CN110784433B - User access processing method, device and equipment - Google Patents


Info

Publication number: CN110784433B
Authority: CN (China)
Prior art keywords: user, password, authority, cloud, account
Legal status: Active
Application number: CN201810858360.3A
Priority: CN201810858360.3A
Other languages: Chinese (zh)
Other versions: CN110784433A
Inventors: 田永军, 何万青, 李临川
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The application discloses a user access processing method, device and equipment. The method comprises the following steps: acquiring an access request initiated by a target account in a cloud platform, wherein the access request is used for requesting access to a cloud service with an independent account management system; verifying the target account based on the authority corresponding to the access request and the authority of the role of the user associated with the target account in the cloud service; and responding to the access request based on the verification result. In this way, an account of the cloud platform (cloud account for short) is associated with a user of the cloud service (service user for short) whose authority matches it, so that the user can directly access the cloud service after logging in with the cloud account.

Description

User access processing method, device and equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a user access processing method, apparatus, and device.
Background
With the continuous maturity of cloud computing and artificial intelligence, more and more cloud services are available on a cloud platform, such as: data storage services, data computing services, and the like.
Currently, when a user accesses a cloud service, the user needs to enter a cloud account to log in to the cloud platform, and then enter a separate account for the cloud service.
Therefore, there is a need to provide a more efficient user access handling scheme.
Disclosure of Invention
The embodiment of the specification provides a user access processing method, device and equipment, which are used for solving the problem that a cloud service cannot be accessed by using a cloud account.
An embodiment of the present specification further provides a user access processing method, including:
acquiring an access request initiated by a target account in a cloud platform, wherein the access request is used for requesting access to a cloud service with an independent account management system;
verifying the target account number based on the authority corresponding to the access request and the authority of the role of the user associated with the target account number in the cloud service;
responding to the access request based on the verification result.
An embodiment of the present specification further provides a user access processing apparatus, including:
a first acquisition module, configured to acquire an access request initiated by a target account in a cloud platform, wherein the access request is used for requesting access to a cloud service with an independent account management system;
a first verification module, configured to verify the target account based on the authority corresponding to the access request and the authority of the role of the user associated with the target account in the cloud service; and
a first response module, configured to respond to the access request based on the verification result.
An embodiment of the present specification further provides an electronic device, including:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the steps of:
acquiring an access request initiated by a target account in a cloud platform, wherein the access request is used for requesting access to a cloud service with an independent account management system;
verifying the target account based on the authority corresponding to the access request and the authority of the role of the user associated with the target account in the cloud service;
responding to the access request based on the verification result.
The present specification embodiments also provide a computer readable storage medium storing one or more programs which, when executed by an electronic device including a plurality of application programs, cause the electronic device to perform the steps of:
acquiring an access request initiated by a target account in a cloud platform, wherein the access request is used for requesting access to a cloud service with an independent account management system;
verifying the target account number based on the authority corresponding to the access request and the authority of the role of the user associated with the target account number in the cloud service;
responding to the access request based on the verification result.
The embodiment of the specification adopts at least one technical scheme which can achieve the following beneficial effects:
the association relationship is established between the cloud account and the user with the authority matched with the cloud account in the cloud service, so that the cloud service can be accessed based on the authority of the role of the service user with the association relationship with the cloud account after the cloud account is input, and the user name and the password of the service user do not need to be provided. Compared with the prior art, the efficiency of accessing the cloud service by the user can be effectively improved, and further the user experience is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic diagram of an application scenario provided in the present specification;
fig. 2 is a schematic flowchart of a user access processing method provided in embodiment 1 of the present specification;
fig. 3 is a schematic flowchart of step 24 in a user access processing method provided in embodiment 1 of the present specification;
fig. 4 is a schematic diagram of a first implementation manner of a step of establishing an association relationship in a user access processing method provided in embodiment 1 of the present specification;
fig. 5 is a schematic diagram of a second implementation manner of a step of establishing an association relationship in a user access processing method provided in embodiment 1 of the present specification;
fig. 6 is an interaction diagram of a user access processing method provided in embodiment 2 of the present specification;
fig. 7 is an interaction diagram of a user access processing method provided in embodiment 3 of the present specification;
fig. 8 is a schematic structural diagram of a user access processing device provided in embodiment 4 of the present specification;
fig. 9 is a schematic structural diagram of an electronic device provided in embodiment 5 of this specification.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only a few embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As stated in the background section, because the account system of the cloud platform and the account system of the cloud service are not consistent, when accessing the cloud service, a user needs to input a cloud account to log in the cloud platform first and then input a service account, which causes problems of difficulty and poor experience when accessing the cloud service.
Based on the above, the invention provides a user access processing method, which is characterized in that an association relationship between a cloud account and a service user with matched authority is established, so that when an access request initiated by the cloud account is received, the cloud account is verified, and when a verification result is passed, the cloud account is allowed to access cloud services based on the authority of the role of the service user associated with the cloud account. Compared with the prior art, the cloud service can be directly accessed after the cloud account is used for logging in the cloud platform, the user name and the password of the service user do not need to be provided, and the efficiency of accessing the cloud service and the access experience of the user are effectively improved.
The following provides an exemplary description of an application scenario of the present invention with reference to the drawings.
Referring to fig. 1, a schematic diagram of an application scenario is shown, which includes a client, a cloud platform and a cloud service, wherein:
the client is used by a user to enter the user name and password of a cloud account in order to log in to the cloud platform, and then to use the cloud platform to develop the required applications and products; the client is also used to initiate, to the cloud platform, an association request for establishing an association relationship between the cloud account and a service user role in the cloud service;
the cloud platform is used for providing cloud service resources to the user so that the user can develop applications, products and the like; when the user accesses the cloud service with the cloud account to submit a job, the job is submitted to the cloud service and run under the service user, based on the pre-established association relationship between the cloud account and the service user role.
The cloud platform, also called a cloud computing platform, is composed of software and hardware resources supporting the provided cloud service, and typically may include hardware resources such as servers, storage units, network components, and software resources deployed on the hardware resources. The cloud platform allows developers to either run written programs in the "cloud," use services provided in the "cloud," or both. Wherein "cloud" includes: public clouds, private clouds, hybrid clouds, etc. Cloud computing is a pay-per-use model that provides available, convenient, on-demand network access into a configurable shared pool of computing resources (resources including networks, servers, storage, applications, services) that can be provisioned quickly, with little administrative effort, or interaction with service providers.
Cloud services, an augmentation, usage and interaction model for internet-based related services, typically involve providing dynamically scalable and often virtualized resources over the internet. Specific examples are clusters, databases and the like. The cluster here is a cluster on the cloud: a group of mutually independent computers interconnected through a high-speed network, forming a group that is managed as a single system. Common clusters include high-availability clusters (HA), load balancing clusters (LBC), high performance computing clusters (HPC), and the like. The database here is an on-cloud database, i.e. a database optimized for or deployed in a virtual computing environment, which offers advantages such as pay-on-demand, scale-on-demand, high availability and storage integration.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Example 1
Fig. 2 is a schematic flowchart of a user access processing method provided in embodiment 1 of this specification, and referring to fig. 2, the method may be executed by a cloud platform, and specifically may include the following steps:
step 22, acquiring an access request initiated by a target account in a cloud platform, wherein the access request is used for requesting access to a cloud service with an independent account management system;
The access request includes a login access request, a read access request, a write access request, and the like. The cloud platform may be a platform in the PaaS service mode (PaaS platform for short), a platform in the IaaS service mode (IaaS platform for short), or a platform in the SaaS service mode (SaaS platform for short).
Step 24, verifying the target account based on the authority corresponding to the access request and the authority of the role of the user associated with the target account in the cloud service;
it should be noted that, with reference to fig. 3, one implementation of step 24 may be:
step 32, determining the authority required by the access request;
it will be appreciated that to increase access security and security verification flexibility, different permission requirements may be configured for different access requests. For example: for read-only access requests, lower permission requirements can be configured; higher authority requirements can be configured for access requests such as node management and job management, or access requests such as node management and job management further initiated by read-only access requests.
Step 34, verifying whether the authority of the target account in the cloud platform is matched with the authority required by the access request;
if yes, go to step 36; if not, go to step 310;
it will be understood that the implementation of step 32 and step 34 may be exemplified by:
if the target account initiates an access request for managing sub-accounts, the target account is required to have management authority; if the target account is an account with management authority, the authority of the target account is determined to match the authority required by the access request. Alternatively:
assuming that the target account is a sub-account and initiates an access request for managing sub-accounts, it can be determined that the target account does not have the management authority required by the access request, and therefore its authority does not match.
Step 36, determining whether the target account has an associated service user or not based on the association relationship between the cloud account and the service user;
if yes, go to step 38; if not, go to step 310.
It should be understood that one implementation of step 36 may be:
step S1, acquiring an association relation between a pre-established cloud account and a service user role;
and step S2, determining that the verification result is passed when the target account is determined to have the associated user role based on the association relation.
It is understood that the association relationship may be an association relationship between a cloud account and a service user having matching rights. The method can be embodied by creating a mapping table. The specific implementation mode can be as follows: creating a cloud account table and a service user table; determining the authority of each cloud account in the cloud account table and the authority of each user in the service user table; and establishing a mapping relation between the cloud account and the service user with the matched authority.
The matching authority can be the authority of the role of the cloud account and the authority of the role of the service user. For example: the cloud account with the role as the administrator is matched with the authority of the service user with the role as the administrator, and the cloud account with the role as the operator is matched with the authority of the service user with the role as the operator.
Based on this, when it is found from the mapping table that the target account has an associated service user, the verification result is determined to be pass.
In addition, the rule for pre-establishing the association relationship may be: the cloud platform actively establishes an association relationship between a cloud account and a service user based on the degree of interaction between them. For example, when a user frequently logs in to the cloud platform with a first cloud account and then accesses the cloud service as a first service user, the cloud platform collects statistics such as how often this occurs to determine the degree of interaction between the first cloud account and the first service user, and then automatically establishes an association relationship between them. Alternatively, the cloud platform passively establishes an association relationship between the cloud account and the service user based on an association request initiated by the cloud account.
for the passive solution, in conjunction with fig. 4, a first implementation manner may be:
step 42, acquiring an association request initiated by an account with management authority in the cloud platform, wherein the association request is used for requesting to associate the target account with a user in the cloud service, and the target account is a sub-account of the account with management authority;
step 44, verifying the target account number based on the authority of the role of the user;
and step 46, responding to the association request based on the verification result. The method specifically comprises the following steps:
when the verification result is pass, associating the target account with the user so that the target account has the authority of the role of the user in the cloud service; and when the verification result is fail, refusing to associate the target account with the user.
It will be appreciated that the present implementation is generally directed to the case where an administrator account is associated with one or more service users on a service for its sub-account.
With reference to fig. 5, a second implementation manner may be:
step 52, acquiring an association request initiated by a target account, wherein the association request is used for requesting to associate the target account with a user in the cloud service;
step 54, verifying the target account number based on the authority of the role of the user;
and step 56, responding to the association request based on the verification result. The method specifically comprises the following steps:
when the verification result is pass, associating the target account with the user so that the target account has the authority of the role of the user in the cloud service; and when the verification result is fail, refusing to associate the target account with the user.
It is understood that, compared with the first implementation manner, in the implementation manner, the administrator account issues the authority of the associated service user to the governed sub-account, so that the sub-account can autonomously initiate a request for setting and modifying the associated service user to the cloud platform.
For steps 44 and 54, one implementation may be:
verifying whether the authority of the target account number in the cloud platform is matched with the authority of the role of the user, and if so, determining that the verification result is a pass; if not, determining that the verification result is failed. Therefore, the risk of unauthorized operation can be effectively avoided.
Step 38, determining that the verification result is passed;
that is, it is determined that the target account has the associated service user's authority on the cloud service, and the target account is allowed to access the cloud service.
And step 310, determining that the verification result is failed.
That is, it is determined that the target account does not have the right to access the cloud service.
Step 26, responding to the access request based on the verification result. This specifically comprises:
when the verification result is pass, responding to the access request so that the target account accesses the cloud service; and when the verification result is fail, refusing the target account access to the cloud service.
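As an added example (not the patent's own code), the verification of steps 32 to 38 together with the two ways of establishing the association in steps 42 to 46 and 52 to 56, modelled in Python. The role ordering, the request table and the account names are constructed, and "matched authority" is read as "the service user's role may not exceed the cloud account's role", which is an assumption.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Role(IntEnum):
    """Role privilege levels (constructed ordering: higher value = more authority)."""
    USER = 1       # common user: read and submit jobs
    JOB_ADMIN = 2  # job management
    ADMIN = 3      # node and sub-account management


# Step 32: authority required by each kind of access request (constructed table).
REQUIRED_ROLE: Dict[str, Role] = {
    "read": Role.USER,
    "submit_job": Role.USER,
    "manage_jobs": Role.JOB_ADMIN,
    "manage_nodes": Role.ADMIN,
    "manage_subaccounts": Role.ADMIN,
}


@dataclass
class CloudAccount:
    name: str
    role: Role
    parent: Optional[str] = None       # administrator account that owns this sub-account
    may_self_associate: bool = False   # association authority delegated by the administrator


@dataclass
class CloudPlatform:
    accounts: Dict[str, CloudAccount]
    service_users: Dict[str, Role]                             # service-side user table: user -> role
    association: Dict[str, str] = field(default_factory=dict)  # mapping table: cloud account -> service user

    def _authority_matches(self, account: CloudAccount, service_user: str) -> bool:
        # Steps 44/54. Assumption: "matched" means the service user's role does not
        # exceed the cloud account's own role, so a sub-account cannot obtain authority
        # on the service that it does not already hold on the platform.
        return account.role >= self.service_users[service_user]

    def associate(self, requester: str, target: str, service_user: str) -> bool:
        """Steps 42-46 (administrator associates its own sub-account) and
        steps 52-56 (sub-account associates itself after delegation)."""
        if service_user not in self.service_users:
            return False
        req, tgt = self.accounts[requester], self.accounts[target]
        if requester == target:
            allowed = tgt.may_self_associate                              # second implementation
        else:
            allowed = req.role == Role.ADMIN and tgt.parent == requester  # first implementation
        if not allowed or not self._authority_matches(tgt, service_user):
            return False                                                  # refuse the association
        self.association[target] = service_user
        return True

    def verify_access(self, account: str, request: str) -> Tuple[bool, str]:
        """Step 24 as in fig. 3; returns (passed, service user or reason)."""
        acct = self.accounts[account]
        needed = REQUIRED_ROLE.get(request)
        if needed is None or acct.role < needed:      # step 34 fails -> step 310
            return False, "authority does not match the request"
        service_user = self.association.get(account)  # step 36: look up the mapping table
        if service_user is None:                      # no associated service user -> step 310
            return False, "no associated service user"
        return True, service_user                     # step 38

    def respond(self, account: str, request: str) -> str:
        """Step 26: serve the request under the associated service user or refuse it."""
        passed, detail = self.verify_access(account, request)
        return f"{request} runs as {detail}" if passed else f"refused: {detail}"


def build_demo() -> CloudPlatform:
    """Constructed data following embodiment 2: two sub-accounts, two cluster users."""
    accounts = {
        "admin": CloudAccount("admin", Role.ADMIN),
        "sub1": CloudAccount("sub1", Role.USER, parent="admin"),
        "sub2": CloudAccount("sub2", Role.JOB_ADMIN, parent="admin"),
    }
    service_users = {"cluster_user1": Role.JOB_ADMIN, "cluster_user2": Role.USER}
    return CloudPlatform(accounts, service_users)


if __name__ == "__main__":
    p = build_demo()
    print(p.associate("admin", "sub1", "cluster_user1"))  # False: common user vs job administrator
    print(p.associate("admin", "sub1", "cluster_user2"))  # True
    print(p.respond("sub1", "submit_job"))                # submit_job runs as cluster_user2
    print(p.respond("sub2", "submit_job"))                # refused: no associated service user
```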
Optionally, to make the matching of permissions more flexible, this embodiment may configure different verification policies for cloud accounts with different security levels, for example:
Verification policy 1: if it is verified that the cloud account has an associated service user on the cloud service, the verification is determined to be passed; this corresponds to steps 32 to 38.
Verification policy 2: if it is verified that the cloud account has an associated service user on the cloud service, the validity of the service user is further verified. This specifically comprises:
verifying whether the certificate of the service user carried in the access request has expired, and if not, determining that verification passes; alternatively,
instructing the user to enter the user name and/or password of the service user, verifying whether the user name and/or password are valid, and if so, determining that verification passes.
Verification policy 3: after the access request initiated by the cloud account is obtained, determine whether it is the first access request initiated by that cloud account; if so, instruct the user to enter the user name and/or password of the service user and verify whether they are valid, and if so, determine that the verification result is pass; for subsequently initiated access requests, do not ask for the user name and/or password of the service user again.
Verification policy 4: on the basis of verification policy 3, set a validity period for the verification result of the entered user name and/or password of the service user. That is, after an access request initiated by the cloud account is obtained, verify whether the verification validity period of the cloud account has expired; if so, instruct the user to enter the user name and/or password of the service user again, and verify whether they are valid.
The step of verifying that the user name and the password of the input user are valid may be implemented as follows:
step S1, acquiring a user name and a password of the user role recorded by the cloud service;
step S2, when it is determined that the input user name and password of the user role respectively match the user name and password of the user role recorded by the cloud service, determining that the input user name and password of the user role are valid.
It should be noted that, one implementation manner of step S2 may be:
the cloud platform acquires first password authentication information, wherein the first password authentication information is acquired by encrypting a recorded password of a user by the cloud service in a preset encryption mode; acquiring second password authentication information, wherein the second password authentication information is acquired after the cloud platform encrypts the input password of the user in the preset encryption mode; and when the first password authentication information is determined to be matched with the second password authentication information, determining that the input password of the user is matched with the password of the user recorded by the cloud service. For example:
the cloud platform requests the cloud service to transmit its shadow file over a secure encrypted channel; the shadow file carries the first password authentication information and the encryption mode, the encryption mode preferably being the sha512 secure hash algorithm; the cloud platform then hashes the password entered by the sub-account with the same algorithm and the same salt string, and if the hash values match, the password is confirmed to match.
Another implementation manner of step S2 may be:
the cloud platform sends a password authentication request to the cloud service, wherein the password authentication request carries first password authentication information, and the first password authentication information is obtained after the cloud platform encrypts an input password of a user in a preset encryption mode;
receiving confirmation information returned by the cloud service, determining that an input password of the user is matched with a password of the user recorded by the cloud service based on the confirmation information, wherein the confirmation information is returned when the cloud service encrypts the recorded password of the user based on the preset encryption mode to obtain second password authentication information, and determining that the first password authentication information is matched with the second password authentication information.
That is, the cloud platform sends the first password authentication information obtained by encryption, together with the encryption mode used, to the cloud service; the cloud service encrypts the recorded password of the user in the same encryption mode to obtain second password authentication information, compares the first password authentication information with the second, and if they match, determines that authentication passes and returns confirmation information to the cloud platform.
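As an added example (not the patent's code), the shadow-file variant of step S2 in Python: the platform parses a record in the `$6$salt$hash` form carried by a Linux shadow file, recomputes sha512-crypt over the entered password with the same salt and round count, and compares the result with the stored value in constant time. The sha512-crypt routine follows the published Unix crypt specification; the shadow line is constructed, using that specification's own test vector for the password "Hello world!".

```python
import hashlib
import hmac
from typing import Tuple

B64_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)-style base64: emit n 6-bit groups, least significant first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64_ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Unix sha512-crypt ($6$) per Drepper's specification; returns the encoded hash only."""
    salt = salt[:16]
    plen, slen = len(password), len(salt)
    sha = hashlib.sha512
    # Digest B = H(password || salt || password)
    b = sha(password + salt + password).digest()
    # Digest A = H(password || salt || B repeated to password length || length-bit mix)
    a = sha(password + salt)
    a.update(b * (plen // 64) + b[: plen % 64])
    n = plen
    while n > 0:
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    # P = DP repeated to password length, where DP = H(password repeated plen times)
    dp = sha(password * plen).digest()
    p = dp * (plen // 64) + dp[: plen % 64]
    # S = DS repeated to salt length, where DS = H(salt repeated 16 + A[0] times)
    ds = sha(salt * (16 + a[0])).digest()
    s = ds * (slen // 64) + ds[: slen % 64]
    # Iterated rounds, alternating the order of P and the running digest C
    c = a
    for i in range(rounds):
        h = sha()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    # Encode with the fixed byte permutation of the specification
    out = []
    for i in range(21):
        x, y, z = i, i + 21, i + 42
        x, y, z = ((x, y, z), (y, z, x), (z, x, y))[i % 3]
        out.append(_b64_from_24bit(c[x], c[y], c[z], 4))
    out.append(_b64_from_24bit(0, 0, c[63], 2))
    return "".join(out)


def parse_shadow_line(line: str) -> Tuple[str, int, bytes, str]:
    """Return (user, rounds, salt, hash) from a shadow line whose password field is $6$..."""
    user, pw_field = line.split(":")[:2]
    parts = pw_field.split("$")  # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a sha512-crypt record")
    rounds, idx = 5000, 2
    if parts[2].startswith("rounds="):
        rounds, idx = int(parts[2][len("rounds="):]), 3
    return user, rounds, parts[idx].encode(), parts[idx + 1]


def verify_password(shadow_line: str, entered: str) -> bool:
    """Platform-side check: hash the entered password with the record's own salt
    and rounds, then compare in constant time so timing reveals nothing about the match."""
    _, rounds, salt, stored = parse_shadow_line(shadow_line)
    computed = sha512_crypt(entered.encode(), salt, rounds)
    return hmac.compare_digest(computed, stored)


# Constructed shadow-style record for a cluster user; the hash is the published
# sha512-crypt test vector for password "Hello world!" with salt "saltstring".
SAMPLE_SHADOW_LINE = (
    "cluster_user1:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFN"
    "jnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:18000:0:99999:7:::"
)

if __name__ == "__main__":
    print(verify_password(SAMPLE_SHADOW_LINE, "Hello world!"))  # True
    print(verify_password(SAMPLE_SHADOW_LINE, "Hello world"))   # False
```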
In addition, the security level of the sub-account may be configured by an administrator or the cloud platform based on the role of the cloud account, the manner of accessing the cloud platform, the network environment where the sub-account is located, and other factors, and the authentication policy corresponding to the security level may be flexibly configured by the administrator or the cloud platform, which is not limited herein.
As can be seen, in the embodiment, by establishing the association relationship between the cloud account and the service user with the authority matched with each other, when an access request initiated by the cloud account is received, the cloud account is verified based on the association relationship, and when a verification result is that the access request is passed, the authority of the role of the service user associated with the cloud account allows access to the cloud service. Compared with the prior art, the cloud service can be accessed by using the cloud account number without providing the user name and the password of the service user, so that the cloud service access efficiency and the user experience are effectively improved.
Example 2
Fig. 6 is an interaction schematic diagram of a user access processing method provided in embodiment 2 of the present specification. Referring to fig. 6, the method is described below taking a PaaS platform as the cloud platform and a cluster service as the cloud service:
Step 62, an administrator initiates an association request to the PaaS platform through a client;
the association request associates sub-accounts of the administrator with cluster users. Suppose the association request carries the identification information of sub-accounts 1 and 2 and of cluster users 1 and 2, and is used to associate sub-account 1 with cluster user 1 and sub-account 2 with cluster user 2.
Step 64, the PaaS platform verifies the sub-accounts based on the authority of the cluster users; this specifically comprises:
the PaaS platform verifies whether the authority of the role of sub-account 1 on the PaaS platform matches the authority of the role of cluster user 1 on the cluster, and if so, the verification is determined to be passed. For example, if the role of sub-account 1 is common user while the role of cluster user 1 in the cluster is job administrator, verification fails and sub-account 1 cannot be associated with cluster user 1.
Step 66, returning the correlation result;
it is understood that if the verification result is passed, a result of successful association is returned; and if the verification result is failed, returning a result of failed association.
Step 68, sub-account 1 logs in to the PaaS platform through the client;
Step 610, sub-account 1 submits a first job to the PaaS platform;
Step 612, the PaaS platform verifies the validity of the cluster user; this specifically comprises:
the PaaS platform first determines the verification policy of sub-account 1, which may be configured by an administrator or by the PaaS platform; for example: on the first job submission, the user is instructed to enter the user name and/or password of the cluster user, which are then verified, and after the verification validity period has passed, the user is instructed again to enter the user name and/or password of the cluster user for verification.
Then, the cluster user is authenticated based on the authentication policy, and when the authentication result is passed, step 614 is executed.
Therefore, different verification strategies can be set for different sub-accounts, for example, different account verification strategies can be set for accounts which do not need to interact, accounts which run background jobs and accounts which are used by common users and are used for submitting jobs interactively.
614, submitting a first job to the cluster by the Pass platform;
step 616, the cluster runs the first job under the cluster user;
that is, the cluster runs the first job under the cluster user 1 through the corresponding computer node, and thus, the sub-account 1 or the cluster user 1 can view the first job on the cluster.
Step 618, the sub account number 2 submits a second job to the Pass platform through the client;
step 620, submitting a second job to the cluster by the Pass platform;
it will be appreciated that the Pass platform will also authenticate clustered users 2 associated with sub-account 2 before performing step 620.
Step 622, the cluster runs a second job under the cluster user;
that is, the cluster runs the second job under the cluster user 2 through the corresponding computer node, and thus, the sub-account 2 or the cluster user 2 can view the first job on the cluster.
As can be seen, in this embodiment an association is established between a cloud account and a cluster user (a user in the cluster) whose permissions match. When an access request initiated by the cloud account is received, the cloud account is verified on the basis of that association, and when verification passes, the cloud account is allowed to access the cluster with the permissions of the role of the cluster user associated with it. Compared with the prior art, after logging in to the PaaS platform the cloud account can access the cluster directly, without supplying the user name and password of the cluster user, which improves the user experience.
Example 3
Fig. 7 is an interaction diagram of the user access processing method provided in embodiment 3 of this specification. Referring to Fig. 7, compared with embodiment 2, this embodiment additionally grants the sub-account the right to set and associate its own cluster user, so that the sub-account can set and modify the associated cluster user itself and the administrator's workload is reduced. Specifically:
Step 72, the sub-account sends an association request to the PaaS platform through the client;
the association request carries identification information of the sub-account and of the cluster user, and asks for the two to be associated.
Step 74, the PaaS platform verifies the sub-account on the basis of the cluster user's permissions; specifically:
the PaaS platform determines the role of the cluster user in the cluster and the permissions of that role, determines the role of the sub-account on the PaaS platform and the permissions of that role, and then compares whether the permissions of the two roles match; if so, it determines that verification passes and establishes the association between the two.
Step 76, returning the association result;
if verification passed, a message of successful association is returned; if verification failed, a message of unsuccessful association is returned.
Step 78, the sub-account submits a job to the PaaS platform through the client;
Step 710, the PaaS platform verifies the validity of the cluster user; specifically:
the PaaS platform first determines the verification policy of the sub-account, which may be configured by the administrator or by the PaaS platform. For example: on the first job submission the user is prompted to enter the user name and/or password of the cluster user, which is then verified; once the verification validity period has expired, the user is prompted again to enter the user name and/or password of the cluster user, which is verified again.
Then the cluster user is verified according to that verification policy, and when verification passes, step 712 is executed.
In this way different verification policies can be set for different sub-accounts, for example one policy for accounts that need no interaction, another for accounts that run background jobs, and another for accounts used by common users to submit jobs interactively.
Step 712, the PaaS platform submits the job to the cluster;
Step 714, the cluster runs the job under the cluster user on the corresponding compute node.
As can be seen, in this embodiment an association is established between a cloud account and a cluster user (a user in the cluster) whose permissions match. When an access request initiated by the cloud account is received, the cloud account is verified on the basis of that association, and when verification passes, the cloud account is allowed to access the cluster with the permissions of the role of the cluster user associated with it. Compared with the prior art, after logging in to the PaaS platform the cloud account can access the cluster directly, without supplying the user name and password of the cluster user, which improves the user experience.
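The association checks of Examples 2 and 3 (steps 62 to 66 and 72 to 76) and the access check they prepare for (the permission-then-association test of the first verification module), as an added Python example that is not part of the patent. The role names, the permission sets behind each role, the rule that two roles "match" when their permission sets are equal, and the permission each request type requires are assumptions; the patent does not define any of them.

```python
"""Added example (not the patent's own code): association and access-request
verification for sub-accounts of a PaaS platform fronting a cluster.
Role names, permission sets, the "matching" rule and the permission each
request type needs are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed role -> permission sets. Role names differ between the platform and
# the cluster, so roles are compared by the permissions they grant, not by name.
PLATFORM_ROLES: Dict[str, frozenset] = {
    "common_user": frozenset({"job:submit", "job:view_own"}),
    "job_admin": frozenset({"job:submit", "job:view_own", "job:view_all", "job:cancel"}),
}
CLUSTER_ROLES: Dict[str, frozenset] = {
    "job_user": frozenset({"job:submit", "job:view_own"}),
    "job_admin": frozenset({"job:submit", "job:view_own", "job:view_all", "job:cancel"}),
}
# Assumed: the permission each kind of access request requires (the patent only
# says different requests are configured with different requirements).
REQUIRED = {"submit_job": "job:submit", "cancel_job": "job:cancel", "list_all_jobs": "job:view_all"}


@dataclass
class Account:
    name: str
    role: str
    parent: Optional[str] = None   # administrator account that owns this sub-account
    is_admin: bool = False          # account with management authority


@dataclass
class ClusterUser:
    name: str
    role: str


class PaaSPlatform:
    def __init__(self) -> None:
        self.associations: Dict[str, str] = {}   # sub-account name -> cluster user name

    @staticmethod
    def permissions_match(platform_role: str, cluster_role: str) -> bool:
        # Assumed matching rule: identical permission sets on both sides.
        return PLATFORM_ROLES[platform_role] == CLUSTER_ROLES[cluster_role]

    def associate(self, requester: Account, target: Account, user: ClusterUser) -> str:
        """Steps 62-66 (administrator associates its sub-account) and 72-76
        (sub-account associates itself)."""
        if requester.name != target.name and not (requester.is_admin and target.parent == requester.name):
            return "association failed: requester may not associate this account"
        # Step 64 / 74: the sub-account's platform role must match the cluster user's role.
        if not self.permissions_match(target.role, user.role):
            return "association failed: permissions do not match"
        self.associations[target.name] = user.name
        return "association succeeded"

    def verify_access(self, account: Account, request_type: str) -> Tuple[bool, Optional[str]]:
        """Access request: required permission first, then the pre-established association.
        Returns (passed, cluster user the job will run under)."""
        required = REQUIRED[request_type]
        if required not in PLATFORM_ROLES[account.role]:
            return False, None
        user = self.associations.get(account.name)
        if user is None:
            return False, None
        return True, user


def run_example() -> dict:
    """Constructed scenario mirroring the examples: two sub-accounts of one
    administrator, a sub-account of another administrator, three cluster users."""
    platform = PaaSPlatform()
    admin = Account("admin", "job_admin", is_admin=True)
    sub1 = Account("sub_account_1", "common_user", parent="admin")
    sub2 = Account("sub_account_2", "job_admin", parent="admin")
    stranger = Account("sub_account_9", "common_user", parent="other_admin")
    cu1 = ClusterUser("cluster_user_1", "job_admin")
    cu2 = ClusterUser("cluster_user_2", "job_admin")
    cu3 = ClusterUser("cluster_user_3", "job_user")
    return {
        "admin_sub1_cu1": platform.associate(admin, sub1, cu1),        # common user vs job administrator
        "admin_sub2_cu2": platform.associate(admin, sub2, cu2),        # Example 2, matching roles
        "self_sub1_cu3": platform.associate(sub1, sub1, cu3),          # Example 3, self-service
        "admin_stranger_cu3": platform.associate(admin, stranger, cu3),  # not this admin's sub-account
        "sub1_submit": platform.verify_access(sub1, "submit_job"),
        "sub1_cancel": platform.verify_access(sub1, "cancel_job"),     # permission missing
        "sub2_cancel": platform.verify_access(sub2, "cancel_job"),
        "stranger_submit": platform.verify_access(stranger, "submit_job"),  # no association
    }
```

Two points a practitioner should take from the flow. The access check consults only the cloud account's own platform permission and the existence of an association, and the job then runs with whatever the cluster user can do, so the matching rule applied at association time is the only thing that stops a low-privilege cloud account from being mapped to a high-privilege cluster user; treating "match" as set equality rather than "no less than" keeps the mapping from widening privileges in either direction. The ownership check on the requester matters in Example 2 as well, because the association request names the sub-accounts explicitly rather than deriving them from the caller.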
In addition, for simplicity of explanation, the above-described method embodiments are described as a series of acts or combinations, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts or steps described, as some steps may be performed in other orders or simultaneously according to the present invention. Furthermore, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Example 4
Fig. 8 is a schematic structural diagram of a user access processing device provided in embodiment 4 of this specification. Referring to Fig. 8, the device may specifically include a first obtaining module 81, a first verification module 82 and a first response module 83, where:
the first obtaining module 81 is configured to obtain an access request initiated by a target account in a cloud platform, the access request requesting access to a cloud service that has an independent account management system;
the first verification module 82 is configured to verify the target account on the basis of the permission corresponding to the access request and the permissions of the role of the user associated with the target account in the cloud service;
the first response module 83 is configured to respond to the access request on the basis of the verification result.
Optionally, the device further includes:
a second obtaining module, configured to obtain an association request initiated by an account with management authority in the cloud platform, the association request requesting that the target account be associated with a user in the cloud service, where the target account is a sub-account of the account with management authority;
a second verification module, configured to verify the target account on the basis of the permissions of the user's role;
a second response module, configured to respond to the association request on the basis of the verification result.
Optionally, the device further includes:
a third obtaining module, configured to obtain an association request initiated by the target account, the association request requesting that the target account be associated with a user in the cloud service;
a third verification module, configured to verify the target account on the basis of the permissions of the user's role;
a third response module, configured to respond to the association request on the basis of the verification result.
Optionally, the second verification module or the third verification module is specifically configured to:
verify whether the permissions of the target account in the cloud platform match the permissions of the user's role in the cloud service, and if so, determine that the verification result is passed.
Optionally, the first verification module is specifically configured to:
verify whether the permissions of the target account in the cloud platform match the permission required by the access request; if so, determine that the verification result is passed when, on the basis of a pre-established association between accounts in the cloud platform and users in the cloud service, the target account is found to have an associated user;
where the association is one between an account and a user whose permissions match.
Optionally, the device further includes:
a fourth verification module, configured to prompt for the user name and password of the user, and to determine that the verification result is passed when the entered user name and password of the user are verified to be valid.
Optionally, the fourth verification module is specifically configured to:
prompt for the user name and password of the user when the access request is determined to be the first one initiated by the target account; or prompt for the user name and password of the user when the verification validity period of the target account is determined to have expired.
Optionally, the fourth verification module is specifically configured to:
obtain the user name and password of the user as recorded by the cloud service, and determine that the entered user name and password of the user are valid when they respectively match the user name and password of the user recorded by the cloud service.
Optionally, the fourth verification module is specifically configured to:
obtain first password authentication information, which the cloud service produces by encrypting the recorded password of the user in a preset encryption mode; encrypt the entered password of the user in the same preset encryption mode to obtain second password authentication information; and determine that the entered password of the user matches the password of the user recorded by the cloud service when the first password authentication information matches the second password authentication information.
Optionally, the fourth verification module is specifically configured to:
send a password authentication request to the cloud service, the request carrying first password authentication information obtained by encrypting the entered password of the user in a preset encryption mode; and receive confirmation information returned by the cloud service and determine from it that the entered password of the user matches the password of the user recorded by the cloud service, where the cloud service returns the confirmation information after encrypting the recorded password of the user in the same preset encryption mode to obtain second password authentication information and determining that the first password authentication information matches the second password authentication information.
Optionally, the device is suitable for running on a PaaS platform, which provides cloud service resources to users on top of the cloud platform; the cloud service resources include clusters and databases.
As can be seen, in this embodiment an association is established between a cloud account and a service user (a user in the cloud service) whose permissions match. When an access request initiated by the cloud account is received, the cloud account is verified on the basis of that association, and when verification passes, the cloud service is accessed with the permissions of the role of the service user associated with the cloud account. Compared with the prior art, the cloud service can be accessed with the cloud account alone, without supplying the user name and password of the service user, which improves cloud service access efficiency and the user experience.
In addition, since the device embodiment is basically similar to the method embodiment, its description is brief, and for the relevant points reference may be made to the description of the method embodiment. Further, it should be noted that the components of the device of the present invention are divided logically according to the functions to be realized, but the present invention is not limited thereto; the components may be re-divided or combined as necessary.
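The cluster-user credential check performed by the fourth verification module above (the same check as steps 612 and 710 of Examples 2 and 3), as an added Python example that is not the patent's code. The patent leaves the "preset encryption mode" unspecified; the example assumes a salted one-way derivation (PBKDF2-HMAC-SHA256), which is what a stored password record should be, and models both the flow in which the platform fetches the recorded value and compares locally and the flow in which the platform sends the derived value and the cloud service compares. The verification-policy fields, the user name and the passwords are constructed.

```python
"""Added example (not the patent's own code): cluster-user credential check
of the fourth verification module with a per-account verification policy.
Salted PBKDF2 stands in for the unspecified "preset encryption mode"; policy
fields, user names and passwords are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for the derivation


def derive(password: str, salt: bytes) -> bytes:
    """The "preset encryption mode": a salted one-way derivation, so that neither
    the stored record nor the value compared is the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Cluster:
    """The cloud service with its own account system. It records only the salt
    and the derived value, never the plaintext password."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[name] = (salt, derive(password, salt))

    def salt_for(self, name: str) -> Optional[bytes]:
        rec = self._records.get(name)
        return None if rec is None else rec[0]

    def recorded_auth_info(self, name: str) -> Optional[bytes]:
        """Local-compare flow: hand the recorded value to the platform."""
        rec = self._records.get(name)
        return None if rec is None else rec[1]

    def confirm(self, name: str, candidate: bytes) -> bool:
        """Remote-compare flow: the platform sends the candidate, the cluster compares."""
        rec = self._records.get(name)
        return rec is not None and hmac.compare_digest(rec[1], candidate)


@dataclass
class Policy:
    # None: never prompt again after the first successful check (assumed
    # setting for accounts that run background jobs).
    validity_seconds: Optional[float]


@dataclass
class Session:
    cluster_user: str                       # cluster user associated with the sub-account
    verified_at: Optional[float] = None


def needs_credentials(session: Session, policy: Policy, now: float) -> bool:
    """Prompt on the first access request, or once the validity period has expired."""
    if session.verified_at is None:
        return True
    if policy.validity_seconds is None:
        return False
    return now - session.verified_at > policy.validity_seconds


def check_credentials(cluster: Cluster, session: Session, username: str,
                      password: str, remote_compare: bool) -> bool:
    """The entered name must be the associated cluster user and the entered
    password must match the cluster's record (compared in constant time)."""
    if username != session.cluster_user:
        return False
    salt = cluster.salt_for(username)
    if salt is None:
        return False
    candidate = derive(password, salt)
    if remote_compare:
        return cluster.confirm(username, candidate)
    stored = cluster.recorded_auth_info(username)
    return stored is not None and hmac.compare_digest(stored, candidate)


def submit_job(cluster: Cluster, session: Session, policy: Policy, now: float,
               prompt: Callable[[], Tuple[str, str]], remote_compare: bool = False) -> str:
    """Verify the cluster user according to the policy, then forward the job."""
    if needs_credentials(session, policy, now):
        username, password = prompt()   # the user is instructed to enter cluster credentials
        if not check_credentials(cluster, session, username, password, remote_compare):
            return "rejected"
        session.verified_at = now
        return f"submitted as {session.cluster_user} (credentials checked)"
    return f"submitted as {session.cluster_user}"


def run_example() -> list:
    """Constructed scenario: one interactive sub-account with a one-hour validity period."""
    cluster = Cluster()
    cluster.add_user("cluster_user_1", "correct horse battery staple")
    policy = Policy(validity_seconds=3600)
    session = Session(cluster_user="cluster_user_1")
    good = lambda: ("cluster_user_1", "correct horse battery staple")
    wrong = lambda: ("cluster_user_1", "Tr0ub4dor&3")
    return [
        submit_job(cluster, session, policy, now=0, prompt=wrong),      # first job, wrong password
        submit_job(cluster, session, policy, now=1, prompt=good),       # first job, local compare
        submit_job(cluster, session, policy, now=1800, prompt=wrong),   # within validity: no prompt at all
        submit_job(cluster, session, policy, now=4000, prompt=good, remote_compare=True),  # expired: remote compare
    ]
```

Both flows move a password-derived value across the boundary between the platform and the cloud service: in the local-compare flow the platform receives the cloud service's stored record, and in the remote-compare flow the value the platform sends is, for that channel, as sensitive as the password itself, since anyone who captures it can replay it. Either way the exchange needs an authenticated, encrypted channel, the comparison should be constant-time (hmac.compare_digest here), and the entered user name must be checked against the cluster user actually associated with the sub-account, or a sub-account could authenticate as any cluster user whose credentials it happens to know.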
Example 5
Fig. 9 is a schematic structural diagram of an electronic device provided in embodiment 5 of this specification. Referring to Fig. 9, the electronic device includes a processor, an internal bus, a network interface, a memory and a non-volatile memory, and may also include hardware required by other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and runs it, forming the user access processing device at the logical level. Of course, besides a software implementation, this application does not exclude other implementations such as logic devices or a combination of software and hardware; that is, the executing subject of the following processing flow is not limited to logic units and may also be hardware or logic devices.
The network interface, the processor and the memory may be interconnected by a bus system. The bus may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
The memory is used for storing programs; in particular, a program may include program code comprising computer operating instructions. The memory may include read-only memory and random access memory, and provides instructions and data to the processor. The memory may include random access memory (RAM) and may also include non-volatile memory, such as at least one disk memory.
The processor is configured to execute the program stored in the memory, and specifically to:
obtain an access request initiated by a target account in a cloud platform, the access request requesting access to a cloud service that has an independent account management system;
verify the target account on the basis of the permission corresponding to the access request and the permissions of the role of the user associated with the target account in the cloud service;
respond to the access request on the basis of the verification result.
The method performed by the user access processing device or manager (Master) node according to the embodiment shown in Fig. 8 of this application may be applied to or implemented by a processor. The processor may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The methods, steps and logic blocks disclosed in the embodiments of this application may be implemented or executed by it. A general-purpose processor may be a microprocessor, or any conventional processor. The steps of the method disclosed in connection with the embodiments of this application may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software modules may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or registers. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the method in combination with its hardware.
The user access processing device may also perform the methods of Figs. 2 to 7 and implement the methods performed by the manager node.
Based on the same inventive concept, an embodiment of this application further provides a computer-readable storage medium storing one or more programs which, when executed by an electronic device including a plurality of application programs, cause the electronic device to perform the user access processing method provided by the embodiments corresponding to Figs. 2 to 7.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The foregoing description of specific embodiments has been presented for purposes of illustration and description. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (13)

1. A user access processing method, the method comprising:
obtaining an access request initiated by a target account in a cloud platform, wherein the access request is used for requesting access to a cloud service with an independent account management system;
verifying the target account based on the permission corresponding to the access request and the permissions of the role of the user associated with the target account in the cloud service;
responding to the access request based on the verification result;
wherein verifying the target account based on the permission corresponding to the access request and the permissions of the role of the user associated with the target account in the cloud service comprises:
determining the permission required by the access request, wherein different access requests are configured with different permission requirements;
verifying whether the permissions of the target account in the cloud platform match the permission required by the access request;
if yes, determining that the verification result is passed when the target account is determined to have an associated user based on a pre-established association between accounts in the cloud platform and users in the cloud service, wherein the association is an association between an account and a user with matching permissions, and matching permissions means that the permissions of the role of the account in the cloud platform match the permissions of the role of the user in the cloud service.
2. The method of claim 1, wherein before verifying the target account, the method further comprises:
obtaining an association request initiated by an account with management authority in the cloud platform, wherein the association request is used for requesting that the target account be associated with a user in the cloud service, and the target account is a sub-account of the account with management authority;
verifying the target account based on the permissions of the role of the user;
responding to the association request based on the verification result.
3. The method of claim 1, wherein before verifying the target account, the method further comprises:
obtaining an association request initiated by the target account, wherein the association request is used for requesting that the target account be associated with a user in the cloud service;
verifying the target account based on the permissions of the role of the user;
responding to the association request based on the verification result.
4. The method of claim 2 or 3, wherein verifying the target account based on the permissions of the role of the user comprises:
verifying whether the permissions of the target account in the cloud platform match the permissions of the role of the user in the cloud service, and if so, determining that the verification result is passed.
5. The method of claim 1, further comprising:
instructing the user to enter the user name and password of the user;
and determining that the verification result is passed when the entered user name and password of the user are verified to be valid.
6. The method of claim 5, wherein instructing the user to enter the user name and password of the user comprises:
when the access request is determined to be the first initiated by the target account, instructing the user to enter the user name and password of the user;
or,
when the verification validity period of the target account is determined to have expired, instructing the user to enter the user name and password of the user.
7. The method of claim 5, wherein verifying that the entered user name and password of the user are valid comprises:
obtaining the user name and password of the user recorded by the cloud service;
and determining that the entered user name and password of the user are valid when they respectively match the user name and password of the user recorded by the cloud service.
8. The method of claim 7, wherein determining that the entered user name and password of the user respectively match the user name and password of the user recorded by the cloud service comprises:
obtaining first password authentication information, wherein the first password authentication information is obtained after the cloud service encrypts the recorded password of the user in a preset encryption mode;
encrypting the entered password of the user in the preset encryption mode to obtain second password authentication information;
and determining that the entered password of the user matches the password of the user recorded by the cloud service when the first password authentication information matches the second password authentication information.
9. The method of claim 7, wherein determining that the entered user name and password of the user respectively match the user name and password of the user recorded by the cloud service comprises:
sending a password authentication request to the cloud service, wherein the password authentication request carries first password authentication information, and the first password authentication information is obtained by encrypting the entered password of the user in a preset encryption mode;
receiving confirmation information returned by the cloud service, and determining based on the confirmation information that the entered password of the user matches the password of the user recorded by the cloud service, wherein the confirmation information is returned when the cloud service encrypts the recorded password of the user in the preset encryption mode to obtain second password authentication information and determines that the first password authentication information matches the second password authentication information.
10. The method of claim 1, adapted for execution on a PaaS platform, the PaaS platform being a cloud platform in PaaS service mode for providing cloud service resources to users;
the cloud service resources include: clusters and databases.
11. A user access processing apparatus comprising:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring an access request initiated by a target account in a cloud platform, and the access request is used for requesting to access cloud services with an independent account management system;
the first verification module is used for verifying the target account number based on the authority corresponding to the access request and the authority of the role of the user associated with the target account number in the cloud service;
a first response module for responding to the access request based on the verification result;
wherein the first verification module is specifically configured to:
determining the authority required by the access request, wherein the authority requirements configured by different access requests are different;
verifying whether the authority of the target account in the cloud platform is matched with the authority required by the access request;
if yes, determining that the verification result is "passed" when the target account is determined to have an associated user based on a pre-established association relationship between accounts in the cloud platform and users in the cloud service, wherein the association relationship is an association between an account and a user whose authorities match, and matching authority means that the authority of the role of the account in the cloud platform matches the authority of the role of the user in the cloud service.
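The verification module of claim 11 and the password check of claim 9, written out as an added Python example that is not part of the patent: the request-to-authority table, the role authorities, the account roles and the account-to-user association are constructed sample data, and SHA-256 over a fixed preset salt stands in for the unspecified "preset encryption mode".

```python
import hashlib
import hmac

# Constructed sample data (not from the patent): the authority each request type needs,
# the authorities of each platform role, the role of each platform account, and the
# pre-established account -> cloud-service user association of claim 11.
REQUIRED_AUTHORITY = {"create_cluster": "cluster.write", "query_database": "db.read"}
PLATFORM_ROLE_AUTHORITY = {"admin": {"cluster.write", "db.read"}, "reader": {"db.read"}}
PLATFORM_ACCOUNT_ROLE = {"acct-001": "admin", "acct-002": "reader", "acct-003": "reader"}
# Only accounts whose role authority matches a user's role authority were associated;
# acct-003 has no associated user, so it fails even for a request its role allows.
ACCOUNT_USER_ASSOCIATION = {"acct-001": "alice", "acct-002": "bob"}

def verify_access(account_id, request_type):
    """First verification module (claim 11): returns (passed, detail)."""
    required = REQUIRED_AUTHORITY.get(request_type)
    if required is None:
        return False, "unknown request type"
    role = PLATFORM_ACCOUNT_ROLE.get(account_id)
    if required not in PLATFORM_ROLE_AUTHORITY.get(role, set()):
        return False, "account authority does not match the request"
    user = ACCOUNT_USER_ASSOCIATION.get(account_id)
    if user is None:
        return False, "no associated cloud-service user"
    return True, user

# Claim 9: both sides apply the same preset transformation to the password and the
# cloud service compares the results; SHA-256 over a fixed salt is an assumption.
PRESET_SALT = b"preset-salt-example"

def password_auth_info(password):
    return hashlib.sha256(PRESET_SALT + password.encode("utf-8")).hexdigest()

class CloudService:
    """Cloud service with its own account system (constructed stub)."""
    def __init__(self, recorded_passwords):
        self._recorded = recorded_passwords

    def authenticate(self, username, first_info):
        recorded = self._recorded.get(username)
        if recorded is None:
            return False
        second_info = password_auth_info(recorded)
        return hmac.compare_digest(first_info, second_info)  # constant-time compare

def verify_credentials(service, username, entered_password):
    """Claim 9, platform side: send only the derived value, never the password."""
    return service.authenticate(username, password_auth_info(entered_password))
```

Because the derived value is deterministic, it is itself a reusable credential; the password authentication request therefore still needs a protected channel to the cloud service.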
12. An electronic device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method of any one of claims 1-10.
13. A computer readable storage medium storing one or more programs which, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of any of claims 1-10.
CN201810858360.3A 2018-07-31 2018-07-31 User access processing method, device and equipment Active CN110784433B (en)

Publications (2)

Publication Number Publication Date
CN110784433A CN110784433A (en) 2020-02-11
CN110784433B true CN110784433B (en) 2022-08-23

Family

ID=69383127

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code: Ref country code: HK; Ref legal event code: DE; Ref document number: 40023175; Country of ref document: HK
GR01 Patent grant