CN111104202A - Method and system for realizing traffic prohibition based on OpenStack security group rule - Google Patents


Info

Publication number
CN111104202A
Authority
CN
China
Prior art keywords
security group
rule
openstack
neutron
prohibition
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911274113.XA
Other languages
Chinese (zh)
Inventor
李明泽 (Li Mingze)
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Unicloud Nanjing Digital Technology Co Ltd
Original Assignee
Unicloud Nanjing Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-12-12
Filing date
2019-12-12
Publication date
2020-05-05
Application filed by Unicloud Nanjing Digital Technology Co Ltd
Priority to CN201911274113.XA
Publication of CN111104202A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects

Abstract

The invention discloses a method and a system for implementing traffic prohibition based on OpenStack security group rules. The method comprises: adding an attribute to the security group rule that identifies, and enforces, whether the matched traffic is allowed or prohibited; persisting the security group rules into the Neutron database; and delivering the security group rule to the flow table rule that corresponds to the virtual machine's network card. By introducing allow and prohibit attributes into native OpenStack, the invention makes the security group function more complete.

Description

Method and system for realizing traffic prohibition based on OpenStack security group rule
Technical Field
The invention relates to the field of cloud computing applications, and in particular to a method and a system for implementing traffic prohibition based on OpenStack security group rules.
Background
OpenStack holds a considerable position in the industry as a platform-layer tool for managing and scheduling cluster resources, and many public cloud service providers build their products on top of it. Native OpenStack, however, does not meet the requirements of a commercial public cloud service, particularly in how security group rules are defined and applied: native OpenStack security group rules can only express policies that allow traffic, not policies that prohibit it. This falls short of what public cloud users demand from a cloud computing product.
Native OpenStack applies security group rules as a whitelist: traffic to a cloud host's virtual network card that no rule allows is dropped, and a rule can only open a specified protocol or port range. This satisfies the basic need to bind security group rules to a cloud host, but it is very inflexible. For example, a user allows traffic to ports 8000-10000 but, to protect a sensitive network service, needs to prohibit access to port 8080. The user must redefine the rule as two rules, 8000-8079 and 8081-10000, and that prohibits only a single port; if 8180, 8280, 8380 and so on must also be prohibited, or if the rules are defined once and a port later changes, the repeated modification and redefinition make the native OpenStack security group rule function very inflexible.
Disclosure of Invention
In view of this, an object of the present invention is to provide a method and a system for implementing traffic prohibition based on OpenStack security group rules, so as to solve the inflexibility of traffic prohibition rules in the prior art.
To achieve this object, the present invention provides a method for implementing traffic prohibition based on OpenStack security group rules, comprising the following steps:
A: adding an attribute to the security group rule that identifies, and enforces, whether the matched traffic is allowed or prohibited;
B: persisting the security group rules into the Neutron database;
C: delivering the security group rule to the flow table rule corresponding to the virtual machine's network card.
Optionally, in step A, the OpenStack API for creating a security group rule is rewritten, and a new API parameter is added that identifies whether the traffic is allowed or prohibited.
Optionally, in step B, a table structure for security group rules is defined and the rules are persisted into the Neutron database.
Optionally, in step C, the security group rule is delivered to the OpenVSwitch component located on the physical machine that hosts the cloud host.
Optionally, in step C, the OpenVSwitch component configures a flow table rule for the cloud host's virtual machine network card and at the same time sets the allow or prohibit attribute on that rule.
The invention also provides a system for implementing traffic prohibition based on OpenStack security group rules, comprising a cloud computing control system, the network management component Neutron, and a physical machine. The cloud computing control system provides the user with an interface for setting the allow or prohibit attribute of a security group rule and issues the resulting data request to Neutron; Neutron defines and persists the security group rules, including their allow or prohibit attributes, and delivers them to the physical machine.
Optionally, in Neutron the API for creating a security group rule is rewritten and a new API parameter is added that identifies whether the traffic is allowed or prohibited; Neutron receives the user request sent by the cloud computing control system through this API.
Optionally, the physical machine comprises an OpenVSwitch component and a cloud host, and Neutron delivers the security group rule to the OpenVSwitch component; the OpenVSwitch component configures a flow table rule for the cloud host's virtual machine network card and sets the allow or prohibit attribute on that rule.
Compared with the prior art, the technical scheme of the invention has the following advantages: a traffic allow attribute and a traffic prohibit attribute are added to the OpenStack security group rule, and by examining this attribute the system can tell which traffic is allowed to pass and which is prohibited, so the security group becomes simpler to use, more complete in function, and supports more calling scenarios.
Drawings
FIG. 1 is a flow chart of the method for implementing traffic prohibition according to the present invention;
FIG. 2 is a block diagram of the system for implementing traffic prohibition according to the present invention.
Detailed Description
Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, but the present invention is not limited to these embodiments. The invention is intended to cover the alternatives, modifications and equivalents that fall within its spirit and scope.
In the following description of the preferred embodiments, specific details are set forth to provide a thorough understanding of the invention; it will be apparent to those skilled in the art that the invention may be practiced without these specific details.
The invention is described in more detail in the following paragraphs by way of example with reference to the accompanying drawings. The drawings are in simplified form and not to precise scale; they serve only to describe the embodiments conveniently and clearly.
Referring to FIG. 1, the flow chart of the method for implementing traffic prohibition comprises the following steps:
S01: adding an attribute to the security group rule that identifies, and enforces, whether the matched traffic is allowed or prohibited;
S02: persisting the security group rules into the Neutron database;
S03: delivering the security group rule to the flow table rule corresponding to the virtual machine's network card.
Specifically, in step A (S01), the OpenStack API for creating a security group rule is rewritten and a new API parameter is added that identifies whether the traffic is allowed or prohibited. In step B (S02), a table structure for security group rules is defined and the rules are persisted into the Neutron database. In step C (S03), the security group rule is delivered to the OpenVSwitch component located on the physical machine that hosts the cloud host; the OpenVSwitch component then configures a flow table rule for the cloud host's virtual machine network card and, at the same time, marks that rule with its allow or prohibit attribute.
Referring to FIG. 2, the system for implementing traffic prohibition according to the invention comprises a cloud computing control system, the network management component Neutron, and a physical machine. The cloud computing control system is the user-facing layer that manages the user's cloud computing resources; it consists of a visual page and background services, provides the interface for setting the allow or prohibit attribute of a security group rule, and issues the data request to Neutron. Neutron is the tool of the resource management and scheduling layer; it defines and persists security group rules that include an allow or prohibit attribute and delivers them to the physical machine. In Neutron, the API for creating a security group rule is rewritten and a new API parameter is added that identifies whether the traffic is allowed or prohibited; Neutron receives the user request sent by the cloud computing control system through this API.
The physical machine comprises an OpenVSwitch component and a cloud host. Neutron delivers the security group rule to the OpenVSwitch component, which configures a flow table rule for the cloud host's virtual machine network card and sets the allow or prohibit attribute on that rule.
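The Background's range-splitting workaround and steps A to C above (validate the new attribute at the API, persist it, compile it into flow table rules for the virtual machine's network card), as an added Python illustration that is not code from the patent, from Neutron or from Open vSwitch. Every name in it is an assumption: the patent does not name the new attribute, so it is called action with values allow and deny here; the OpenFlow priorities 70/60/0 are this example's choice; sqlite3 stands in for the Neutron database; and the flow entries form a flat single-table model for one VM port, not Neutron's multi-table, conntrack-based OVS firewall. The sample requests are constructed from the Background's example (allow 8000-10000, prohibit 8080).

```python
import sqlite3
from dataclasses import dataclass

# Assumed: the patent names neither the new attribute (called "action" here) nor any
# OpenFlow priorities; these values are this example's choice.
ACTIONS = ("allow", "deny")
PRIO_DENY, PRIO_ALLOW, PRIO_DEFAULT = 70, 60, 0

@dataclass(frozen=True)
class Rule:
    security_group_id: str
    protocol: str          # "tcp" or "udp"
    port_min: int
    port_max: int
    action: str = "allow"  # the attribute added in step A

def validate_rule_request(body):
    """Step A: the rewritten create-rule API rejects unknown actions and bad ranges."""
    r = body["security_group_rule"]
    action = r.get("action", "allow")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}, got {action!r}")
    if r["protocol"] not in ("tcp", "udp"):
        raise ValueError("only tcp/udp are handled in this example")
    lo, hi = int(r["port_range_min"]), int(r["port_range_max"])
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("need 1 <= port_range_min <= port_range_max <= 65535")
    return Rule(r["security_group_id"], r["protocol"], lo, hi, action)

# Step B: table structure; the CHECK keeps the allow/deny domain intact even for
# writers that bypass the API.  sqlite3 stands in for the Neutron database.
SCHEMA = """CREATE TABLE securitygrouprules (id INTEGER PRIMARY KEY,
    security_group_id TEXT NOT NULL, protocol TEXT NOT NULL, port_min INTEGER NOT NULL,
    port_max INTEGER NOT NULL, action TEXT NOT NULL CHECK (action IN ('allow', 'deny')))"""
COLS = "security_group_id, protocol, port_min, port_max, action"

def port_range_to_masks(lo, hi):
    """OpenFlow matches tp_dst through a bitmask, not a range: emit one (port, mask)
    per aligned power-of-two block (Neutron's OVS firewall driver does the same)."""
    out = []
    while lo <= hi:
        k = 0
        while k < 16 and lo % (1 << (k + 1)) == 0 and lo + (1 << (k + 1)) - 1 <= hi:
            k += 1
        out.append((lo, 0xFFFF & ~((1 << k) - 1)))
        lo += 1 << k
    return out

def split_allow_range(lo, hi, denied):
    """Native-OpenStack workaround from the Background: carve each prohibited port
    out of the allowed range (len(denied)+1 allow rules instead of one deny rule)."""
    ranges, start = [], lo
    for p in sorted(d for d in denied if lo <= d <= hi):
        if p > start:
            ranges.append((start, p - 1))
        start = p + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges

def compile_flows(rules):
    """Step C: one flow per (rule, masked block); deny outranks allow by priority, never by creation order."""
    flows = []
    for r in rules:
        prio, act = (PRIO_DENY, "drop") if r.action == "deny" else (PRIO_ALLOW, "normal")
        flows += [(prio, r.protocol, port, mask, act)
                  for port, mask in port_range_to_masks(r.port_min, r.port_max)]
    flows.append((PRIO_DEFAULT, None, 0, 0, "drop"))  # whitelist default for the port
    return sorted(flows, key=lambda f: -f[0])

def ovs_ofctl_line(of_port, flow):
    """Render one entry in ovs-ofctl add-flow syntax for the VM's switch port."""
    prio, proto, port, mask, act = flow
    m = f"in_port={of_port}" + (f",{proto},tp_dst={port:#06x}/{mask:#06x}" if proto else "")
    return f"priority={prio},{m},actions={act}"

def evaluate(flows, proto, dport):
    """Simulate the switch lookup: the highest-priority matching entry wins."""
    for _prio, fproto, port, mask, act in flows:
        if fproto is None or (fproto == proto and dport & mask == port):
            return act
    return "drop"

def build_flow_table(rule_bodies, sg_id):
    """Steps A-C end to end: validate, persist, reload from the database, compile."""
    rules = [validate_rule_request(b) for b in rule_bodies]
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(f"INSERT INTO securitygrouprules ({COLS}) VALUES (?,?,?,?,?)",
                     [(r.security_group_id, r.protocol, r.port_min, r.port_max, r.action)
                      for r in rules])
    q = f"SELECT {COLS} FROM securitygrouprules WHERE security_group_id = ?"
    return compile_flows([Rule(*row) for row in conn.execute(q, (sg_id,))])

# Constructed sample input: the Background's case, allow 8000-10000 but prohibit 8080.
SAMPLE_REQUESTS = [
    {"security_group_rule": {"security_group_id": "web", "protocol": "tcp",
                             "port_range_min": 8000, "port_range_max": 10000}},
    {"security_group_rule": {"security_group_id": "web", "protocol": "tcp",
                             "port_range_min": 8080, "port_range_max": 8080, "action": "deny"}},
]
```

Two checks worth carrying into any real implementation of this method. First, a prohibit rule must win by OpenFlow priority and never by creation order; with order-based priorities an allow rule added later silently shadows the prohibit rule, which is exactly the failure the attribute is meant to prevent. Second, OpenFlow matches ports through bitmasks, so for the Background's example the native workaround (two split allow rules) expands to 14 flow entries while the attribute approach needs 9, and the gap widens with every further prohibited port. The model is stateless; in Neutron allowed connections are also tracked by conntrack, so a real deny flow has to be placed where it is consulted before any established-connection shortcut.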
The components interact through API requests according to the scheme agreed above; the control system's page lays out the corresponding interface and binds the click events that trigger those requests.
Although the embodiments are described and illustrated separately, it will be apparent to those skilled in the art that common techniques may be substituted and combined between embodiments, and that an embodiment not explicitly described may refer to another that is.
The embodiments described above do not limit the scope of the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of these embodiments falls within the scope of protection of the technical solution.

Claims (8)

1. A method for implementing traffic prohibition based on OpenStack security group rules, characterized by comprising the following steps:
A: adding an attribute to the security group rule that identifies, and enforces, whether the matched traffic is allowed or prohibited;
B: persisting the security group rules into the Neutron database;
C: delivering the security group rule to the flow table rule corresponding to the virtual machine's network card.
2. The method for implementing traffic prohibition based on OpenStack security group rules according to claim 1, characterized in that in step A the OpenStack API for creating a security group rule is rewritten and a new API parameter is added that identifies whether the traffic is allowed or prohibited.
3. The method for implementing traffic prohibition based on OpenStack security group rules according to claim 2, characterized in that in step B a table structure for security group rules is defined and the rules are persisted into the Neutron database.
4. The method for implementing traffic prohibition based on OpenStack security group rules according to claim 3, characterized in that in step C the security group rule is delivered to an OpenVSwitch component located on the physical machine that hosts the cloud host.
5. The method for implementing traffic prohibition based on OpenStack security group rules according to claim 4, characterized in that in step C the OpenVSwitch component configures a flow table rule for the cloud host's virtual machine network card and at the same time sets the allow or prohibit attribute on that rule.
6. A system for implementing traffic prohibition based on OpenStack security group rules, characterized by comprising a cloud computing control system, the network management component Neutron, and a physical machine; the cloud computing control system provides the user with an interface for setting the allow or prohibit attribute of a security group rule and issues the data request to Neutron; Neutron defines and persists security group rules that include an allow or prohibit attribute and delivers them to the physical machine.
7. The system for implementing traffic prohibition based on OpenStack security group rules according to claim 6, characterized in that in Neutron the API for creating a security group rule is rewritten and a new API parameter is added that identifies whether the traffic is allowed or prohibited; Neutron receives the user request sent by the cloud computing control system through this API.
8. The system for implementing traffic prohibition based on OpenStack security group rules according to claim 7, characterized in that the physical machine comprises an OpenVSwitch component and a cloud host, Neutron delivers the security group rule to the OpenVSwitch component, and the OpenVSwitch component configures a flow table rule for the cloud host's virtual machine network card and sets the allow or prohibit attribute on that rule.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911274113.XA CN111104202A (en) 2019-12-12 2019-12-12 Method and system for realizing traffic prohibition based on OpenStack security group rule

Publications (1)

Publication Number Publication Date
CN111104202A true CN111104202A (en) 2020-05-05

Family

ID=70422314

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112436966A (en) * 2020-11-17 2021-03-02 Inspur Cloud Information Technology Co., Ltd. (浪潮云信息技术股份公司) OpenStack platform-based cloud physical host network card binding configuration method and system
CN112436966B (en) * 2020-11-17 2022-05-31 Inspur Cloud Information Technology Co., Ltd. (浪潮云信息技术股份公司) OpenStack platform-based cloud physical host network card binding configuration method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
付广平 (Fu Guangping): "深入浅出 OpenStack 安全组实现原理" (OpenStack security group implementation principles explained), 《HTTPS://WWW.INFOQ.CN/ARTICLE/OAGPPDCG*A1ZQKZGBBCB》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2020-05-05