining the container access request of a user 500, the container access request including the first identification information of the container the user accesses; a container information query module 220 for sending a data query request to the container information storage database 100 and obtaining from it the host information corresponding to the container the user requests to access and the second identification information of that container on the corresponding host; and a host login module 230 for logging into the host 300 over the SSH protocol and executing the authorized-user login command on the host 300, so that the authorized user 500 logs into the container 400 corresponding to the second identification information.
Further, the O&M security audit system 200 may also comprise an identity verification module 240 for verifying the identity of the user who sent the container access request; if verification passes, the O&M security audit system 200 proceeds to the step of sending a data query request to the container information storage database 100; if verification fails, the O&M security audit system 200 refuses the container access request of the user 500. That is, besides serving as the bridge through which the user logs into the container, the O&M security audit system 200 also has to verify the user's identity, which ensures the security of container logins.
Further, the host 300 replaces its own shell process with the process through which the user logs into the container, so that when the user 500 exits the login of the container 400, the login of the host 300 is exited as well. Concretely, as described above, exec is prepended to the docker command so that the user's container login process replaces the host's shell process: when the user exits the container login, that is, when the user's container login process ends, the host is exited at the same time, so the user cannot obtain host privileges after exiting the container, which protects the security of the host and of the other containers on it.
When a container is logged in to through the O&M safety auditing system login container system of the present invention, the matching relationship between the container information repository 100 and the O&M safety auditing system 200 means that the O&M safety auditing system 200 only needs to know the IP address of the target container in order to obtain the IP address of the host where the target container runs and the ID of the container. Through the cooperation of the O&M safety auditing system 200 and the host 300, the host 300 can verify the O&M safety auditing system 200 and, once verification passes, execute the command that authorizes the user's login, allowing the user to log in to the target container and so achieving the purpose of container login. The user's identity is verified by the O&M safety auditing system 200, and the O&M safety auditing system 200 itself is verified by the host 300, which guarantees the security of the container login. No SSHD service needs to be packaged into the container image, and the container needs to manage no keys or private keys, which reduces the management cost of the container.
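As an added illustration (not the patent's own code) of the flow laid out in the description above and in claims 1 to 11, the following Python models the auditing system's identity check, container lookup, SSH login command and the exec-prefixed docker command run on the host; the database records, user credentials, IP addresses and the `AuditSystem` class are all constructed assumptions.

```python
"""Model of the login flow: identity check, container lookup, SSH to the host,
and a host-side command prefixed with exec so the host shell is replaced."""
import hmac
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample records standing in for the container information storage
# database (100): container IP -> host IP and container ID on that host.
CONTAINER_DB = {
    "10.0.3.15": {"host_ip": "192.168.1.20", "container_id": "3f1a9c2b7d4e"},
    "10.0.3.16": {"host_ip": "192.168.1.21", "container_id": "9b8e7d6c5a4f"},
    # A record whose ID is not a docker ID: the lookup must reject it rather
    # than splice it into a shell command that the host will execute.
    "10.0.3.17": {"host_ip": "192.168.1.22", "container_id": "x; id"},
}
# Constructed credential store for the identity verification module (240).
USERS = {"alice": "s3cret-token"}

# Docker container IDs are lowercase hex, 12 (short) to 64 (full) characters.
CONTAINER_ID_RE = re.compile(r"^[0-9a-f]{12,64}$")


@dataclass
class AuditSystem:
    """Stand-in for the O&M safety auditing system (200)."""
    ssh_user: str = "audit"                      # account the host's SSHD trusts
    audit_log: list = field(default_factory=list)

    def verify_user(self, user: str, token: str) -> bool:
        """Identity verification module (240); constant-time compare of the token."""
        expected = USERS.get(user)
        return expected is not None and hmac.compare_digest(expected, token)

    def lookup(self, container_ip: str):
        """Container information query module (220): first ID -> (host IP, second ID)."""
        rec = CONTAINER_DB.get(container_ip)
        if rec is None or not CONTAINER_ID_RE.match(rec["container_id"]):
            return None
        return rec["host_ip"], rec["container_id"]

    @staticmethod
    def host_command(container_id: str) -> str:
        """Command the host (300) runs for the authorized user.

        'exec' replaces the host-side shell with the docker exec process, so when
        the user leaves the container there is no host shell left to fall back to.
        """
        return f"exec docker exec -it {shlex.quote(container_id)} /bin/bash"

    def ssh_argv(self, host_ip: str, container_id: str) -> list:
        """Host login module (230): SSH into the host and run the login command."""
        return ["ssh", "-tt", f"{self.ssh_user}@{host_ip}",
                self.host_command(container_id)]

    def login(self, user: str, token: str, container_ip: str):
        """Full flow; returns the ssh argv to run, or None when the request is refused."""
        if not self.verify_user(user, token):
            self.audit_log.append((user, container_ip, "refused: identity check failed"))
            return None
        found = self.lookup(container_ip)
        if found is None:
            self.audit_log.append((user, container_ip, "refused: no valid container record"))
            return None
        host_ip, cid = found
        self.audit_log.append((user, container_ip, f"login host={host_ip} container={cid}"))
        return self.ssh_argv(host_ip, cid)

    def record_operation(self, user: str, container_ip: str, command: str) -> None:
        """Operation audit (claim 11): record what the user ran inside the container."""
        self.audit_log.append((user, container_ip, f"ran: {command}"))


if __name__ == "__main__":
    system = AuditSystem()
    print(system.login("alice", "s3cret-token", "10.0.3.15"))
    print(system.login("alice", "wrong", "10.0.3.15"))
    print(system.login("alice", "s3cret-token", "10.0.3.17"))
    for entry in system.audit_log:
        print(entry)
```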
An embodiment of the present invention also provides an O&M safety auditing system login container device, including a processor and a memory storing instructions executable by the processor, the processor being configured to perform, by executing the executable instructions, the steps of the O&M safety auditing system login container method described above.
A person of ordinary skill in the art will understand that the various aspects of the invention may be implemented as a system, a method or a program product. Accordingly, the various aspects of the invention may take the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode and the like), or an embodiment combining hardware and software, which may be referred to collectively here as a "circuit", "module" or "platform".
An electronic device 600 according to an embodiment of the invention is described below with reference to Fig. 7. The electronic device 600 shown in Fig. 7 is only an example and places no limitation on the functionality or scope of use of embodiments of the invention.
As shown in Fig. 7, the electronic device 600 takes the form of a general-purpose computing device. Its components may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting the different platform components (including the memory unit 620 and the processing unit 610), a display unit 640, and so on.
The memory unit stores program code that can be executed by the processing unit 610, so that the processing unit 610 performs the steps of the various exemplary embodiments of the invention described in the "electronic prescription circulation processing method" section of this specification above. For example, the processing unit 610 may perform the steps shown in Fig. 1.
The memory unit 620 may include a computer-readable storage medium in the form of a volatile memory unit, such as a random access memory unit (RAM) 6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set of (at least one) program modules 6205. Such program modules 6205 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The bus 630 may represent one or more of several classes of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, a graphics acceleration port, and a processing unit or local bus using any of a variety of bus structures.
The electronic device 600 may also communicate with one or more external devices 700 (such as a keyboard, a pointing device, a Bluetooth device and the like), with one or more devices that enable a user to interact with the electronic device 600, and/or with any device (such as a router or modem) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 650. The electronic device 600 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 660. The network adapter 660 may communicate with the other modules of the electronic device 600 through the bus 630. It should be understood that, although not shown in the drawings, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage platforms and the like.
As described above, when the O&M safety auditing system login container device of the present invention performs the O&M safety auditing system login container method described above, the container image need not package or install an SSHD service, the container need not manage keys or private keys, unnecessary process management and packaging are avoided, and the management cost of the container is reduced. At the same time, the container is made compatible with O&M safety auditing system login: container authorization, login security control and operation audit are all completed by the O&M safety auditing system, which comprehensively guarantees the security of container login.
An embodiment of the present invention also provides a computer-readable storage medium for storing a program which, when executed, implements the steps of the O&M safety auditing system login container method described above. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product that includes program code; when the program product runs on a terminal device, the program code causes the terminal device to perform the steps of the various exemplary embodiments of the invention described in the "electronic prescription circulation processing method" section of this specification above.
With reference to Fig. 8, a program product 800 for implementing the above method according to an embodiment of the present invention is described; it may use a portable compact disc read-only memory (CD-ROM), includes program code, and can run on a terminal device such as a personal computer. However, the program product of the present invention is not limited to this; in this document a readable storage medium may be any tangible medium that contains or stores a program which can be used by, or in connection with, an instruction execution system, apparatus or device.
The program product may use any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device. Program code contained on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, optical cable, RF and the like, or any suitable combination of the above.
Program code for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
As described above, when the program on the computer-readable storage medium is run using an external device, the management cost of the container can likewise be reduced and the login security of the container comprehensively guaranteed.
The O&M safety auditing system login container method, system, device and storage medium provided by the present invention have the following advantages:
By providing an SSHD service in the host, the O&M safety auditing system of the present invention first logs in to the host corresponding to the container and then lets the user log in to the container through the host, so that the container image need not package an SSHD service and the container itself need not manage keys or private keys; unnecessary process management and packaging are thereby avoided and the management cost of the container is reduced. At the same time, the present invention makes the container compatible with O&M safety auditing system login: container authorization, login security control and operation audit are all completed by the O&M safety auditing system, comprehensively guaranteeing the security of the container in use.
The above content is a further detailed description of the present invention in conjunction with specific preferred embodiments, and the specific implementation of the invention should not be considered limited to these descriptions. A person of ordinary skill in the technical field to which the invention belongs may make simple deductions or substitutions without departing from the inventive concept, and these should all be considered to fall within the scope of protection of the present invention.
Claims (16)
1. An O&M safety auditing system login container method, characterized in that it comprises the following steps:
the O&M safety auditing system obtains the container access request of a user, the container access request including first identification information of the container the user accesses;
the O&M safety auditing system sends a data query request to a container information storage database and obtains from the container information storage database the host information corresponding to the container the user requests to access and the second identification information of that container on the corresponding host;
the O&M safety auditing system logs in to the host over the SSH protocol;
a command authorizing the user's login is executed on the host, and the authorized user logs in to the container corresponding to the second identification information.
2. The O&M safety auditing system login container method according to claim 1, characterized in that the first identification information of the container is the IP address of the container; the second identification information of the container is the ID number of the container; and the host information the O&M safety auditing system obtains from the container information storage database is the IP address of the host.
3. The O&M safety auditing system login container method according to claim 1, characterized in that an SSHD service is provided in the host;
and the O&M safety auditing system logging in to the host over the SSH protocol comprises the following steps:
the O&M safety auditing system sends a login request to the host over the SSH protocol;
the host verifies the key or password in the login request of the O&M safety auditing system;
if verification passes, the host allows the O&M safety auditing system to log in;
if verification fails, the host refuses the login of the O&M safety auditing system.
4. The O&M safety auditing system login container method according to claim 1, characterized in that the host executes a docker exec command according to the second identification information of the container, so that the authorized user logs in to the corresponding container.
5. The O&M safety auditing system login container method according to claim 1, characterized in that when the user exits the login of the container, the login of the host is exited as well.
6. The O&M safety auditing system login container method according to claim 5, characterized in that the host replaces the shell process of the host with the process in which the user logs in to the container.
7. The O&M safety auditing system login container method according to claim 6, characterized in that the host prefixes the command that authorizes the user to log in to the container with exec, so that the process in which the user logs in to the container replaces the shell process of the host.
8. The O&M safety auditing system login container method according to claim 1, characterized in that it further comprises the following steps:
the O&M safety auditing system verifies the identity of the user who sends the container access request;
if verification passes, the O&M safety auditing system proceeds to the step of sending the data query request to the container information storage database;
if verification fails, the O&M safety auditing system refuses the container access request of the user.
9. The O&M safety auditing system login container method according to claim 1, characterized in that the O&M safety auditing system exchanges data with the container information storage database through an application program access interface of the container information storage database.
10. The O&M safety auditing system login container method according to claim 9, characterized in that the correspondence between hosts and containers in the container information storage database, and the second identification information of each container on its host, are updated in real time as the containers are scheduled in real time;
and the O&M safety auditing system obtains, through the application program access interface of the container information storage database, the host information currently corresponding to the container the user requests to access and the second identification information of that container on the corresponding host.
11. The O&M safety auditing system login container method according to claim 10, characterized in that it further comprises:
the O&M safety auditing system records and audits the operation data of the user in the container.
12. An O&M safety auditing system login container system for implementing the O&M safety auditing system login container method according to any one of claims 1 to 11, characterized in that the system comprises:
a container information repository for storing the correspondence between hosts and containers and the second identification information of each container included in each host;
and an O&M safety auditing system, comprising:
an access request acquisition module for obtaining the container access request of a user, the container access request including first identification information of the container the user accesses;
a container information query module for sending a data query request to the container information storage database and obtaining from the container information storage database the host information corresponding to the container the user requests to access and the second identification information of that container on the corresponding host;
a host login module for logging in to the host over the SSH protocol and authorizing the user to log in to the corresponding container according to the second identification information of the container, a command authorizing the user's login being executed on the host so that the authorized user logs in to the container corresponding to the second identification information.
13. The O&M safety auditing system login container system according to claim 12, characterized in that the O&M safety auditing system further comprises:
an identity verification module for verifying the identity of the user who sends the container access request;
if verification passes, the O&M safety auditing system proceeds to the step of sending the data query request to the container information storage database;
if verification fails, the O&M safety auditing system refuses the container access request of the user.
14. The O&M safety auditing system login container system according to claim 13, characterized in that the host replaces the shell process of the host with the process in which the user logs in to the container, so that when the user exits the login of the container, the login of the host is exited as well.
15. An O&M safety auditing system login container device, characterized in that it comprises:
a processor;
a memory storing instructions executable by the processor;
wherein the processor is configured to perform, by executing the executable instructions, the steps of the O&M safety auditing system login container method according to any one of claims 1 to 11.
16. A computer-readable storage medium for storing a program, characterized in that when the program is executed, the steps of the O&M safety auditing system login container method according to any one of claims 1 to 11 are implemented.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710863832.XA CN107480509A (en) | 2017-09-22 | 2017-09-22 | O&M safety auditing system logs in vessel process, system, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107480509A true CN107480509A (en) | 2017-12-15 |
Family
ID=60586736
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107480509A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20171215 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |