CN112019475A - Resource access method, device, system and storage medium under server-free architecture - Google Patents


Info

Publication number
CN112019475A
Authority
CN
China
Prior art keywords
resource
service cluster
target
shared resource
target service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910451596.XA
Other languages
Chinese (zh)
Other versions
CN112019475B (en)
Inventor
匡大虎
李鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Cloud Computing Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201910451596.XA (patent CN112019475B)
Priority to PCT/CN2020/091527 (patent WO2020238751A1)
Publication of CN112019475A
Application granted
Publication of CN112019475B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the present application provide a resource access method, device, system and storage medium under a serverless architecture. For the multi-tenant scenario in a serverless architecture, a resource control node is added to each service cluster deployed by a tenant. The resource control node cooperates with the master control node of the serverless architecture and determines, based on the private resource domain identifier of the service cluster, the shared resource that the service cluster has the right to access. This ensures that the service cluster can successfully access its corresponding shared resource while achieving security isolation of shared resource access among different tenants.

Description

Resource access method, device, system and storage medium under server-free architecture
Technical Field
The present application relates to the field of internet technologies, and in particular to a resource access method, device, system and storage medium under a serverless architecture.
Background
The serverless architecture is a novel internet architecture in which application development does not use conventional service processes; it offers a new architecture for applications in edge computing scenarios. When the serverless architecture is combined with edge computing, it can hide server-side facilities such as servers, databases and middleware from tenants. Tenants no longer take part in deploying and maintaining these facilities, which greatly reduces their deployment, operation and maintenance effort.
However, security isolation of shared resource access in multi-tenant scenarios remains a problem to be solved for the serverless architecture. In multi-tenant production environments that combine a large number of edge nodes, ensuring that different tenants' access to shared resources is isolated is especially important.
Disclosure of Invention
Various aspects of the present application provide a resource access method, device, system and storage medium under a serverless architecture, so as to achieve security isolation of shared resources among different tenants and improve the access security of shared resources.
An embodiment of the present application provides a serverless network system, including: a master control node, serverless service clusters deployed by a plurality of tenants, and at least one type of global shared resource shared by the plurality of tenants; each service cluster includes a resource control node and a service node;
the master control node is configured to provide the private resource domain identifier corresponding to a target service cluster to the resource control node in the target service cluster when the target service cluster needs to access a global shared resource, where the target service cluster is any one of the service clusters;
and the resource control node is configured to, when it belongs to the target service cluster, determine the target shared resource that the target service cluster has the right to access according to the private resource domain identifier corresponding to the target service cluster, and notify a service node in the target service cluster to access the target shared resource.
An embodiment of the present application further provides an edge cloud network system implemented based on a container scheduling system, including: a master control node deployed on a server device, serverless container clusters deployed on edge computing devices by a plurality of tenants, and at least one type of cloud resource shared by the plurality of tenants; each container cluster includes a resource control node and an elastic container instance (ECI) node;
the master control node is configured to provide the namespace identifier corresponding to a target container cluster to the resource control node in the target container cluster when the target container cluster needs to access a sharable cloud resource, where the target container cluster is any one of the container clusters;
and the resource control node is configured to, when it belongs to the target container cluster, determine the target shared resource that the target container cluster has the right to access according to the namespace identifier corresponding to the target container cluster, and notify an ECI node in the target container cluster to access the target shared resource.
The embodiment of the present application further provides a resource access method, which is applicable to a master control node, and the method includes:
receiving a resource access request of a target service cluster, wherein the target service cluster is any service cluster in the serverless network system where the master control node is located;
acquiring a private resource domain identifier corresponding to the target service cluster according to the resource access request;
and under the condition that the resource access request declares that a global shared resource is accessed, sending the resource access request and the private resource domain identifier to a resource control node in the target service cluster so as to indicate the resource control node to determine a target shared resource for the target service cluster.
The embodiment of the present application further provides a resource access method, which is applicable to a resource management and control node, and the method includes:
receiving a private resource domain identifier corresponding to a target service cluster sent by a master control node under the condition that the target service cluster needs to access global shared resources;
determining a target shared resource with an access right of the target service cluster according to a private resource domain identifier corresponding to the target service cluster;
informing a service node in the target service cluster to perform resource access on the target shared resource;
the target service cluster is any service cluster in the serverless network system where the master control node is located, and the resource control node belongs to the target service cluster.
An embodiment of the present application further provides a node device, including: a memory and a processor; the memory for storing a computer program; when executed by the processor, the computer program causes the processor to implement the steps in the resource access method that can be executed by the master node according to the embodiment of the present application.
An embodiment of the present application further provides a node device, including: a memory and a processor; the memory for storing a computer program; when executed by the processor, the computer program causes the processor to implement the steps in the resource access method that can be executed by the resource management and control node provided by the embodiment of the present application.
Embodiments of the present application further provide a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to implement the steps in the resource access method that can be executed by the master control node and/or the resource management and control node according to the embodiments of the present application.
In the embodiments of the present application, for the multi-tenant scenario in a serverless architecture, a resource control node is added to each service cluster deployed by a tenant and cooperates with the master control node of the serverless architecture. When the service cluster to which a resource control node belongs needs to access a global shared resource, the resource control node determines the shared resource that the service cluster has the right to access according to the private resource domain identifier of that service cluster, as provided by the master control node, and then notifies the service nodes in the service cluster to access the determined shared resource. Because the shared resource is determined from the private resource domain identifier of the service cluster, the service cluster can successfully access its corresponding shared resource while shared resource access is securely isolated among different tenants. In addition, tenants do not need to be aware of the shared resources, which simplifies the process of accessing them.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1a is a schematic structural diagram of a serverless network system according to an exemplary embodiment of the present application;
Fig. 1b is a schematic structural diagram of an edge cloud network system implemented based on Kubernetes according to an exemplary embodiment of the present application;
Fig. 2a is a schematic flowchart of a resource access method according to an exemplary embodiment of the present application;
Fig. 2b is a schematic flowchart of another resource access method according to an exemplary embodiment of the present application;
Fig. 3 is a schematic structural diagram of a node device according to an exemplary embodiment of the present application;
Fig. 4 is a schematic structural diagram of another node device according to an exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Security isolation of shared resource access in multi-tenant scenarios is a technical problem that the existing serverless architecture has yet to solve. To address this problem, in some embodiments of the present application, for the multi-tenant scenario in a serverless architecture, a resource control node is added to each service cluster deployed by a tenant. The resource control node cooperates with the master control node of the serverless architecture and determines, based on the private resource domain identifier of the service cluster, the shared resource that the service cluster has the right to access. This ensures that the service cluster can successfully access its corresponding shared resource while achieving security isolation of shared resource access among different tenants. In addition, tenants do not need to be aware of the shared resources, which helps simplify the process by which tenants access them.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1a is a schematic structural diagram of a serverless network system 10 according to an exemplary embodiment of the present application. As shown in Fig. 1a, the network system 10 includes: a master node 11, serverless service clusters 12 deployed by a plurality of tenants, and at least one type of global shared resource 13 shared by the plurality of tenants. Each service cluster 12 includes a resource management node 121 and a service node 122.
The network system 10 of the present embodiment includes a variety of resources, such as computing resources, storage resources, and network resources, which may be provided by physical devices in the network system. Physical devices in the network system 10 include, but are not limited to: computer devices, sensor devices, storage devices, conventional servers, cloud servers or server arrays, and the like. The network system 10 of the present embodiment can provide the various resources a tenant requires and can also provide, on top of those resources, the services the tenant requires. The network system 10 provides services to tenants by allowing them to deploy the service clusters they require in the network system 10 (specifically, on physical devices in the network system).
The network system 10 of the present embodiment can provide services for multiple tenants, that is, it allows multiple tenants to deploy the service clusters 12 they require in the network system. Each tenant may deploy one or more service clusters 12. Different service clusters of the same tenant can provide the same service or different services for the tenant. Likewise, service clusters deployed by different tenants can provide the same service or different services. Each service cluster 12 includes service nodes 122 for providing the service required by the corresponding tenant, and the number of service nodes 122 may be one or more. Optionally, when there are a plurality of service nodes 122, they may be deployed together on the same physical device or virtual machine, or distributed across a plurality of physical devices or virtual machines. The present embodiment does not limit how the service nodes 122 of one service cluster 12 are distributed across multiple physical devices or virtual machines.
Different tenants have different identity identifications, and the identity identification of each tenant can uniquely identify the tenant. The identity of the tenant may be any information capable of uniquely identifying the tenant, for example, the identity may be an ID of the tenant in the network system 10, and may also be a tenant name, an account number, a telephone number, an email address and/or a home address, etc. registered by the tenant in the network system 10. In addition, in order to distinguish the service clusters deployed by different tenants from different service clusters deployed by the same tenant, each service cluster 12 also has its own identifier, and the identifier of each service cluster 12 can uniquely identify the service cluster. The identification of the service cluster 12 may be any information capable of uniquely identifying the service cluster, and may be, for example, an ID, a name, a deployment time, and/or the like of the service cluster in the network system 10. In this embodiment, a correspondence between the identity of the tenant and the identity of the service cluster 12 deployed by the tenant is maintained.
Each service cluster 12 has its own private resource domain, which includes the resources used exclusively by that service cluster 12, such as the service programs deployed in the service cluster 12. The embodiments of the present application do not limit the implementation form of the service programs, which may include, for example, various application programs and/or an operating system. To distinguish the private resource domains of different service clusters 12, each private resource domain also has its own identifier, which uniquely identifies the private resource domain of one service cluster. The identifier of the private resource domain may be any information capable of uniquely identifying the private resource domain, such as an ID or name of the private resource domain in the network system 10. In the present embodiment, a correspondence between the identifier of the service cluster 12 and the identifier of its private resource domain (referred to as the private resource domain identifier for short) is maintained.
In addition to the private resources used exclusively by each service cluster 12, the network system 10 includes some global resources. Global resources that different tenants may share are called global shared resources, and global resources that tenants are not allowed to use are called global unshared resources. The present embodiment does not limit the type of global shared resource; there may be at least one type, for example, a globally sharable storage class resource, a globally sharable computing node, and/or a globally sharable network resource. Fig. 1a illustrates the global shared resources using a storage class resource, a compute node, and a network resource as examples. Optionally, the globally sharable storage class resource may be a local storage resource or a network storage resource, such as Network Attached Storage (NAS).
Different tenants can access the global shared resources in the network system 10, so to ensure the access security of the shared resources, access to them must be securely isolated among different tenants. To this end, a resource management and control node 121 is provided in the service cluster 12 of this embodiment. The resource management and control node 121 cooperates with the main control node 11 in the network system 10 and, when the service cluster 12 to which it belongs needs to access a global shared resource, helps the tenant automatically complete the mapping from the service cluster 12 to the shared resource, ensuring that the service cluster can access its corresponding shared resource. Optionally, the resource management node 121 may be deployed on a physical device or a virtual machine in the network system 10. Further optionally, the resource management node 121 may be deployed on the same physical device or the same virtual machine as one or several service nodes 122 in the service cluster 12 to which it belongs. Of course, the resource management node 121 and the service nodes 122 in the service cluster 12 may also be deployed on different physical devices or virtual machines.
The master control node 11 is a management and control node in the network system 10, and is mainly responsible for at least one of resource management, service scheduling, cluster management and control, security control, system monitoring, error correction, and the like in the network system 10. Optionally, a series of processes related to system management and control may be executed on the main control node 11, and these processes may implement management capabilities such as resource management, service scheduling, cluster management and control, security control, system monitoring and error correction in the network system 10. The number of the master nodes 11 may be one or more. The master node 11 may be deployed on a physical device or a virtual machine in the network system 10. In the case that there are a plurality of main control nodes 11, the plurality of main control nodes 11 may be deployed on a plurality of physical devices or virtual machines in a decentralized manner. Further optionally, the master node 11 may be deployed on a physical device or a virtual machine in a certain service cluster 12, for example, the master node 11 may be deployed on the same physical device or virtual machine as one or several service nodes 122 in the service cluster 12, or the master node 11 may also be deployed on the same physical device or virtual machine as the resource management node 121 in the service cluster 12. Alternatively, the master node 11 may be deployed separately on one or more physical devices or separately in one or more virtual machines, independent of the respective service clusters 12.
In this embodiment, the main control node 11 may further cooperate with the resource management and control node 121 so that, when a service cluster 12 requests access to a global shared resource, shared resources are allocated among the service clusters 12 based on the private resource domain identifier of each service cluster 12. This achieves security isolation of the global shared resources in the network system 10 among different tenants. The process of allocating shared resources is the same or similar for every service cluster 12, so for convenience of description and understanding it is explained below using a target service cluster as an example. The target service cluster is any service cluster in the network system 10.
The master control node 11 may monitor a resource access requirement of the target service cluster, and provide a private resource domain identifier corresponding to the target service cluster for the resource control node 121 in the target service cluster when it is monitored that the target service cluster needs to access the global shared resource, so as to instruct the resource control node 121 in the target service cluster to determine the shared resource with the access right for the target service cluster. For the resource management and control node 121, if it belongs to the target service cluster, the shared resource having the access right of the target service cluster may be determined according to the private resource domain identifier corresponding to the target service cluster, and the service node 122 in the target service cluster is notified to perform resource access on the shared resource. For the convenience of differentiation and description, the shared resource with access right determined by resource management node 121 for the target service cluster is denoted as the target shared resource. The target shared resource may be any type of shared resource, such as a computing resource or a storage resource.
In this embodiment, a service cluster's access to shared resources is tied to the private resource domain identifier corresponding to that service cluster. The resource management and control node in each service cluster determines the shared resource that its own service cluster has the right to access according to that cluster's private resource domain identifier. Because the private resource domain identifier is unique, the service cluster can successfully access its corresponding shared resource while shared resource access is securely isolated among different tenants. Further, in the network system 10 of this embodiment, shared resource access can be securely isolated not only between tenants but also between different service clusters deployed by the same tenant. In addition, the tenant does not need to be aware of the shared resources; their allocation is completed automatically by the resource management and control node, which helps simplify the process by which the tenant accesses shared resources.
In an optional embodiment, when the target service cluster has a resource access requirement, the tenant that deployed the target service cluster may generate a resource access request according to that requirement and submit it to the main control node 11. Optionally, the network system 10 (specifically, the master node 11) may provide an interactive interface to the tenant, through which the tenant can submit the resource access request to the master node 11 and also perform other interactions with it. The interactive interface may be a web interface, a command window, or an application interface, depending on the product form of the network system 10. The resource access request carries information such as the identity of the tenant corresponding to the target service cluster, the identifier of the target service cluster, and the type of the resource to be accessed. The resource type to be accessed indicates the type of resource that the target service cluster needs to access, for example a private resource, a global shared resource, or a global non-shared resource. Depending on the resource type to be accessed, the resource access request declares access to a different type of resource.
In this optional embodiment, the main control node 11 may monitor the resource access requirement of the target service cluster by determining whether the resource access request of the target service cluster is received. If a resource access request of a target service cluster is received, the main control node 11 may obtain a private resource domain identifier corresponding to the target service cluster according to the resource access request on the one hand, and may identify whether the resource access request declares access to a global shared resource on the other hand. It should be noted that the execution sequence between the operation of obtaining the private resource domain identifier corresponding to the target service cluster and the operation of identifying whether the resource access request declares access to the global shared resource is not limited, and the two operations may be executed in parallel or sequentially.
Optionally, the master node 11 may store the correspondence between service cluster identifiers and private resource domain identifiers in advance. Based on this, the main control node 11 may look up the identifier of the target service cluster carried in the resource access request in the pre-stored correspondence, so as to obtain the private resource domain identifier corresponding to the target service cluster.
Alternatively, a global shared resource type, such as a storage resource type, a computing resource type, or the like, may be preset. Based on this, the master control node 11 may determine whether the type of the resource to be accessed carried in the resource access request belongs to a preset global shared resource type; and if the resource type to be accessed belongs to the global shared resource type, determining that the resource access request declares to access the global shared resource.
Furthermore, a global non-shared resource type can be preset, where the global non-shared resource type refers to global resources that tenants are not allowed to access. Based on this, the master control node 11 may also determine whether the resource type to be accessed belongs to a preset global unshared resource type; if it does, the master control node 11 blocks the resource access request and, further optionally, returns a prompt to the tenant indicating that resource access is prohibited. If the resource type to be accessed belongs to neither the global shared resource type nor the global non-shared resource type, the master node 11 may determine that the resource access request declares access to a private resource. The case in which a resource access request declares access to a private resource is described in later embodiments and is not detailed here.
It should be noted that this embodiment does not limit the execution order of the two checks: determining whether the resource type to be accessed carried in the resource access request belongs to the preset global shared resource type, and determining whether it belongs to the preset global non-shared resource type. The two operations may be executed in parallel or sequentially. When they are executed sequentially, the master control node may first check whether the resource type to be accessed belongs to the preset global shared resource type and, if not, go on to check whether it belongs to the preset global non-shared resource type. Alternatively, it may first check whether the resource type to be accessed belongs to the preset global non-shared resource type and, if not, go on to check whether it belongs to the preset global shared resource type.
Further, when the resource access request declares access to a global shared resource, the main control node 11 may send the resource access request and the obtained private resource domain identifier corresponding to the target service cluster to the resource management and control node 121 in the target service cluster, so as to instruct the resource management and control node 121 to determine, for the target service cluster, the target shared resource that it has the right to access.
Optionally, the main control node 11 may send the resource access request and the private resource domain identifier corresponding to the target service cluster to the resource management and control node 121 in the target service cluster in the same communication process. For example, the main control node 11 may add the private resource domain identifier corresponding to the target service cluster to the resource access request and send the resource access request to the resource management and control node 121 in the target service cluster. Alternatively, the main control node 11 may send the resource access request and the private resource domain identifier corresponding to the target service cluster to the resource management and control node 121 in the target service cluster separately, in different communication processes.
In an optional embodiment, the resource management and control node 121 in the target service cluster may maintain a correspondence between the private resource domain identifier corresponding to the target service cluster and the shared resource labels under at least one candidate global shared resource type. A candidate global shared resource type is simply a global shared resource type; the word "candidate" is prefixed only for ease of distinction and description. The at least one candidate global shared resource type may be some or all of the global shared resource types allowed in the network system 10. A shared resource label under a given global shared resource type represents a shared resource that the target service cluster can access under that global shared resource type; if there are multiple shared resources that the target service cluster can access under the global shared resource type, each shared resource is assigned its own shared resource label, and the shared resource labels corresponding to different shared resources are different. It should be noted that, depending on the granularity at which resources are divided, the size of a shared resource under a given global shared resource type in the embodiments of the present application may also differ. For example, for a storage resource, taking a storage disk as the granularity, the storage resource may include multiple storage disks, and each storage disk may be used as a shared resource in this embodiment of the present application; further, if a storage disk is accessible by the target service cluster, that storage disk is given a shared resource label.
For another example, for the storage resource, taking a sector as an example granularity, the storage resource may include a plurality of sectors, and each sector may be used as the shared resource described in this embodiment; further, if a sector is accessible by the target service cluster, the sector is tagged with a shared resource.
Optionally, if a shared resource indicated by a certain candidate global shared resource type is a physical device deploying an ECI node, the shared resource that the target service cluster has access right under the candidate global shared resource type refers to a physical device visible to the target service cluster.
Optionally, if the shared resource indicated by a certain candidate global shared resource type is a storage resource, the shared resources that the target service cluster has access rights to under the candidate global shared resource type are the storage resources that are idle with respect to the target service cluster and those already used by the target service cluster.
Based on the above, the resource management and control node 121 in the target service cluster may receive the resource access request sent by the main control node 11 and the private resource domain identifier corresponding to the target service cluster; according to the private resource domain identifier corresponding to the target service cluster and the resource type to be accessed carried in the resource access request, matching is carried out in the corresponding relation between the private resource domain identifier corresponding to the maintained target service cluster and the shared resource label under at least one candidate global shared resource type, so as to obtain a target shared resource label; and sending the resource access request and the target shared resource label to the service node 122 in the target service cluster, so that the service node 122 can perform resource access on the target shared resource. The target shared resource label identifies a target shared resource of which the target service cluster has access right.
Optionally, the resource management and control node 121 in the target service cluster may send the resource access request and the target shared resource tag to the service node 122 in the target service cluster in the same communication process. Further, the resource management and control node 121 in the target service cluster may add the target shared resource tag to the resource access request, and send the resource access request to the service node 122 in the target service cluster. Or, the resource management and control node 121 in the target service cluster may also send the resource access request and the target shared resource tag to the service node 122 in the target service cluster respectively in different communication processes.
The way for maintaining the corresponding relationship between the private resource domain identifier corresponding to the target service cluster and the shared resource label under the at least one candidate global shared resource type by the resource management and control node 121 in the target service cluster includes, but is not limited to:
acquiring at least one candidate global shared resource type that the tenant of the target service cluster is authorized to access, and acquiring shared resource information under the at least one candidate global shared resource type; selecting, according to the shared resource information under the at least one candidate global shared resource type, the shared resources under each candidate global shared resource type to which the target service cluster has access rights; and allocating a shared resource label to each shared resource to which the target service cluster has access rights under the at least one candidate global shared resource type, and establishing a correspondence between the private resource domain identifier corresponding to the target service cluster and the shared resource labels under the at least one candidate global shared resource type.
Further optionally, the tenant administrator may provide authorization configuration information corresponding to the tenant of the target service cluster to the resource management and control node 121. The authorization configuration information includes the identity of the tenant and the global shared resource types that the tenant is authorized to access. Alternatively, the authorization configuration information includes the identity of the tenant and the authority of the tenant, and the authority of the tenant determines the global shared resource types that the tenant is authorized to access. In this embodiment, a candidate global shared resource type refers to a global shared resource type to which the tenant has access rights, and there may be one or more such types. Based on this, the resource management and control node 121 may obtain, according to the authorization configuration information, at least one candidate global shared resource type that the tenant of the target service cluster is authorized to access.
Further optionally, the resource management and control node 121 may poll the global shared resources periodically and obtain the shared resource information under the at least one candidate global shared resource type. Alternatively, the resource management and control node 121 may send a polling request to the service node 122 in the target service cluster, so that the service node 122 polls and reports the shared resource information under the at least one candidate global shared resource type, and then receive the shared resource information under the at least one candidate global shared resource type reported by the service node 122. The shared resource information under each candidate global shared resource type includes, but is not limited to, metadata and access control information of the shared resources. Because the access state of a shared resource changes dynamically, periodic polling allows the maintained correspondence between the private resource domain identifier corresponding to the target service cluster and the shared resource labels under the at least one candidate global shared resource type to be updated in real time, so that the correspondence follows changes in the access state of the shared resources and its accuracy is improved.
Further, so that the service node 122 in the target service cluster can successfully perform resource access on the target shared resource according to the target shared resource label, the resource management and control node 121 may, after allocating shared resource labels to the shared resources to which the target service cluster has access rights under the at least one candidate global shared resource type, send those shared resource labels to the service node 122 in the target service cluster, so that the service node 122 locally maintains a correspondence between the shared resource labels under the at least one candidate global shared resource type and the corresponding shared resources. Then, when receiving the target shared resource label sent by the resource management and control node 121, the service node 122 may query the locally maintained correspondence, determine the target shared resource corresponding to the target shared resource label, and perform resource access on the target shared resource.
It should be noted that, depending on the resource access request, the service node 122 may perform resource access on the target shared resource in different manners. For example, if the resource access request is a resource query request, then service node 122 may return information such as metadata of the target shared resource to the tenant. For another example, if the resource access request is a resource usage request, the service node 122 may perform a corresponding operation on the target shared resource, for example, perform a resource operation of a disk mount type.
