CN107577538B - Container resource management method and system - Google Patents

Info

Publication number: CN107577538B
Authority: CN (China)
Prior art keywords: container, user, information, target, access
Legal status: Active
Application number: CN201710995539.9A
Other languages: Chinese (zh)
Other versions: CN107577538A
Inventors: 李铭轩, 魏进武, 张呈宇, 张基恒, 博格利
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Events:
  • Application filed by China United Network Communications Group Co Ltd
  • Priority to CN201710995539.9A
  • Publication of CN107577538A
  • Application granted
  • Publication of CN107577538B
  • Legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The container resource management method and system provided by the present invention receive a container creation request sent by a first user, wherein the container creation request includes authority information and requirement information; create a container according to the authority information and the requirement information; register the container to obtain a container registration information list; receive an access request sent by a second user for a target container; determine the authority information of the target container according to the access request and the container registration information list; and execute the access request according to the authority information of the target container. In this way, the authority information of a container is encapsulated directly in the container when the container is created, and when a user accesses the container the access is performed directly according to the authority information held in the container. This avoids the problem of the prior art, in which the container resource management system allocates container authority to users so that a collapse of the authority allocation mechanism disorders the user access mechanism, and thereby ensures the security of the data in the container.

Description

Container resource management method and system
Technical Field
The invention relates to the field of data security, in particular to a container management method and system.
Background
With the advent of the digital information age, using container technology to implement cloud storage has become a hot topic, and how to manage container resources on a multi-tenant basis has become a research focus.
Generally, multiple containers share the resources of a host, such as computing, storage and network. Before a user accesses a container, the container resource management system at the system layer must allocate authority to the user, and the operating system at the application layer then judges whether the user has the authority to access the corresponding container. In the existing container resource management method, therefore, a user's authority to access a container is allocated by the container resource management system; once this authority allocation mechanism collapses, the tenant's access mechanism is disturbed and the security of the data in the container is seriously affected.
Disclosure of Invention
The invention provides a container management method and system, addressing the problem that the access authority allocation mechanism of existing container management systems collapses easily and thereby seriously affects the security of the data in the containers.
In one aspect, the present invention provides a container management method, including:
receiving a container creation request sent by a first user, wherein the container creation request comprises authority information and requirement information;
creating a container according to the authority information and the requirement information;
registering the container to obtain a container registration information list;
receiving an access request sent by a second user to the target container;
determining the authority information of the target container according to the access request and the container registration information list;
and executing the access request according to the authority information of the target container.
Further, the creating a container according to the authority information and the requirement information includes:
encrypting the authority information to obtain container annotation information;
and creating a container copy according to the requirement information, and packaging the container annotation information and the container copy to obtain the container.
Further, the container registration information list includes container identifiers and corresponding container addresses of the containers; the access request includes a target container identification;
correspondingly, the determining the authority information of the target container according to the access request and the container registration information list includes:
determining the container address of the target container according to the target container identifier and the container identifier of each container in the container registration information list;
pulling up the target container according to the container address of the target container and acquiring container annotation information of the target container;
and decrypting the container annotation information of the target container to obtain the authority information of the target container.
Further, before the receiving the container creation request sent by the first user, the method further includes:
receiving an identity authentication request sent by a first user, and performing security authentication on the user identity of the first user; when the user identity authentication request of the first user passes, sending an authentication passing message to the first user, so that the first user sends the container creation request after receiving the authentication passing message;
before receiving the access request sent by the second user, the method further includes:
receiving an identity authentication request sent by a second user, and performing security authentication on the user identity of the second user; and when the user identity authentication request of the second user passes, sending an authentication passing message to the second user, so that the second user sends the access request after receiving the authentication passing message.
Further, the authority information includes user identifications and corresponding operation authorities; the access request comprises a second user identification and an access operation;
correspondingly, the executing the access request according to the authority information of the target container includes:
judging whether a target user identifier matched with a second user identifier exists in all user identifiers of the authority information of the target container;
if so, judging whether the access operation of the second user is matched with the operation authority corresponding to the target user identification; and if so, executing the access operation.
Further, the requirement information includes a container copy number and/or a container configuration parameter.
The invention also provides a container resource management system, comprising:
the receiving and sending unit is used for receiving a container creating request sent by a first user, wherein the container creating request comprises authority information and requirement information; the system is also used for receiving an access request sent by a second user to the target container;
the container creating unit is used for creating a container according to the authority information and the requirement information; registering the container to obtain a container registration information list;
the container access unit is used for determining the authority information of the target container according to the access request and the container registration information list; and executing the access request according to the authority information of the target container.
Further, the container creating unit is specifically configured to:
encrypting the authority information to obtain container annotation information;
and creating a container copy according to the requirement information, and packaging the container annotation information and the container copy to obtain the container.
Further, the container registration information list includes container identifiers and corresponding container addresses of the containers; the access request includes a target container identification;
correspondingly, the container access unit is specifically configured to: determining the container address of the target container according to the target container identifier and the container identifier of each container in the container registration information list; pulling up the target container according to the container address of the target container and acquiring container annotation information of the target container; and decrypting the container annotation information of the target container to obtain the authority information of the target container.
Further, the container resource management system further includes: an identity authentication unit;
the identity authentication unit is used for carrying out security authentication on the user identity of the first user; the system is also used for carrying out security authentication on the user identity of the second user;
correspondingly, the transceiver unit is further configured to receive an identity authentication request sent by the first user before receiving the container creation request sent by the first user; when the identity authentication unit determines that the user identity authentication request of the first user passes, the transceiver unit is further configured to send an authentication passing message to the first user, so that the first user sends the container creation request after receiving the authentication passing message;
the receiving and sending unit is further used for receiving an identity authentication request sent by the second user before receiving the access request sent by the second user; when the identity authentication unit determines that the user identity authentication request of the second user passes, the transceiver unit is further configured to send an authentication passing message to the second user, so that the second user sends the access request after receiving the authentication passing message.
Further, the authority information includes user identifications and corresponding operation authorities; the access request comprises a second user identification and an access operation;
correspondingly, the container access unit is specifically configured to: judging whether a target user identifier matched with a second user identifier exists in all user identifiers of the authority information of the target container; if so, judging whether the access operation of the second user is matched with the operation authority corresponding to the target user identification; and if so, executing the access operation.
Further, the requirement information includes a container copy number and/or a container configuration parameter.
The container resource management method and system provided by the invention receive a container creation request sent by a first user, wherein the container creation request includes authority information and requirement information; create a container according to the authority information and the requirement information; register the container to obtain a container registration information list; receive an access request sent by a second user for a target container; determine the authority information of the target container according to the access request and the container registration information list; and execute the access request according to the authority information of the target container. Therefore, the authority information of a container is packaged directly in the container when it is created, and when a user accesses the container the access is performed directly according to the authority information in the container. This solves the problem of the prior art, in which the authority of a container is allocated to the user by the container resource management system so that a collapse of the authority allocation mechanism disorders the user access mechanism, and ensures the security of the data in the container.
Drawings
Fig. 1 is a flowchart illustrating a container resource management method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a container resource management method according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a container resource management system according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention.
Fig. 1 is a schematic flowchart of a container resource management method according to an embodiment of the present invention, and as shown in fig. 1, the container resource management method according to the embodiment of the present invention includes the following steps:
step 101, receiving a container creation request sent by a first user, wherein the container creation request comprises authority information and requirement information.
The execution body of the present invention may specifically be a container management system, and the physical form of the execution body may be a terminal device composed of hardware such as a processor, a memory, a logic circuit, and an electronic chip.
Specifically, the container management system may receive a container creation request sent by a first user, the container creation request including authority information of the container to be created and requirement information of the container to be created. The authority information may specifically be information or an identifier indicating container management authority such as access authority and container modification authority; the requirement information may specifically be inherent attributes of the container, such as the number of copies of the container and/or configuration parameters of the container.
In addition, the container creation request sent by the first user may be received by way of instruction input, for example by providing a visual interactive interface to the first user so that the first user can enter the related information at a specified position of the interface, or by directly receiving an instruction code entered by the first user; those skilled in the art may also implement the receiving of the container creation request sent by the first user in other ways, and the invention is not limited in this respect.
Step 102, creating a container according to the authority information and the requirement information.
Step 103, registering the container to obtain a container registration information list.
Specifically, the authority of the created container may be determined according to authority information input by the first user, and the container matched with the requirement information may be created according to the requirement information. Subsequently, the created container is registered, and a container registration information list is obtained. The container registration information list not only includes information of the container created by the first user, but also includes information of containers created by other users.
Step 104, receiving an access request sent by a second user for the target container.
In particular, the container management system may receive an access request for a target container sent by a second user. The access request may specifically be a request for performing operations such as data storage, data reading, container status checking, container configuration modification, and container deletion on the target container. In addition, the second user may be the same user as the first user or a different user from the first user, which is not limited in the present invention.
In addition, the access request sent by the second user may be received by way of instruction input, for example by providing a visual interactive interface to the second user so that the second user can enter the related access request at a specified position of the interface, or by directly receiving an instruction code entered by the second user; those skilled in the art may also implement the receiving of the access request sent by the second user in other ways, and the invention is not limited in this respect.
Step 105, determining the authority information of the target container according to the access request and the container registration information list.
Step 106, executing the access request according to the authority information of the target container.
Specifically, according to the received access request of the second user to the target container, the information of the corresponding target container may be queried and found in the container registration information list, and then the authority information of the target container may be obtained according to the information of the target container. And then, judging whether the second user has the authority to access the target container according to the authority information of the target container, if so, executing the access request, and if not, returning a message of denying access to the second user.
That is to say, in the container resource management method provided in the first embodiment of the present invention, after the access request of the second user for the target container is received, the authority information prestored in the target container is obtained directly, and whether to execute the access request of the second user is decided according to that authority information. This avoids the data security risk of the prior art, in which, after the access request of the second user for the target container is received, container authority has to be allocated to the second user at the system layer in order to decide whether the second user has the authority to access the container.
Preferably, to further ensure data security, before receiving the container creation request sent by the first user in step 101, the identity of the first user may also be securely authenticated. Specifically, the method comprises the following steps: receiving an identity authentication request sent by a first user, and performing security authentication on the user identity of the first user; and when the user identity authentication request of the first user passes, sending an authentication passing message to the first user, so that the first user sends a container creation request after receiving the authentication passing message.
Further, the authentication may specifically use certificate authentication or key authentication. For example, the container resource management system may issue a user certificate or user key to the user, and the user completes identity authentication with that user certificate or user key; alternatively, a third-party authentication system may issue the user certificate or user key to the user and send a matching system certificate or system key to the container resource management system, which then completes the identity authentication of the user. When the first user passes authentication, an authentication passing message may be sent to the first user, who then sends the container creation request after receiving it; when the first user fails authentication, an authentication failure message may be sent to the first user, who may re-initiate the identity authentication request in response.
Preferably, to further ensure data security, before receiving the access request sent by the second user in step 104, the method may further include: receiving an identity authentication request sent by a second user, and performing security authentication on the user identity of the second user; and when the user identity authentication request of the second user passes, sending an authentication passing message to the second user, so that the second user sends an access request after receiving the authentication passing message.
Similarly, the authentication may specifically use certificate authentication or key authentication. For example, the container resource management system may issue a user certificate or user key to the user, and the user completes identity authentication with that user certificate or user key; alternatively, a third-party authentication system may issue the user certificate or user key to the user and send a matching system certificate or system key to the container resource management system, which then completes the identity authentication of the user. When the second user passes authentication, an authentication passing message may be sent to the second user, who then sends the access request after receiving it; when the second user fails authentication, an authentication failure message may be sent to the second user, who may re-initiate the identity authentication request in response.
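The following Python is an added worked example, not code from the patent, of the key-based variant of the identity authentication described above: an issuer hands the user a user key and the management system a matching system key; the user proves possession by answering a fresh challenge; the transceiver unit accepts a container creation request only from a user who holds an authentication passing message, and a failed or replayed answer yields the failure message so the user can re-initiate. The challenge-response shape, the HMAC construction and all names (IdentityAuthenticationUnit, TransceiverUnit, AUTH_PASS) are assumptions; the patent only says certificate or key authentication is used.

```python
import hashlib
import hmac
import secrets

# Constructed messages standing in for the patent's "authentication passing /
# failure message"; the wire format is an assumption.
AUTH_PASS = "authentication passing message"
AUTH_FAIL = "authentication failure message"


def _response(key: bytes, user_id: str, nonce: bytes) -> bytes:
    """Answer to a challenge, bound to the user id and the nonce so that an
    answer captured for one challenge is useless for any other."""
    return hmac.new(key, b"auth|" + user_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class IdentityAuthenticationUnit:
    """Holds the system key matched to each user key and verifies challenges."""

    def __init__(self):
        self._system_keys = {}      # user id -> system key (matches the user key)
        self._challenges = {}       # user id -> outstanding single-use nonce
        self.authenticated = set()  # users currently holding a pass message

    def issue_user_key(self, user_id: str) -> bytes:
        """Plays the issuer (the system itself or a third party): returns the
        user key and keeps the matching system key. For HMAC both are equal."""
        key = secrets.token_bytes(32)
        self._system_keys[user_id] = key
        return key

    def begin(self, user_id: str) -> bytes:
        """Identity authentication request -> fresh challenge for this user."""
        nonce = secrets.token_bytes(16)
        self._challenges[user_id] = nonce
        return nonce

    def finish(self, user_id: str, response: bytes) -> str:
        """Verify the answer. The nonce is consumed whether or not it matches,
        so a second submission of the same answer is refused."""
        nonce = self._challenges.pop(user_id, None)
        key = self._system_keys.get(user_id)
        if nonce is None or key is None:
            return AUTH_FAIL
        if hmac.compare_digest(_response(key, user_id, nonce), response):
            self.authenticated.add(user_id)
            return AUTH_PASS
        return AUTH_FAIL


class TransceiverUnit:
    """Accepts a container creation request only after the pass message."""

    def __init__(self, auth: IdentityAuthenticationUnit):
        self._auth = auth

    def receive_container_creation_request(self, user_id: str, request: dict) -> bool:
        return user_id in self._auth.authenticated and "authority" in request


def user_authenticate(auth: IdentityAuthenticationUnit, user_id: str, user_key: bytes) -> str:
    """Client side: send the authentication request, answer the challenge."""
    nonce = auth.begin(user_id)
    return auth.finish(user_id, _response(user_key, user_id, nonce))


def demo() -> dict:
    """Runs the flow on constructed users and returns the observed outcomes."""
    auth = IdentityAuthenticationUnit()
    tx = TransceiverUnit(auth)
    alice_key = auth.issue_user_key("alice")
    results = {}
    # A creation request sent before authenticating is refused.
    results["before_auth"] = tx.receive_container_creation_request("alice", {"authority": {}})
    results["alice"] = user_authenticate(auth, "alice", alice_key)
    results["after_auth"] = tx.receive_container_creation_request("alice", {"authority": {}})
    # A wrong key yields the failure message; the user may re-initiate.
    results["wrong_key"] = user_authenticate(auth, "alice", b"\x00" * 32)
    # A correct answer submitted twice: the second time the nonce is gone.
    bob_key = auth.issue_user_key("bob")
    nonce = auth.begin("bob")
    answer = _response(bob_key, "bob", nonce)
    results["bob_first"] = auth.finish("bob", answer)
    results["replay"] = auth.finish("bob", answer)
    return results


if __name__ == "__main__":
    print(demo())
```

The point for a reviewer is the single-use nonce: without it, an answer observed once would authenticate the same user forever, and the "re-initiate after failure" path in the text would also have to hand out a new challenge rather than re-check the old one.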
In the container resource management method provided by the embodiment of the invention, a container creation request sent by a first user is received, wherein the container creation request includes authority information and requirement information, a container is created according to the authority information and the requirement information, a container registration information list is obtained by registering the container, an access request sent by a second user to a target container is received, the authority information of the target container is determined according to the access request and the container registration information list, and the access request is executed according to the authority information of the target container. Therefore, when the container is created, the authority information of the container can be directly packaged in the container, and then when a user accesses the container, the user can directly perform access according to the authority information in the container, so that the problem that in the prior art, the authority of the container is allocated to the user by a container resource management system, once the authority allocation mechanism collapses, the user access mechanism is disordered is solved, and the data security in the container is ensured.
On the basis of the first embodiment, in order to further explain the container resource management method provided by the present invention, fig. 2 is a schematic flow chart of a container resource management method provided by a second embodiment of the present invention.
As shown in fig. 2, the container resource management method includes:
step 201, receiving a container creation request sent by a first user, wherein the container creation request includes authority information and requirement information.
Similar to the first embodiment, the container management system may receive a container creation request sent by the first user, where the container creation request includes authority information of the container to be created and requirement information of the container to be created. The authority information may specifically be information or an identifier indicating container management authority such as access authority and container modification authority; the requirement information may specifically be inherent attributes of the container, such as the number of copies of the container and/or configuration parameters of the container.
In addition, the container creation request sent by the first user may be received by way of instruction input, for example by providing a visual interactive interface to the first user so that the first user can enter the related information at a specified position of the interface, or by directly receiving an instruction code entered by the first user; those skilled in the art may also implement the receiving of the container creation request sent by the first user in other ways, and the invention is not limited in this respect.
Step 202, encrypting the authority information to obtain the container annotation information.
Step 203, creating a container copy according to the requirement information, and encapsulating the container annotation information and the container copy to obtain a container.
Specifically, the authority information may be encrypted by using an encryption technique to generate the container annotation information, for example, an encryption technique such as symmetric key encryption or asymmetric key encryption may be used, which is not limited in the present invention.
In addition, a container copy is created according to the requirement information, and the container annotation information and the container copy are packaged to obtain the container.
For example, when the requirement information includes the number of container copies, container copies with the same number as the number of the container copies may be created, and the container annotation information and each container copy are encapsulated to obtain a container; when the requirement information includes container configuration parameters, container copies may be created according to the container configuration parameters, where the container configuration parameters may specifically be container storage capacity, container thread number, and the like, and the container annotation information and each container copy are encapsulated to obtain a container.
Step 204, registering the containers to obtain a container registration information list, wherein the container registration information list comprises container identifications and corresponding container addresses of the containers.
Specifically, the created container is registered, and a container registration information list is obtained. The container registration information list not only includes information of the container created by the first user, but also includes information of containers created by other users, wherein the information of the container includes a container identifier and a container address, and in addition, the information obtained by extracting keywords from container annotation information can be included.
Step 205, receiving an access request to the target container sent by the second user, wherein the access request includes the target container identifier.
In particular, the container management system may receive an access request for a target container sent by a second user, the access request including the target container identifier. The access request is a request to perform operations such as data storage, data reading, container status checking, container configuration modification or container deletion on the target container. The second user may be the same user as the first user or a different user, which the invention does not limit.
In addition, the access request sent by the second user may be received by way of instruction input, for example by providing a visual interactive interface to the second user so that the second user can enter the related access request at a specified position of the interface, or by directly receiving an instruction code entered by the second user; those skilled in the art may also implement the receiving of the access request sent by the second user in other ways, and the invention is not limited in this respect.
Step 206, determining the container address of the target container according to the target container identifier and the container identifier of each container in the container registration information list.
Step 207, pulling up the target container according to the container address of the target container and acquiring the container annotation information of the target container.
Step 208, decrypting the container annotation information of the target container to obtain the authority information of the target container.
Specifically, in steps 206 to 208, after receiving the access request for the target container sent by the second user, the container resource management system compares the target container identifier in the access request with the container identifiers of the containers in the container registration information list one by one, and determines in the list the container address corresponding to the container identifier that matches the target container identifier; that container address is the container address of the target container. According to the acquired container address, the target container can be pulled up from the container resource pool and the container annotation information packaged in it can be read. The container annotation information is then decrypted with the decryption technique matching the encryption technique of step 202, yielding the authority information of the target container.
Step 209, executing the access request according to the authority information of the target container.
Specifically, whether the second user has the right to access the target container is judged according to the right information of the target container, if so, the access request can be executed, and if not, a message of denying access can be returned to the second user.
Further, the authority information may specifically include user identifiers and the operation authority corresponding to each: for example, the first user identifier with the authority to modify and delete the container and to store and read data in it, and a third user identifier with the authority only to read data in the container. A user identifier may be a single-user identifier (one identifier per user) or a group identifier (several users sharing one identifier); the invention does not limit this. Correspondingly, the access request further includes a second user identifier and an access operation, where the access operation may be storing data, reading data, deleting the container, modifying the container, and so on. Step 209 may then specifically be: determining whether a target user identifier matching the second user identifier exists among the user identifiers in the authority information of the target container; if so, acquiring the operation authority corresponding to the target user identifier and judging whether the access operation requested by the second user matches it; and if it matches, executing the access operation. If no user identifier matches, or the requested operation lies outside the corresponding operation authority, access is denied as described above.
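The creation step 202 and the access steps 206 to 209 can be illustrated together. The following Python is an added example written for this page; it is not code from the patent or from the applicant. The class name ContainerResourceManager, the functions encrypt_authority and decrypt_annotation, the pool:// address form, the master key and the sample authority information are all assumptions. The patent does not name an encryption technique, so the example uses an HMAC-SHA256 encrypt-then-MAC construction as a stand-in that runs with the standard library alone; a real deployment should use a standard AEAD such as AES-GCM. The example also makes explicit two points the description only implies: a tampered annotation is rejected at step 208 instead of being decrypted into attacker-chosen authority information, and group identifiers are matched alongside the single user identifier at step 209.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: one management-system key protects every container annotation.
# Constructed for this example; a real deployment keeps it in a KMS or HSM.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a PRF-based stream cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_authority(authority: dict, key: bytes = MASTER_KEY) -> bytes:
    """Step 202: authority information -> container annotation information.
    Stand-in encrypt-then-MAC layout: nonce || ciphertext || tag.
    Not a standard AEAD; use AES-GCM or ChaCha20-Poly1305 in production."""
    plaintext = json.dumps(authority, sort_keys=True).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_annotation(annotation: bytes, key: bytes = MASTER_KEY) -> dict:
    """Step 208: check the tag before decrypting, so a modified annotation is
    rejected rather than yielding attacker-controlled authority information."""
    if len(annotation) < NONCE_LEN + TAG_LEN:
        raise ValueError("container annotation too short")
    nonce, ciphertext, tag = annotation[:NONCE_LEN], annotation[NONCE_LEN:-TAG_LEN], annotation[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("container annotation failed integrity check")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class ContainerResourceManager:
    """Creation (steps 201-204) and access (steps 205-209) of the method."""

    def __init__(self, key: bytes = MASTER_KEY):
        self.key = key
        self.registration_list = []   # step 204: [{"container_id": ..., "container_address": ...}]
        self.pool = {}                # container resource pool keyed by container address

    def create_container(self, authority: dict, requirement: dict) -> str:
        annotation = encrypt_authority(authority, self.key)                 # step 202
        copies = [{"copy": i, "config": requirement.get("config", {})}      # step 203
                  for i in range(requirement.get("copies", 1))]
        container_id = "ctr-" + secrets.token_hex(4)
        container = {"id": container_id, "annotation": annotation, "copies": copies}
        address = f"pool://{container_id}"                                  # assumed address form
        self.pool[address] = container
        self.registration_list.append({"container_id": container_id, "container_address": address})
        return container_id

    def handle_access(self, request: dict) -> str:
        # step 206: resolve the target container identifier through the registration list
        address = next((e["container_address"] for e in self.registration_list
                        if e["container_id"] == request["target_container_id"]), None)
        if address is None:
            return "denied: unknown container"
        container = self.pool[address]                                      # step 207
        try:
            authority = decrypt_annotation(container["annotation"], self.key)   # step 208
        except ValueError as exc:
            return f"denied: {exc}"
        # step 209: the second user identifier may match directly or through a group identifier
        identifiers = [request["user_id"], *request.get("group_ids", [])]
        permitted = {op for ident in identifiers for op in authority.get(ident, [])}
        if not permitted:
            return "denied: no matching user or group identifier"
        if request["operation"] not in permitted:
            return f"denied: {request['operation']} not permitted"
        return f"ok: {request['operation']} on {container['id']}"


if __name__ == "__main__":
    mgr = ContainerResourceManager()
    # constructed sample authority information: one owner, one reader, one reader group
    cid = mgr.create_container({"alice": ["store", "read", "modify", "delete"],
                                "bob": ["read"], "grp-analysts": ["read"]},
                               {"copies": 2, "config": {"cpu": 1}})
    print(mgr.handle_access({"target_container_id": cid, "user_id": "bob", "operation": "delete"}))
    print(mgr.handle_access({"target_container_id": cid, "user_id": "carol",
                             "group_ids": ["grp-analysts"], "operation": "read"}))
```

Because the tag covers the nonce and ciphertext, any byte flipped in the packaged annotation makes decrypt_annotation raise, and handle_access turns that into a denial. That is the property that lets the authority information travel inside the container instead of living only in the management system's allocation tables.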
Preferably, to facilitate management of the containers, the container resource management system further receives container operation state information sent by each container, aggregates it, and reports the operation state of the containers to the user, which makes managing the containers easier.
Preferably, to further ensure data security, before receiving the container creation request sent by the first user in step 201, the method may further include: receiving an identity authentication request sent by a first user, and performing security authentication on the user identity of the first user; and when the user identity authentication request of the first user passes, sending an authentication passing message to the first user, so that the first user sends a container creation request after receiving the authentication passing message.
Further, the authentication mode may specifically be certificate authentication or key authentication. For example, the container resource management system may send a user certificate or a user key to the user, with which the user completes identity authentication; alternatively, a third-party authentication system may send the user certificate or user key to the user and send the matching system certificate or system key to the container resource management system, which then completes the identity authentication of the user. When the first user passes authentication, an authentication pass message may be sent to the first user, who sends the container creation request after receiving it; when the first user fails authentication, an authentication failure message may be sent to the first user, who may re-initiate the identity authentication request accordingly.
Preferably, to further ensure data security, before receiving the access request sent by the second user in step 205, the method may further include: receiving an identity authentication request sent by a second user, and performing security authentication on the user identity of the second user; and when the user identity authentication request of the second user passes, sending an authentication passing message to the second user, so that the second user sends an access request after receiving the authentication passing message.
Similarly, the authentication mode may specifically be certificate authentication or key authentication. For example, the container resource management system may send a user certificate or a user key to the user, with which the user completes identity authentication; alternatively, a third-party authentication system may send the user certificate or user key to the user and send the matching system certificate or system key to the container resource management system, which then completes the identity authentication of the user. When the second user passes authentication, an authentication pass message may be sent to the second user, who sends the access request after receiving it; when the second user fails authentication, an authentication failure message may be sent to the second user, who may re-initiate the identity authentication request accordingly.
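The key authentication that precedes the creation request (first user) and the access request (second user) can be shown as one exchange. The following Python is an added example for this page, not code from the patent or the applicant. It assumes a concrete form the description leaves open: the user proves possession of the issued key with an HMAC over a server nonce, the authentication pass message carries a session token, and tokens and challenges expire. The names IdentityAuthenticationUnit, gate_request and authenticate are assumptions. The example adds one check a practitioner would want that the description does not state: the user identifier carried in the later request must equal the authenticated identity, otherwise a caller could authenticate as one user and present another user's identifier when the authority information is consulted.

```python
import hashlib
import hmac
import secrets
import time


class IdentityAuthenticationUnit:
    """Key authentication placed in front of the creation and access requests.
    Assumptions (not from the patent): HMAC proof over a server nonce, session
    token in the pass message, single-use challenges, expiring tokens."""

    def __init__(self, token_ttl: float = 300.0, challenge_ttl: float = 60.0):
        self.user_keys = {}      # user identifier -> key issued to that user
        self.challenges = {}     # user identifier -> (nonce, issued_at), single use
        self.sessions = {}       # token -> (user identifier, expiry)
        self.token_ttl = token_ttl
        self.challenge_ttl = challenge_ttl

    def issue_user_key(self, user_id: str) -> bytes:
        """The system (or a third-party authentication system) sends the user a key."""
        key = secrets.token_bytes(32)
        self.user_keys[user_id] = key
        return key

    def identity_authentication_request(self, user_id: str):
        """First message: the system answers the request with a fresh nonce."""
        if user_id not in self.user_keys:
            return None
        nonce = secrets.token_bytes(16)
        self.challenges[user_id] = (nonce, time.monotonic())
        return nonce

    @staticmethod
    def prove_possession(user_key: bytes, user_id: str, nonce: bytes) -> bytes:
        """Client side: the proof is bound to the user identifier and the nonce,
        so a proof captured for one user or one challenge is useless elsewhere."""
        return hmac.new(user_key, b"auth-v1|" + user_id.encode() + b"|" + nonce,
                        hashlib.sha256).digest()

    def verify(self, user_id: str, proof: bytes):
        """Second message: ("pass", token) or ("fail", reason). The challenge is
        consumed even on failure, so the user must re-initiate the request."""
        entry = self.challenges.pop(user_id, None)
        if entry is None:
            return ("fail", "no outstanding challenge")
        nonce, issued_at = entry
        if time.monotonic() - issued_at > self.challenge_ttl:
            return ("fail", "challenge expired")
        expected = self.prove_possession(self.user_keys[user_id], user_id, nonce)
        if not hmac.compare_digest(expected, proof):
            return ("fail", "invalid proof")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user_id, time.monotonic() + self.token_ttl)
        return ("pass", token)

    def authenticated_user(self, token: str):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user_id, expiry = entry
        if time.monotonic() > expiry:
            del self.sessions[token]
            return None
        return user_id


def gate_request(auth: IdentityAuthenticationUnit, request: dict) -> str:
    """Accept a creation or access request only with a valid token whose
    authenticated identity equals the user identifier in the request."""
    user = auth.authenticated_user(request.get("token", ""))
    if user is None:
        return "rejected: authenticate first"
    if user != request["user_id"]:
        return "rejected: user identifier does not match authenticated identity"
    return f"accepted: {request['kind']} request from {user}"


def authenticate(auth: IdentityAuthenticationUnit, user_id: str, user_key: bytes):
    """Full round trip as the user performs it: request, prove, receive pass/fail."""
    nonce = auth.identity_authentication_request(user_id)
    if nonce is None:
        return ("fail", "unknown user")
    return auth.verify(user_id, IdentityAuthenticationUnit.prove_possession(user_key, user_id, nonce))


if __name__ == "__main__":
    unit = IdentityAuthenticationUnit()
    key = unit.issue_user_key("first-user")           # constructed sample user
    status, token = authenticate(unit, "first-user", key)
    print(status, gate_request(unit, {"token": token, "user_id": "first-user",
                                      "kind": "container creation"}))
```

The same unit serves both users: the first user authenticates before the container creation request and the second user before the access request, and in both cases the later request is accepted only through gate_request.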
The container resource management method provided by the second embodiment of the present invention receives a container creation request sent by a first user, where the container creation request includes authority information and requirement information, creates a container according to the authority information and the requirement information, registers the container, obtains a container registration information list, receives an access request sent by a second user for a target container, determines authority information of the target container according to the access request and the container registration information list, and executes the access request according to the authority information of the target container. Therefore, when the container is created, the authority information of the container can be directly packaged in the container, and then when a user accesses the container, the user can directly perform access according to the authority information in the container, so that the problem that in the prior art, the authority of the container is allocated to the user by a container resource management system, once the authority allocation mechanism collapses, the user access mechanism is disordered is solved, and the data security in the container is ensured.
Fig. 3 is a schematic structural diagram of a container management system according to a third embodiment of the present invention, which is used to solve the problem that an access right allocation mechanism in the prior art is prone to collapse and seriously affects data security in a container.
As shown in fig. 3, the container management system includes:
the transceiving unit 10 is configured to receive a container creation request sent by a first user, where the container creation request includes authority information and requirement information; and is also used for receiving an access request sent by a second user to the target container.
The container creating unit 20 is configured to create a container based on the authority information and the requirement information; and registering the container to obtain a container registration information list.
The container access unit 30 is used for determining the authority information of the target container according to the access request and the container registration information list; and executing the access request according to the authority information of the target container.
Preferably, the container creation unit 20 is specifically configured to: encrypting the authority information to obtain container annotation information; and creating a container copy according to the requirement information, and packaging the container annotation information and the container copy to obtain the container.
Preferably, the container registration information list includes a container identifier and a corresponding container address of each container; the access request includes a target container identification; the container access unit 30 is specifically configured to determine a container address of the target container according to the target container identifier and the container identifier of each container in the container registration information list; pulling up the target container according to the container address of the target container and acquiring container annotation information of the target container; and decrypting the container annotation information of the target container to obtain the authority information of the target container.
Preferably, the authority information includes each user identifier and corresponding operation authority; the access request comprises a second user identification and an access operation; the container access unit 30 is specifically configured to determine whether a target user identifier matching the second user identifier exists in each user identifier of the authority information of the target container; if so, judging whether the access operation of the second user is matched with the operation authority corresponding to the target user identification; and if so, executing the access operation.
Preferably, the requirement information comprises a container copy number and/or a container configuration parameter.
Further, in order to further ensure data security, the container resource management system provided by the invention further comprises an identity authentication unit;
the identity authentication unit is used for carrying out security authentication on the user identity of the first user; the system is also used for carrying out security authentication on the user identity of the second user;
correspondingly, the transceiver unit 10 is further configured to receive an identity authentication request sent by the first user before receiving the container creation request sent by the first user; when the identity authentication unit determines that the user identity authentication request of the first user passes, the transceiving unit 10 is further configured to send an authentication passing message to the first user, so that the first user sends a container creation request after receiving the authentication passing message;
the transceiving unit 10 is further configured to receive an identity authentication request sent by the second user before receiving the access request sent by the second user; when the identity authentication unit determines that the user identity authentication request of the second user passes, the transceiving unit 10 is further configured to send an authentication pass message to the second user, so that the second user sends the access request after receiving the authentication pass message.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process and corresponding beneficial effects of the system described above may refer to the corresponding process in the foregoing method embodiments, and are not described herein again.
The method and the system for managing the container resources provided by the invention receive a container creation request sent by a first user, wherein the container creation request comprises authority information and requirement information, create a container according to the authority information and the requirement information, register the container to obtain a container registration information list, receive an access request sent by a second user for a target container, determine the authority information of the target container according to the access request and the container registration information list, and execute the access request according to the authority information of the target container. Therefore, when the container is created, the authority information of the container can be directly packaged in the container, and then when a user accesses the container, the user can directly perform access according to the authority information in the container, so that the problem that in the prior art, the authority of the container is allocated to the user by a container resource management system, once the authority allocation mechanism collapses, the user access mechanism is disordered is solved, and the data security in the container is ensured.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A container resource management method, characterized in that it comprises:
receiving a container creation request sent by a first user, wherein the container creation request includes authority information and requirement information;
creating a container according to the authority information and the requirement information;
registering the container to obtain a container registration information list;
receiving an access request for a target container sent by a second user;
determining the authority information of the target container according to the access request and the container registration information list; and
executing the access request according to the authority information of the target container;
wherein creating the container according to the authority information and the requirement information comprises: encrypting the authority information to obtain container annotation information; and creating a container copy according to the requirement information and packaging the container annotation information and the container copy to obtain the container;
the container registration information list includes a container identifier and a corresponding container address of each container, and the access request includes a target container identifier; and
correspondingly, determining the authority information of the target container according to the access request and the container registration information list comprises: determining the container address of the target container according to the target container identifier and the container identifiers of the containers in the container registration information list; pulling up the target container according to the container address of the target container and acquiring the container annotation information of the target container; and decrypting the container annotation information of the target container to obtain the authority information of the target container.

2. The container resource management method according to claim 1, characterized in that, before receiving the container creation request sent by the first user, the method further comprises:
receiving an identity authentication request sent by the first user and performing security authentication on the user identity of the first user; and when the user identity authentication request of the first user passes, sending an authentication pass message to the first user, so that the first user sends the container creation request after receiving the authentication pass message;
and before receiving the access request sent by the second user, the method further comprises:
receiving an identity authentication request sent by the second user and performing security authentication on the user identity of the second user; and when the user identity authentication request of the second user passes, sending an authentication pass message to the second user, so that the second user sends the access request after receiving the authentication pass message.

3. The container resource management method according to claim 1, characterized in that the authority information includes user identifiers and the operation authority corresponding to each, and the access request includes a second user identifier and an access operation;
correspondingly, executing the access request according to the authority information of the target container comprises:
judging whether a target user identifier matching the second user identifier exists among the user identifiers in the authority information of the target container;
if so, judging whether the access operation of the second user matches the operation authority corresponding to the target user identifier; and if it matches, executing the access operation.

4. The container resource management method according to any one of claims 1 to 3, characterized in that the requirement information includes a number of container copies and/or container configuration parameters.

5. A container resource management system, characterized in that it comprises:
a transceiving unit, configured to receive a container creation request sent by a first user, wherein the container creation request includes authority information and requirement information, and further configured to receive an access request for a target container sent by a second user;
a container creation unit, configured to create a container according to the authority information and the requirement information, and to register the container to obtain a container registration information list; and
a container access unit, configured to determine the authority information of the target container according to the access request and the container registration information list, and to execute the access request according to the authority information of the target container;
wherein the container creation unit is specifically configured to: encrypt the authority information to obtain container annotation information; and create a container copy according to the requirement information and package the container annotation information and the container copy to obtain the container;
the container registration information list includes a container identifier and a corresponding container address of each container, and the access request includes a target container identifier; and
correspondingly, the container access unit is specifically configured to: determine the container address of the target container according to the target container identifier and the container identifiers of the containers in the container registration information list; pull up the target container according to the container address of the target container and acquire the container annotation information of the target container; and decrypt the container annotation information of the target container to obtain the authority information of the target container.

6. The container resource management system according to claim 5, characterized in that it further comprises an identity authentication unit;
the identity authentication unit is configured to perform security authentication on the user identity of the first user and on the user identity of the second user;
correspondingly, the transceiving unit is further configured to receive an identity authentication request sent by the first user before receiving the container creation request sent by the first user, and, when the identity authentication unit determines that the user identity authentication request of the first user passes, to send an authentication pass message to the first user so that the first user sends the container creation request after receiving the authentication pass message;
the transceiving unit is further configured to receive an identity authentication request sent by the second user before receiving the access request sent by the second user, and, when the identity authentication unit determines that the user identity authentication request of the second user passes, to send an authentication pass message to the second user so that the second user sends the access request after receiving the authentication pass message.

7. The container resource management system according to claim 5, characterized in that the authority information includes user identifiers and the operation authority corresponding to each, and the access request includes a second user identifier and an access operation;
correspondingly, the container access unit is specifically configured to: judge whether a target user identifier matching the second user identifier exists among the user identifiers in the authority information of the target container; if so, judge whether the access operation of the second user matches the operation authority corresponding to the target user identifier; and if it matches, execute the access operation.

8. The container resource management system according to any one of claims 5 to 7, characterized in that the requirement information includes a number of container copies and/or container configuration parameters.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710995539.9A CN107577538B (en) 2017-10-23 2017-10-23 Container resource management method and system

Publications (2)

Publication Number Publication Date
CN107577538A CN107577538A (en) 2018-01-12
CN107577538B true CN107577538B (en) 2020-03-31

Family

ID=61036846

Country Status (1)

Country Link
CN (1) CN107577538B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108182095A (en) * 2018-01-16 2018-06-19 湖北省楚天云有限公司 A kind of application dispositions method, device and equipment
CN108319872B (en) * 2018-01-16 2020-05-22 湖北省楚天云有限公司 Method, device and equipment for generating closed container
CN111490981B (en) * 2020-04-01 2022-02-01 广州虎牙科技有限公司 Access management method and device, bastion machine and readable storage medium
CN112162825A (en) * 2020-10-12 2021-01-01 北京首都在线科技股份有限公司 Equipment configuration method, device, equipment and storage medium
CN113472845B (en) * 2021-05-27 2023-05-09 四川大学华西医院 A medical IoT intelligent system based on container technology
CN113641456B (en) * 2021-08-18 2023-06-13 中国联合网络通信集团有限公司 Deployment method, device and system of data cluster
CN115185605A (en) * 2022-07-18 2022-10-14 支付宝(杭州)信息技术有限公司 A business execution method, device, storage medium and electronic device
CN117519911B (en) * 2024-01-04 2024-04-19 珠海星云智联科技有限公司 Automatic injection system, method, device, cluster and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105847045A (en) * 2016-01-04 2016-08-10 中国电子科技网络信息安全有限公司 Application packaging system and management method based on Docker container
CN106557690A (en) * 2016-11-29 2017-04-05 北京元心科技有限公司 Method and apparatus for managing multi-container system
CN106970822A (en) * 2017-02-20 2017-07-21 阿里巴巴集团控股有限公司 A kind of container creation method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9524150B2 (en) * 2014-12-15 2016-12-20 Kirsten Ingmar Heiss System and method for software development using graphical tree structures
CN105160269A (en) * 2015-08-13 2015-12-16 浪潮电子信息产业股份有限公司 Method and apparatus for accessing data in Docker container
KR102294568B1 (en) * 2015-08-19 2021-08-26 삼성에스디에스 주식회사 Method and apparatus for security checking of image for container

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
访问Docker仓库;wade&luffy;《https://www.cnblogs.com/wade-luffy/p/6497502.html》;20170303;第1-3页 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant