CN110414213A - A kind of method and device to rights management in operation management system based on keycloak - Google Patents


Info

Publication number: CN110414213A
Authority: CN (China)
Prior art keywords: keycloak, resource, management system, user, groups
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN201910740325.6A
Other languages: Chinese (zh)
Inventors: 马玉玺, 吴东生
Current assignee: Inspur Cloud Information Technology Co Ltd
Original assignee: Inspur Cloud Information Technology Co Ltd
Application filed by: Inspur Cloud Information Technology Co Ltd
Priority claimed from: CN201910740325.6A
Publication: CN110414213A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication

Abstract

The invention discloses a method and device for rights management in an operation and maintenance (O&M) management system based on Keycloak, in the field of cloud platform delivery and O&M. The technical problem to be solved is how to manage the data permissions of resources while still fully meeting the needs of O&M personnel who use the operation management system. The technical solution is as follows. 1. The method comprises the steps: S1, realize user role inheritance through the configuration of groups in Keycloak; S2, control the authentication flow of operation management system users through Keycloak's authentication mechanism, so as to control permissions on resources and on the operation management system as a whole, which specifically includes S201, resource management; S202, authorization policy management; and S203, policy enforcement. 2. The device comprises a user-role inheritance unit and an authentication-flow control unit: the user-role inheritance unit realizes user role inheritance through the configuration of groups in Keycloak, and the authentication-flow control unit controls the authentication flow of operation management system users through Keycloak's authentication mechanism.

Description

A method and device for rights management in an operation management system based on keycloak
Technical field
The present invention relates to the field of cloud platform delivery and O&M, and specifically to a method and device for rights management in an operation management system based on Keycloak.
Background technique
A traditional rights management system consists of four parts: users, roles, modules and resources. In the database table design these four tables are called the entity tables of the rights management system; once these four entity tables are worked out, the framework of the rights management system is essentially complete. In plain terms, a rights management system is a system that decides whether a user or role has a given function on a given resource.
However, rights management that only covers the data permissions of resources cannot fully meet the needs of O&M personnel using the operation management system. As administrators, O&M personnel also need to control the operations of the operation management system itself, and a traditional rights management system cannot satisfy that requirement.
Patent document CN109818968A discloses a method for realizing single sign-on on the basis of an existing WEB application: in the network configuration file of the existing WEB application, a keycloak filter is added before the other filters, and a transfer filter is added after the keycloak filter and before the other filters. The transfer filter filters all requests, obtains the Keycloak security context from the keycloak filter, refreshes the access_token using the refresh_token held in the Keycloak security context, and, when the underlying virtualization platform is called, passes the access_token to complete the login. That solution, however, cannot fully meet the needs of O&M personnel using the operation management system while also managing the data permissions of resources.
Summary of the invention
The technical task of the invention is to provide a method and device for rights management in an operation management system based on Keycloak, to solve the problem of fully meeting the needs of O&M personnel using the operation management system while managing the data permissions of resources.
The technical task of the invention is realized in the following manner. A method for rights management in an operation management system based on Keycloak comprises the following steps:
S1, realize user role inheritance through the configuration of groups in Keycloak;
S2, control the authentication flow of operation management system users through Keycloak's authentication mechanism, so as to control permissions on resources and on the operation management system as a whole, which specifically includes:
S201, resource management;
S202, authorization policy management;
S203, policy enforcement.
Preferably, realizing user role inheritance through the configuration of groups in Keycloak in step S1 comprises the following steps:
S101, enter the Keycloak administration page and create realms, clients, groups and user roles in Keycloak;
S102, configure the groups a user belongs to and configure the corresponding roles for the groups, so that the user inherits the role attributes the groups possess; alternatively, configure the corresponding roles for the user individually.
More preferably, creating realms, clients, groups and user roles in Keycloak in step S101, and configuring the groups a user belongs to together with the corresponding roles for the groups in step S102, proceeds as follows:
(1) create a realm;
(2) create clients, where each module is one client-app;
(3) create roles;
(4) create groups, and configure role information for the newly created groups;
(5) create users, and configure group information for the newly created users or configure role information for them directly.
More preferably, creating a realm covers the following two situations:
1. if multiple modules use different user permissions, divide them into multiple different realms;
2. if multiple modules share one set of user permissions, they share the same realm.
Preferably, resource management in step S201 comprises the following steps:
S20101, specify the content Keycloak is to protect, which typically represents a web application or one group of one or more services;
S20102, manage the resource server using the Keycloak management console, so that any registered client application can act as a resource server and begin managing the resources and scopes to be protected.
More preferably, in step S20102 a resource is a web page, a RESTful resource, a file in a file system or an EJB; a resource may represent a group of resources (much like a class in Java) or a single specific resource.
Preferably, authorization policy management in step S202 consists of the following: after the resource server and all resources to be protected have been defined, set permissions and policies. A policy defines the conditions that must be satisfied to access or perform an operation on a resource or scope; these conditions are independent of the content being protected, are general, and can be reused to build permissions or more complex policies. For example, to allow only users granted the role "User Premium" to access a group of resources, RBAC (role-based access control) can be used. A permission couples the protected resource with policies: it specifies the resource or scope to be protected and the policies that must be satisfied for access to be granted or denied.
More preferably, policy enforcement in S203 involves the steps necessary to actually carry out the resource server's authorization decision, as follows: it is realized by enabling a policy enforcement point (PEP) on the resource server; the PEP communicates with the authorization server, requests authorization data, and controls access to protected resources according to the decisions and permissions returned for the resource server. Keycloak provides a built-in Policy Enforcer implementation; how the Policy Enforcer is used to protect an application depends on the platform the application runs on.
A device for rights management in an operation management system based on Keycloak comprises:
a user-role inheritance unit, for realizing user role inheritance through the configuration of groups in Keycloak;
an authentication-flow control unit, for controlling the authentication flow of operation management system users through Keycloak's authentication mechanism, so as to control permissions on resources and on the operation management system as a whole.
Preferably, the authentication-flow control unit comprises:
a resource management module, for specifying the content Keycloak is to protect, which typically represents a web application or one group of one or more services, and for managing the resource server using the Keycloak management console so that any registered client application can act as a resource server and begin managing the resources and scopes to be protected;
an authorization policy management module, for setting permissions and policies after the resource server and all resources to be protected have been defined; a policy defines the conditions that must be satisfied to access or perform an operation on a resource or scope, and a permission couples the protected resource with the policies that must be satisfied for access to be granted or denied;
a policy enforcement module, realized by enabling a policy enforcement point (PEP) on the resource server; the PEP communicates with the authorization server, requests authorization data, and controls access to protected resources according to the decisions and permissions returned for the resource server.
Here, keycloak is Red Hat's open-source identity and access management solution;
Realms: a realm manages a set of users, credentials, roles, groups and so on; a user belongs to, and can log in to, only one realm; realms are independent of each other, and a realm manages only the users under it;
Clients: a client is an entity that can request Keycloak to authenticate a user; in most cases a client is an application or service that wants Keycloak to protect it and to provide a single-sign-on solution; a client can also be an entity that requests identity information or an access token so that it can call other applications or services protected by Keycloak;
Groups: a group can hold a set of users, and roles can be mapped to a group; a user who becomes a member of a group inherits the roles of that group.
The method and device for rights management in an operation management system based on Keycloak of the invention have the following advantages:
(1) the invention is proposed on the basis of the needs of O&M personnel using the operation management system; based on Keycloak, by configuring the groups a user belongs to and the user's roles, it handles permissions for the whole process by which O&M personnel operate the operation management system, from logging in to operating the system, and achieves function-permission management alongside data-permission management; at the same time, because of Keycloak's microservice-style character, it also makes releasing the operational system on a microservice architecture convenient;
(2) the invention realizes user role inheritance through the configuration of groups in Keycloak; at the same time, through Keycloak's authentication mechanism, it controls the authentication flow of operation management system users and controls permissions on resources and on the operation management system as a whole, including data permissions and function permissions, which improves the security and privacy of user data management, improves the standardization and privacy of the authentication flow, and ensures the security of the system.
Description of the drawings
The invention is further described below with reference to the drawings.
Figure 1 is a flow block diagram of the method for rights management in an operation management system based on Keycloak;
Figure 2 is the user permission model diagram;
Figure 3 is a schematic diagram of Keycloak policy enforcement.
Specific embodiments
The method and device for rights management in an operation management system based on Keycloak of the invention are described in detail below with reference to the drawings and specific embodiments.
Embodiment 1:
As shown in Fig. 1, the method for rights management in an operation management system based on Keycloak of the invention comprises the following steps:
S1, realize user role inheritance through the configuration of groups in Keycloak;
S2, control the authentication flow of operation management system users through Keycloak's authentication mechanism, so as to control permissions on resources and on the operation management system as a whole, which specifically includes:
S201, resource management;
S202, authorization policy management;
S203, policy enforcement.
Realizing user role inheritance through the configuration of groups in Keycloak in step S1 comprises the following steps:
S101, enter the Keycloak administration page and create realms, clients, groups and user roles in Keycloak;
S102, configure the groups a user belongs to and configure the corresponding roles for the groups, so that the user inherits the role attributes the groups possess; alternatively, configure the corresponding roles for the user individually.
As shown in Fig. 2, creating realms, clients, groups and user roles in Keycloak in step S101, and configuring the groups a user belongs to together with the corresponding roles for the groups in step S102, proceeds as follows:
(1) create a realm, which covers the following two situations:
1. if multiple modules use different user permissions, divide them into multiple different realms;
2. if multiple modules share one set of user permissions, they share the same realm;
(2) create clients, where each module is one client-app;
(3) create roles;
(4) create groups, and configure role information for the newly created groups;
(5) create users, and configure group information for the newly created users or configure role information for them directly.
Resource management in step S201 comprises the following steps:
S20101, specify the content Keycloak is to protect, which typically represents a web application or one group of one or more services;
S20102, manage the resource server using the Keycloak management console, so that any registered client application can act as a resource server and begin managing the resources and scopes to be protected. A resource is a web page, a RESTful resource, a file in a file system or an EJB; a resource may represent a group of resources (much like a class in Java) or a single specific resource.
Authorization policy management in step S202 consists of the following: after the resource server and all resources to be protected have been defined, set permissions and policies. A policy defines the conditions that must be satisfied to access or perform an operation on a resource or scope; these conditions are independent of the content being protected, are general, and can be reused to build permissions or more complex policies. For example, to allow only users granted the role "User Premium" to access a group of resources, RBAC (role-based access control) can be used. A permission couples the protected resource with policies: it specifies the resource or scope to be protected and the policies that must be satisfied for access to be granted or denied.
As shown in Fig. 3, policy enforcement in S203 involves the steps necessary to actually carry out the resource server's authorization decision, as follows: it is realized by enabling a policy enforcement point (PEP) on the resource server; the PEP communicates with the authorization server, requests authorization data, and controls access to protected resources according to the decisions and permissions returned for the resource server. Keycloak provides a built-in Policy Enforcer implementation; how the Policy Enforcer is used to protect an application depends on the platform the application runs on.
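As an added illustration (not code from the patent, nor Keycloak's own implementation), the following Python model walks through the chain just described end to end: roles inherited from groups (S1), resources and their scopes (S201), role-based policies and the permissions that attach them to resources (S202), and the permit/deny decision a policy enforcement point obtains for one request (S203). The realm, group, user, role and resource names are constructed sample data.

```python
# Added illustration for this page (not Keycloak's own code): a minimal model of the
# authorization chain the patent describes in S1 and S2. Group-inherited roles come
# first, then resources, RBAC policies, permissions, and a policy enforcement point
# (PEP) asking for a decision. All names below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Realm:
    """One realm: its users, groups and roles are isolated from other realms (S1 step (1))."""
    name: str
    roles: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)       # group -> roles mapped to the group
    users: dict = field(default_factory=dict)        # user -> {"groups": [...], "roles": set()}
    resources: dict = field(default_factory=dict)    # resource -> scopes (operations) it exposes
    policies: dict = field(default_factory=dict)     # policy name -> roles it requires (RBAC)
    permissions: list = field(default_factory=list)  # (resource, scopes, [policy names])

    def _check_roles(self, roles):
        unknown = set(roles) - self.roles
        if unknown:
            raise ValueError(f"realm {self.name!r} has no roles {sorted(unknown)}")

    def add_group(self, group, roles):
        """S1 step (4): create a group and map realm roles to it."""
        self._check_roles(roles)
        self.groups[group] = set(roles)

    def add_user(self, user, groups=(), roles=()):
        """S1 step (5): create a user with group membership and/or directly assigned roles."""
        for g in groups:
            if g not in self.groups:
                raise ValueError(f"realm {self.name!r} has no group {g!r}")
        self._check_roles(roles)
        self.users[user] = {"groups": list(groups), "roles": set(roles)}

    def effective_roles(self, user):
        """S102: a user inherits the roles of every group it belongs to, plus direct roles."""
        entry = self.users[user]
        roles = set(entry["roles"])
        for g in entry["groups"]:
            roles |= self.groups[g]
        return roles

    def add_resource(self, resource, scopes):
        """S201: register a protected resource and the scopes it exposes."""
        self.resources[resource] = set(scopes)

    def add_role_policy(self, name, required_roles):
        """S202: an RBAC policy names only the roles required; it is tied to no resource."""
        self._check_roles(required_roles)
        self.policies[name] = set(required_roles)

    def add_permission(self, resource, scopes, policy_names):
        """S202: a permission couples a resource and scopes with the policies that must hold."""
        if resource not in self.resources:
            raise ValueError(f"unknown resource {resource!r}")
        for p in policy_names:
            if p not in self.policies:
                raise ValueError(f"unknown policy {p!r}")
        self.permissions.append((resource, set(scopes), list(policy_names)))

    def decide(self, user, resource, scope):
        """S203: the decision the PEP obtains for one request (True = permit).

        Unknown users, resources or scopes are denied; a permission grants only when
        every attached policy is satisfied (a unanimous decision strategy)."""
        if user not in self.users or scope not in self.resources.get(resource, set()):
            return False
        roles = self.effective_roles(user)
        for res, scopes, policy_names in self.permissions:
            if res == resource and scope in scopes:
                if all(self.policies[p] <= roles for p in policy_names):
                    return True
        return False


def build_sample_realm():
    """Constructed sample: one realm shared by all modules (the patent's situation 2)."""
    realm = Realm("ops")
    realm.roles.update({"admin", "operator", "User Premium"})
    realm.add_group("ops-admins", ["admin", "operator"])
    realm.add_group("ops-viewers", ["operator"])
    realm.add_user("alice", groups=["ops-admins"])
    realm.add_user("bob", groups=["ops-viewers"])
    realm.add_user("carol", roles=["User Premium"])            # direct role, no group
    realm.add_resource("host-inventory", ["view", "delete"])   # e.g. a REST resource
    realm.add_resource("premium-report", ["view"])
    realm.add_role_policy("operators-only", ["operator"])
    realm.add_role_policy("admins-only", ["admin"])
    realm.add_role_policy("premium-users", ["User Premium"])
    realm.add_permission("host-inventory", ["view"], ["operators-only"])
    realm.add_permission("host-inventory", ["delete"], ["operators-only", "admins-only"])
    realm.add_permission("premium-report", ["view"], ["premium-users"])
    return realm


if __name__ == "__main__":
    r = build_sample_realm()
    for who, res, scope in [("alice", "host-inventory", "delete"),
                            ("bob", "host-inventory", "delete"),
                            ("carol", "premium-report", "view")]:
        verdict = "PERMIT" if r.decide(who, res, scope) else "DENY"
        print(f"{who:6} {scope:6} {res}: {verdict}")
```

Bob is denied "delete" even though he holds the "operator" role, because that permission attaches two policies and the unanimous strategy requires both; carol reaches the premium report through a directly assigned role with no group membership at all.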
Embodiment 2:
The device for rights management in an operation management system based on Keycloak of the invention comprises:
a user-role inheritance unit, for realizing user role inheritance through the configuration of groups in Keycloak;
an authentication-flow control unit, for controlling the authentication flow of operation management system users through Keycloak's authentication mechanism, so as to control permissions on resources and on the operation management system as a whole.
The authentication-flow control unit comprises:
a resource management module, for specifying the content Keycloak is to protect, which typically represents a web application or one group of one or more services, and for managing the resource server using the Keycloak management console so that any registered client application can act as a resource server and begin managing the resources and scopes to be protected;
an authorization policy management module, for setting permissions and policies after the resource server and all resources to be protected have been defined; a policy defines the conditions that must be satisfied to access or perform an operation on a resource or scope, and a permission couples the protected resource with the policies that must be satisfied for access to be granted or denied;
a policy enforcement module, realized by enabling a policy enforcement point (PEP) on the resource server; the PEP communicates with the authorization server, requests authorization data, and controls access to protected resources according to the decisions and permissions returned for the resource server.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some or all of the technical features, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the invention.

Claims (10)

1. A method for rights management in an operation management system based on keycloak, characterized in that the method comprises the following steps:
S1, realizing user role inheritance through the configuration of groups in keycloak;
S2, controlling the authentication flow of operation management system users through keycloak's authentication mechanism, so as to control permissions on resources and on the O&M management system as a whole, which specifically includes:
S201, resource management;
S202, authorization policy management;
S203, policy enforcement.
2. The method for rights management in an operation management system based on keycloak according to claim 1, characterized in that realizing user role inheritance through the configuration of groups in keycloak in step S1 comprises the following steps:
S101, entering the keycloak administration page and creating realms, clients, groups and user roles in keycloak;
S102, configuring the groups a user belongs to and configuring the corresponding roles for the groups, so that the user inherits the role attributes the groups possess, or configuring the corresponding roles for the user individually.
3. The method for rights management in an operation management system based on keycloak according to claim 2, characterized in that creating realms, clients, groups and user roles in keycloak in step S101, and configuring the groups a user belongs to together with the corresponding roles for the groups in step S102, proceeds as follows:
(1) create a realm;
(2) create clients, where each module is one client-app;
(3) create roles;
(4) create groups, and configure role information for the newly created groups;
(5) create users, and configure group information for the newly created users or configure role information for them directly.
4. The method for rights management in an operation management system based on keycloak according to claim 3, characterized in that creating the realm covers the following two situations:
1. if multiple modules use different user permissions, divide them into multiple different realms;
2. if multiple modules share one set of user permissions, they share the same realm.
5. The method for rights management in an operation management system based on keycloak according to claim 1, characterized in that resource management in step S201 comprises the following steps:
S20101, specifying the content Keycloak is to protect, which typically represents a web application or one group of one or more services;
S20102, managing the resource server using the Keycloak management console, so that any registered client application can act as a resource server and begin managing the resources and scopes to be protected.
6. The method for rights management in an operation management system based on keycloak according to claim 5, characterized in that in step S20102 a resource is a web page, a RESTful resource, a file in a file system or an EJB; a resource represents a group of resources or a single specific resource.
7. The method for rights management in an operation management system based on keycloak according to claim 1, characterized in that authorization policy management in step S202 consists of the following: after the resource server and all resources to be protected have been defined, set permissions and policies; a policy defines the conditions that must be satisfied to access or perform an operation on a resource or scope; these conditions are independent of the content being protected, are general, and can be reused to build permissions or more complex policies; a permission couples the protected resource with policies, specifying the resource or scope to be protected and the policies that must be satisfied for access to be granted or denied.
8. The method for rights management in an operation management system based on keycloak according to claim 1, characterized in that policy enforcement in S203 involves the steps necessary to actually carry out the resource server's authorization decision, as follows: it is realized by enabling a policy enforcement point (PEP) on the resource server; the PEP communicates with the authorization server, requests authorization data, and controls access to protected resources according to the decisions and permissions returned for the resource server; Keycloak provides a built-in Policy Enforcer implementation, and how the Policy Enforcer is used to protect an application depends on the platform the application runs on.
9. A device for rights management in an operation management system based on keycloak, characterized in that the device comprises:
a user-role inheritance unit, for realizing user role inheritance through the configuration of groups in keycloak;
an authentication-flow control unit, for controlling the authentication flow of operation management system users through keycloak's authentication mechanism, so as to control permissions on resources and on the operation management system as a whole.
10. The device for rights management in an operation management system based on keycloak according to claim 9, characterized in that the authentication-flow control unit comprises:
a resource management module, for specifying the content Keycloak is to protect, which typically represents a web application or one group of one or more services, and for managing the resource server using the Keycloak management console so that any registered client application can act as a resource server and begin managing the resources and scopes to be protected;
an authorization policy management module, for setting permissions and policies after the resource server and all resources to be protected have been defined; a policy defines the conditions that must be satisfied to access or perform an operation on a resource or scope, and a permission couples the protected resource with the policies that must be satisfied for access to be granted or denied;
a policy enforcement module, realized by enabling a policy enforcement point (PEP) on the resource server; the PEP communicates with the authorization server, requests authorization data, and controls access to protected resources according to the decisions and permissions returned for the resource server.
Application CN201910740325.6A, priority date 2019-08-12, filing date 2019-08-12: A kind of method and device to rights management in operation management system based on keycloak. Status: Pending. Publication: CN110414213A (en).

Priority Applications (1)

Application Number / Priority Date / Filing Date / Title
CN201910740325.6A (CN110414213A) / 2019-08-12 / 2019-08-12 / A kind of method and device to rights management in operation management system based on keycloak

Publications (1)

Publication Number / Publication Date
CN110414213A / 2019-11-05

Family ID: 68366984 (one family application, CN201910740325.6A, pending)

Country Status (1): CN, CN110414213A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number / Priority date / Publication date / Assignee / Title
CN111800440A * / 2020-09-08 / 2020-10-20 / 平安国际智慧城市科技股份有限公司 / Multi-policy access control login method and device, computer equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number / Priority date / Publication date / Assignee / Title
CN109257209A * / 2018-09-04 / 2019-01-22 / 山东浪潮云投信息科技有限公司 / A kind of data center server centralized management system and method
CN109818968A * / 2019-02-28 / 2019-05-28 / 山东浪潮云信息技术有限公司 / A method of single-sign-on is realized on the basis of existing WEB application

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
KEYCLOAK: "auth-services-architecture", https://github.com/keycloak/keycloak-documentation/blob/3.4/authorization_services/topics/auth-services-architecture.adoc *
WESCHEN: "keycloak学习" (Learning keycloak), https://www.cnblogs.com/weschen/p/9530044.html *

Legal Events

Code / Title
PB01 / Publication
SE01 / Entry into force of request for substantive examination
RJ01 / Rejection of invention patent application after publication

Application publication date: 2019-11-05