CN109067756A - A kind of user's synchronization and authority control method suitable for cloudy management - Google Patents
- Publication number
- CN109067756A (application CN201810948949.2A)
- Authority
- CN
- China
- Prior art keywords
- user
- cloud
- management
- platform
- cloudy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
  - H04L67/00—Network arrangements or protocols for supporting network services or applications › H04L67/01—Protocols › H04L67/10—Protocols in which an application is distributed across nodes in the network
    - H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The present invention relates to the field of cloud computing technology, and in particular to a user synchronization and permission control method suitable for multi-cloud management. The invention first defines the user-management organizational structure in the multi-cloud management platform and determines the mapping between organizations and cloud platform tenants; next, it creates the users of an organization in the multi-cloud management platform and synchronously creates those users in the corresponding tenant of the cloud platform; then it defines user functional permissions in the multi-cloud management platform and periodically synchronizes the user functional permissions to each cloud platform; finally, it applies fine-grained control to the management scope of specific cloud service resources in the multi-cloud management platform and synchronizes that control to the cloud platform. With the invention, a cloud platform administrator manages their own organizational structure and user permissions on the multi-cloud management platform with a single unified mode of operation, without having to care about the differences in user management among the heterogeneous cloud platforms, while at the same time ensuring that users and permissions remain consistent when users manage resources directly through the cloud platform, thereby meeting the security and isolation requirements of user management of cloud resources to the greatest extent.
Description
Technical field
The present invention relates to the field of cloud computing technology, and in particular to a user synchronization and permission control method suitable for multi-cloud management.
Background technique
With the rapid development of cloud computing, the number of domestic cloud platform vendors keeps growing, and customers usually choose multiple cloud platforms to run their own applications. On the one hand, the services of different cloud platforms each have their own characteristics and can satisfy the operating needs of different applications; on the other hand, customers want to use different platforms for disaster recovery of their applications. Multi-cloud management has increasingly become a trend in the development of cloud computing, but most current multi-cloud management platforms are still in an early stage: their resource management functions are limited, and user management basically uses a single-user mode, that is, the cloud platform API is accessed with the accessKey and secretkey (or user name and password) of a single administrator of each cloud platform. The multi-cloud management platform then has its own independent user management module for unified user management and permission management. This mode makes multi-cloud management simple to implement, but it cannot satisfy the cloud resource management requirements of every scenario: if users are not synchronized to the cloud platform, then every user who needs to manage resources directly on the cloud platform accesses it with the account that holds the highest permissions, and neither system security nor resource isolation can be guaranteed.
Summary of the invention
The technical problem solved by the present invention is to provide a user synchronization and permission control method suitable for multi-cloud management; it solves the inconsistency of users and permissions between the multi-cloud management platform and single-cloud management that arises when traditional multi-cloud management takes over cloud platforms in single-user mode, and it ensures secure user access to the cloud platform and resource isolation.
The technical solution by which the present invention solves the above technical problem is as follows. The method includes the following steps:
Step 1: the multi-cloud management platform defines the user-management organizational structure and determines the mapping between organizations and cloud platform tenants;
Step 2: the multi-cloud management platform creates the users of an organization and synchronously creates those users in the corresponding tenant of the cloud platform;
Step 3: the multi-cloud management platform defines user functional permissions and periodically synchronizes the user functional permissions to each cloud platform. The user functional permissions are the operating rights a user has to manage cloud resources; for the elastic compute service, for example, these include operating rights such as creating a cloud server, deleting a cloud server, starting it and stopping it;
Step 4: the multi-cloud management platform applies fine-grained control to the management scope of specific cloud service resources and synchronizes it to the cloud platform. Fine-grained control of the management scope of specific cloud service resources means that, on the basis of the functional management permissions the user already holds for the resource, the scope of resources the user may operate on, the amount of resources the user may consume, and so on are further restricted.
The multi-cloud management platform is a cloud management platform that manages multiple public clouds or private clouds in a unified way; a cloud platform is a platform on which a cloud vendor provides cloud services, including Alibaba Cloud and Huawei Cloud.
The user-management organizational structure describes which departments a unit or enterprise contains, the superior/subordinate relationships between departments, and the users each department contains.
As for cloud platform tenants: in the public cloud domain the mode is usually multi-tenant, and one tenant corresponds to one cloud account, i.e. one registered user; in the private cloud domain the mode is usually single-tenant, and an enterprise using the private cloud is one tenant. Multiple users can be created under a tenant to manage resources.
Further restricting the scope of resources the user may operate on, the resource usage amount, etc. includes, for example: a certain user may manage only the cloud servers they created themselves, or a user may upload only files of up to 5G to a particular object storage bucket.
The method of the present invention is easy to use: a cloud platform administrator manages their own organizational structure and user permissions on the multi-cloud management platform with a unified mode of operation, without caring about the differences in user management among the heterogeneous cloud platforms, while also ensuring that users and permissions remain consistent when users manage resources directly through the cloud platform, meeting the security and isolation requirements of user management of cloud resources to the greatest extent.
Detailed description of the invention
The present invention is further described below with reference to the drawings:
Fig. 1 is the flow chart of the invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is explained in further detail below with reference to the drawing and an actual implementation case. This implementation case uses Alibaba Cloud user synchronization as the illustration; for other cloud platforms the same effect can be achieved by mapping tenants and user relationships correspondingly and calling that platform's API. As shown in Figure 1, the specific implementation process is as follows:
1. The multi-cloud management platform defines the user-management organizational structure and determines the mapping between organizations and cloud platform tenants.
(1) Two first-level departments are established: department A and department B; second-level departments A1, A2 and B1 are established under them. The structure is as follows:
-- department A
   -- department A1
   -- department A2
-- department B
   -- department B1
(2) Two tenants are created on the cloud platform: cloud account A and cloud account B.
(3) There is a superior/subordinate management relationship between a first-level department and its second-level departments, and the resources of a second-level department are in fact a subset of the resources of its first-level department; the mapping is therefore as follows:
Department | Tenant |
---|---|
Department A, A1, A2 | Cloud account A |
Department B, B1 | Cloud account B |
2. The multi-cloud management platform creates the users of the organization and synchronously creates those users in the corresponding tenant of the cloud platform.
(1) In the multi-cloud management platform, user UA is created in department A and user UA1 in department A1;
(2) Alibaba Cloud provides the RAM service for unified management of the sub-users within a tenant. Therefore, sub-users UA and UA1 are created synchronously in Alibaba Cloud by calling the create-user interface with the accessKey and secretkey of cloud account A:
https://ram.aliyuncs.com/?Action=CreateUser&UserName=UA
https://ram.aliyuncs.com/?Action=CreateUser&UserName=UA1
3. The multi-cloud management platform defines user functional permissions and periodically synchronizes the user functional permissions to each cloud platform.
(1) The multi-cloud management platform plans network resources and manages them in a unified way per first-level department. UA is set as the first-level department administrator and has permission to create VPCs; the second-level department user UA1 only has read access.
(2) The functional permissions of the Alibaba Cloud sub-users are set. Functional permissions in the multi-cloud management platform are usually set in batches; to keep the multi-cloud management platform responsive, the functional permissions for the different cloud services can be synchronized in batches by a scheduled task.
Create the authorization policies:
https://ram.aliyuncs.com/?Action=CreatePolicy
&PolicyName=primary department administrator
&PolicyDocument={"Statement":[{"Action":["vpc:*"],"Effect":"Allow","Resource":["acs:vpc:*:*:*"]}],"Version":"1"}
https://ram.aliyuncs.com/?Action=CreatePolicy
&PolicyName=tier-2 department user
&PolicyDocument={"Statement":[{"Action":["vpc:List*","vpc:Get*"],"Effect":"Allow","Resource":["acs:vpc:*:*:*"]}],"Version":"1"}
Attach the policies to the users:
https://ram.aliyuncs.com/?Action=AttachPolicyToUser
&PolicyType=Custom
&PolicyName=primary department administrator
&UserName=UA
https://ram.aliyuncs.com/?Action=AttachPolicyToUser
&PolicyType=Custom
&PolicyName=tier-2 department user
&UserName=UA1
4. The multi-cloud management platform applies fine-grained control to the management scope of specific cloud service resources and synchronizes it to the cloud platform.
(1) The multi-cloud management platform restricts user UA1 to managing only their own cloud servers. First, the multi-cloud management platform looks up which cloud servers user UA1 may manage:
select instanceId from instanceTable where owner='UA1' and platform='aliyun'
(2) The restriction that only the cloud servers returned by the above query may be managed is synchronized to the Alibaba Cloud platform by creating a policy and authorizing it to user UA1:
https://ram.aliyuncs.com/?Action=CreatePolicy
&PolicyName=self-built cloud servers
&PolicyDocument={"Statement":[{"Action":["ecs:*"],"Effect":"Allow","Resource":["acs:ecs:*:*:instance/inst-001","acs:ecs:*:*:instance/inst-002"]}],"Version":"1"}
https://ram.aliyuncs.com/?Action=AttachPolicyToUser
&PolicyType=Custom
&PolicyName=self-built cloud servers
&UserName=UA1
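The four steps of the embodiment above as an offline sync planner, added here as an example and not code from the patent: it derives the department-to-tenant mapping, computes the RAM requests (CreateUser, CreatePolicy, AttachPolicyToUser) the multi-cloud management platform would issue for each tenant, and scopes the ECS policy to exactly the instances found in instanceTable. The department, tenant, user and instance data are constructed; the per-user ECS policy name and the treatment of departments deeper than level 2 are assumptions.

```python
import json

# Constructed sample data mirroring the embodiment: departments (child -> parent,
# None = first-level), first-level departments mapped to tenants, users in departments.
DEPARTMENTS = {"A": None, "A1": "A", "A2": "A", "B": None, "B1": "B"}
TENANTS = {"A": "cloud account A", "B": "cloud account B"}
USERS = {"UA": "A", "UA1": "A1"}

# Step 3 functional permissions by department level (1 = first-level administrator).
LEVEL_POLICIES = {
    1: ("primary department administrator", ["vpc:*"]),
    2: ("tier-2 department user", ["vpc:List*", "vpc:Get*"]),
}

# Constructed stand-in for the page's instanceTable.
INSTANCE_TABLE = [
    {"instanceId": "inst-001", "owner": "UA1", "platform": "aliyun"},
    {"instanceId": "inst-002", "owner": "UA1", "platform": "aliyun"},
    {"instanceId": "inst-003", "owner": "UA", "platform": "aliyun"},
    {"instanceId": "inst-004", "owner": "UA1", "platform": "huawei"},
]


def lineage(dept):
    """Path from a department up to its first-level department, e.g. A1 -> ['A1', 'A']."""
    path = [dept]
    while DEPARTMENTS[dept] is not None:
        dept = DEPARTMENTS[dept]
        path.append(dept)
    return path


def tenant_of(dept):
    """Step 1: a department maps to the tenant of its first-level ancestor."""
    return TENANTS[lineage(dept)[-1]]


def level_of(dept):
    return len(lineage(dept))


def policy_document(actions, resources):
    """RAM policy document serialized in the compact form shown on the page."""
    doc = {"Statement": [{"Action": actions, "Effect": "Allow", "Resource": resources}],
           "Version": "1"}
    return json.dumps(doc, separators=(",", ":"))


def owned_instances(user, platform="aliyun"):
    """Step 4 lookup, equivalent to the page's select on instanceTable."""
    return [r["instanceId"] for r in INSTANCE_TABLE
            if r["owner"] == user and r["platform"] == platform]


def plan(users=USERS):
    """Return (tenant, Action, params) requests in dependency order. Nothing is sent;
    a caller would sign each request with the accessKey/secretkey of that tenant."""
    calls = []
    # Step 3a: the functional-permission policies are created once per tenant.
    for tenant in sorted(set(TENANTS.values())):
        for name, actions in LEVEL_POLICIES.values():
            calls.append((tenant, "CreatePolicy", {
                "PolicyName": name,
                "PolicyDocument": policy_document(actions, ["acs:vpc:*:*:*"])}))
    for user, dept in users.items():
        tenant = tenant_of(dept)
        # Step 2: the sub-user is created in the tenant that owns its department tree.
        calls.append((tenant, "CreateUser", {"UserName": user}))
        # Step 3b: attach the level's policy; levels deeper than 2 are treated as 2 (assumption).
        name, _ = LEVEL_POLICIES[min(level_of(dept), 2)]
        calls.append((tenant, "AttachPolicyToUser",
                      {"PolicyType": "Custom", "PolicyName": name, "UserName": user}))
        # Step 4: non-administrators get ECS rights only on instances they own. A user
        # with no owned instances gets no ECS policy at all, never a wildcard resource.
        if level_of(dept) > 1 and owned_instances(user):
            resources = ["acs:ecs:*:*:instance/" + i for i in owned_instances(user)]
            ecs_name = "self-built cloud servers-" + user  # per-user name (assumption)
            calls.append((tenant, "CreatePolicy", {
                "PolicyName": ecs_name, "PolicyDocument": policy_document(["ecs:*"], resources)}))
            calls.append((tenant, "AttachPolicyToUser",
                          {"PolicyType": "Custom", "PolicyName": ecs_name, "UserName": user}))
    return calls
```

Running plan() for the constructed data yields ten requests: four VPC policies (two per tenant), the two CreateUser calls, two functional-permission attachments, and the ECS policy plus its attachment for UA1 only, since UA is a first-level administrator and inst-004 belongs to a different platform.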
Claims (7)
1. A user synchronization and permission control method suitable for multi-cloud management, characterized in that the method includes the following steps:
Step 1: the multi-cloud management platform defines the user-management organizational structure and determines the mapping between organizations and cloud platform tenants;
Step 2: the multi-cloud management platform creates the users of an organization and synchronously creates those users in the corresponding tenant of the cloud platform;
Step 3: the multi-cloud management platform defines user functional permissions and periodically synchronizes the user functional permissions to each cloud platform; the user functional permissions are the operating rights a user has to manage cloud resources, including, for the elastic compute service, operating rights such as creating a cloud server, deleting a cloud server, starting it and stopping it;
Step 4: the multi-cloud management platform applies fine-grained control to the management scope of specific cloud service resources and synchronizes it to the cloud platform; fine-grained control of the management scope of specific cloud service resources means that, on the basis of the functional management permissions the user already holds for the resource, the scope of resources the user may operate on, the amount of resources the user may consume, and so on are further restricted.
2. The method according to claim 1, characterized in that the multi-cloud management platform is a cloud management platform that manages multiple public clouds or private clouds in a unified way, and a cloud platform is a platform on which a cloud vendor provides cloud services, including Alibaba Cloud and Huawei Cloud.
3. The method according to claim 1, characterized in that the user-management organizational structure describes which departments a unit or enterprise contains, the superior/subordinate relationships between departments, and the users each department contains.
4. The method according to claim 2, characterized in that the user-management organizational structure describes which departments a unit or enterprise contains, the superior/subordinate relationships between departments, and the users each department contains.
5. The method according to any one of claims 1 to 4, characterized in that, as for cloud platform tenants, in the public cloud domain the mode is usually multi-tenant, and one tenant corresponds to one cloud account, i.e. one registered user; in the private cloud domain the mode is usually single-tenant, and an enterprise using the private cloud is one tenant; multiple users can be created under a tenant to manage resources.
6. The method according to any one of claims 1 to 4, characterized in that further restricting the scope of resources the user may operate on, the resource usage amount, etc. includes: a certain user may manage only the cloud servers they created themselves, or a user may upload only files of up to 5G to a particular object storage bucket.
7. The method according to claim 5, characterized in that further restricting the scope of resources the user may operate on, the resource usage amount, etc. includes: a certain user may manage only the cloud servers they created themselves, or a user may upload only files of up to 5G to a particular object storage bucket.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810948949.2A CN109067756A (en) | 2018-08-20 | 2018-08-20 | A kind of user's synchronization and authority control method suitable for cloudy management |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109067756A true CN109067756A (en) | 2018-12-21 |
Family
ID=64686525
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810948949.2A Withdrawn CN109067756A (en) | 2018-08-20 | 2018-08-20 | A kind of user's synchronization and authority control method suitable for cloudy management |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109067756A (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102571821A (en) * | 2012-02-22 | 2012-07-11 | 浪潮电子信息产业股份有限公司 | Cloud security access control model |
US20150113546A1 (en) * | 2013-10-18 | 2015-04-23 | Power-All Networks Limited | Server and method for managing application services |
CN105323282A (en) * | 2014-07-28 | 2016-02-10 | 神州数码信息系统有限公司 | Enterprise application deployment and management system for multiple tenants |
CN105550854A (en) * | 2016-01-26 | 2016-05-04 | 中标软件有限公司 | Access control device of cloud environment management platform |
CN107819863A (en) * | 2017-11-16 | 2018-03-20 | 郑州云海信息技术有限公司 | A kind of Explore of Unified Management Ideas and device of cloud platform user |
CN107992767A (en) * | 2017-11-29 | 2018-05-04 | 国云科技股份有限公司 | A kind of authority control method based on more cloud platforms |
CN108092806A (en) * | 2017-12-11 | 2018-05-29 | 国云科技股份有限公司 | A kind of administration of multiple roles method based on cloudy platform |
- 2018
  - 2018-08-20 CN CN201810948949.2A patent/CN109067756A/en not_active Withdrawn
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109525605B (en) * | 2019-01-03 | 2021-07-27 | 杭州数梦工场科技有限公司 | Account management method, device and system and computer readable storage medium |
CN109525605A (en) * | 2019-01-03 | 2019-03-26 | 杭州数梦工场科技有限公司 | A kind of account management method, device, system and computer readable storage medium |
CN110233750A (en) * | 2019-05-15 | 2019-09-13 | 咪咕文化科技有限公司 | private cloud management system and method |
CN110704851A (en) * | 2019-09-18 | 2020-01-17 | 上海联蔚信息科技有限公司 | Public cloud data processing method and device |
CN110825452A (en) * | 2019-10-10 | 2020-02-21 | 国云科技股份有限公司 | Cloud service adaptation module management method for multi-cloud management |
CN111181975A (en) * | 2019-12-31 | 2020-05-19 | 奇安信科技集团股份有限公司 | Account management method, device, equipment and storage medium |
CN111538592A (en) * | 2020-04-21 | 2020-08-14 | 上海思询信息科技有限公司 | Method for realizing enterprise multi-user resource management by OpenStack single tenant |
CN114095475A (en) * | 2020-12-28 | 2022-02-25 | 京东科技控股股份有限公司 | Data processing method, device, electronic equipment, system and storage medium |
CN114257590A (en) * | 2021-12-10 | 2022-03-29 | 中信银行股份有限公司 | Cloud platform user information synchronization method and system |
CN114285865A (en) * | 2021-12-28 | 2022-04-05 | 天翼云科技有限公司 | Access authority control system for sharing cloud hard disk |
CN114285865B (en) * | 2021-12-28 | 2023-08-08 | 天翼云科技有限公司 | Access authority control system for shared cloud hard disk |
CN115834576A (en) * | 2022-10-21 | 2023-03-21 | 济南浪潮数据技术有限公司 | Cross-platform data distribution method and system based on multi-cloud nanotube |
CN115801833A (en) * | 2022-11-16 | 2023-03-14 | 浙江九州云信息科技有限公司 | Enterprise-level public cloud resource management method and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109067756A (en) | A kind of user's synchronization and authority control method suitable for cloudy management | |
US7568022B2 (en) | Automated display of an information technology system configuration | |
CN108377200B (en) | LDAP and SLURM-based cloud user management method and system | |
US9736029B2 (en) | Device and a method for managing access to a pool of computer and network resources made available to an entity by a cloud computing system | |
CN107682285A (en) | A kind of isomery cloud platform unified resource authorization method | |
EP2510473A1 (en) | Unified user login for co-location facilities | |
CN101951377A (en) | Hierarchical authorization management method and device | |
US8312515B2 (en) | Method of role creation | |
US11126460B2 (en) | Limiting folder and link sharing | |
CN105550854A (en) | Access control device of cloud environment management platform | |
CN105164660A (en) | Cloud based service design inheritance | |
US11032178B2 (en) | System and method for creating, deploying, and administering distinct virtual computer networks | |
CN107659450A (en) | Distribution method, distributor and the storage medium of big data cluster resource | |
CN104301149A (en) | Multi-data-center permission management method and system | |
US20060259955A1 (en) | Attribute-based allocation of resources to security domains | |
CN114650170B (en) | Cross-cluster resource management method, device, equipment and storage medium | |
CN106599718B (en) | The control method and device of information access rights | |
CN109067736B (en) | Method for user/employee to obtain mailbox account in system | |
CN111950866B (en) | Role-based multi-tenant organization structure management system, method, equipment and medium | |
KR20070076342A (en) | User Group Role / Permission Management System and Access Control Methods in a Grid Environment | |
CN110798354A (en) | Multi-cloud-based VDC resource management method | |
CN111818090B (en) | Authority management method and system on SaaS platform | |
CN111191256B (en) | Method and device for configuring user permission | |
US11418509B2 (en) | Cloud architecture to secure privacy of personal data | |
CN113051335A (en) | Transformation method for private cloud multi-tenant shared application system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20181221 |