In an embodiment of the present application, a resource access request may declare access to a global shared resource, to a private resource, or even to a global non-shared resource. Where the resource access request declares access to a global non-shared resource, the master control node 11 blocks the resource access request, which ensures the security of the global non-shared resource. Where the resource access request declares access to a private resource, the master control node 11 may send the resource access request and the private resource domain identifier corresponding to the target service cluster to the resource management and control node 121 in the target service cluster, so as to instruct the resource management and control node 121 to forward them to the service node 122 in the target service cluster. The service node 122 may then directly use the resource access request and the private resource domain identifier corresponding to the target service cluster to perform resource access on the private resource of the target service cluster.
It should be noted that, both when the resource access request declares access to the global shared resource and when it declares access to a private resource, the master control node 11 sends the resource access request and the private resource domain identifier corresponding to the target service cluster to the resource management and control node 121 in the target service cluster, but instructs the resource management and control node 121 to perform different actions. To distinguish the two cases, in an optional embodiment the resource management and control node 121 provides two different resource access interfaces: a shared resource access interface and a private resource access interface. Based on this, when the resource access request declares access to the global shared resource, the master control node 11 sends the resource access request and the private resource domain identifier corresponding to the target service cluster to the shared resource access interface on the resource management and control node 121 in the target service cluster, so as to instruct the resource management and control node 121 to determine the target shared resource for the target service cluster. When the resource access request declares access to a private resource, the master control node 11 sends the resource access request and the private resource domain identifier corresponding to the target service cluster to the private resource access interface on the resource management and control node 121 in the target service cluster, so as to instruct the resource management and control node 121 to forward them to the service node 122 in the target service cluster.
For the resource management and control node 121, if the resource access request and the private resource domain identifier corresponding to the target service cluster are received on the shared resource access interface, it knows that the resource access request declares access to the global shared resource and executes the access processing flow corresponding to shared resources; if they are received on the private resource access interface, it knows that the resource access request declares access to a private resource and executes the access processing flow corresponding to private resources.
It is worth noting that the serverless network system provided in this embodiment may be applied to various application scenarios, and the implementation forms of the service cluster deployed by the tenant, the service nodes in the service cluster, and the resource management and control node may differ according to the application scenario.
For example, the serverless network system in this embodiment may be applied to an edge cloud network scenario such as edge computing. In a serverless edge cloud network system, a tenant may deploy a container cluster in an edge computing device, where the container cluster includes an Elastic Container Instance (ECI) node, and the ECI node provides a corresponding cloud computing service for the tenant. The ECI node is a containerized application deployed on an edge computing device and is one specific implementation form of a service node, but the service node is not limited thereto.
Further optionally, in the serverless edge cloud network system, a container orchestration scheduling system may be used to perform operations such as creation, management, discovery, access and configuration on the ECI nodes in the edge cloud network system, so as to relieve the system's operation and maintenance personnel of this work. A container orchestration scheduling system is a system that can automatically deploy, scale and manage containerized applications; for example, Kubernetes (abbreviated as K8s) can be adopted, but the system is not limited thereto.
Based on the above, an embodiment of the present application further provides an edge cloud network system implemented based on the container orchestration scheduling system, as shown in Fig. 1b. The edge cloud network system 20 includes: a master control node 21 deployed in a server device, serverless container clusters 22 deployed by a plurality of tenants in edge computing devices, and at least one type of cloud resource 23 shared by the plurality of tenants. Each container cluster 22 comprises a resource management and control node 221 and an ECI node 222.
In this embodiment, the edge cloud network system 20 includes a server device and an edge computing device. The server-side device may be deployed in a cloud or a client room, and may be one or more devices, for example, a conventional server, a cloud server, a server array, or the like. The edge computing device is a device located at the edge of the network, relatively close to the terminal side, having certain computing and processing capabilities, and capable of performing network communication with other devices (such as a server device) in the network, and may be a terminal device such as a personal computer and a smart phone, or may be a mainframe computer or a server deployed at the edge of the network, or may be a virtual machine deployed at the edge of the network.
In this embodiment, a container orchestration scheduling system, such as Kubernetes, is used to logically divide the physical devices in the edge cloud network system 20 into a master control (Master) node 21 and ECI nodes 222. For ease of illustration, Fig. 1b shows an edge cloud network system implemented based on Kubernetes as an example. The master control node 21 is deployed on a server device in the edge cloud network system 20 and runs a group of processes related to cluster management. Taking Kubernetes as an example, these processes include but are not limited to kube-apiserver, kube-controller-manager, kube-scheduler and the like; they implement management capabilities for the whole cluster such as resource management, container group (such as Pod in Kubernetes) scheduling, elastic scaling, security control, system monitoring and error correction, all performed automatically. The ECI nodes serve as working nodes in the edge cloud network system 20 and run containerized application programs, and the ECI nodes 222 are distributed in the container clusters 22 deployed by different tenants; the container clusters 22 of different tenants are deployed in edge computing devices in the edge cloud network system 20. On the ECI node 222, a container group is the smallest unit of execution managed by the container orchestration scheduling system, and a container group contains at least one container. Taking Kubernetes as an example, the smallest unit of operation managed by Kubernetes is the Pod. A Pod is a collection of containers, that is, the container group described above in this embodiment.
