CN110839002A - Cloud account opening, authentication and access method and device - Google Patents

Cloud account opening, authentication and access method and device Download PDF

Info

Publication number
CN110839002A
CN110839002A CN201810931000.1A CN201810931000A CN110839002A CN 110839002 A CN110839002 A CN 110839002A CN 201810931000 A CN201810931000 A CN 201810931000A CN 110839002 A CN110839002 A CN 110839002A
Authority
CN
China
Prior art keywords
cloud
alliance
endorsement
user
token
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810931000.1A
Other languages
Chinese (zh)
Other versions
CN110839002B (en
Inventor
王楠楠
黄国强
罗斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201810931000.1A priority Critical patent/CN110839002B/en
Priority to PCT/CN2019/088169 priority patent/WO2020034700A1/en
Publication of CN110839002A publication Critical patent/CN110839002A/en
Application granted granted Critical
Publication of CN110839002B publication Critical patent/CN110839002B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

本申请公开了一种开户认证访问方法,包括:第一云获取用户的第一访问请求,其中,所述第一访问请求包括目标令牌,所述目标令牌由背书主体对所述用户的用户信息进行背书而生成的,所述第一云属于云联盟,所述云联盟包括多朵云;从联盟区块链上获取联盟令牌,并将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果,其中,所述联盟区块链可被所述云联盟中的任意一朵云访问;根据匹配结果确定所述用户为合法用户,并允许所述用户对所述第一云进行访问。上述方法能够实现云联盟的用户可以随意访问云联盟中的任意一朵云的资源。

The present application discloses an account opening authentication access method, which includes: a first cloud obtains a user's first access request, wherein the first access request includes a target token, and the target token is used by an endorsement subject to authenticate the user's Generated by endorsement of user information, the first cloud belongs to the cloud alliance, and the cloud alliance includes multiple clouds; the alliance token is obtained from the alliance blockchain, and the target token and the alliance token are combined. Matching is performed to obtain a matching result, wherein the alliance blockchain can be accessed by any cloud in the cloud alliance; according to the matching result, the user is determined to be a legitimate user, and the user is allowed to access to the cloud. The above method can realize that the user of the cloud alliance can freely access the resources of any cloud in the cloud alliance.

Description

云的开户、认证及访问方法和设备Cloud account opening, authentication and access method and device

技术领域technical field

本申请涉及云技术,尤其涉及一种云的开户、认证及访问方法、设备以及存储介质。The present application relates to cloud technology, and in particular, to a cloud account opening, authentication and access method, device and storage medium.

背景技术Background technique

随着云技术的快速发展,全球范围内出现了越来越多的云。不同云可能由不同的企业运营,如果用户希望访问这些云的资源,就必须在每朵云上都分别注册一个账户,并使用账户登录对应的云,才能够访问账户对应的云的资源。为了打破这些云之间的隔阂,实现资源的共享,人们提出了构建云联盟的设想。With the rapid development of cloud technology, more and more clouds have appeared around the world. Different clouds may be operated by different companies. If users want to access the resources of these clouds, they must register an account on each cloud and use the account to log in to the corresponding cloud before they can access the resources of the cloud corresponding to the account. In order to break the gap between these clouds and realize the sharing of resources, people have proposed the idea of building a cloud alliance.

但是,如何实现云联盟的用户可以随意访问云联盟中的任意一朵云的资源是一个尚未解决的问题。However, how to realize that users of the cloud alliance can freely access the resources of any cloud in the cloud alliance is an unsolved problem.

发明内容SUMMARY OF THE INVENTION

本申请提供了一种访问方法、设备以及存储介质,能够实现云联盟的用户可以访问云联盟中的任意一朵云的资源。The present application provides an access method, device and storage medium, which can realize that a user of a cloud alliance can access the resources of any cloud in the cloud alliance.

第一方面,提供了一种用户对云的访问方法,包括:In a first aspect, a user access method to the cloud is provided, including:

第一云获取用户的第一访问请求,其中,所述第一访问请求包括目标令牌,所述目标令牌由背书主体对所述用户的用户信息进行背书而生成的,所述第一云属于云联盟,所述云联盟包括多朵云;The first cloud obtains the user's first access request, wherein the first access request includes a target token, and the target token is generated by an endorsement subject endorsing the user information of the user, and the first cloud belong to the cloud alliance, and the cloud alliance includes multiple clouds;

从联盟区块链上获取联盟令牌,并将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果,其中,所述联盟区块链可被所述云联盟中的任意一朵云访问;Obtain the alliance token from the alliance blockchain, and match the target token with the alliance token to obtain a matching result, wherein the alliance blockchain can be used by any one of the cloud alliances cloud access;

根据匹配结果确定所述目标用户为合法用户,并允许所述目标用户对所述第一云进行访问。According to the matching result, it is determined that the target user is a legitimate user, and the target user is allowed to access the first cloud.

结合第一方面,第一方面的第一种可能的实施方式中,所述背书主体包括云联盟中的任一云或者第三方公证机构。With reference to the first aspect, in a first possible implementation manner of the first aspect, the endorsement subject includes any cloud in the cloud alliance or a third-party notary institution.

结合第一方面的上述任一方式,第一方面的第二种可能的实施方式中,在第四云和所述第一云是同一朵云的情况下,所述背书主体包括所述第一云;在第四云和所述第一云不是同一朵云的情况下,所述背书主体包括第四云和所述第一云。In combination with any of the foregoing manners of the first aspect, in a second possible implementation manner of the first aspect, in the case that the fourth cloud and the first cloud are the same cloud, the endorsement body includes the first cloud. A cloud; in the case that the fourth cloud and the first cloud are not the same cloud, the endorsement subject includes the fourth cloud and the first cloud.

结合第一方面的上述任一方式,第一方面的第三种可能的实施方式中,所述方法还包括:在所述联盟令牌的生命周期大于失效周期的情况下,所述第一云重新生成新的联盟令牌,并将所述新的联盟令牌上传到所述联盟区块链中。In combination with any of the foregoing manners of the first aspect, in a third possible implementation manner of the first aspect, the method further includes: in the case that the lifetime of the alliance token is greater than the expiration period, the first cloud Regenerate a new federation token and upload the new federation token to the federation blockchain.

结合第一方面的上述任一方式,第一方面的第四种可能的实施方式中,所述方法还包括:In combination with any of the above-mentioned manners of the first aspect, in a fourth possible implementation manner of the first aspect, the method further includes:

接收用户的第二访问请求,其中,所述第二访问请求包括目标令牌;receiving a second access request from the user, wherein the second access request includes a target token;

所述第一云向所述第二云发送所述用户的第二访问请求,其中,所述第二云属于所述云联盟。The first cloud sends the user's second access request to the second cloud, where the second cloud belongs to the cloud alliance.

第二方面,提供了一种云用户的认证方法,包括:In a second aspect, a cloud user authentication method is provided, including:

第三云获取用户的认证请求,其中,所述认证请求包括所述用户的用户信息,所述第三云属于云联盟,所述云联盟包括多朵云;The third cloud obtains the authentication request of the user, wherein the authentication request includes the user information of the user, the third cloud belongs to the cloud alliance, and the cloud alliance includes multiple clouds;

根据所述认证请求向背书主体发送背书请求,并接收所述背书主体返回的背书结果,其中,所述背书请求包括所述用户信息,所述背书结果为所述背书主体对所述用户信息进行背书得到的结果;Send an endorsement request to the endorsement subject according to the authentication request, and receive an endorsement result returned by the endorsement subject, where the endorsement request includes the user information, and the endorsement result is that the endorsement subject performs an endorsement on the user information. the result obtained by the endorsement;

根据所述背书结果为所述目标用户生成目标令牌;generating a target token for the target user according to the endorsement result;

将所述目标令牌上传至联盟区块链中以作为联盟令牌,所述联盟区块链可被所述云联盟中的任意一朵云访问。The target token is uploaded to the consortium blockchain as a consortium token, and the consortium blockchain can be accessed by any cloud in the cloud consortium.

结合第二方面,第二方面的第二种可能的实施方式中,所述背书主体包括云联盟中的任一云或者第三方公证机构。With reference to the second aspect, in a second possible implementation manner of the second aspect, the endorsement subject includes any cloud in the cloud alliance or a third-party notary institution.

结合第二方面的上述任一方式,第二方面的第三种可能的实施方式中,所述方法还包括:In combination with any of the foregoing manners of the second aspect, in a third possible implementation manner of the second aspect, the method further includes:

确定所述联盟令牌的失效周期,其中,所述失效周期用于在所述联盟令牌的生命周期大于失效周期时,使所述联盟令牌失效。An expiration period of the alliance token is determined, wherein the expiration period is used to invalidate the alliance token when the life cycle of the alliance token is greater than the expiration period.

结合第二方面的上述任一方式,第二方面的第四种可能的实施方式中,所述用户信息包括联盟账号、密码、联盟标识中的一种或者多种。In combination with any of the foregoing manners of the second aspect, in a fourth possible implementation manner of the second aspect, the user information includes one or more of an alliance account number, a password, and an alliance identification.

第三方面,提供一种云用户的开户方法,包括:A third aspect provides an account opening method for a cloud user, including:

第四云接收用户的开户请求,其中,所述开户云属于云联盟,所述云联盟包括多朵云;The fourth cloud receives an account opening request from a user, wherein the account opening cloud belongs to a cloud alliance, and the cloud alliance includes multiple clouds;

根据所述开户请求为所述用户生成用户信息;generating user information for the user according to the account opening request;

向背书主体发送背书请求,并接收所述背书主体返回的背书结果,其中,所述背书请求包括所述用户信息,所述背书结果为所述背书主体对所述用户信息进行背书得到的结果;Send an endorsement request to the endorsement subject, and receive an endorsement result returned by the endorsement subject, where the endorsement request includes the user information, and the endorsement result is the result obtained by the endorsement subject endorsing the user information;

根据所述背书结果将所述背书结果上传至联盟区块链中,所述联盟区块链可被所述云联盟中的任意一朵云访问。The endorsement result is uploaded to the consortium blockchain according to the endorsement result, and the consortium blockchain can be accessed by any cloud in the cloud consortium.

结合第三方面,第三方面的第一种可能的实施方式中,所述背书主体包括云联盟中的任一云或者第三方公证机构。With reference to the third aspect, in a first possible implementation manner of the third aspect, the endorsement subject includes any cloud in the cloud alliance or a third-party notary institution.

结合第三方面的上述一种方式,第三方面的第二种可能的实施方式中,所述用户信息包括联盟账号、密码、联盟标识中的一种或者多种。In combination with the foregoing one manner of the third aspect, in a second possible implementation manner of the third aspect, the user information includes one or more of an alliance account number, a password, and an alliance identifier.

第四方面,提供了一种访问设备,包括:获取模块、匹配模块以及确定模块,In a fourth aspect, an access device is provided, including: an acquisition module, a matching module, and a determination module,

所述获取模块用于获取用户的第一访问请求,其中,所述第一访问请求包括目标令牌,所述目标令牌由背书主体对所述用户的用户信息进行背书而生成的,所述第一云属于云联盟,所述云联盟包括多朵云;The obtaining module is configured to obtain a user's first access request, wherein the first access request includes a target token, and the target token is generated by an endorsement subject endorsing the user information of the user, and the The first cloud belongs to the cloud alliance, and the cloud alliance includes multiple clouds;

所述匹配模块用于从联盟区块链上获取联盟令牌,并将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果,其中,所述联盟区块链可被所述云联盟中的任意一朵云访问;The matching module is used to obtain the alliance token from the alliance blockchain, and match the target token and the alliance token to obtain a matching result, wherein the alliance blockchain can be used by the cloud Access to any cloud in the alliance;

所述确定模块用于根据匹配结果确定所述目标用户为合法用户,并允许所述目标用户对所述第一云进行访问。The determining module is configured to determine that the target user is a legitimate user according to the matching result, and allow the target user to access the first cloud.

结合第四方面,第四方面的第一种可能的实施方式中,所述背书主体包括云联盟中的任一云或者第三方公证机构。With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the endorsement subject includes any cloud in the cloud alliance or a third-party notary institution.

结合第四方面的上述任一方式,第四方面的第二种可能的实施方式中,在第四云和所述第一云是同一朵云的情况下,所述背书主体包括所述第一云;在第四云和所述第一云不是同一朵云的情况下,所述背书主体包括第四云和所述第一云。In combination with any of the foregoing manners of the fourth aspect, in a second possible implementation manner of the fourth aspect, in the case that the fourth cloud and the first cloud are the same cloud, the endorsement body includes the first cloud. A cloud; in the case that the fourth cloud and the first cloud are not the same cloud, the endorsement subject includes the fourth cloud and the first cloud.

结合第四方面的上述任一方式,第四方面的第三种可能的实施方式中,所述方法还包括:在所述联盟令牌的生命周期大于失效周期的情况下,所述第一云重新生成新的联盟令牌,并将所述新的联盟令牌上传到所述联盟区块链中。In combination with any of the foregoing manners of the fourth aspect, in a third possible implementation manner of the fourth aspect, the method further includes: in the case that the lifetime of the alliance token is greater than the expiration period, the first cloud Regenerate a new federation token and upload the new federation token to the federation blockchain.

结合第四方面的上述任一方式,第四方面的第四种可能的实施方式中,所述访问设备还包括接收模块以及发送模块,In combination with any of the above manners of the fourth aspect, in a fourth possible implementation manner of the fourth aspect, the access device further includes a receiving module and a sending module,

所述接收模块还用于接收用户的第二访问请求,其中,所述第二访问请求包括目标令牌;The receiving module is further configured to receive a second access request from the user, wherein the second access request includes a target token;

所述发送模块还用于向所述第二云发送所述用户的第二访问请求,其中,所述第二云属于所述云联盟。The sending module is further configured to send the second access request of the user to the second cloud, where the second cloud belongs to the cloud alliance.

第五方面,提供了一种认证设备,包括:获取模块、发送模块以及生成模块In a fifth aspect, an authentication device is provided, including: an acquiring module, a sending module, and a generating module

所述获取模块用于获取用户的认证请求,其中,所述认证请求包括所述用户的用户信息,所述第三云属于云联盟,所述云联盟包括多朵云;The obtaining module is configured to obtain an authentication request of a user, wherein the authentication request includes user information of the user, the third cloud belongs to a cloud alliance, and the cloud alliance includes multiple clouds;

所述发送模块用于根据所述认证请求向背书主体发送背书请求,并接收所述背书主体返回的背书结果,其中,所述背书请求包括所述用户信息,所述背书结果为所述背书主体对所述用户信息进行背书得到的结果;The sending module is configured to send an endorsement request to an endorsement subject according to the authentication request, and receive an endorsement result returned by the endorsement subject, wherein the endorsement request includes the user information, and the endorsement result is the endorsement subject The result obtained by endorsing the user information;

所述生成模块用于根据所述背书结果为所述目标用户生成目标令牌;The generating module is configured to generate a target token for the target user according to the endorsement result;

所述发送模块还用于将所述目标令牌上传至联盟区块链中以作为联盟令牌,所述联盟区块链可被所述云联盟中的任意一朵云访问。The sending module is further configured to upload the target token to a consortium blockchain as a consortium token, and the consortium blockchain can be accessed by any cloud in the cloud consortium.

结合第五方面,第五方面的第二种可能的实施方式中,所述背书主体包括云联盟中的任一云或者第三方公证机构。With reference to the fifth aspect, in a second possible implementation manner of the fifth aspect, the endorsement subject includes any cloud in the cloud alliance or a third-party notary institution.

结合第五方面的上述任一方式,第五方面的第三种可能的实施方式中,所述装置还包括确定模块,In combination with any of the foregoing manners of the fifth aspect, in a third possible implementation manner of the fifth aspect, the apparatus further includes a determining module,

所述确定模块用于确定所述联盟令牌的失效周期,其中,所述失效周期用于在所述联盟令牌的生命周期大于失效周期时,使所述联盟令牌失效。The determining module is configured to determine the expiration period of the alliance token, wherein the expiration period is used to invalidate the alliance token when the life cycle of the alliance token is greater than the expiration period.

结合第五方面的上述任一方式,第五方面的第四种可能的实施方式中,所述用户信息包括联盟账号、密码、联盟标识中的一种或者多种。In combination with any of the foregoing manners of the fifth aspect, in a fourth possible implementation manner of the fifth aspect, the user information includes one or more of an alliance account number, a password, and an alliance identification.

第六方面,提供一种开户设备,包括:接收模块、生成模块以及发送模块,In a sixth aspect, an account opening device is provided, comprising: a receiving module, a generating module and a sending module,

所述接收模块用于接收用户的开户请求,其中,所述开户云属于云联盟,所述云联盟包括多朵云;The receiving module is configured to receive an account opening request from a user, wherein the account opening cloud belongs to a cloud alliance, and the cloud alliance includes multiple clouds;

所述生成模块用于根据所述开户请求为所述用户生成用户信息;The generating module is configured to generate user information for the user according to the account opening request;

所述发送模块用于向背书主体发送背书请求,并接收所述背书主体返回的背书结果,其中,所述背书请求包括所述用户信息,所述背书结果为所述背书主体对所述用户信息进行背书得到的结果;The sending module is configured to send an endorsement request to an endorsement subject, and receive an endorsement result returned by the endorsement subject, wherein the endorsement request includes the user information, and the endorsement result is the endorsement subject's response to the user information. the result of the endorsement;

所述发送模块还用于根据所述背书结果将所述背书结果上传至联盟区块链中,所述联盟区块链可被所述云联盟中的任意一朵云访问。The sending module is further configured to upload the endorsement result to a consortium blockchain according to the endorsement result, and the consortium blockchain can be accessed by any cloud in the cloud consortium.

结合第六方面,第六方面的第一种可能的实施方式中,所述背书主体包括云联盟中的任一云或者第三方公证机构。With reference to the sixth aspect, in a first possible implementation manner of the sixth aspect, the endorsement subject includes any cloud in the cloud alliance or a third-party notary institution.

结合第六方面的上述一种方式,第六方面的第二种可能的实施方式中,所述用户信息包括联盟账号、密码、联盟标识中的一种或者多种。In combination with the foregoing one manner of the sixth aspect, in a second possible implementation manner of the sixth aspect, the user information includes one or more of an alliance account number, a password, and an alliance identifier.

第七方面,提供了一种云系统,包括:多个计算机设备,其中,所述计算机设备包括存储器以及与所述存储器耦合的处理器、通信模块,其中:所述通信模块用于发送或者接收外部发送的数据,所述存储器用于存储程序代码,所述处理器用于调用所述存储器存储的程序代码以执行如第一方面任一项描述的方法。In a seventh aspect, a cloud system is provided, comprising: a plurality of computer devices, wherein the computer devices include a memory, a processor coupled with the memory, and a communication module, wherein: the communication module is used for sending or receiving For externally sent data, the memory is used to store program codes, and the processor is used to call the program codes stored in the memory to execute the method described in any one of the first aspects.

第八方面,提供了一种云系统,包括:多个计算机设备,其中,所述计算机设备包括存储器以及与所述存储器耦合的处理器、通信模块,其中:所述通信模块用于发送或者接收外部发送的数据,所述存储器用于存储程序代码,所述处理器用于调用所述存储器存储的程序代码以执行如第二方面任一项描述的方法。In an eighth aspect, a cloud system is provided, comprising: a plurality of computer devices, wherein the computer devices include a memory, a processor coupled with the memory, and a communication module, wherein: the communication module is used for sending or receiving Externally sent data, the memory is used to store program codes, and the processor is used to call the program codes stored in the memory to execute the method described in any one of the second aspects.

第九方面,提供了一种云系统,包括:多个计算机设备,其中,所述计算机设备包括存储器以及与所述存储器耦合的处理器、通信模块,其中:所述通信模块用于发送或者接收外部发送的数据,所述存储器用于存储程序代码,所述处理器用于调用所述存储器存储的程序代码以执行如第三方面任一项描述的方法。In a ninth aspect, a cloud system is provided, comprising: a plurality of computer devices, wherein the computer devices include a memory, a processor coupled with the memory, and a communication module, wherein: the communication module is used for sending or receiving Externally sent data, the memory is used to store program codes, and the processor is used to call the program codes stored in the memory to execute the method described in any one of the third aspects.

第十方面,提供了一种计算机非瞬态存储介质,包括指令,当所述指令在设备上运行时,使得所述设备执行如第一方面任一项所述的方法。In a tenth aspect, a computer non-transitory storage medium is provided, comprising instructions that, when executed on a device, cause the device to perform the method according to any one of the first aspects.

第十一方面,提供了一种计算机非瞬态存储介质,包括指令,当所述指令在设备上运行时,使得所述设备执行如第二方面任一项所述的方法。In an eleventh aspect, a computer non-transitory storage medium is provided, comprising instructions that, when executed on a device, cause the device to perform the method of any one of the second aspects.

第十二方面,提供了一种计算机非瞬态存储介质,包括指令,当所述指令在设备上运行时,使得所述设备执行如第三方面任一项所述的方法。A twelfth aspect provides a computer non-transitory storage medium comprising instructions that, when executed on a device, cause the device to perform the method of any one of the third aspects.

