Summary of the invention
This application provides an access control method and apparatus for a desktop cloud, and a desktop cloud terminal device, in order to improve the user experience.
In a first aspect, an access control method for a desktop cloud is provided, comprising: a secure login module of the desktop cloud detects a USBkey removal event, where the USBkey removal event indicates that the USBkey required to log in to the desktop cloud has been removed from the desktop cloud terminal device; the secure login module determines that the USBkey is mapped into the virtual machine that provides the desktop cloud; and the secure login module controls the desktop cloud to be in an accessible state in which it can be accessed by the desktop cloud user.
In the embodiments of this application, when the secure login module detects a USBkey removal event and that event was triggered because the USBkey was mapped into the virtual machine of the desktop cloud, the secure login module controls the desktop cloud to be in the accessible state. This avoids the problem of the traditional desktop cloud access control scheme in which, during login to the desktop cloud with a USBkey, the secure login module mistakenly treats the USBkey as removed once it has been mapped into the virtual machine and therefore places the desktop cloud in the forbidden-access state. This helps improve the user experience of the desktop cloud.
In one possible implementation, the method further includes: the secure login module receives first indication information sent by the desktop cloud client, where the first indication information indicates that the USBkey has been removed from the virtual machine; the secure login module controls the desktop cloud to be in a forbidden-access state in which it cannot be accessed by the desktop cloud user.
The forbidden-access state may include interrupting the desktop protocol of the desktop cloud and/or placing the desktop cloud terminal in a screen-locked state. Of course, if only the desktop protocol of the desktop cloud is interrupted, the user can still operate the desktop cloud terminal device but cannot log in to the desktop cloud; at that point the desktop cloud terminal device behaves like a traditional PC.
In the embodiments of this application, after the secure login module learns, by communicating with the desktop cloud client, that the USBkey has been removed from the virtual machine, it controls the desktop cloud to be in the forbidden-access state, which helps improve the security of the desktop cloud.
In one possible implementation, the secure login module determining that the USBkey is mapped into the virtual machine that provides the desktop cloud comprises: the secure login module obtains the state of the USBkey, and the state of the USBkey is "mapped into the virtual machine".
In one possible implementation, before the secure login module obtains the state of the USBkey, the method further includes: the secure login module receives second indication information sent by the client of the desktop cloud, where the second indication information indicates that the USBkey has been mapped from the desktop cloud terminal device into the virtual machine; the secure login module modifies the state of the USBkey according to the indication information.
It should be noted that the secure login module may modify the state of the USBkey before it detects the USBkey removal event. This improves the accuracy with which the secure login module obtains the USBkey state, since it avoids the case where the USBkey removal event is detected while the secure login module has not yet updated the USBkey state, and thereby improves the accuracy with which the secure login module controls access to the desktop cloud.
In one possible implementation, the secure login module determining that the USBkey is mapped by USB into the virtual machine that provides the desktop cloud comprises: the secure login module queries the device inventory recorded by the desktop cloud terminal device, in which the port to which the USBkey is attached is recorded; the secure login module determines that the USBkey is mapped into the virtual machine.
In one possible implementation, the method further includes: the secure login module determines that the USBkey has been mapped from the virtual machine back to the desktop cloud terminal device; the secure login module controls the desktop cloud to be in the forbidden-access state in which it cannot be accessed by the desktop cloud user.
In the embodiments of this application, when the secure login module determines that the USBkey has been mapped from the virtual machine back to the desktop cloud terminal device, it controls the desktop cloud to be in the forbidden-access state, in order to improve the security of the desktop cloud.
In a second aspect, an access control apparatus for a desktop cloud is provided, which includes modules for performing the above method.
In a third aspect, a desktop cloud terminal device is provided, including a processor and a memory. The memory is configured to store a computer program, and the processor is configured to call and run the computer program from the memory so that the controller performs the above method.
In a fourth aspect, a computer program product is provided. The computer program product includes computer program code which, when run on a computer, causes the computer to perform the method of the above aspects.
It should be noted that the above computer program code may be stored in whole or in part on a first storage medium, where the first storage medium may be packaged together with the processor or packaged separately from the processor; this application does not specifically limit this.
In a fifth aspect, a computer-readable medium is provided. The computer-readable medium stores program code which, when run on a computer, causes the computer to perform the method of the above aspects.
Specific embodiment
The technical solutions of this application are described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a desktop cloud system used in the embodiments of this application. The desktop cloud system 100 shown in Fig. 1 includes a desktop cloud terminal device 110 and a desktop cloud platform 120.
The desktop cloud terminal device 110 provides the user interface of the desktop cloud. A secure login module 111 and a desktop cloud client 112 may be provided on the desktop cloud terminal device.
For example, the desktop cloud terminal device 110 may be a thin client or any other device connected to the network. A thin client (or thin terminal, TC) applies hardware-level transcoding to its built-in storage, and the transcoding algorithm is bound to the unique information of the hardware. The TC system may run a hardened embedded Linux OS or embedded Windows OS, and the TC is streamlined and has no local storage.
The secure login module 111 controls the access state of the desktop cloud, where the access state includes an accessible state in which the desktop cloud can be accessed by the desktop cloud user and a forbidden-access state in which access by the desktop cloud user is forbidden.
The desktop cloud client 112, also known as the desktop protocol client, communicates with the desktop protocol server of the desktop cloud platform to establish a desktop protocol channel.
The desktop cloud platform 120 manages and schedules desktop cloud resources. For example, it may be the cloud management (FusionManager) interface, the interface of the unified integrated desktop cloud service maintenance system, the interface of the virtualization platform, or the interface of the hardware management system. Taking Huawei's desktop cloud platform as an example, the desktop cloud platform may include a web interface (WI), a Huawei desktop controller (HDC), GaussDB, an ITA node, a License node, and so on.
WI: provides the web login interface for the user. When the user initiates a login request, the WI forwards the user's login information (the encrypted username and password) to the HDC; the list of virtual machines provided by the HDC is presented to the user through the WI, which serves as the entry point for the user to access a virtual machine.
Huawei desktop controller (HDC): the core component of the desktop cloud management system. It provides virtual desktop services, virtual desktop management, virtual desktop login management and virtual machine policy management.
GaussDB: provides the database for the ITA and the HDC, storing data such as the association between virtual machines and users, desktop groups, virtual machine naming rules and scheduled task information.
ITA node: the ITA provides interfaces and a portal for users to manage virtual IT assets, implementing functions such as virtual machine creation and allocation, virtual machine state management, virtual machine image management, and virtual desktop system operation and maintenance.
License node: the management and delivery system for desktop cloud licenses. The License server is accessed by the controller to control the number of users of the desktop cloud.
TC management: centralized management of thin terminals, including version upgrades, state management, information monitoring, log management, and so on.
In the traditional process of logging in to the desktop cloud with a USBkey, the USBkey must be mapped from the desktop cloud client into the virtual machine in order to obtain permission to access the virtual machine. At that point the desktop cloud client can no longer detect the USBkey, so it locks the screen of the desktop cloud client to prevent the desktop cloud user from accessing the desktop cloud client any further. However, in this case the USBkey is actually mapped into the virtual machine only so that identity authentication can be performed inside the virtual machine, after which the user can choose a virtual machine through which to access the desktop cloud. This case, in which the USBkey is mapped into the virtual machine, differs from the case in which the USBkey is physically removed and the user logs out of the desktop cloud: in this scenario the user still needs to access the desktop cloud, and the user still has permission to do so (the USBkey is still inserted in the desktop cloud client).
Therefore, to avoid the desktop cloud being placed in the forbidden-access state in the above scenario merely because the USBkey has been mapped into the virtual machine, this application provides an access control method for a desktop cloud that performs login authentication according to whether the USBkey is mapped into the virtual machine, and thereby controls whether the desktop cloud is in the accessible state or the forbidden-access state.
The method of the embodiments of this application is described below with reference to Fig. 2. Fig. 2 is a schematic flowchart of an access control method for a desktop cloud according to an embodiment of this application. It should be understood that the method shown in Fig. 2 may be performed by the secure login module 111 shown in Fig. 1.
210: The secure login module of the desktop cloud detects a USBkey removal event, where the USBkey removal event indicates that the USBkey required to log in to the desktop cloud has been removed from the desktop cloud terminal device.
It should be noted that a variety of USB devices, including USB flash drives and USBkeys, are used on the desktop cloud terminal device. To distinguish the USBkey removal event from the removal events of other USB devices, the PID/VID information of the USBkey can be used to determine whether the current removal event is a USBkey removal event or the removal event of some other USB device.
220: The secure login module determines that the USBkey is mapped into the virtual machine that provides the desktop cloud, where the mapping may use a mapping mode such as PC/SC mapping or USB mapping.
The USBkey being mapped into the virtual machine that provides the desktop cloud can be understood as the authentication information in the USBkey being supplied to the virtual machine, so that the virtual machine can determine from that authentication information whether the user has permission to use the virtual machine.
Optionally, step 220 includes: the secure login module obtains the state of the USBkey, and the state of the USBkey is "mapped into the virtual machine".
The secure login module can record the state of the USBkey and use that state, when the USBkey removal event is detected, to judge whether the USBkey was physically pulled out of the desktop cloud terminal device or was mapped into the virtual machine. Correspondingly, when the state indicates that the USBkey is mapped into the virtual machine, the state of the USBkey may be called "located in the virtual machine".
The function of recording the state of the USBkey can be implemented by the secure login module, but the operations involved in mapping the USBkey into the virtual machine are performed mainly by the desktop cloud client. In other words, the desktop cloud client needs to notify the secure login module of the current state of the USBkey so that the secure login module can record it.
That is, before the secure login module of the desktop cloud detects the USBkey removal event, the method further includes: the secure login module receives second indication information sent by the client of the desktop cloud, where the second indication information indicates that the USBkey has been mapped from the desktop cloud terminal device into the virtual machine; the secure login module modifies the state of the USBkey according to the indication information.
It should be noted that the desktop cloud client may notify the secure login module to record the state of the USBkey before the desktop cloud client maps the USBkey into the virtual machine. This avoids the case where, after the desktop cloud client has mapped the USBkey into the virtual machine but before it has had time to notify the secure login module to record the USBkey state, the secure login module already detects the USBkey removal event and, because it cannot know the accurate state of the USBkey, places the desktop cloud in the forbidden-access state. Of course, in the embodiments of this application the desktop cloud client may also notify the secure login module of the USBkey state after it has mapped the USBkey into the virtual machine, but that execution order may cause the secure login module to misjudge.
The communication mechanism by which the desktop cloud client notifies the secure login module to record the USBkey state can reuse the system event handling mechanism of the operating system: the desktop cloud client generates a USBkey removal event, generates the second indication information from that USBkey removal event, and notifies the secure login module to record the USBkey state. Specifically, the system event indicating that the USBkey has been mapped into the virtual machine may be named the "USBkey mapped from desktop cloud client to virtual machine" event (USBkey FROM TC TO VM EVT).
Optionally, as an embodiment, step 220 includes: the secure login module queries the device inventory recorded by the desktop cloud terminal device, in which the port to which the USBkey is attached is recorded; the secure login module determines that the USBkey is mapped into the virtual machine.
On other operating systems, such as a Linux operating system, whether the USBkey is mapped into the virtual machine or has been unplugged from the desktop cloud terminal device can likewise be distinguished by querying whether the port information of the USBkey is still recorded in the operating system's device inventory (for example, under dev/bus/usb). That is, if the port information of the USBkey cannot be found in the device inventory, the USBkey has been unplugged from the desktop cloud terminal device; if the port information of the USBkey can be found in the device inventory, the USBkey is mapped into the virtual machine.
230: The secure login module controls the desktop cloud to be in the accessible state in which it can be accessed by the desktop cloud user.
The desktop cloud being in the accessible state may include the desktop protocol of the desktop cloud communicating normally and the display screen of the desktop cloud terminal device not being locked.
In the embodiments of this application, when the secure login module detects a USBkey removal event and that event was triggered because the USBkey was mapped into the virtual machine of the desktop cloud, the secure login module controls the desktop cloud to be in the accessible state. This avoids the problem of the traditional desktop cloud access control scheme in which, during login to the desktop cloud with a USBkey, the secure login module mistakenly treats the USBkey as removed once it has been mapped into the virtual machine and therefore places the desktop cloud in the forbidden-access state. This helps improve the user experience of the desktop cloud.
Optionally, as an embodiment, the method further includes: the secure login module receives first indication information sent by the desktop cloud client, where the first indication information indicates that the USBkey has been removed from the virtual machine; the secure login module controls the desktop cloud to be in the forbidden-access state in which it cannot be accessed by the desktop cloud user.
If, after the USBkey has been mapped into the virtual machine, the secure login module then receives first indication information from the desktop cloud client indicating that the USBkey has been removed from the virtual machine, the secure login module can control the desktop cloud to be in the forbidden-access state.
The forbidden-access state may include interrupting the desktop protocol of the desktop cloud, and may further include placing the desktop cloud terminal in a screen-locked state. Of course, if only the desktop protocol of the desktop cloud is interrupted, the user can still operate the desktop cloud terminal device but cannot log in to the desktop cloud; at that point the desktop cloud terminal device behaves like a traditional PC.
It should be noted that the mechanism by which the desktop cloud client sends the first indication information to the secure login module is the same as the mechanism by which it sends the second indication information, and can reuse the existing event handling mechanism of the operating system. The system event that triggers this indication information may be named the "USBkey removed from virtual machine" event (USBkey REMOVE FROM VM EVT).
In the embodiments of this application, after the secure login module learns, by communicating with the desktop cloud client, that the USBkey has been removed from the virtual machine, it controls the desktop cloud to be in the forbidden-access state, which helps improve the security of the desktop cloud.
Optionally, as an embodiment, the method further includes: the secure login module determines that the USBkey has been mapped from the virtual machine back to the desktop cloud terminal device; the secure login module controls the desktop cloud to be in the forbidden-access state in which it cannot be accessed by the desktop cloud user.
The manner in which the secure login module determines that the USBkey has been mapped from the virtual machine back to the desktop cloud terminal device is the same as the manner in which it determines that the USBkey has been mapped from the desktop cloud terminal device into the virtual machine; for brevity it is not described in detail here.
The system event indicating that the USBkey has been mapped from the virtual machine back to the desktop cloud terminal device may be named the "USBkey mapped from virtual machine to desktop cloud terminal device" event (USBkey FROM VM TO TC EVT).
The event of the USBkey being mapped from the virtual machine back to the desktop cloud terminal device may occur when the desktop cloud user wishes to exit the virtual machine. In that case the forbidden-access state may only disconnect the desktop protocol of the desktop cloud, so that the desktop cloud terminal device can no longer be used to log in to the virtual machine while the user can still operate the desktop cloud client in the manner of operating a PC. Of course, the secure login module may also lock the desktop cloud terminal device at the same time; the embodiments of this application do not specifically limit this.
In the embodiments of this application, when the secure login module determines that the USBkey has been mapped from the virtual machine back to the desktop cloud terminal device, it controls the desktop cloud to be in the forbidden-access state, in order to improve the security of the desktop cloud.
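The following is an added worked example, written for this page and not the applicant's code, that models the secure login module's decision logic across steps 210 to 230 and the three system events named above (USBkey FROM TC TO VM EVT, USBkey REMOVE FROM VM EVT, USBkey FROM VM TO TC EVT). Both ways of performing step 220 are shown: the recorded USBkey state updated by the second indication information, and the device-inventory lookup. The class names, the VID/PID values, the in-memory stand-in for the device inventory, the raw "USB REMOVE EVT" event, and the state names at_tc/in_vm/unplugged are all assumptions; the page only names the three system events and the two access states.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# System event names as given on the page; the raw OS removal event is constructed.
USBKEY_FROM_TC_TO_VM_EVT = "USBkey FROM TC TO VM EVT"   # carries the second indication information
USBKEY_REMOVE_FROM_VM_EVT = "USBkey REMOVE FROM VM EVT"  # carries the first indication information
USBKEY_FROM_VM_TO_TC_EVT = "USBkey FROM VM TO TC EVT"
USB_REMOVE_EVT = "USB REMOVE EVT"                        # constructed: raw removal event from the OS

# Assumed VID/PID of the USBkey, used in step 210 to tell it apart from other USB devices.
USBKEY_VID, USBKEY_PID = 0x1234, 0xABCD                  # constructed values, not a real product

ACCESSIBLE, FORBIDDEN = "accessible", "forbidden"        # the two access states of the desktop cloud
AT_TC, IN_VM, UNPLUGGED = "at_tc", "in_vm", "unplugged"  # recorded USBkey states (names assumed)


@dataclass
class Terminal:
    """Desktop cloud terminal device: desktop protocol channel, screen lock and device inventory."""
    protocol_up: bool = True
    screen_locked: bool = False
    # Constructed stand-in for the OS device inventory (dev/bus/usb on Linux, per the page):
    # port -> (vid, pid). A key mapped into the VM keeps its port; an unplugged key loses it.
    inventory: Dict[str, Tuple[int, int]] = field(default_factory=dict)


@dataclass
class SecureLoginModule:
    """Model of secure login module 111: steps 210-230 plus the optional event handling."""
    terminal: Terminal
    usbkey_state: str = AT_TC
    use_inventory: bool = False  # True: decide step 220 from the inventory instead of the recorded state

    def access_state(self) -> str:
        t = self.terminal
        return ACCESSIBLE if (t.protocol_up and not t.screen_locked) else FORBIDDEN

    def _set_accessible(self) -> None:             # step 230
        self.terminal.protocol_up = True
        self.terminal.screen_locked = False

    def _set_forbidden(self, lock_screen: bool) -> None:
        self.terminal.protocol_up = False           # interrupt the desktop protocol
        self.terminal.screen_locked = lock_screen   # optionally also lock the screen

    def usbkey_mapped_into_vm(self) -> bool:        # step 220
        if self.use_inventory:
            # Inventory method: the key's port is still recorded -> mapped into the VM, not unplugged.
            return (USBKEY_VID, USBKEY_PID) in self.terminal.inventory.values()
        return self.usbkey_state == IN_VM

    def handle(self, event: str, vid: Optional[int] = None, pid: Optional[int] = None) -> str:
        """Process one system event and return the resulting access state."""
        if event == USBKEY_FROM_TC_TO_VM_EVT:        # second indication information
            self.usbkey_state = IN_VM
        elif event == USBKEY_REMOVE_FROM_VM_EVT:     # first indication information
            self.usbkey_state = UNPLUGGED             # assumption: key no longer available for login
            self._set_forbidden(lock_screen=True)
        elif event == USBKEY_FROM_VM_TO_TC_EVT:      # user exits the VM; key is back at the terminal
            self.usbkey_state = AT_TC
            self._set_forbidden(lock_screen=False)    # page: may disconnect the protocol only
        elif event == USB_REMOVE_EVT:
            if (vid, pid) != (USBKEY_VID, USBKEY_PID):
                return self.access_state()            # another USB device: not a USBkey removal event
            # Step 210 fired; step 220 decides whether the key was mapped or physically pulled.
            if self.usbkey_mapped_into_vm():
                self._set_accessible()                # step 230: the user still holds the key
            else:
                self.usbkey_state = UNPLUGGED
                self._set_forbidden(lock_screen=True)
        return self.access_state()
```

Running the events in the order the page recommends (the FROM TC TO VM notification before the OS removal event) keeps the desktop cloud accessible; delivering the notification after the removal event reproduces the misjudgment the page warns about, because at the time of the removal event the recorded state is still at_tc. The inventory variant needs no notification at all, at the cost of trusting the OS device list.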
Optionally, as an embodiment, when a user logs in to the desktop cloud terminal device, that is, when the desktop cloud terminal device sends a login request to the desktop cloud platform, the WI on the desktop cloud platform may randomly generate a login password and return it to the cache of the desktop cloud controller for the user's subsequent login to the virtual machine. The number of valid uses of this randomly generated password may be set to 1, that is, each login request requires a corresponding new login password, in order to improve the security of the user's login to the virtual machine.
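The following is an added example, not part of the application, of the single-use login password described in the previous paragraph: the WI side issues a random password per login request and the controller-side cache accepts it exactly once. The class name, the keying of the cache by a per-request identifier, the expiry time and the injectable clock are assumptions added for illustration; the page states only that the password is randomly generated, cached by the controller and valid for one use.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple


class LoginPasswordCache:
    """Controller-side cache of one-time login passwords (illustrative stand-in)."""

    def __init__(self, ttl_seconds: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds            # assumption: a cached password also expires
        self._clock = clock                # injectable for deterministic tests
        self._entries: Dict[str, Tuple[str, float]] = {}  # request_id -> (password, expiry)

    def issue(self, request_id: str) -> str:
        """WI side: generate a fresh random password for this login request and cache it."""
        password = secrets.token_urlsafe(24)   # CSPRNG; never reuse across requests
        self._entries[request_id] = (password, self._clock() + self._ttl)
        return password

    def redeem(self, request_id: str, presented: str) -> bool:
        """VM login side: accept the cached password once.

        The entry is removed on the first attempt whether or not it matches, so a
        password can neither be replayed nor guessed with repeated attempts.
        """
        entry = self._entries.pop(request_id, None)
        if entry is None:
            return False
        password, expiry = entry
        if self._clock() > expiry:
            return False
        return hmac.compare_digest(password, presented)  # constant-time comparison
```

Consuming the entry before comparing is what gives the "valid for 1 use" property its security value: after the first redeem, a captured password is worthless, and a wrong guess also burns the entry rather than leaving it open for further attempts.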
The access control method for a desktop cloud according to the embodiments of the present invention has been described in detail above with reference to Fig. 1 and Fig. 2; the apparatus of the embodiments of the present invention is described in detail below with reference to Fig. 3 and Fig. 4. It should be noted that the apparatuses shown in Fig. 3 and Fig. 4 can implement each step of the above method; for brevity, details are not repeated here.
Fig. 3 is a schematic diagram of an access control apparatus for a desktop cloud according to an embodiment of this application. The apparatus 300 shown in Fig. 3 includes a detection module 310, a processing module 320 and a control module 330.
The detection module 310 is configured to detect a USBkey removal event, where the USBkey removal event indicates that the USBkey required to log in to the desktop cloud has been removed from the desktop cloud terminal device;
the processing module 320 is configured to determine that the USBkey is mapped into the virtual machine that provides the desktop cloud;
the control module 330 is configured to control the desktop cloud to be in the accessible state in which it can be accessed by the desktop cloud user.
Optionally, as an embodiment, the control module is further configured to: receive first indication information sent by the desktop cloud client, where the first indication information indicates that the USBkey has been removed from the virtual machine; and control the desktop cloud to be in the forbidden-access state in which it cannot be accessed by the desktop cloud user.
Optionally, as an embodiment, the processing module is configured to: obtain the state of the USBkey, where the state of the USBkey is "mapped into the virtual machine".
Optionally, as an embodiment, the processing module is further configured to: receive second indication information sent by the client of the desktop cloud, where the second indication information indicates that the USBkey has been mapped from the desktop cloud terminal device into the virtual machine; and modify the state of the USBkey according to the indication information.
Optionally, as an embodiment, the processing module is further configured to: query the device inventory recorded by the desktop cloud terminal device, in which the port to which the USBkey is attached is recorded; and determine that the USBkey is mapped into the virtual machine.
Optionally, as an embodiment, the control module is further configured to: determine that the USBkey has been mapped from the virtual machine back to the desktop cloud terminal device; and control the desktop cloud to be in the forbidden-access state in which it cannot be accessed by the desktop cloud user.
In an alternative embodiment, the above apparatus 300 may also be a desktop cloud terminal device 400. Specifically, the detection module 310, the processing module 320 and the control module 330 may be a processor 420, and the apparatus may further include a memory 410 and an input/output interface 430, as shown in Fig. 4.
Fig. 4 is a schematic block diagram of a desktop cloud terminal device according to an embodiment of this application. The desktop cloud terminal device 400 shown in Fig. 4 may include a memory 410, a processor 420 and an input/output interface 430. The memory 410, the processor 420 and the input/output interface 430 are connected through an internal connection path. The memory 410 is configured to store program instructions, and the processor 420 is configured to execute the program instructions stored in the memory 420, so as to control the input/output interface 430 to receive input data and information and to output data such as operation results.
It should be understood that, in the embodiments of this application, the processor 420 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute the relevant programs so as to implement the technical solutions provided by the embodiments of this application.
The memory 410 may include read-only memory and random access memory, and provides instructions and data to the processor 420. A part of the processor 420 may also include non-volatile random access memory. For example, the processor 420 may also store information about the device type.
In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 420 or by instructions in the form of software. The method disclosed with reference to the embodiments of this application may be embodied directly as being executed by a hardware processor, or as being executed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory 410; the processor 420 reads the information in the memory 410 and completes the steps of the above method in combination with its hardware. To avoid repetition, details are not described here.
It should be understood that, in the embodiments of this application, the processor may be a central processing unit (CPU), and may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
A person of ordinary skill in the art may be aware that the units and algorithm steps described with reference to the examples disclosed in the embodiments of this disclosure can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementation should not be considered to go beyond the scope of this application.
It may be clearly understood by a person skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can refer to the corresponding processes in the foregoing method embodiments, and details are not described here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely exemplary. For example, the division into units is merely a division by logical function; in actual implementation there may be another division manner, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be implemented through some interfaces, and the indirect couplings or communication connections between apparatuses or units may be electrical, mechanical or in other forms.
The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each of the units may exist alone physically, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application essentially, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing descriptions are merely specific embodiments of this application, but the protection scope of this application is not limited thereto. Any variation or replacement readily figured out by a person skilled in the art within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.