The ECI node 222 runs the container-group-related processes of the container orchestration scheduling system; taking Kubernetes as an example, these include but are not limited to the Kubernetes kubelet and kube-proxy service processes, which are responsible for creating, starting, monitoring, restarting and destroying container groups (e.g., Pods) and for implementing a software-mode load balancer.
Wherein the number of ECI nodes 222 contained in each container cluster 22 may be one or more. When the container cluster 22 includes a plurality of ECI nodes 222, the plurality of ECI nodes 222 may be collectively deployed on the same edge computing device or may be distributed across a plurality of edge computing devices.
Different tenants have different identities, and the identity of each tenant uniquely identifies the tenant. The identity of the tenant may be any information capable of uniquely identifying the tenant; for example, it may be the ID of the tenant in the edge cloud network system 20, or a tenant name, an account, a phone number, an email, a home address, and/or the like registered by the tenant in the edge cloud network system 20. In addition, in order to distinguish the container clusters 22 deployed by different tenants in the edge computing devices, as well as different container clusters 22 deployed by the same tenant, each container cluster 22 also has its own identifier, and the identifier of each container cluster 22 uniquely identifies that container cluster. The identifier of the container cluster 22 may be any information capable of uniquely identifying the container cluster, for example an ID or a name of the container cluster 22 in the edge cloud network system 20. In this embodiment, a correspondence between the identity of the tenant and the identifier of the container cluster 22 deployed by the tenant is maintained.
Each container cluster 22 has its own namespace (Namespace). The namespace is an important concept in container orchestration scheduling systems such as Kubernetes: objects inside the edge cloud network system 20 are "assigned" to different namespaces, forming logically separate projects, groups or user groups, so that different groups can be managed separately while sharing the resources of the whole system. For example, a container group (such as a Pod), RC, and Service created by a tenant in a container cluster 22 are all created in the namespace of that container cluster 22. Each namespace has its own identifier, such as an ID or name. In this embodiment, a correspondence between the identifier of the container cluster 22 and the identifier of its corresponding namespace is maintained.
In the edge cloud network system 20, besides the private resources belonging to each container cluster 22, there are also some global resources; some of these global resources are available for different tenants to share and are called global shared resources, and some are not allowed to be used by tenants and are called global non-shared resources. The present embodiment does not limit the type of the global shared resource, which may include at least one type of global shared resource, for example a globally sharable storage resource, a globally sharable computing node, and/or a globally sharable network resource. In Fig. 1b, the global shared resource is illustrated by taking NAS as an example.
Different tenants can access the global shared resources in the edge cloud network system 20, and to ensure the security of shared resource access it is necessary to isolate access to the shared resources between different tenants. To implement this isolation, the present embodiment relies on the extensibility of the container orchestration scheduling system, for example Kubernetes: the resource management and control node 221 may be added to each container cluster 22 as an extension based on Virtual Kubelet. Virtual Kubelet is an implementation of the Kubernetes kubelet; it allows different vendors to build on it to extend the API implementation through which the corresponding Kubernetes node communicates with their own systems, thereby realizing the serverless capability of Kubernetes. When the container cluster 22 to which a tenant belongs needs to access the global shared resource, the resource management and control node 221 helps the tenant automatically complete the mapping from the container cluster 22 to the shared resource and ensures that the container cluster 22 can access the corresponding shared resource. Optionally, the resource management and control node 221 is deployed on an edge computing device in the edge cloud network system 20. Further optionally, the resource management and control node 221 may be deployed in the same edge computing device as one or some of the ECI nodes 222 in the container cluster 22 to which it belongs. Of course, the resource management and control node 221 and the ECI nodes 222 in the container cluster 22 may also be deployed in different edge computing devices.
In this embodiment, in addition to adding the resource management and control node 221, the master control node 21 is also deployed in the server device. Optionally, the native master node (Master) of the container orchestration scheduling system may be functionally extended to obtain the master control node 21 in the embodiment of the present application. Optionally, one way of extending the native master node is to add an API proxy component, which may be denoted as API-proxy, to the native master node; the API proxy component combined with the native master node implements the function of the master control node 21 in this embodiment. Alternatively, the native master node of the container orchestration scheduling system is directly modified to implement the function of the master control node 21 in this embodiment. Taking Kubernetes as an example, the Kubernetes native master node refers to its native apiserver component. Fig. 1b illustrates the extended API proxy component API-proxy as an example. In addition, as shown in Fig. 1b, the master control node 21 and the resource management and control node 221 together implement the management and control system of the container orchestration scheduling system, such as Kubernetes; this is a logical division and does not mean that the master control node 21 and the resource management and control node 221 are actually deployed in the same physical device. The resource management and control node 221 belongs to the container cluster 22 and is deployed in the edge computing device.