上述方案中,在用户端需要访问第一云的情况下,第一云接收用户发送的第一访问请求,其中,第一访问请求中包括目标令牌。第一云从联盟区块链上获取联盟令牌,将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果,根据匹配结果确定所述目标用户为合法用户,并允许所述目标用户对所述第一云进行访问。由于目标令牌是由背书主体对所述用户的用户信息进行背书而生成的,具有良好的公信力,因此,只要用户端发送的访问请求中携带了目标令牌,并且,对目标令牌的验证也顺利通过,就可以确定用户的身份是合法的,允许用户进行访问。所以,只要携带了目标令牌,云联盟的用户就可以随意访问云联盟中的任意一朵云的资源。In the above solution, when the user terminal needs to access the first cloud, the first cloud receives the first access request sent by the user, wherein the first access request includes the target token. The first cloud obtains the alliance token from the alliance blockchain, matches the target token and the alliance token to obtain a matching result, determines the target user as a legitimate user according to the matching result, and allows the target The user accesses the first cloud. Since the target token is generated by the endorsement subject's endorsement of the user's user information, it has good credibility. Therefore, as long as the access request sent by the client carries the target token, and the verification of the target token If it is also successfully passed, it can be determined that the user's identity is legitimate and the user is allowed to access. Therefore, as long as the target token is carried, the users of the cloud alliance can freely access the resources of any cloud in the cloud alliance.

附图说明Description of drawings

图1是本申请实施例涉及的一种云联盟的结构示意图;1 is a schematic structural diagram of a cloud alliance involved in an embodiment of the present application;

图2是本申请实施例涉及的另一种云联盟的结构示意图;2 is a schematic structural diagram of another cloud alliance involved in an embodiment of the present application;

图3是本申请提供的一种开户方法的流程交互图;Fig. 3 is a process interaction diagram of an account opening method provided by the present application;

图4是本申请提供的一种认证方法的流程交互图;Fig. 4 is a flow diagram of an authentication method provided by the present application;

图5是本申请提供的一种访问方法的流程交互图;Fig. 5 is a process interaction diagram of an access method provided by the present application;

图6是本申请提供的一种访问方法的流程交互图;Fig. 6 is a process interaction diagram of an access method provided by the present application;

图7是本申请提供的又一种云联盟的结构示意图;7 is a schematic structural diagram of another cloud alliance provided by the present application;

图8是本申请提供的再一种云联盟的结构示意图。FIG. 8 is a schematic structural diagram of still another cloud alliance provided by the present application.

具体实施例specific embodiment

如图1所示,设想中的云联盟包括多朵云,在云联盟之上构建了属于云联盟的联盟区块链,其中,所述联盟区块链可被云联盟中的任意一朵云访问。可以理解,云联盟的规模可以根据实际需要进行设置,例如,云联盟可以是多个企业的云之间构成的联盟,可以是多个城市的云之间构成的联盟,也可以是多个国家的云之间构成的联盟,甚至可以是全球的云之间构成的联盟,此处不作具体限定。As shown in Figure 1, the envisaged cloud alliance includes multiple clouds, and an alliance blockchain belonging to the cloud alliance is constructed on the cloud alliance. The alliance blockchain can be used by any cloud in the cloud alliance. access. It can be understood that the scale of a cloud alliance can be set according to actual needs. For example, a cloud alliance can be an alliance formed between clouds of multiple enterprises, an alliance formed between clouds of multiple cities, or a plurality of countries. The alliance formed between the clouds, or even the alliance formed between the global clouds, is not specifically limited here.

云可以包括多个云节点(见图2中纯白色的圆点)。具体地,云包括至少一个数据中心以及连接数据中心的网络设备。每个数据中心内包括硬件层,例如服务器、存储阵列、网络设备等;以及运行于硬件层之上的软件层。提供云服务的厂商,基于云的软件和硬件资源,向用户提供出租或托管服务,包括计算、存储、网络等硬件服务,或者人工智能、数据库等软件服务。Clouds can include multiple cloud nodes (see the solid white dots in Figure 2). Specifically, the cloud includes at least one data center and network devices connecting the data centers. Each data center includes a hardware layer, such as servers, storage arrays, network devices, etc.; and a software layer running on the hardware layer. Manufacturers that provide cloud services, based on cloud-based software and hardware resources, provide users with rental or hosting services, including hardware services such as computing, storage, and networking, or software services such as artificial intelligence and databases.

联盟区块链包括至少一个排序服务节点(order node)(如图2中纯黑色的圆点)以及连接排序服务节点的记账节点(peer node)(如图2中带点纹的圆点)。其中,排序服务节点可以是由云联盟中的各个云之外的节点组成的,记账节点可以是由云联盟中每个朵云中的部分云节点组合而成的。排序服务节点用于将需要存储到联盟区块链中的信息进行排序,将排序好的信息打包成区块,然后,将打包好的区块广播给所有记账节点。记账节点用于存储打包好的区块。并且,排序服务节点可以指定部分记账节点为背书节点(如图2中带斜纹的圆点)。The consortium blockchain includes at least one order node (the solid black dot in Figure 2) and a peer node connecting the order service node (the dot with dots in Figure 2) . The ordering service node may be composed of nodes other than each cloud in the cloud alliance, and the accounting node may be composed of some cloud nodes in each cloud in the cloud alliance. The ordering service node is used to order the information that needs to be stored in the alliance blockchain, package the sorted information into blocks, and then broadcast the packaged blocks to all accounting nodes. Accounting nodes are used to store packaged blocks. In addition, the ordering service node may designate some accounting nodes as endorsement nodes (as shown in the circle dots with diagonal stripes in Figure 2).

云联盟可以是通过如下方式搭建而成的:云1首先创建云联盟,并制定云联盟需要遵循的智能合约。如果其他的云(例如云2)认可云1制定的智能合约,则其他的云可以加入到云联盟中。在云1创建云联盟的时候,可以在自身的基础上创建联盟区块链,当其他的云加入区块链时,其他的云可以在自己的基础上创建分区块链,并将分区块链与原来的联盟区块链连通,以构成新的联盟区块链。联盟区块链是云联盟的私有区块链,也就是说,当任意一朵云将数据上传至区块链时,上传的数据会被迅速同步至整个联盟区块链中,并可以被云联盟中的其他云下载。应理解,上述搭建方式仅仅是一种示例,不应构成具体限定。The cloud alliance can be built in the following ways: Cloud 1 first creates the cloud alliance and formulates the smart contracts that the cloud alliance needs to follow. If other clouds (such as cloud 2) approve the smart contract formulated by cloud 1, other clouds can join the cloud alliance. When cloud 1 creates a cloud alliance, it can create an alliance blockchain on its own basis. When other clouds join the blockchain, other clouds can create sub-blockchains on their own basis, and divide the sub-blockchains. Connect with the original consortium blockchain to form a new consortium blockchain. The alliance blockchain is the private blockchain of the cloud alliance, that is to say, when any cloud uploads data to the blockchain, the uploaded data will be quickly synchronized to the entire alliance blockchain and can be accessed by the cloud. Other cloud downloads in the league. It should be understood that the above construction method is only an example, and should not constitute a specific limitation.

设想中云联盟的用户就可以随意访问云联盟中的任意一朵云的资源。具体来说,用户可以在云联盟中的任意一朵云上开设联盟账户。在联盟账户开设完毕后,用户可以在云联盟中的任意一朵云上使用联盟账户进行登录并进行身份验证。在验证完成后,用户可以通过联盟账户访问云联盟中的任意一朵云。下面以举例的形式说明两种具体的应用场景:It is envisaged that users of China Cloud Alliance can freely access the resources of any cloud in the cloud alliance. Specifically, users can open an alliance account on any cloud in the cloud alliance. After the alliance account is opened, the user can log in and authenticate with the alliance account on any cloud in the cloud alliance. After the verification is completed, the user can access any cloud in the cloud alliance through the alliance account. The following two specific application scenarios are illustrated in the form of examples:

在第一种场景中,用户在云联盟中的A云上开设联盟账户。然后,用户可以在云联盟中的B云上使用联盟账户进行登录并进行身份验证。在验证完成后,用户可以通过联盟账户访问云联盟中的B云的资源。用户还可以在云联盟中的C云上使用联盟账户进行登录并进行身份验证。在验证完成后,用户可以通过联盟账户访问云联盟中的C云的资源。以此类推,用户可以使用同样的方式访问云联盟中的每一朵云(包括A云)。In the first scenario, the user opens an alliance account on Cloud A in the cloud alliance. Then, the user can log in and authenticate with the alliance account on the B cloud in the cloud alliance. After the verification is completed, the user can access the resources of Cloud B in the cloud alliance through the alliance account. Users can also log in and authenticate with the federation account on the C cloud in the cloud federation. After the verification is completed, the user can access the resources of the C cloud in the cloud alliance through the alliance account. By analogy, users can access each cloud (including A cloud) in the cloud alliance in the same way.

在第二种场景中,用户在云联盟中的A云上开设联盟账户。然后,用户可以在云联盟中的B云上使用联盟账户进行登录并进行身份验证。在验证完成后,用户可以访问B云,以及,可以通过B云去访问云联盟中的每一朵云(包括A云)。In the second scenario, the user opens an alliance account on Cloud A in the cloud alliance. Then, the user can log in and authenticate with the alliance account on the B cloud in the cloud alliance. After the verification is completed, the user can access the B cloud, and can access each cloud (including the A cloud) in the cloud alliance through the B cloud.

其中,用户直接访问的云可以称之为第一云,用户通过第一云访问的云可以称之为第二云,用户验证身份的云可以称之为第三云,用户开设联盟账户的云可以称之为第四云。应理解,上述第一云、第三云和第四云可以是同一朵云;第三云和第四云可以是同一朵云,第一云可以不是同一朵云;第四云和第一云可以是同一朵云,第三云可以不是同一朵云;第一云和第四云可以是同一朵云,第三云可以不是同一朵云;第一云、第三云和第四云可以不是同一朵云,此处不作具体限定。Among them, the cloud directly accessed by the user can be called the first cloud, the cloud accessed by the user through the first cloud can be called the second cloud, the cloud through which the user verifies the identity can be called the third cloud, and the cloud where the user opens an alliance account It can be called the fourth cloud. It should be understood that the above-mentioned first cloud, third cloud and fourth cloud may be the same cloud; the third cloud and the fourth cloud may be the same cloud, and the first cloud may not be the same cloud; the fourth cloud and The first cloud may be the same cloud, and the third cloud may not be the same cloud; the first cloud and the fourth cloud may be the same cloud, and the third cloud may not be the same cloud; The cloud and the fourth cloud may not be the same cloud, which is not specifically limited here.

为了实现用户可以随意访问云联盟中任意一朵云的资源,用户可以携带目标令牌去访问云联盟中任意一朵云。当用户携带目标令牌去访问云联盟中任意一朵云时,被访问的云(第一云)对目标令牌进行验证。在第一云对目标令牌验证通过的情况下,可以确定用户为合法用户,并允许用户进行访问。In order to realize that the user can freely access the resources of any cloud in the cloud alliance, the user can carry the target token to access any cloud in the cloud alliance. When the user carries the target token to access any cloud in the cloud alliance, the visited cloud (the first cloud) verifies the target token. In the case that the first cloud has passed the verification of the target token, it can be determined that the user is a legitimate user, and the user is allowed to access.

用户携带目标令牌就可以去访问云联盟中任意一朵云的原因在于:目标令牌是云联盟的背书主体根据背书策略对用户的用户信息进行背书而生成的令牌。由于目标令牌能够证明背书主体对目标用户的用户信息进行了背书,也就是说,目标令牌能够证明背书主体对目标用户的可信性进行了担保,因此,只要对目标令牌验证通过,就可以确定目标用户为合法用户。其中,所述用户信息包括联盟账号、密码、联盟标识中的一种或者多种。背书主体可以包括云联盟中的任意一朵云或者第三方公证机构。更具体地,在背书主体包括云联盟中的其中一朵云的情况下,背书主体包括该云的背书节点。第三方公证机构可以是云联盟认可的机构,例如,信用卡验证机构以及其他信用机构等等。背书策略可以根据实际需要进行设置,举例来说,在第四云和所述第一云是同一朵云的情况下,所述背书主体包括所述第一云;在第四云和所述第一云不是同一朵云的情况下,所述背书主体包括第四云和所述第一云,此处不作具体限定。应理解,上述用户信息、背书主体和背书策略的举例仅仅是作为一种示例,不应构成具体限定。The reason why the user can access any cloud in the cloud alliance with the target token is that the target token is a token generated by the endorsement subject of the cloud alliance to endorse the user's user information according to the endorsement policy. Since the target token can prove that the endorser has endorsed the user information of the target user, that is to say, the target token can prove that the endorser has guaranteed the credibility of the target user. Therefore, as long as the target token is verified, It can be determined that the target user is a legitimate user. Wherein, the user information includes one or more of alliance account numbers, passwords, and alliance identifiers. The endorsement subject can include any cloud in the cloud alliance or a third-party notary institution. More specifically, in the case where the endorsement subject includes one of the clouds in the cloud consortium, the endorsement subject includes the endorsement node of the cloud. The third-party notary agency may be an agency recognized by the Cloud Alliance, for example, a credit card verification agency and other credit agencies, and so on. The endorsement policy can be set according to actual needs. For example, in the case that the fourth cloud and the first cloud are the same cloud, the endorsement subject includes the first cloud; When the first cloud is not the same cloud, the endorsement subject includes the fourth cloud and the first cloud, which is not specifically limited here. It should be understood that the above examples of user information, endorsement subjects and endorsement policies are only examples and should not constitute specific limitations.

第一云对目标令牌进行验证的过程可以是:第一云获取目标用户的第一访问请求,并从所述第一访问请求中获取索引以及目标令牌。第一云将所述索引发送给联盟区块链。相应地,联盟区块链接收第一云发送的所述索引。联盟区块链根据所述索引查找联盟令牌。联盟区块链将联盟令牌发送给第一云。相应地,第一云接收联盟区块链发送的联盟令牌。第一云将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果。在所述匹配结果为成功匹配时,第一云确定所述目标用户为合法用户,并允许所述目标用户对所述第一云进行访问。The process of verifying the target token by the first cloud may be as follows: the first cloud obtains the first access request of the target user, and obtains the index and the target token from the first access request. The first cloud sends the index to the consortium blockchain. Accordingly, the consortium blockchain receives the index sent by the first cloud. The consortium blockchain looks up the consortium token based on the index. The consortium blockchain sends the consortium token to the first cloud. Accordingly, the first cloud receives the alliance token sent by the alliance blockchain. The first cloud matches the target token and the federation token to obtain a matching result. When the matching result is a successful match, the first cloud determines that the target user is a legitimate user, and allows the target user to access the first cloud.

目标令牌的生成过程可以是:第三云获取用户的认证请求,其中,所述认证请求包括所述用户的用户信息。然后,第三云根据所述认证请求向背书主体发送背书请求。其中,所述背书请求包括所述用户信息。相应地,背书主体接收第三云发送的背书请求。背书主体根据背书策略对用户信息进行背书从而得到背书结果。背书主体将背书结果发送给第三云。相应地,第三云接收所述背书主体返回的背书结果。在背书结果为背书成功时,第三云为所述用户生成目标令牌。第三云将所述目标令牌上传至联盟区块链中以作为联盟令牌。相应地,联盟区块链接收第三云发送的目标令牌,并将所述目标令牌作为联盟令牌进行存储。联盟区块链向第三云发送联盟令牌的索引。相应地,第三云接收联盟区块链发送的索引。第三云将所述目标令牌发送给用户的用户端。相应地,用户的用户端接收第三云发送的所述目标令牌。不难理解,由于联盟区块链具有分布式存储以及去中心化存储的特点,所以,存储在联盟区块链中的联盟令牌是不可能被篡改的,具有极高的可靠性。The generation process of the target token may be: the third cloud obtains an authentication request of the user, wherein the authentication request includes user information of the user. Then, the third cloud sends an endorsement request to the endorsement subject according to the authentication request. Wherein, the endorsement request includes the user information. Accordingly, the endorsement subject receives the endorsement request sent by the third cloud. The endorsement subject endorses the user information according to the endorsement policy to obtain the endorsement result. The endorsement subject sends the endorsement result to the third cloud. Accordingly, the third cloud receives the endorsement result returned by the endorsement subject. When the endorsement result is that the endorsement is successful, the third cloud generates a target token for the user. The third cloud uploads the target token to the consortium blockchain as a consortium token. Accordingly, the alliance blockchain receives the target token sent by the third cloud, and stores the target token as the alliance token. The consortium blockchain sends the index of the consortium token to the third cloud. Accordingly, the third cloud receives the index sent by the consortium blockchain. The third cloud sends the target token to the client of the user. Correspondingly, the user terminal of the user receives the target token sent by the third cloud. It is not difficult to understand that because the alliance blockchain has the characteristics of distributed storage and decentralized storage, the alliance token stored in the alliance blockchain cannot be tampered with and has extremely high reliability.

用户信息的生成过程可以是:开户云接收目标用户的开户请求,其中,开户请求可以包括开户的必要信息,例如,护照号码、身份证号码以及姓名等等中的一种或者多种。然后,开户云根据所述开户请求为所述目标用户生成用户信息。开户云向背书主体发送背书请求,并接收所述背书主体返回的背书结果,其中,所述背书请求包括所述用户信息,所述背书结果为所述背书主体对所述用户信息进行背书得到的结果。在背书结果为背书成功时,开户云将所述用户信息上传至联盟区块链中。类似地,由于联盟区块链具有分布式存储以及去中心化存储的特点,所以,存储在联盟区块链中的用户信息具有极高的可靠性。The user information generation process may be: the account opening cloud receives an account opening request from the target user, where the account opening request may include necessary information for opening an account, such as one or more of passport numbers, ID numbers, and names. Then, the account opening cloud generates user information for the target user according to the account opening request. The account opening cloud sends an endorsement request to the endorsement subject, and receives the endorsement result returned by the endorsement subject, where the endorsement request includes the user information, and the endorsement result is obtained by the endorsement subject endorsing the user information. result. When the endorsement result is successful, the account opening cloud uploads the user information to the alliance blockchain. Similarly, since the consortium blockchain has the characteristics of distributed storage and decentralized storage, the user information stored in the consortium blockchain has extremely high reliability.

针对上述的两种不同的应用场景,用户可以携带目标令牌去访问云联盟中任意一朵云可以是通过如下的方式实现的:For the above two different application scenarios, users can carry the target token to access any cloud in the cloud alliance, which can be achieved in the following ways:

针对第一种应用场景来说,用户在云联盟中的A云上开设联盟账户。然后,用户可以在云联盟中的B云上使用联盟账户进行登录并进行身份验证从而生成目标令牌。在验证完成后,用户可以携带目标令牌访问云联盟中的B云的资源。用户还可以在云联盟中的C云上使用联盟账户进行登录并进行身份验证从而生成目标令牌。在验证完成后,用户可以通过携带目标令牌访问云联盟中的C云的资源。以此类推,用户可以使用同样的方式访问云联盟中的每一朵云(包括A云)。For the first application scenario, the user opens an alliance account on Cloud A in the cloud alliance. Then, the user can log in and authenticate with the federated account on the B cloud in the cloud federation to generate the target token. After the verification is completed, the user can carry the target token to access the resources of Cloud B in the cloud alliance. The user can also log in and authenticate with the federation account on the C cloud in the cloud federation to generate the target token. After the verification is completed, the user can access the resources of the C cloud in the cloud alliance by carrying the target token. By analogy, users can access each cloud (including A cloud) in the cloud alliance in the same way.

针对第二种应用场景来说,用户在云联盟中的A云上开设联盟账户。然后,用户可以在云联盟中的B云上使用联盟账户进行登录并进行身份验证从而生成目标令牌。在验证完成后,用户可以携带目标令牌访问B云,以及,可以携带目标令牌去访问云联盟中的每一朵云(包括A云)。For the second application scenario, the user opens an alliance account on Cloud A in the cloud alliance. Then, the user can log in and authenticate with the federated account on the B cloud in the cloud federation to generate the target token. After the verification is completed, the user can carry the target token to access the B cloud, and can carry the target token to access each cloud (including the A cloud) in the cloud alliance.

下面结合图3至图6以及具体的实施例对本发明进行进一步的说明。The present invention will be further described below with reference to FIGS. 3 to 6 and specific embodiments.

如图3所示,图3是本申请提供的一种开户方法的流程交互图。本实施例的开户方法包括:As shown in FIG. 3 , FIG. 3 is a flow interaction diagram of an account opening method provided by the present application. The account opening method of this embodiment includes:

S101:第四云接收用户的开户请求。S101: The fourth cloud receives an account opening request from a user.

在本申请具体的实施例中,所述开户请求包括身份信息,所述开户信息护照号码、身份证号码以及姓名等等中的一种或者多种。In a specific embodiment of the present application, the account opening request includes identity information, one or more of the account opening information passport number, ID number, and name.

S102:第四户云对所述身份信息进行验证。S102: The fourth cloud verifies the identity information.

