CN108156175B - Method for accessing shared storage information under cloud computing platform - Google Patents


Publication number
CN108156175B
Authority
CN
China
Prior art keywords
data
web application
application
key
cluster
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810061041.XA
Other languages
Chinese (zh)
Other versions
CN108156175A (en
Inventor
刘颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Securities PENGYUAN credit rating Co.,Ltd.
Original Assignee
China Securities Pengyuan Credit Rating Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Securities Pengyuan Credit Rating Co ltd filed Critical China Securities Pengyuan Credit Rating Co ltd
Priority to CN201810061041.XA priority Critical patent/CN108156175B/en
Publication of CN108156175A publication Critical patent/CN108156175A/en
Application granted granted Critical
Publication of CN108156175B publication Critical patent/CN108156175B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention provides a method for accessing shared storage information under a cloud computing platform, which comprises the following steps: analyzing the terminal access address to acquire the access authentication information; judging the type of the access data according to the authentication information, and if the type is control data, processing the control data by a main control module of the private cloud; and if the type is the transaction data, forwarding the address request to a cluster engine of the private cloud, and processing the transaction data by the cluster engine. The invention provides an access method for shared storage information under a cloud computing platform, which is used for instantiating a space of a basic cluster environment of the cloud platform, so that system resources of a cluster are more fully utilized, and the problem of time consumption caused by a private cloud utilizing a virtual machine is solved. The private data are isolated from the cluster nodes, the isolation of the private data among verified applications is guaranteed, and the security of private storage is guaranteed.

Description

Method for accessing shared storage information under cloud computing platform
Technical Field
The invention relates to cloud computing, in particular to an access method for shared storage information under a cloud computing platform.
Background
The affairs processed by the mobile terminal extend from the traditional communication field to the high-safety affairs field such as office, payment and the like. The mobile terminal needs to process information including user account information, personal privacy information, payment order information, private files, and the like. How to effectively ensure the security of private data becomes a difficult problem for mobile terminal equipment to develop safe and private affairs. The existing solution is to encrypt private data by a high-strength cryptographic algorithm and to restrict data access by means of the authority control of the cluster nodes. However, the complexity and openness of the mobile terminal cluster node make it impossible to create a secure operating environment, and the cluster node itself and the application are vulnerable to malicious attacks. In addition, the private data is stored in a common file system in an encrypted mode, and the risk of attack caused by illegal damage exists. Although the trusted partition technology provides a safe and isolated runtime environment for processing private data by an application, a uniform secure access interface cannot be provided for verified application development and web application development, and meanwhile security detection is performed on a web application sending a data secure access request.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a method for accessing shared storage information under a cloud computing platform, which comprises the following steps:
analyzing the terminal access address to acquire the access authentication information;
judging the type of the access data according to the authentication information,
if the type is control data, the main control module of the private cloud processes the control data;
and if the type is the transaction data, forwarding the address request to a cluster engine of the private cloud, and processing the transaction data by the cluster engine.
Preferably, the processing of the transaction data by the cluster engine further includes:
the cluster engine forwards the access request to the specific space instance, and the specific space instance performs transaction processing and returns the transaction processing to the cluster engine.
Preferably, after completing the processing of the transaction data, the method further comprises:
and the cluster engine directly returns the processing result to the mobile terminal.
Preferably, the cluster engine maintains an addressing list that includes web application IDs, scheduling rules, web application running copy addresses, and recent update times.
Preferably, the web application ID is a web application ID deployed in the spatial instance, one web application corresponds to one or more web application running copies, and the web application running copies provide specific processing.
Preferably, the scheduling rule is a processing rule for task scheduling.
Preferably, the web application running copy address is an address used when accessing a space instance application.
Preferably, the web application running copy update time is the most recent update time when the spatial instance application was running.
Compared with the prior art, the invention has the following advantages:
the invention provides an access method for shared storage information under a cloud computing platform, which is used for instantiating a space of a basic cluster environment of the cloud platform, so that system resources of a cluster are more fully utilized, and the problem of time consumption caused by a private cloud utilizing a virtual machine is solved. The private data are isolated from the cluster nodes, the isolation of the private data among verified applications is guaranteed, and the security of private storage is guaranteed.
Drawings
Fig. 1 is a flowchart of a method for accessing shared storage information under a cloud computing platform according to an embodiment of the present invention.
Detailed Description
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
One aspect of the invention provides a method for accessing shared storage information under a cloud computing platform. Fig. 1 is a flowchart of an access method for shared storage information under a cloud computing platform according to an embodiment of the present invention.
First, a task distributor is arranged in the private cloud computing system and is connected with a cluster engine and a main control module. The task distributor controls the access distribution of control data and transaction data and the authority verification of access requests in the private cloud platform. The cluster engine is connected with a cluster space instantiation unit, and the main control module further comprises an authority control node and a management control node;
for the access allocation of the control data and the transaction data, the specific steps are as follows:
resolving an access address to obtain access authentication information;
and transmitting the authentication information to the main control module, verifying the authentication information by the authority control node of the main control module, and returning the verification result to the task distributor.
If the verification result fails, the task distributor returns failure information to the mobile terminal; if the verification result is successful, the task distributor analyzes the type of the access data and analyzes whether the access data is control data or transaction data;
if the access data is control data, the main control module processes the control data;
if the access data is transaction data, the address request is forwarded to the cluster engine, and the cluster engine processes the transaction data;
the cluster engine forwards the access request to the specific space instance, the specific space instance performs transaction processing and then returns the transaction processing result to the cluster engine, and the cluster engine returns the processing result to the mobile terminal;
the cluster engine maintains an addressing list in memory, the addressing list including a web application ID, scheduling rules, a web application running copy address, and a most recent update time. The web application ID is a web application ID deployed in the space instance, one web application corresponds to one or more web application running copies, and the web application running copies provide specific processing; the scheduling rule is a processing rule for task scheduling; the web application running copy address is an address used when accessing the space instance application; the web application running copy update time is the latest update time when the space instance application is running;
The specific processing steps are as follows:
after the cluster engine is successfully started, it issues a cluster engine startup success message to the main control module;
the cluster space instantiation unit listens for the cluster engine's startup success message and, after receiving it, periodically sends the specific information of the web application running copies running on the local machine;
after receiving the message from the cluster space instantiation unit, the cluster engine parses the web application ID, the web application running copy address and the port;
if the web application running copy address already exists in the addressing list maintained in the cluster engine's memory, the latest update time of that web application running copy is updated.
If the web application running copy address does not exist in the addressing list maintained in memory by the cluster engine, a record is added to the addressing list;
according to the address request, the cluster engine parses the accessed web application ID, selects a suitable web application running copy according to that ID and the configured scheduling rule, and redirects the access request to the selected web application running copy;
the web application running copy processes the request, completes the specific call and returns the call result to the cluster engine; the cluster engine returns the call result to the mobile terminal;
the cluster space instantiation unit performs space instantiation on a cluster, performs overall arrangement on all space instances, records and maintains an application and web application running copy list running in a current platform, and the main control module receives data information, maintains the application and web application running copy list, monitors and feeds back the state of the web application running copy;
the cluster space instantiation unit receives the control data forwarded by the main control module and forwards it for the corresponding processing, wherein the control data comprises obtaining the web application list, constructing a web application, deleting a web application and updating the number of copies;
the cloud cluster is operated and deployed in the cluster space instantiation unit, the operation state of the operation copy is constructed, deleted and monitored according to the message content forwarded by the server, meanwhile, the update information of the operation copy and the resource state of the operation cluster are fed back, and support is provided for the server to process and acquire the web application list, construct the application, delete the application and update the copy number of the application.
Specifically, the specific steps of obtaining the web application list are as follows:
firstly, accessing a database table by a cluster space instantiation unit to acquire an application ID, an application state and a corresponding running copy;
secondly, the cluster space instantiation unit organizes the data and returns it to the mobile terminal;
the specific steps for constructing the application are as follows:
firstly, a cluster space instantiation unit sends a message for constructing an application resource request;
secondly, the cluster space instantiation unit monitors the message and obtains the number of running copies which can be constructed by the cluster through calculation;
thirdly, a timeout is set so that a response list is obtained within a certain time range, and the number of copies requested to be constructed is distributed to the cluster nodes according to the number of running copies each can construct; the specific steps for allocating the number of constructible running copies to the cluster nodes are as follows:
i, record the number of constructed copies distributed to cluster nodes each time;
ii, if the sum of the number of constructed copies already distributed and the number of running copies about to be distributed to the cluster node is greater than the number of running copies to be constructed by the application, the number of copies distributed to that cluster node is set equal to the number of running copies of the web application to be constructed by the application minus the number of constructed copies already distributed.
Fourthly, sending the number of the running copies of the web application to be constructed to the designated cluster node;
fifthly, the cluster node acquires the mirror image file to construct a running copy, informs the server end after the construction is finished, and registers an access path of the web application running copy in cluster scheduling;
and sixthly, modifying the information in the record data table according to the feedback, and modifying the state of the application into starting after the number of the running copies required by the application is constructed.
The specific steps for deleting the application are as follows:
analyzing a web application ID to be deleted by a space instantiation engine;
the space instantiation engine sends a message for deleting the application;
the cluster node monitors the message of deleting the application, judges whether the cluster in which the cluster is positioned has the running copy of the application after receiving the message, and finishes the operation if the cluster does not have the running copy of the application; and if the running copy of the application exists, deleting the running copy of the application.
The method comprises the following specific steps of updating the number of running copies of the web application:
the space instantiation engine calculates the ID of the web application, the running copy number of the change and the change operation type (increasing or decreasing);
if the operation type is to increase the running copy, constructing an application copy;
if the operation type is to reduce the running copy, the specific operation is as follows:
i. obtaining a current running copy list from the record table;
ii. Randomly selecting a running copy to be deleted;
iii, sending a message to delete the running copy of the web application;
iv, the space instantiation engine cluster node monitors the message, judges whether the cluster in which the space instantiation engine cluster node is located has the running copy after receiving the message, and does not perform any operation if the running copy does not exist; and if the running copy exists, deleting the running copy.
In the process of dispatching the access requests collected by the cloud platform to the target cluster nodes of the cloud platform, firstly, the service performance of all current cluster nodes is calculated according to the fitness function for evaluating the performance of the cluster nodes, the cluster nodes in the cloud platform are subjected to condition filtering according to the terminal request transaction amount, and the cluster nodes with the residual space amount of the cluster nodes larger than the total space amount of the access request set form a set, wherein the set is the integral constraint on the cloud platform. Abstracting k cluster nodes in the cluster node set into k cluster points, clustering the k cluster points with all cluster nodes in the cloud platform respectively, calculating the similarity between the cluster nodes according to the two spatial quantity attributes of the cluster nodes, giving a threshold value according to the similarity, and adding the cluster nodes with the similarity between the cluster nodes within the threshold value into a new set. When the elements in a set no longer change, this set is the final result of the clustering. And finally, scheduling the to-be-processed transaction to the cluster node in the final set.
Step 1: Suppose $n$ cluster nodes form a set $H$. A constraint condition is applied to all cluster nodes, with the residual space $L_i$ of each cluster node as the measurement criterion. $L_i$ is defined as follows:
$$L_i = \alpha L_c + \beta L_m$$
where $\alpha + \beta = 1$.
$L_c$ is the web application space amount; $L_m$ is the verified application space amount; $\alpha$ and $\beta$ are their respective weights, whose values are determined by learning with a BP neural network. The performance monitoring data of the cluster nodes in the whole private cloud are obtained according to the fitness function of cluster node performance, and the residual space amount of the $n$ cluster nodes in the current cloud platform is calculated. The constraint value is defined as the total amount of space of the set of access requests received during a particular time period, namely:
Figure BDA0001555317270000071
where LR is expressed as the total amount of space in the access request set,
Figure BDA0001555317270000081
expressed as the amount of space for the $i$-th transaction in the set of access requests. Define an empty set $\Phi$ and calculate the total space amount $LR$ of the access request set. When $L_i > LR$, cluster node $i$ is scheduled into the set $\Phi$; otherwise the search continues. After the $n$ cluster nodes have been compared with the constraint value, the set $\Phi = \{s_1, s_2, s_3, \ldots, s_m\}$ is obtained as the set of clustering points, where $m < n$.
Step 2: Obtain the performance value of each cluster node according to the fitness function of cluster node performance, and schedule the cluster nodes with relatively good performance into the set $\Phi$ through the limitation of the constraint value. For the $m$ cluster nodes in $\Phi = \{s_1, s_2, s_3, \ldots, s_m\}$, sort the cluster nodes in descending order of remaining web application space. Suppose $s_j$ is the cluster node with the largest remaining web application space and take $s_j$ as a clustering point. The formula for calculating the similarity is:
Figure BDA0001555317270000082
$$s(s_i, s_j) = 1/d(s_i, s_j)$$
Figure BDA0001555317270000083
for the $k$-th attribute of cluster node $j$, the similarity $s(s_i, s_j)$ between cluster node $j$ and cluster node $i$ is calculated:
Figure BDA0001555317270000084
Step 3: With $s_j$ as the clustering point, calculate the similarity values between $s_j$ and the elements in the set $H$. A threshold $U$ is given according to the similarity, and if the similarity is greater than the threshold $U$, the element is added to the new set $\Phi'$. Clustering points are then selected from the set $\Phi$ in turn, in descending order of the cluster nodes' remaining processor amount, the similarity between each clustering point and the elements in the set $H$ is calculated, and elements whose similarity is greater than $U$ are scheduled into the set $\Phi'$. Iteration finishes when the elements in the set $\Phi'$ no longer change, and the set $\Phi'$ is the final clustering result, namely $\Phi' = \{s_1', s_2', \ldots, s_q'\}$, where $q < m < n$.
Step 4: Schedule the received access requests to the cluster nodes in the set $\Phi'$; the cluster nodes in the set $\Phi'$ then process the requested transaction set and return the result to the user after the processing is finished. The access requests received between the time the cluster nodes in the set $\Phi'$ start processing the transactions and the time they finish are taken as the next transactions to be processed.
And the authority control node of the main control module allows the web application to send a data private access request to the verified application by calling the management interface. In order to enable the trusted execution environment to perform security detection on the process of the web application when the web application sends a data access request, the permission control node provides fingerprint information of the web application as a check criterion, and the method comprises the following specific implementation steps:
(1) Read the binary file information of the web application to obtain the code segment size $Size_{code}$;
perform a HASH operation on the binary information of the web application code segment using a HASH algorithm to generate the code segment HASH value $H_{code} = Hash(Code)$, where Code stands for the web application code segment;
take the code segment size $Size_{code}$ and the code segment HASH value $H_{code}$ as the fingerprint information of the web application, $Fpr_{app} = (Size_{code} \| H_{code})$;
(2) Sign the fingerprint information $Fpr_{app}$ of the web application using the trusted license to generate the fingerprint information signature $Sg_{app} = Sg(Size_{code} \| H_{code})$;
(3) Write the fingerprint information signature $Sg_{app}$ to the specific data segment of the verified application. The verified application is a verified application that accepts web application data access requests.
When the web application sends a data access request to the verified application, the cluster node sends process exception information of the web application to a trusted isolation area monitoring process of a trusted execution environment; after the monitoring process of the trusted isolation area captures process abnormal information, the process abnormal information of the web application is detected, and the method specifically comprises the following steps:
(1) Acquire the process exception information of the web application (including the interface calling data address, the process code segment base address, the process code segment size and the verified application ID), and load the web application fingerprint information signature $Sg_{app}$ from the specific data segment of the corresponding verified application according to the verified application ID;
(2) Perform a HASH operation, using the HASH algorithm, on the code segment data between the process memory address and the process code segment size, calculate the code segment HASH value $H'_{code} = Hash(Code)$ of the web application process, and obtain the process fingerprint information $Fpr'_{app} = (CodeSize \| H'_{code})$ of the web application, where Code represents the code segment of the web application process;
(3) Verify the fingerprint information signature $Sg_{app}$ using the trusted license public key to obtain the fingerprint information $Fpr_{app} = (Size_{code} \| H_{code})$ of the web application;
(4) Compare whether the fingerprint information $Fpr_{app}$ and $Fpr'_{app}$ are equal. If they are equal, the current web application process is judged to be legal and the detection status flag bit is set to 1; otherwise, the current web application process is judged to be illegal and the detection status flag bit is set to 0;
the detection status flag bit indicates whether the current web application process passes the security detection: if the flag bit is 1, the detection is passed; otherwise, it indicates a failure.
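The enrollment and detection steps above, as an added Go example that is not part of the patent text: it builds $Fpr_{app}$, signs it, and later recomputes the fingerprint over the reported code segment range to derive the detection status flag. SHA-256, RSA-PSS, the 8-byte size encoding, storing the fingerprint next to its signature, and the names `Enroll`, `Detect` and `ExceptionInfo` are assumptions, since the page names no concrete algorithms.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("stored fingerprint signature does not verify")
	ErrBadRange     = errors.New("code segment range lies outside process memory")
)

// NewLicenseKey returns a constructed RSA key pair standing in for the trusted license key.
func NewLicenseKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Fingerprint returns Fpr = Size_code || H_code. The 8-byte big-endian size and
// SHA-256 are assumptions; the page only says "HASH algorithm".
func Fingerprint(code []byte) []byte {
	fpr := make([]byte, 8, 8+sha256.Size)
	binary.BigEndian.PutUint64(fpr, uint64(len(code)))
	sum := sha256.Sum256(code)
	return append(fpr, sum[:]...)
}

// SignedFingerprint is the record written to the verified application's data segment.
type SignedFingerprint struct {
	Fpr []byte // Fpr_app
	Sig []byte // Sg_app
}

// Enroll performs the provisioning steps (1) to (3): fingerprint the code segment and sign it.
func Enroll(priv *rsa.PrivateKey, code []byte) (SignedFingerprint, error) {
	fpr := Fingerprint(code)
	digest := sha256.Sum256(fpr)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedFingerprint{}, err
	}
	return SignedFingerprint{Fpr: fpr, Sig: sig}, nil
}

// ExceptionInfo models the part of the process exception information used here.
// CodeBase is an offset into the memory slice that stands in for process memory.
type ExceptionInfo struct {
	CodeBase uint64
	CodeSize uint64
}

// Detect performs the detection steps and returns the detection status flag (1 or 0).
func Detect(pub *rsa.PublicKey, stored SignedFingerprint, memory []byte, info ExceptionInfo) (int, error) {
	// Verify the stored record before trusting anything in it.
	digest := sha256.Sum256(stored.Fpr)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], stored.Sig, nil); err != nil {
		return 0, ErrBadSignature
	}
	// The reported range is untrusted input: reject overflow and out-of-bounds reads.
	memLen := uint64(len(memory))
	if info.CodeBase > memLen || info.CodeSize > memLen-info.CodeBase {
		return 0, ErrBadRange
	}
	// Fpr' covers the reported size too, so a shortened or extended range cannot match.
	live := Fingerprint(memory[info.CodeBase : info.CodeBase+info.CodeSize])
	if subtle.ConstantTimeCompare(live, stored.Fpr) == 1 {
		return 1, nil
	}
	return 0, nil
}

func main() {
	priv, err := NewLicenseKey()
	if err != nil {
		panic(err)
	}
	code := []byte("constructed code segment") // constructed sample input
	memory := append(append([]byte("....HEAD"), code...), []byte("TAIL")...)
	stored, err := Enroll(priv, code)
	if err != nil {
		panic(err)
	}
	info := ExceptionInfo{CodeBase: 8, CodeSize: uint64(len(code))}
	flag, err := Detect(&priv.PublicKey, stored, memory, info)
	fmt.Println("intact process:", flag, err)
	memory[10] ^= 0x01 // simulate a modified code segment
	flag, err = Detect(&priv.PublicKey, stored, memory, info)
	fmt.Println("modified process:", flag, err)
}
```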
After completing the security detection, the right control node then implements application data processing and key management, further comprising:
a) the verified application initiates a remote call of the data storage operation, and the request parameters comprise the verified application ID, the private data to be processed $Data_{pv}$ and the cryptographic algorithm $Type_{en}$;
b) After receiving the data access request of the verified application, whether the remote call can be accepted and processed is determined by checking the detection status flag bit. If the detection status flag bit is 0, the remote call is rejected; if the detection status flag bit is 1, the remote call is processed;
c) after the security detection is passed, a key generation request is initiated according to the cryptographic algorithm $Type_{en}$;
d) after receiving the key generation request, firstly, according to the cryptographic algorithm $Type_{en}$, the key generator is invoked to generate the random key of the symmetric cryptographic algorithm, $KEY = KeyGenerator(Type_{en})$;
Secondly, the license public key $PK_{py}$ of the verified application is loaded, and the cryptographic algorithm $Type_{en}$ and the random key KEY are encrypted to generate the key encryption data $EPK_{py} = RSA(PK_{py}, (ID \| KEY))$;
The license private key $PPK_{py}$ of the verified application is then loaded, and the key encryption data $EPK_{py}$ is signed to generate the key signature data $SPK_{py} = Sg(PPK_{py}, EPK_{py})$;
Finally, indexed by the verified application ID, the key encryption data $EPK_{py}$ and the key signature data $SPK_{py}$ are stored on a non-volatile memory in the trusted execution environment in a particular organizational manner, and the generated random key KEY is returned.
Wherein KeyGenerator is a symmetric key generator algorithm; RSA is a public key encryption algorithm; Sg is a public key signature algorithm;
e) after the key is successfully generated, according to the cryptographic algorithm $Type_{en}$, the corresponding symmetric encryption algorithm is called and the private data $Data_{pv}$ is encrypted with the random key KEY to generate the encrypted data $EData_{pv} = SymEn(KEY, Data_{pv})$;
Secondly, the HASH algorithm is used to calculate the HASH value of the encrypted data, $HData_{pv} = Hash(EData_{pv})$;
Then the license private key $PPK_{py}$ of the verified application is used to sign the HASH value to generate the signature data $SData_{pv} = Sg(PPK_{py}, HData_{pv})$;
Finally, the data processing module 103, indexed by the verified application ID, stores the encrypted data $EData_{pv}$ and the signature data $SData_{pv}$ to a non-volatile memory in the trusted execution environment in a particular organizational manner, and returns the data storage result to the verified application.
Wherein SymEn is a symmetric encryption algorithm; Sg is a public key signature algorithm.
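Steps b) to e) as an added Go example, not code from the patent: `Put` gates on the detection status flag, generates KEY, wraps ID||KEY, and signs both the wrapped key and the hash of the ciphertext. The read path `Get` goes beyond the page and shows why both signatures are stored. RSA-OAEP, RSA-PSS, SHA-256, AES-256-GCM, treating ID as an algorithm identifier byte, binding the application ID as associated data, and every name are assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const TypeAES256GCM byte = 1 // constructed identifier for Type_en, used as the ID in ID||KEY

var ErrRejected = errors.New("remote call rejected: detection status flag is 0")
var ErrTampered = errors.New("stored record failed verification")

// Record is what gets stored per verified application ID.
type Record struct {
	EPK, SPK     []byte // wrapped ID||KEY and its signature
	EData, SData []byte // nonce||ciphertext and the signature over Hash(EData)
}

type Store map[string]Record // stands in for TEE non-volatile memory, indexed by app ID

// NewLicenseKey returns a constructed key pair standing in for PK_py / PPK_py.
func NewLicenseKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put follows steps b) to e): gate on the flag, generate, wrap and sign KEY, encrypt and sign the data.
func Put(s Store, appID string, flag int, priv *rsa.PrivateKey, data []byte) error {
	if flag != 1 {
		return ErrRejected
	}
	secret := make([]byte, 32+12) // random KEY followed by the 12-byte GCM nonce
	if _, err := rand.Read(secret); err != nil {
		return err
	}
	key, nonce := secret[:32], secret[32:]
	idKey := append([]byte{TypeAES256GCM}, key...)
	epk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, idKey, nil)
	if err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	edata := gcm.Seal(nonce, nonce, data, []byte(appID)) // app ID bound as associated data
	spk, errK := sign(priv, epk)
	sdata, errD := sign(priv, edata)
	if errK != nil || errD != nil {
		return errors.New("signing failed")
	}
	s[appID] = Record{EPK: epk, SPK: spk, EData: edata, SData: sdata}
	return nil
}

// Get is the reverse path (added here, not described on the page): verify both signatures, then decrypt.
func Get(s Store, appID string, priv *rsa.PrivateKey) ([]byte, error) {
	rec, pub := s[appID], &priv.PublicKey
	if verify(pub, rec.EPK, rec.SPK) != nil || verify(pub, rec.EData, rec.SData) != nil {
		return nil, ErrTampered
	}
	idKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.EPK, nil)
	if err != nil || len(idKey) != 33 || idKey[0] != TypeAES256GCM || len(rec.EData) < 12 {
		return nil, ErrTampered
	}
	gcm, err := newGCM(idKey[1:])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.EData[:12], rec.EData[12:], []byte(appID))
}

func main() {
	priv, _ := NewLicenseKey()
	s := Store{}
	err := Put(s, "app-1", 1, priv, []byte("constructed private data"))
	pt, _ := Get(s, "app-1", priv)
	fmt.Println(err, string(pt))
}
```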
The authority control node of the main control module also controls authentication information verification of the access address and provides a management interface, including acquiring a web application list, constructing an application, deleting the application and updating the number of running copies of the web application, and the specific steps are as follows:
the method comprises the steps that a main control module maintains an application authentication information table, wherein the application authentication information table comprises web application IDs and authentication information;
receiving authentication information; the authentication information has the following features: it is 128 bits long, is unique, corresponds to a unique application, has a time characteristic, and can be verified;
searching whether corresponding application authentication information exists in an application authentication information table;
if the applied authentication information is found, returning success; if the applied authentication information is not found, returning failure;
parsing the address request parameters and parsing the operation interface; if the operation type is obtaining the web application list, constructing an application, deleting an application or updating the number of running copies of the web application, the address request is forwarded to the cluster space instantiation engine;
the cluster space instantiation engine performs specific operation and feeds back a processing result to a management control node of the main controller;
and returning the calling result to the mobile terminal by the main controller.
In addition, if the running state of the application is not consistent with the preset state, the space instantiation unit is informed to process, and the steps are as follows:
starting two threads, intercepting an update message issued by a thread interception space instantiation engine, storing the update message in a key value pair system, comparing a preset state and an operation state of an application by a discovery thread, and informing the space instantiation engine of a processing state difference;
the interception thread intercepts the message bus all the time, analyzes the web application ID, the web application running copy access address and the state of the web application running copy after receiving the update information message, and stores the state in a key-value pair system in a key-value pair form;
the discovery thread periodically acquires the preset state and the preset running copies of the current application from the space instantiation engine, and at the same time acquires the actual running state of the current application from the key-value pair system, judges the difference between the actual running state and the preset state, and informs the space instantiation engine to process it; the specific steps are as follows:
the discovery thread acquires the actual running state of the application from the key value pair system at regular time, and each acquired running state moment is taken as a snapshot;
recording the latest N snapshots of the actual running state of the application and comparing them; if the N snapshots are inconsistent, the cause is judged to be an unstable network or a failover in progress, and no processing is performed in this case;
and if the N snapshot states are consistent, starting to judge whether the actual running state of the running copy of the web application is consistent with the preset state, and after the judgment is finished, judging whether the number of the copies of the application is consistent with the preset number.
The specific steps for checking whether the actual running state of the running copy is consistent with the preset state are as follows:
i, taking the web application running copy list provided by the space instantiation engine and comparing it one by one against the records in the key-value pair system, and calling a management interface of the space instantiation engine to complete the state change if the running copy states recorded by the two are inconsistent;
ii, only comparing the running copies of the web application in the running state and the stopping state, and not processing the application in the intermediate state;
case 1: the recorded copies in the space instantiation engine are not in the key-value pair system, and the discovery thread informs the space instantiation engine to newly construct a copy;
case 2: the state of the copy recorded in the space instantiation engine is inconsistent in the key value pair system, and the discovery thread informs the space instantiation engine to modify the state of the copy;
case 3: the spatial instantiation engine has no record, but the key value pair system has updating information, and the discovery thread informs the spatial instantiation engine to remove the copy;
the specific steps of judging whether the number of the copies of the application is consistent with the preset number are as follows:
i, obtaining the expected number of running copies of the application recorded in the space instantiation unit, and comparing it with the number of copy update records in the key-value pair system;
ii, only comparing applications in the running and stopped states; other states are not processed.
The possible situations when the two are compared include:
case 1: if the preset number of the copies recorded by the space instantiation engine is more than the number of the copies recorded by the key-value pair system, informing the space instantiation engine to reduce the running copies;
case 2: and if the preset number of the copies recorded by the space instantiation engine is less than the number of the copies recorded by the key-value pair system, informing the space instantiation engine to increase the running copies.
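The per-copy state check described above (the N-snapshot stability gate, the rule that intermediate states are skipped, and cases 1 to 3) can be sketched as follows. This is an added example, not code from the patent; the class name, the action tuples and the state names "running", "stopped" and "starting" are assumptions, as is treating fewer than N recorded snapshots as unstable.

```python
from collections import deque

# Only these states are compared; anything else is an intermediate state.
COMPARABLE = {"running", "stopped"}


class DiscoveryThread:
    """Keeps the latest N snapshots of the key-value pair system for one app."""

    def __init__(self, n):
        self.snapshots = deque(maxlen=n)

    def observe(self, kv_state):
        """Record one snapshot: {copy_id: state} as read from the key-value system."""
        self.snapshots.append(dict(kv_state))

    def stable(self):
        """True only when N snapshots exist and all of them are identical."""
        if len(self.snapshots) < self.snapshots.maxlen:
            return False  # assumption: too little history counts as unstable
        first = self.snapshots[0]
        return all(snap == first for snap in self.snapshots)

    def reconcile(self, engine_state):
        """Return the notifications for the space instantiation engine.

        engine_state: {copy_id: preset_state} as recorded by the engine.
        """
        if not self.stable():
            return []  # unstable network or failover: do nothing
        actual = self.snapshots[-1]
        actions = []
        for copy_id, preset in sorted(engine_state.items()):
            if preset not in COMPARABLE:
                continue
            if copy_id not in actual:
                actions.append(("construct", copy_id))   # case 1
            elif actual[copy_id] in COMPARABLE and actual[copy_id] != preset:
                actions.append(("modify", copy_id))      # case 2
        for copy_id, state in sorted(actual.items()):
            if copy_id not in engine_state and state in COMPARABLE:
                actions.append(("remove", copy_id))      # case 3
        return actions


# Constructed sample data for illustration.
ENGINE = {"c1": "running", "c2": "running", "c3": "running", "c5": "running"}
KV = {"c1": "running", "c2": "stopped", "c4": "running", "c5": "starting"}
```
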
After the verification tags for the application's running-copy data are generated, a hash tree $TREE_j$ is established for each copy $R_j$. The leaf nodes of $TREE_j$ are the set of vector HASH values $\{H(H(r_{ij}))\}$ ordered on the primary key, and the tree root is $h_{R_j}$.
The root-node HASH values $\{h_{R_j}\}_{1 \le j \le m}$ of all replica hash trees are used to generate a signature $Sg_1 = (ID_R | h_R)^{\alpha}$. The verification tag set and the application running-copy hash tree of the same data copy are stored, together with the application running-copy data, on the same cluster node in the cloud.
And the web application simultaneously sends a sampling request to the cluster node data copy for integrity verification. The sampling inspection process comprises the following steps:
(1) A trusted third-party verification node delegated by the web application determines the number $c$ of vectors to be sampled, $1 \le c \le N$, and randomly generates the key $k_1$ of a permutation function $\pi_{key}$ and the key $k_2$ of a random mapping function $\psi_{key}$. Using the same random permutation function and random mapping function with the same keys $k_1, k_2$, the verification node generates a challenge value set $C = \{(i, v_i)\}$, where $C$ gives the key values $i \in [1, N]$ of the vectors to be verified and the corresponding random values $v_i$, with $\{i\} = \pi_{key}(k)_{1 \le k \le c}$ and $\{v_i\} = \psi_{key}(k)_{1 \le k \le c}$. The verification node sends the sampling information $(C, k_1, k_2)$ to the cluster node.
(2) After receiving the sampling information sent by the verification node, the cluster nodes generate verification evidence $P$ to prove that each cluster node correctly stores the copy data of the web application. The generated verification evidence is $P = \{\sigma, \mu, \langle H(r_{ij}), I_{ij} \rangle_{(i,*) \in C,\ 1 \le j \le m}\}$, wherein:
① $\sigma$ is the aggregate verification-tag value of the sampled replica vectors, $\sigma = \prod_{(i, v_i) \in C} \sigma_i^{v_i}$, where $\sigma_i = \prod_{j \in [1, m]} \sigma_{ij}$ is the aggregation of the homomorphic tags of the multiple data copies corresponding to the same vector, and $\sigma \in G$;
② $\mu$ is verification information that proves the cluster node stores the sampled data vectors of the web application; over all data copies of the web application, $\mu = \{\mu_j\}_{1 \le j \le m}$, where the value for each copy is computed as $\mu_j = \sum_{(i, v_i) \in C} v_i \cdot r_{ij}$;
③ $I_{ij}$ is the auxiliary verification path information of each data copy's sampled vector on the hash tree; it records all sibling-node information and position information on the path from the tree root node to the leaf node corresponding to the sampled data vector.
(3) After the verification node receives a verification value P returned by the cluster node, verifying the correctness of the P:
From $\langle H(r_{ij}), I_{ij} \rangle_{(i,*) \in C,\ 1 \le j \le m}$ and the application's running-copy number information, reconstruct $V = ID_R | h_R$.
Determining whether the information of the check value returned by the web application is correct, and checking whether an equation is established:
Figure BDA0001555317270000151
$e(\cdot)$ is a bilinear map; true is returned if the verification passes, otherwise false is returned.
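The sampling and hash-tree parts of this check can be sketched as below: both sides derive the challenge from the shared keys, the cluster node returns each sampled leaf with its auxiliary path, and the verification node rebuilds the root. This is an added example, not code from the patent. It does not cover the tag aggregation or the bilinear-map equation, and HMAC-SHA256 as the keyed functions, the modulus Q, the leaf and node prefixes and all function names are assumptions. The trusted root stands in for the value recovered from the signature.

```python
import hashlib
import hmac

Q = 2**61 - 1  # assumed modulus for the random values v_i

def leaf_hash(vector: bytes) -> bytes:
    # H(r_ij); the 0x00/0x01 prefixes keep leaves and inner nodes distinct
    return hashlib.sha256(b"\x00" + vector).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """All tree levels, leaves first; an unpaired node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, index):
    """I_ij: sibling hashes with their side, from the leaf up to the root."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return path

def expected_sides(index, n):
    """Sides a valid path for leaf `index` of an n-leaf tree must have."""
    sides, size = [], n
    while size > 1:
        sibling = index ^ 1
        if sibling < size:
            sides.append("L" if sibling < index else "R")
        index, size = index // 2, (size + 1) // 2
    return sides

def _prf(key, k):
    return hmac.new(key, k.to_bytes(8, "big"), hashlib.sha256).digest()

def challenge(k1, k2, c, n):
    """C = {(i, v_i)}: i from a keyed permutation of [1, N], v_i from a keyed mapping."""
    order = sorted(range(1, n + 1), key=lambda i: _prf(k1, i))
    return [(order[k - 1], 1 + int.from_bytes(_prf(k2, k), "big") % (Q - 1))
            for k in range(1, c + 1)]

def prove(vectors, k1, k2, c):
    """Cluster node side: return <H(r_ij), I_ij> for every sampled index."""
    levels = build_levels([leaf_hash(v) for v in vectors])
    return [(i, levels[0][i - 1], auth_path(levels, i - 1))
            for i, _ in challenge(k1, k2, c, len(vectors))]

def verify(trusted_root, n, k1, k2, c, proof):
    """Verification node side: rebuild the root from each leaf and its path."""
    sampled = [i for i, _ in challenge(k1, k2, c, n)]
    if [i for i, _, _ in proof] != sampled:
        return False
    for i, leaf, path in proof:
        if [side for side, _ in path] != expected_sides(i - 1, n):
            return False  # path does not belong to position i
        node = leaf
        for side, sibling in path:
            node = node_hash(sibling, node) if side == "L" else node_hash(node, sibling)
        if not hmac.compare_digest(node, trusted_root):
            return False
    return True

# Constructed sample: one copy R_j with five vectors, ordered by primary key.
SAMPLE = [b"0001|alice", b"0002|bob", b"0003|carol", b"0004|dave", b"0005|erin"]
```

Checking the sides of each path against the sampled index is what ties a returned leaf to its position, so a node cannot answer a challenge for vector i with a valid leaf from another position.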
In summary, the invention provides an access method for shared storage information under a cloud computing platform, which instantiates a space of a basic cluster environment of the cloud platform, more fully utilizes system resources of the cluster, and solves the problem of time consumption caused by a private cloud utilizing a virtual machine. The private data are isolated from the cluster nodes, the isolation of the private data among verified applications is guaranteed, and the security of private storage is guaranteed.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented in a general purpose computing system, centralized on a single computing system, or distributed across a network of computing systems, and optionally implemented in program code that is executable by the computing system, such that the program code is stored in a storage system and executed by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (8)

1. A method for accessing shared storage information under a cloud computing platform is characterized by comprising the following steps:
analyzing the terminal access address to acquire the access authentication information;
judging the type of the access data according to the authentication information,
if the type is control data, the main control module of the private cloud processes the control data;
if the type is transaction data, forwarding the address request to a cluster engine of the private cloud, and processing the transaction data by the cluster engine;
the master control module comprises an authority control node for controlling authentication information verification of an access address and providing a management interface, wherein the authority control node comprises a web application list, application construction, application deletion and web application running copy number updating;
when the web application sends a data access request to the verified application, the cluster node sends process exception information of the web application to a trusted isolation area monitoring process of a trusted execution environment; after the monitoring process of the trusted isolation area captures process abnormal information, the process abnormal information of the web application is detected, and the method further comprises the following specific steps:
(1) acquiring the process exception information of the web application, including an interface calling data address, a process code segment base address, a process code segment size and a verified application ID, and loading the web application fingerprint information signature $Sg_{app}$ from a specific data segment of the corresponding verified application according to the verified application ID;
(2) performing a HASH operation, using a HASH algorithm, on the code segment data between the process memory address and the process code segment size, calculating the code segment HASH value $H'_{code} = Hash(Code)$ of the web application process, and obtaining the process fingerprint information $Fpr'_{app} = (CodeSize \| H'_{code})$ of the web application; wherein Code represents the code segment of the web application process;
(3) verifying the fingerprint information signature $Sg_{app}$ using the trusted license public key to obtain the fingerprint information $Fpr_{app} = (Size_{code} \| H_{code})$ of the web application;
(4) comparing whether the fingerprint information $Fpr_{app}$ and $Fpr'_{app}$ are equal; if so, the current web application process is judged to be legal and the detection state flag bit is set to 1; otherwise, the current web application process is judged to be illegal and the detection state flag bit is set to 0;
the detection state flag bit indicates whether the current web application process passes the safety detection, and if the detection flag bit is 1, the detection is passed; otherwise, the detection is failed;
after completing the security detection, the authority control node implements application data processing and key management, further comprising:
a) the verified application initiates a remote call of the data storage operation, and the request parameters comprise the verified application ID, the private data $Data_{pv}$ to be processed, and the cryptographic algorithm $Type_{en}$;
b) After receiving a data access request of the verified application, determining whether the remote call can be accepted or not by judging the detection state flag bit, and if the detection state flag bit is 0, rejecting the remote call; if the detection state flag bit is 1, processing remote call;
c) after the safety detection is passed, initiating a key generation request according to the cryptographic algorithm $Type_{en}$;
d) after receiving the key generation request, first invoking a key generator according to the cryptographic algorithm $Type_{en}$ to generate a random key for the symmetric cryptographic algorithm, $KEY = KeyGenerator(IDType_{en})$;
secondly, loading the license public key $PK_{py}$ of the verified application and encrypting the cryptographic algorithm $Type_{en}$ and the random key KEY to generate key encrypted data $EPK_{py} = RSA(PK_{py}, (ID \| KEY))$;
then loading the license private key $PPK_{py}$ of the verified application and signing the key encrypted data $EPK_{py}$ to generate key signature data $SPK_{py} = Sg(PPK_{py}, EPK_{py})$;
finally, using the verified application ID as the index, storing the key encrypted data $EPK_{py}$ and the key signature data $SPK_{py}$ in a non-volatile memory in the trusted execution environment according to a specific organization mode, and returning the generated random key KEY;
wherein, KeyGenerator is a symmetric key generator algorithm; RSA is a public key encryption algorithm; sg is a public key signature algorithm;
e) after the key is successfully generated, calling the corresponding symmetric encryption algorithm according to the cryptographic algorithm $Type_{en}$ and encrypting the private data $Data_{pv}$ with the random key KEY to generate encrypted data $EData_{pv} = SymEn(KEY, Data_{pv})$;
secondly, using the HASH algorithm to calculate the HASH value of the encrypted data, $HData_{pv} = Hash(EData_{pv})$;
then using the license private key $PPK_{py}$ of the verified application to sign the HASH value, generating signature data $SData_{pv} = Sg(PPK_{py}, HData_{pv})$;
finally, using the verified application ID as the index, storing the encrypted data $EData_{pv}$ and the signature data $SData_{pv}$ in a non-volatile memory in the trusted execution environment according to a specific organization mode, and returning the data storage result to the verified application;
wherein SymEn is a symmetric encryption algorithm; sg is a public key signature algorithm.
2. The method of claim 1, wherein the processing of the transaction data by the cluster engine further comprises:
the cluster engine forwards the access request to the specific space instance, and the specific space instance performs transaction processing and returns the transaction processing to the cluster engine.
3. The method of claim 1, after completing processing of the transaction data, further comprising:
and the cluster engine directly returns the processing result to the mobile terminal.
4. The method of claim 1, wherein the cluster engine maintains an addressing list comprising web application IDs, scheduling rules, web application running copy addresses, and recent update times.
5. The method of claim 4, wherein the web application ID is a web application ID deployed in the spatial instance, and wherein one web application corresponds to one or more running copies of the web application, and wherein the running copies of the web application provide specific processing.
6. The method of claim 4, wherein the scheduling rule is a processing rule for task scheduling.
7. The method of claim 4, wherein the web application running copy address is an address used when accessing a space instance application.
8. The method of claim 4, wherein the web application run copy update time is a most recent update time when the spatial instance application was run.
CN201810061041.XA 2018-01-22 2018-01-22 Method for accessing shared storage information under cloud computing platform Active CN108156175B (en)

Publications (2)

Publication Number Publication Date
CN108156175A CN108156175A (en) 2018-06-12
CN108156175B true CN108156175B (en) 2021-05-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210428

Address after: 3 / F, Sunshine Golf building, 7008 Shennan Avenue, Futian District, Shenzhen, Guangdong 518000

Applicant after: China Securities PENGYUAN credit rating Co.,Ltd.

Address before: 610000 Sichuan city of Chengdu province high tech Zone Kyrgyzstan Road No. 666 Building 2 floor 13 No. 2

Applicant before: CHENGDU HUIZHI YUANJING TECHNOLOGY Co.,Ltd.

GR01 Patent grant