在本申请具体的实施例中,所述身份信息可以由第四云提交给第三方验证机构进行验证。第三方验证机构可以是具有良好公信力的机构,例如,户政局、公安机关或者银行机构等等,此处不作具体限定。In a specific embodiment of the present application, the identity information may be submitted by the fourth cloud to a third-party verification agency for verification. The third-party verification institution may be an institution with good credibility, such as a household registration bureau, a public security organ, or a banking institution, etc., which is not specifically limited here.

S103:在身份信息验证成功的情况下,第四云为所述用户生成用户信息。S103: In the case that the authentication of the identity information is successful, the fourth cloud generates user information for the user.

在本申请具体的实施例中,所述用户信息包括联盟账户、密码和联盟标识中的一种或者多种。联盟账户可以是用户在云联盟中的通行的账号,也就是说,用户可以在云联盟中的任意一朵云上登录联盟账户。密码是目标用户登录联盟账户时输入的验证信息。联盟标识是云联盟的标识。In a specific embodiment of the present application, the user information includes one or more of an alliance account, a password and an alliance identifier. The alliance account can be the user's common account in the cloud alliance, that is, the user can log in to the alliance account on any cloud in the cloud alliance. The password is the verification information entered by the target user when logging in to the affiliate account. The Alliance Logo is the logo of the Cloud Alliance.

S104:第四云向背书主体发送所述背书请求。相应地,背书主体接收第四云发送的背书请求。S104: The fourth cloud sends the endorsement request to the endorsement subject. Accordingly, the endorsement subject receives the endorsement request sent by the fourth cloud.

在本申请的具体的实施例中,背书请求可以以开户提案的形式发送。具体地,开户云将开户提案上传到联盟区块链,联盟区块链在接收到开户提案之后,将开户提案在整个联盟区块链内进行同步。背书节点接收到开户提案之后,对开户提案进行背书。In a specific embodiment of the present application, the endorsement request may be sent in the form of an account opening proposal. Specifically, the account opening cloud uploads the account opening proposal to the consortium blockchain, and after the consortium blockchain receives the account opening proposal, it synchronizes the account opening proposal within the entire consortium blockchain. After the endorsement node receives the account opening proposal, it endorses the account opening proposal.

S105:背书主体根据背书策略对用户信息进行背书以得到背书结果。S105: The endorsement subject endorses the user information according to the endorsement policy to obtain an endorsement result.

S106:背书主体将背书结果发送给第四云。相应地,第四云接收背书主体发送的背书结果。S106: The endorsement subject sends the endorsement result to the fourth cloud. Accordingly, the fourth cloud receives the endorsement result sent by the endorsement subject.

S107:在背书结果为背书成功时,第四云将背书结果上传联盟区块链。S107: When the endorsement result is successful, the fourth cloud uploads the endorsement result to the alliance blockchain.

S108:第四云向用户的用户端发送用户信息。相应地,用户的用户端接收第四云返回的用户信息。S108: The fourth cloud sends user information to the user terminal of the user. Correspondingly, the user terminal of the user receives the user information returned by the fourth cloud.

如图4所示,图4是本申请提供的一种认证方法的流程交互图。本实施例的认证方法包括:As shown in FIG. 4 , FIG. 4 is a flow interaction diagram of an authentication method provided by the present application. The authentication method of this embodiment includes:

S201:第三云获取用户的认证请求。S201: The third cloud obtains the authentication request of the user.

在本申请具体的实施例中,所述认证请求包括所述用户的用户信息,所述用户信息包括联盟账户、密码和联盟标识中的一种或者多种。In a specific embodiment of the present application, the authentication request includes user information of the user, and the user information includes one or more of an alliance account, a password, and an alliance identifier.

S202:第三云根据联盟账户以及密码对用户的身份进行验证。其中,所述身份信息可以由第三云或者第三方验证机构进行验证。S202: The third cloud verifies the user's identity according to the alliance account and password. The identity information may be verified by a third cloud or a third-party verification agency.

S203:在验证成功的情况下,第三云根据认证请求生成背书请求,其中,所述背书请求包括用户信息。S203: If the verification is successful, the third cloud generates an endorsement request according to the authentication request, where the endorsement request includes user information.

S204:第三云向背书主体提交背书请求。相应地,背书主体接收认证云提交的背书请求。S204: The third cloud submits an endorsement request to the endorsement subject. Accordingly, the endorsement subject receives the endorsement request submitted by the authentication cloud.

在本申请的具体的实施例中,背书请求可以以认证提案的形式发送。具体地,第四云将认证提案上传到联盟区块链,联盟区块链在接收到认证提案之后,将认证提案在整个联盟区块链内进行同步。背书节点接收到认证提案之后,对认证提案进行背书。In specific embodiments of the present application, the endorsement request may be sent in the form of an authentication proposal. Specifically, the fourth cloud uploads the certification proposal to the consortium blockchain, and after receiving the certification proposal, the consortium blockchain synchronizes the certification proposal within the entire consortium blockchain. After the endorsement node receives the certification proposal, it endorses the certification proposal.

S205:背书主体根据背书策略对用户信息进行背书以得到背书结果。S205: The endorsement subject endorses the user information according to the endorsement policy to obtain an endorsement result.

S206:背书主体将背书结果发送给第三云。相应地,第三云接收背书主体发送的背书结果。S206: The endorsement subject sends the endorsement result to the third cloud. Accordingly, the third cloud receives the endorsement result sent by the endorsement subject.

S207:在背书结果为背书成功时,第三云生成目标令牌,并将目标令牌作为联盟令牌。S207: When the endorsement result is that the endorsement is successful, the third cloud generates a target token and uses the target token as an alliance token.

S208:第三云将联盟令牌上传至联盟区块链。相应地,联盟区块链接收第三云发送的联盟令牌。S208: The third cloud uploads the alliance token to the alliance blockchain. Accordingly, the consortium blockchain receives the consortium token sent by the third cloud.

S209:第三云将所述目标令牌发送给用户的用户端。相应地,用户的用户端接收第三云发送的所述目标令牌。S209: The third cloud sends the target token to the client of the user. Correspondingly, the user terminal of the user receives the target token sent by the third cloud.

如图5所示,图5是本申请提供的一种访问方法的流程交互图。本实施例的访问方法包括:As shown in FIG. 5 , FIG. 5 is a flow interaction diagram of an access method provided by the present application. The access method of this embodiment includes:

S301:第一云接收目标用户的第一访问请求,其中,所述第一访问请求包括索引和目标令牌,所述目标令牌是背书主体对所述用户的用户信息进行背书而生成的令牌。S301: The first cloud receives a first access request from a target user, wherein the first access request includes an index and a target token, and the target token is a token generated by an endorsement subject endorsing the user information of the user Card.

S302:第一云向联盟区块链发送索引。相应地,联盟区块链接收第一云发送的索引。S302: First Cloud sends the index to the alliance blockchain. Accordingly, the consortium blockchain receives the index sent by the first cloud.

S303:联盟区块链根据所述索引查找所述索引对应的联盟令牌。S303: The alliance blockchain searches for the alliance token corresponding to the index according to the index.

在本申请的具体的实施例中,联盟区块链中的联盟令牌具有失效周期。其中,在联盟令牌的生命周期小于失效周期的情况下,联盟令牌是有效的;在联盟令牌的生命周期大于或者等于失效周期时,联盟令牌将会失效。联盟令牌的失效周期可以保证联盟令牌不会因为存在的时间太长而导致失去作用,提高联盟令牌的可靠性。In the specific embodiment of this application, the consortium token in the consortium blockchain has an expiration period. Wherein, if the life cycle of the alliance token is less than the expiration period, the alliance token is valid; when the life cycle of the alliance token is greater than or equal to the expiration period, the alliance token will be invalid. The expiration period of the alliance token can ensure that the alliance token will not lose its function due to its existence for too long, and improve the reliability of the alliance token.

S304:联盟区块链向所述第一云发送联盟令牌。相应地,所述第一云接收所述联盟区块链发送的联盟令牌。S304: The alliance blockchain sends the alliance token to the first cloud. Accordingly, the first cloud receives the consortium token sent by the consortium blockchain.

S305:第一云将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果。S305: The first cloud matches the target token and the alliance token to obtain a matching result.

S306:在匹配结果为匹配成功时,第一云确定所述用户为合法用户,并允许所述用户对所述第一云进行访问。S306: When the matching result is that the matching is successful, the first cloud determines that the user is a legitimate user, and allows the user to access the first cloud.

S307:在匹配结果为匹配失败并且失败原因为令牌失效时,第一云重新生成新的联盟令牌。S307: When the matching result is that the matching fails and the failure reason is that the token is invalid, the first cloud regenerates a new alliance token.

S308:第一云将联盟令牌上传至联盟区块链。相应地,联盟区块链接收第一云发送的联盟令牌。S308: First Cloud uploads the alliance token to the alliance blockchain. Accordingly, the alliance blockchain receives the alliance token sent by the first cloud.

如图6所示,图6是本申请提供的一种访问方法的流程交互图。本实施例的访问方法包括:As shown in FIG. 6 , FIG. 6 is a flow interaction diagram of an access method provided by the present application. The access method of this embodiment includes:

S401:第一云向第二云发送用户的第二访问请求,其中,所述第一访问请求包括索引和目标令牌。S401: The first cloud sends a second access request of the user to the second cloud, where the first access request includes an index and a target token.

S402:第二访问云向联盟区块链发送索引。相应地,联盟区块链接收第二云发送的索引。S402: The second access cloud sends the index to the alliance blockchain. Accordingly, the consortium blockchain receives the index sent by the second cloud.

S403:联盟区块链根据所述索引查找所述索引对应的联盟令牌。S403: The alliance blockchain searches for the alliance token corresponding to the index according to the index.

在本申请的具体的实施例中,联盟区块链中的联盟令牌具有失效周期。其中,在联盟令牌的生命周期小于失效周期的情况下,联盟令牌是有效的;在联盟令牌的生命周期大于或者等于失效周期时,联盟令牌将会失效。联盟令牌的失效周期可以保证联盟令牌不会因为存在的时间太长而导致失去作用,提高联盟令牌的可靠性。In the specific embodiment of this application, the consortium token in the consortium blockchain has an expiration period. Wherein, if the life cycle of the alliance token is less than the expiration period, the alliance token is valid; when the life cycle of the alliance token is greater than or equal to the expiration period, the alliance token will be invalid. The expiration period of the alliance token can ensure that the alliance token will not lose its function due to its existence for too long, and improve the reliability of the alliance token.

S404:联盟区块链向所述第二云发送联盟令牌。相应地,所述第二云接收所述联盟区块链发送的联盟令牌。S404: The alliance blockchain sends the alliance token to the second cloud. Accordingly, the second cloud receives the consortium token sent by the consortium blockchain.

S405:第二云将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果。S405: The second cloud matches the target token and the alliance token to obtain a matching result.

S406:在匹配结果为匹配成功时,第二云确定所述用户为合法用户,并允许所述用户对所述第二云进行访问。S406: When the matching result is that the matching is successful, the second cloud determines that the user is a legitimate user, and allows the user to access the second cloud.

S407:在匹配结果为匹配失败并且失败原因为令牌失效时,第二云重新生成新的联盟令牌。S407: When the matching result is that the matching fails and the failure reason is that the token is invalid, the second cloud regenerates a new alliance token.

408:第二云将联盟令牌上传至联盟区块链。相应地,联盟区块链接收第二云发送的联盟令牌。408: The second cloud uploads the alliance token to the alliance blockchain. Accordingly, the consortium blockchain receives the consortium token sent by the second cloud.

参阅图7,图7是是本申请提供的又一种云联盟的结构示意图。本申请的云联盟包括第一云、第三云和第四云,其中,第一云、第三云和第四云之上构建了云联盟区块链。其中,第一云、第三云和第四云可以是完全不同的云,部分相同的云或者完全相同的云,此处不作具体限定。Referring to FIG. 7 , FIG. 7 is a schematic structural diagram of another cloud alliance provided by the present application. The cloud alliance of this application includes the first cloud, the third cloud and the fourth cloud, wherein the cloud alliance blockchain is constructed on the first cloud, the third cloud and the fourth cloud. Wherein, the first cloud, the third cloud and the fourth cloud may be completely different clouds, partially identical clouds or completely identical clouds, which are not specifically limited here.

如图7所示,第一云可以包括多个云节点,每个云节点包括接收模块101、生成模块102以及发送模块130。As shown in FIG. 7 , the first cloud may include multiple cloud nodes, and each cloud node includes a receiving module 101 , a generating module 102 and a sending module 130 .

所述接收模块101用于接收用户的开户请求,其中,所述开户云属于云联盟,所述云联盟包括多朵云;The receiving module 101 is configured to receive an account opening request from a user, wherein the account opening cloud belongs to a cloud alliance, and the cloud alliance includes multiple clouds;

所述生成模块102用于根据所述开户请求为所述用户生成用户信息;The generating module 102 is configured to generate user information for the user according to the account opening request;

所述发送模块103用于向背书主体发送背书请求,并接收所述背书主体返回的背书结果,其中,所述背书请求包括所述用户信息,所述背书结果为所述背书主体对所述用户信息进行背书得到的结果;The sending module 103 is configured to send an endorsement request to the endorsement subject, and receive an endorsement result returned by the endorsement subject, wherein the endorsement request includes the user information, and the endorsement result is the endorsement subject to the user. the result of the endorsement of the information;

所述发送模块103还用于根据所述背书结果将所述背书结果上传至联盟区块链中,所述联盟区块链可被所述云联盟中的任意一朵云访问。The sending module 103 is further configured to upload the endorsement result to a consortium blockchain according to the endorsement result, and the consortium blockchain can be accessed by any cloud in the cloud consortium.

如图7所示,第三云可以包括多个云节点,每个云节点包括获取模块201、发送模块202以及生成模块203。As shown in FIG. 7 , the third cloud may include multiple cloud nodes, and each cloud node includes an obtaining module 201 , a sending module 202 and a generating module 203 .

所述获取模块201用于获取用户的认证请求,其中,所述认证请求包括所述用户的用户信息,所述第三云属于云联盟,所述云联盟包括多朵云;The obtaining module 201 is configured to obtain an authentication request of a user, wherein the authentication request includes user information of the user, the third cloud belongs to a cloud alliance, and the cloud alliance includes multiple clouds;

所述发送模块202用于根据所述认证请求向背书主体发送背书请求,并接收所述背书主体返回的背书结果,其中,所述背书请求包括所述用户信息,所述背书结果为所述背书主体对所述用户信息进行背书得到的结果;The sending module 202 is configured to send an endorsement request to an endorsement subject according to the authentication request, and receive an endorsement result returned by the endorsement subject, wherein the endorsement request includes the user information, and the endorsement result is the endorsement The result obtained by the subject's endorsement of the user information;

所述生成模块203用于根据所述背书结果为所述目标用户生成目标令牌;The generating module 203 is configured to generate a target token for the target user according to the endorsement result;

所述发送模块203还用于将所述目标令牌上传至联盟区块链中以作为联盟令牌,所述联盟区块链可被所述云联盟中的任意一朵云访问。The sending module 203 is further configured to upload the target token to a consortium blockchain as a consortium token, and the consortium blockchain can be accessed by any cloud in the cloud consortium.

如图7所示,第四云可以包括多个云节点,每个云节点包括获取模块301、匹配模块302以及确定模块303。As shown in FIG. 7 , the fourth cloud may include multiple cloud nodes, and each cloud node includes an acquisition module 301 , a matching module 302 and a determination module 303 .

所述获取模块301用于获取用户的第一访问请求,其中,所述第一访问请求包括目标令牌,所述目标令牌由背书主体对所述用户的用户信息进行背书而生成的,所述第一云属于云联盟,所述云联盟包括多朵云;The obtaining module 301 is configured to obtain the user's first access request, wherein the first access request includes a target token, and the target token is generated by the endorsement subject's endorsement of the user's user information. The first cloud belongs to a cloud alliance, and the cloud alliance includes multiple clouds;

所述匹配模块302用于从联盟区块链上获取联盟令牌,并将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果,其中,所述联盟区块链可被所述云联盟中的任意一朵云访问;The matching module 302 is configured to obtain the alliance token from the alliance blockchain, and match the target token and the alliance token to obtain a matching result, wherein the alliance blockchain can be used by the Access to any cloud in the cloud alliance;

所述确定模块303用于根据匹配结果确定所述目标用户为合法用户,并允许所述目标用户对所述第一云进行访问。The determining module 303 is configured to determine that the target user is a legitimate user according to the matching result, and allow the target user to access the first cloud.

上述实施例中并没有对第一云、第三云和第四云展开描述,具体请参见图2至图6以及相关陈述,此处不再展开赘述。The first cloud, the third cloud, and the fourth cloud are not described in the above-mentioned embodiment. For details, please refer to FIG. 2 to FIG. 6 and related statements, and details are not repeated here.

参阅图8,图8是是本申请提供的再一种云联盟的结构示意图。本申请的云联盟包括第一云系统、第三云系统和第四云系统,其中,第一云系统、第三云系统和第四云系统之上构建了云联盟区块链。其中,第一云系统、第三云系统和第四云系统可以是不同的云系统,部分相同的云系统或者完全相同的云系统,此处不作具体限定。第一云系统、第三云系统、第四云系统可以属于不同公司,也可以属于相同公司运营的不同国家运营的云。Referring to FIG. 8 , FIG. 8 is a schematic structural diagram of still another cloud alliance provided by the present application. The cloud alliance of the present application includes a first cloud system, a third cloud system and a fourth cloud system, wherein a cloud alliance blockchain is constructed on the first cloud system, the third cloud system and the fourth cloud system. Wherein, the first cloud system, the third cloud system and the fourth cloud system may be different cloud systems, some of the same cloud systems or completely identical cloud systems, which are not specifically limited here. The first cloud system, the third cloud system, and the fourth cloud system may belong to different companies, or may belong to clouds operated by the same company in different countries.

如图8所示,本申请的第一云系统包括多个计算设备,每个计算设备包括一个或多个处理器401、通信接口402和存储器403。其中,处理器401、通信接口402和存储器403之间可以通过总线404连接。As shown in FIG. 8 , the first cloud system of the present application includes a plurality of computing devices, and each computing device includes one or more processors 401 , a communication interface 402 and a memory 403 . The processor 401 , the communication interface 402 and the memory 403 may be connected through a bus 404 .

处理器401包括一个或者多个通用处理器,其中,通用处理器可以是能够处理电子指令的任何类型的设备,包括中央处理器(central processing unit,CPU)、微处理器、微控制器、主处理器、控制器以及专用集成电路(application specific integratedcircuit,ASIC)等等。处理器401执行各种类型的数字存储指令,例如存储在存储器403中的软件或者固件程序,它能使计算设备提供较宽的多种服务。例如,处理器401能够执行程序或者处理数据,以执行本文介绍的方法的部分或者全部。Processor 401 includes one or more general-purpose processors, where a general-purpose processor may be any type of device capable of processing electronic instructions, including a central processing unit (CPU), microprocessor, microcontroller, main Processors, controllers, and application specific integrated circuits (ASICs), etc. Processor 401 executes various types of digitally stored instructions, such as software or firmware programs stored in memory 403, which enable the computing device to provide a wide variety of services. For example, the processor 401 can execute programs or process data to perform some or all of the methods described herein.

通信接口402可以为有线接口(例如以太网接口)或无线接口(例如蜂窝网络接口或使用无线局域网接口),用于与其他计算设备或用户进行通信。Communication interface 402 may be a wired interface (eg, an Ethernet interface) or a wireless interface (eg, a cellular network interface or using a wireless local area network interface) for communicating with other computing devices or users.

存储器403可以包括内部存储器和外部存储器。内部存储器可以包括如下至少一项中的一项或者多项:易失性存储器(例如动态随机存取器(DRAM)、静态RAM(SRAM)、同步动态RAM(SDRAM))和非易失性存储器(例如一次性可编程只读存储器(OTPROM)、可编程ROM(PROM)、可擦除可编程ROM(EPROM)、电可擦除可编程ROM(EEPROM)、掩膜ROM、与非(NAND)闪存、或非(NOR)闪存等)。内部存储器可以具有固态驱动器(SSD)的形式。外部存储器还可以包括闪驱,例如高密度闪存、安全数字、微型SD、迷你型SD、极限数据(xD)、存储棒等。外部存储器可以采用集中式存储,也可以采用分布式存储,此处不作具体限定。The memory 403 may include internal memory and external memory. Internal memory may include one or more of at least one of: volatile memory (eg, dynamic random access memory (DRAM), static RAM (SRAM), synchronous dynamic RAM (SDRAM)), and nonvolatile memory (e.g. One Time Programmable Read Only Memory (OTPROM), Programmable ROM (PROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), Mask ROM, NAND (NAND) flash memory, or non-(NOR) flash memory, etc.). The internal memory may be in the form of a solid state drive (SSD). External storage may also include flash drives such as high density flash, secure digital, micro SD, mini SD, extreme data (xD), memory sticks, and the like. The external storage may adopt centralized storage or distributed storage, which is not specifically limited here.

处理器401通过读取存储器403中的程序,可以执行如下步骤:The processor 401 can perform the following steps by reading the program in the memory 403:

通过通信接口402接收用户的开户请求,其中,所述第四云属于云联盟,所述云联盟包括多朵云;Receive an account opening request from a user through the communication interface 402, wherein the fourth cloud belongs to a cloud alliance, and the cloud alliance includes multiple clouds;

通过处理器401根据所述开户请求为所述用户生成用户信息;generating user information for the user according to the account opening request by the processor 401;

通过通信接口402向背书主体发送背书请求,并接收所述背书主体返回的背书结果,其中,所述背书请求包括所述用户信息,所述背书结果为所述背书主体对所述用户信息进行背书得到的结果;Send an endorsement request to an endorsement subject through the communication interface 402, and receive an endorsement result returned by the endorsement subject, where the endorsement request includes the user information, and the endorsement result is that the endorsement subject endorses the user information The results obtained;

通过通信接口402根据所述背书结果将所述背书结果上传至联盟区块链中,所述联盟区块链可被所述云联盟中的任意一朵云访问。The endorsement result is uploaded to the consortium blockchain through the communication interface 402 according to the endorsement result, and the consortium blockchain can be accessed by any cloud in the cloud consortium.

可选地,所述背书主体包括云联盟中的任一云或者第三方公证机构。Optionally, the endorsement subject includes any cloud in the cloud alliance or a third-party notary institution.

可选地,所述用户信息包括联盟账号、密码、联盟标识中的一种或者多种。Optionally, the user information includes one or more of an alliance account number, a password, and an alliance identification.

如图8所示,本申请的第三云系统的结构与第一云系统相似,包括多个计算设备,每个计算设备包括一个或多个处理器501、通信接口502和存储器503。其中,处理器501、通信接口502和存储器503之间可以通过总线504连接。As shown in FIG. 8 , the structure of the third cloud system of the present application is similar to that of the first cloud system, including multiple computing devices, each computing device including one or more processors 501 , communication interfaces 502 and memory 503 . The processor 501 , the communication interface 502 and the memory 503 may be connected through a bus 504 .

处理器501通过读取存储器503中的程序,可以执行如下步骤:The processor 501 can perform the following steps by reading the program in the memory 503:

通过通信接口502获取用户的认证请求,其中,所述认证请求包括所述用户的用户信息,所述第三云属于云联盟,所述云联盟包括多朵云;Obtain the authentication request of the user through the communication interface 502, wherein the authentication request includes the user information of the user, the third cloud belongs to the cloud alliance, and the cloud alliance includes multiple clouds;

通过通信接口502根据所述认证请求向背书主体发送背书请求,并接收所述背书主体返回的背书结果,其中,所述背书请求包括所述用户信息,所述背书结果为所述背书主体对所述用户信息进行背书得到的结果;Send an endorsement request to the endorsement subject through the communication interface 502 according to the authentication request, and receive an endorsement result returned by the endorsement subject, wherein the endorsement request includes the user information, and the endorsement result is the endorsement subject to all The result obtained from the endorsement of the user information;

通过处理器501根据所述背书结果为所述目标用户生成目标令牌;Generate a target token for the target user according to the endorsement result by the processor 501;

通过通信接口502将所述目标令牌上传至联盟区块链中以作为联盟令牌,所述联盟区块链可被所述云联盟中的任意一朵云访问。The target token is uploaded to the consortium blockchain through the communication interface 502 as a consortium token, and the consortium blockchain can be accessed by any cloud in the cloud consortium.

可选地,所述背书主体包括云联盟中的任一云或者第三方公证机构。Optionally, the endorsement subject includes any cloud in the cloud alliance or a third-party notary institution.

可选地,通过处理器501确定所述联盟令牌的失效周期,其中,所述失效周期用于在所述联盟令牌的生命周期大于失效周期时,使所述联盟令牌失效。Optionally, an expiration period of the alliance token is determined by the processor 501, wherein the expiration period is used to invalidate the alliance token when the life cycle of the alliance token is greater than the expiration period.

可选地,所述用户信息包括联盟账号、密码、联盟标识中的一种或者多种。Optionally, the user information includes one or more of an alliance account number, a password, and an alliance identification.

如图8所示,本申请的第三云系统的结构与第一云系统相似,包括多个计算设备,每个计算设备包括一个或多个处理器601、通信接口602和存储器603。其中,处理器601、通信接口602和存储器603之间可以通过总线604连接。As shown in FIG. 8 , the structure of the third cloud system of the present application is similar to that of the first cloud system, including multiple computing devices, each computing device including one or more processors 601 , communication interfaces 602 and memory 603 . The processor 601 , the communication interface 602 and the memory 603 may be connected through a bus 604 .

处理器601通过读取存储器603中的程序,可以执行如下步骤:The processor 601 can perform the following steps by reading the program in the memory 603:

通过通信接口602获取用户的第一访问请求,其中,所述第一访问请求包括目标令牌,所述目标令牌由背书主体对所述用户的用户信息进行背书而生成的,所述第一云属于云联盟,所述云联盟包括多朵云;The user's first access request is obtained through the communication interface 602, wherein the first access request includes a target token, and the target token is generated by an endorsement subject endorsing the user information of the user, and the first access request includes a target token. The cloud belongs to the cloud alliance, and the cloud alliance includes multiple clouds;

通过通信接口602从联盟区块链上获取联盟令牌,并将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果,其中,所述联盟区块链可被所述云联盟中的任意一朵云访问;Obtain the alliance token from the alliance blockchain through the communication interface 602, and match the target token and the alliance token to obtain a matching result, wherein the alliance blockchain can be used in the cloud alliance Any cloud access of ;

通过处理器601根据匹配结果确定所述目标用户为合法用户,并允许所述目标用户对所述第一云进行访问。The processor 601 determines that the target user is a legitimate user according to the matching result, and allows the target user to access the first cloud.

可选地,所述背书主体包括云联盟中的任一云或者第三方公证机构。Optionally, the endorsement subject includes any cloud in the cloud alliance or a third-party notary institution.

可选地,在所述联盟令牌的生命周期大于失效周期的情况下,处理器601重新生成新的联盟令牌,并将所述新的联盟令牌上传到所述联盟区块链中。Optionally, when the life cycle of the alliance token is greater than the expiration period, the processor 601 regenerates a new alliance token, and uploads the new alliance token to the alliance blockchain.

可选地,通过通信接口602接收用户的第二访问请求,其中,所述第二访问请求包括目标令牌;通过通信接口602向所述第二云发送所述用户的第二访问请求,其中,所述第二云属于所述云联盟。Optionally, the second access request of the user is received through the communication interface 602, wherein the second access request includes a target token; the second access request of the user is sent to the second cloud through the communication interface 602, wherein , the second cloud belongs to the cloud alliance.

上述方案中,在用户端需要访问第一云的情况下,第一云接收用户发送的第一访问请求,其中,第一访问请求中包括目标令牌。第一云从联盟区块链上获取联盟令牌,将所述目标令牌和所述联盟令牌进行匹配以得到匹配结果,根据匹配结果确定所述目标用户为合法用户,并允许所述目标用户对所述第一云进行访问。由于目标令牌是由背书主体对所述用户的用户信息进行背书而生成的,具有良好的公信力,因此,只要用户端发送的访问请求中携带了目标令牌,并且,对目标令牌的验证也顺利通过,就可以确定用户的身份是合法的,允许用户进行访问。所以,只要携带了目标令牌,云联盟的用户就可以随意访问云联盟中的任意一朵云的资源。In the above solution, when the user terminal needs to access the first cloud, the first cloud receives the first access request sent by the user, wherein the first access request includes the target token. The first cloud obtains the alliance token from the alliance blockchain, matches the target token and the alliance token to obtain a matching result, determines the target user as a legitimate user according to the matching result, and allows the target The user accesses the first cloud. Since the target token is generated by the endorsement subject's endorsement of the user's user information, it has good credibility. Therefore, as long as the access request sent by the client carries the target token, and the verification of the target token If it is also successfully passed, it can be determined that the user's identity is legitimate and the user is allowed to access. Therefore, as long as the target token is carried, the users of the cloud alliance can freely access the resources of any cloud in the cloud alliance.

在本申请所提供的几个实施例中,应该理解到,所揭露的系统、终端和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另外,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口、装置或单元的间接耦合或通信连接,也可以是电的,机械的或其它的形式连接。In the several embodiments provided in this application, it should be understood that the disclosed system, terminal and method may be implemented in other manners. For example, the apparatus embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may also be electrical, mechanical or other forms of connection.

所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本发明实施例方案的目的。The units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions in the embodiments of the present invention.

另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以是两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.

所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分,或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-OnlyMemory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。The integrated unit, if implemented in the form of a software functional unit and sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention is essentially or a part that contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes: U disk, removable hard disk, Read-Only Memory (ROM, Read-Only Memory), Random Access Memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes.

以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到各种等效的修改或替换,这些修改或替换都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应以权利要求的保护范围为准。The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited to this. Any person skilled in the art can easily think of various equivalents within the technical scope disclosed by the present invention. Modifications or substitutions should be included within the protection scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.

Claims (17)

1. A method of accessing a cloud, comprising:
a first cloud acquires a first access request of a user, wherein the first access request comprises a target token, the target token is generated by endorsement of an endorsement agent on user information of the user, the first cloud belongs to a cloud alliance, and the cloud alliance comprises a plurality of clouds;
acquiring a alliance token from an alliance block chain, and matching the target token with the alliance token to obtain a matching result, wherein the alliance block chain can be accessed by any cloud in the cloud alliance;
and determining that the target user is a legal user according to the matching result, and allowing the target user to access the first cloud.
2. The method of claim 1, wherein the endorsement agent comprises any cloud in a cloud federation or a third-party notarization authority.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
in the event that the lifetime of the federation token is greater than a failure period, the first cloud regenerates a new federation token and uploads the new federation token into the federation blockchain.
4. The method according to any one of claims 1 to 3, further comprising:
receiving a second access request of the user, wherein the second access request comprises a target token;
sending a second access request of the user to the second cloud, wherein the second cloud belongs to the cloud federation.
5. A cloud user authentication method is characterized by comprising the following steps:
the method comprises the steps that a third cloud acquires an authentication request of a user, wherein the authentication request comprises user information of the user, the third cloud belongs to a cloud alliance, and the cloud alliance comprises a plurality of clouds;
sending an endorsement request to an endorsement main body according to the authentication request, and receiving an endorsement result returned by the endorsement main body, wherein the endorsement request comprises the user information, and the endorsement result is a result obtained by the endorsement main body in endorsement of the user information;
generating a target token for the target user according to the endorsement result;
uploading the target token into a federation blockchain as a federation token, the federation blockchain being accessible to any cloud in the cloud federation.
6. The method of claim 5, wherein the endorsement agent comprises any cloud in a cloud federation or a third-party notarization authority.
7. The method of claim 5 or 6, further comprising:
determining a failure period of the federation token, wherein the failure period is used for failing the federation token when the lifetime of the federation token is greater than the failure period.
8. The method according to any one of claims 5-7, wherein the user information comprises one or more of a federation account number, a password, and a federation identification.
9. An account opening method for a cloud user is characterized by comprising the following steps:
receiving an account opening request of a user by a fourth cloud, wherein the fourth cloud belongs to a cloud alliance, and the cloud alliance comprises a plurality of clouds;
generating user information for the user according to the account opening request;
sending an endorsement request to an endorsement main body, and receiving an endorsement result returned by the endorsement main body, wherein the endorsement request comprises the user information, and the endorsement result is a result obtained by the endorsement main body in endorsement of the user information;
uploading the endorsement result to a federation blockchain according to the endorsement result, wherein the federation blockchain can be accessed by any cloud in the cloud federation.
10. The method of claim 9, wherein the endorsement agent comprises any cloud in a cloud federation or a third-party notarization authority.
11. The method according to claim 9 or 10, wherein the user information comprises one or more of a federation account number, a password, and a federation identification.
12. A cloud system, comprising: a plurality of computer devices, wherein each of the plurality of computer devices comprises a memory and a processor, a communication module coupled with the memory, wherein: the communication module is used for transmitting or receiving data transmitted from the outside, the memory is used for storing program codes, and the processor is used for calling the program codes stored in the memory to execute the method described in any one of claims 1-4.
13. A cloud system, comprising: a plurality of computer devices, wherein each of the plurality of computer devices comprises a memory and a processor, a communication module coupled with the memory, wherein: the communication module is used for transmitting or receiving data transmitted from outside, the memory is used for storing program codes, and the processor is used for calling the program codes stored in the memory to execute the method described in any one of claims 5-8.
14. A cloud system, comprising: a plurality of computer devices, wherein each of the plurality of computer devices comprises a memory and a processor, a communication module coupled with the memory, wherein: the communication module is used for transmitting or receiving data transmitted from outside, the memory is used for storing program codes, and the processor is used for calling the program codes stored in the memory to execute the method described in any one of claims 9-11.
15. A computer non-transitory storage medium including instructions that, when executed on a computer, cause the computer to perform the method of any one of claims 1-4.
16. A computer non-transitory storage medium including instructions that, when executed on a computer, cause the computer to perform the method of any one of claims 5-8.
17. A computer non-transitory storage medium including instructions that, when executed on a computer, cause the computer to perform the method of any one of claims 9-11.
CN201810931000.1A 2018-08-15 2018-08-15 Cloud account opening, authentication and access method and device Active CN110839002B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810931000.1A CN110839002B (en) 2018-08-15 2018-08-15 Cloud account opening, authentication and access method and device
PCT/CN2019/088169 WO2020034700A1 (en) 2018-08-15 2019-05-23 Method and device for accounting, authenticating and accessing cloud

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810931000.1A CN110839002B (en) 2018-08-15 2018-08-15 Cloud account opening, authentication and access method and device

Publications (2)

Publication Number Publication Date
CN110839002A true CN110839002A (en) 2020-02-25
CN110839002B CN110839002B (en) 2022-05-17

Family

ID=69524843

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810931000.1A Active CN110839002B (en) 2018-08-15 2018-08-15 Cloud account opening, authentication and access method and device

Country Status (2)

Country Link
CN (1) CN110839002B (en)
WO (1) WO2020034700A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023142437A1 (en) * 2022-01-28 2023-08-03 中国银联股份有限公司 Identity authentication method and apparatus, device, and computer readable storage medium

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244546B (en) * 2020-09-09 2023-06-02 华为技术有限公司 Method and device for service provider to obtain user information
CN113364855B (en) * 2021-06-02 2023-03-24 网易(杭州)网络有限公司 Block chain information management method, device, service platform, equipment and medium
CN114615332B (en) * 2022-02-24 2024-06-18 阿里巴巴(中国)有限公司 Cloud product access method, device and system, storage medium and computer terminal
CN115515135A (en) * 2022-09-22 2022-12-23 中国电信股份有限公司 Alliance communication method, system, device, equipment and storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102984252A (en) * 2012-11-26 2013-03-20 中国科学院信息工程研究所 Cloud resource access control method based on dynamic cross-domain security token
CN103685267A (en) * 2013-12-10 2014-03-26 小米科技有限责任公司 Data access method and device
US9569771B2 (en) * 2011-04-29 2017-02-14 Stephen Lesavich Method and system for storage and retrieval of blockchain blocks using galois fields
CN106789047A (en) * 2017-03-03 2017-05-31 钱德君 A kind of block chain identification system
CN107079036A (en) * 2016-12-23 2017-08-18 深圳前海达闼云端智能科技有限公司 Registration and authorization method, apparatus and system
CN107579998A (en) * 2017-10-17 2018-01-12 光载无限(北京)科技有限公司 Personal data center and digital identification authentication method based on block chain, digital identity and intelligent contract
CN107786547A (en) * 2017-09-30 2018-03-09 厦门快商通信息技术有限公司 A kind of auth method based on block chain, device and computer-readable recording medium
CN107888384A (en) * 2017-11-30 2018-04-06 中链科技有限公司 A kind of identity data management method, system and computer-readable recording medium
CN108235806A (en) * 2017-12-28 2018-06-29 深圳达闼科技控股有限公司 Method, device and system for safely accessing block chain, storage medium and electronic equipment
CN108256864A (en) * 2018-02-13 2018-07-06 中链科技有限公司 Between a kind of block chain across the foundation of chain alliance and communication means, system
CN108280646A (en) * 2018-01-19 2018-07-13 中国科学院软件研究所 Block chain group chain method based on alliance's chain and block catenary system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532981B (en) * 2013-10-31 2016-08-17 中国科学院信息工程研究所 A kind of identity trustship towards many tenants authenticates cloud resource access control system and control method
US10362058B2 (en) * 2016-05-13 2019-07-23 Vmware, Inc Secure and scalable data transfer using a hybrid blockchain-based approach
JP6825296B2 (en) * 2016-10-11 2021-02-03 富士通株式会社 Edge server and its encrypted communication control method

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9569771B2 (en) * 2011-04-29 2017-02-14 Stephen Lesavich Method and system for storage and retrieval of blockchain blocks using galois fields
CN102984252A (en) * 2012-11-26 2013-03-20 中国科学院信息工程研究所 Cloud resource access control method based on dynamic cross-domain security token
CN103685267A (en) * 2013-12-10 2014-03-26 小米科技有限责任公司 Data access method and device
CN107079036A (en) * 2016-12-23 2017-08-18 深圳前海达闼云端智能科技有限公司 Registration and authorization method, apparatus and system
CN106789047A (en) * 2017-03-03 2017-05-31 钱德君 A kind of block chain identification system
CN107786547A (en) * 2017-09-30 2018-03-09 厦门快商通信息技术有限公司 A kind of auth method based on block chain, device and computer-readable recording medium
CN107579998A (en) * 2017-10-17 2018-01-12 光载无限(北京)科技有限公司 Personal data center and digital identification authentication method based on block chain, digital identity and intelligent contract
CN107888384A (en) * 2017-11-30 2018-04-06 中链科技有限公司 A kind of identity data management method, system and computer-readable recording medium
CN108235806A (en) * 2017-12-28 2018-06-29 深圳达闼科技控股有限公司 Method, device and system for safely accessing block chain, storage medium and electronic equipment
CN108280646A (en) * 2018-01-19 2018-07-13 中国科学院软件研究所 Block chain group chain method based on alliance's chain and block catenary system
CN108256864A (en) * 2018-02-13 2018-07-06 中链科技有限公司 Between a kind of block chain across the foundation of chain alliance and communication means, system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MANOJ V. THOMAS: "Single Sign-On in Cloud Federation using CloudSim", 《I. J. COMPUTER NETWORK AND INFORMATION SECURITY》 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023142437A1 (en) * 2022-01-28 2023-08-03 中国银联股份有限公司 Identity authentication method and apparatus, device, and computer readable storage medium

Also Published As

Publication number Publication date
WO2020034700A1 (en) 2020-02-20
CN110839002B (en) 2022-05-17

Similar Documents

Publication Publication Date Title
CN110839002B (en) Cloud account opening, authentication and access method and device
US11297064B2 (en) Blockchain authentication via hard/soft token verification
CN110602096B (en) Data processing method, device, storage medium and equipment in block chain network
CN110771120B (en) System and method for blockchain based authentication
US10992670B1 (en) Authenticating identities for establishing secure network tunnels
US9455988B2 (en) System and method for verifying status of an authentication device
CN102823195B (en) System and method for remotely maintaining a client system in an electronic network using software testing performed by a virtual machine
CN110213223B (en) Service management method, device, system, computer equipment and storage medium
US20230037932A1 (en) Data processing method and apparatus based on blockchain network, and computer device
CN111010382A (en) Method and apparatus for processing data requests in a blockchain network
US20190141048A1 (en) Blockchain identification system
CN110753944A (en) System and method for blockchain based data management
CN108259438A (en) A kind of method and apparatus of the certification based on block chain technology
CN111753269A (en) A blockchain-based identity authentication method and device
CN109726531A (en) A marketing terminal security control method based on blockchain smart contract
CN107347073B (en) A kind of resource information processing method
US20190288833A1 (en) System and Method for Securing Private Keys Behind a Biometric Authentication Gateway
WO2025001468A1 (en) Decentralized identity authentication method and related device
Khalil et al. DSCOT: An NFT-based blockchain architecture for the authentication of IoT-enabled smart devices in smart cities
WO2021226854A1 (en) Blockchain machine, blockchain data access authentication method, and computer-readable storage medium
CN115001707A (en) Blockchain-based device authentication method and related devices
Khalil et al. Decentralized smart city of things: A blockchain tokenization-enabled architecture for digitization and authentication of assets in smart cities
CN105516134B (en) A kind of authentication method and system of the system integration
US20240015021A1 (en) Information processing device, information processing method, and information processing program
Liu et al. Risk‐Based Dynamic Identity Authentication Method Based on the UCON Model

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20220208

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Applicant after: Huawei Cloud Computing Technologies Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Applicant before: HUAWEI TECHNOLOGIES Co.,Ltd.

GR01 Patent grant
GR01 Patent grant