In this embodiment, the master control node 21 may control access to shared resources initiated by tenants and, in cooperation with the resource management and control node 221 in each container cluster 22, may allocate shared resources among the container clusters 22 based on the namespace identifiers of the container clusters 22, thereby isolating the global shared resources in the edge cloud network system 20 between different tenants. Because the process of allocating shared resources is the same or similar for every container cluster 22, the following description takes a target container cluster as an example for ease of description and understanding. The target container cluster is any container cluster in the edge cloud network system 20.
The master control node 21 (taking Kubernetes as an example, specifically the api-proxy component newly added to the master control node 21 or the modified apiserver component) may monitor the resource access requirement of the target container cluster and, when it detects that the target container cluster needs to access the global shared resource, provide the namespace identifier corresponding to the target container cluster to the resource management and control node 221 in the target container cluster, so as to instruct that resource management and control node 221 to determine the shared resource that the target container cluster has the right to access. The resource management and control node 221, if it belongs to the target container cluster, may determine the shared resource that the target container cluster has the right to access according to the namespace identifier corresponding to the target container cluster, and notify the ECI node 222 in the target container cluster to perform resource access on that shared resource. For ease of distinction and description, the shared resource with access rights determined by the resource management and control node 221 for the target container cluster is denoted as the target shared resource. The target shared resource may be any type of shared resource, such as a computing resource or a storage resource.
In this embodiment, the access of the container cluster to the shared resource is associated with the namespace corresponding to the container cluster, the resource management and control node in each container cluster can determine the shared resource with access right for the container cluster to which the resource management and control node belongs according to the namespace corresponding to the container cluster to which the resource management and control node belongs, and based on the uniqueness of the namespace, on the basis of ensuring that the container cluster successfully accesses the corresponding shared resource, the security isolation of the access to the shared resource can be realized among different tenants. Further, in the edge cloud network system 20 of this embodiment, not only can security isolation of access to shared resources be achieved between tenants, but also security isolation of access to shared resources can be achieved even between different container clusters deployed by the same tenant. In addition, in the edge cloud network system 20 of this embodiment, the tenant does not need to sense the shared resource, and the allocation between the shared resources is automatically completed by the resource management and control node, which is beneficial to simplifying the process of the tenant accessing the shared resource.
In an optional embodiment, when the target container cluster has a resource access requirement, a resource access request may be generated according to the resource access requirement, and the resource access request is sent to the main control node 21. The resource access request carries information such as an identity of a tenant corresponding to the target container cluster, an identity of the target container cluster, and a type of the resource to be accessed. The resource type to be accessed represents a resource type that the target container cluster needs to access, and may be a private resource, a global shared resource, or a global non-shared resource, for example. The resource access request declares access to different types of resources according to different types of resources to be accessed.
In this optional embodiment, the master control node 21 may receive a resource access request of the target container cluster; on receiving it, the master control node 21 may, on the one hand, obtain the private resource domain identifier corresponding to the target container cluster according to the resource access request and, on the other hand, identify whether the resource access request declares access to the global shared resource. Optionally, the identifier of the target container cluster carried in the resource access request may be looked up in the pre-stored correspondence between container cluster identifiers and namespace identifiers, so as to obtain the identifier of the namespace corresponding to the target container cluster.
Further, global non-shared resource types may be preset, where a global non-shared resource type refers to a global resource that tenants are not allowed to access. For example, global non-shared resources include, but are not limited to: a global namespace list, system component states, global network policy configuration, and the like. Based on this, the master control node 21 may determine whether the resource type to be accessed belongs to a preset global non-shared resource type; if it does, the resource access request is blocked so as to ensure the security of the global non-shared resource.
Further, in a case that the resource access request declares access to the global shared resource, the master control node 21 may send the resource access request and the namespace identifier corresponding to the target container cluster to the resource management and control node 221 in the target container cluster, so as to instruct the resource management and control node 221 to determine, for the target container cluster, the target shared resource that it has the right to access.
In an optional embodiment, the resource management and control node 221 in the target container cluster may maintain a corresponding relationship between a namespace identifier corresponding to the target container cluster and a shared resource tag under at least one candidate global shared resource type. Wherein the at least one candidate global shared resource type is a global shared resource type which is authorized to be accessed by the tenant of the target container cluster. Based on this, the resource management and control node 221 in the target container cluster may receive the resource access request sent by the main control node 21 and the namespace identifier corresponding to the target container cluster; matching the corresponding relation between the namespace identifier corresponding to the maintained target container cluster and the shared resource label under at least one candidate global shared resource type according to the namespace identifier corresponding to the target container cluster and the resource type to be accessed carried in the resource access request to obtain a target shared resource label; and sending the resource access request and the target shared resource label to the ECI node 222 in the target container cluster so that the ECI node 222 can perform resource access on the target shared resource. Wherein the target shared resource label identifies a target shared resource for which the target container cluster has access rights.
Optionally, the resource management and control node 221 in the target container cluster acquires at least one candidate global shared resource type that a tenant of the target container cluster has permission to access, and acquires shared resource information under the at least one candidate global shared resource type; respectively selecting shared resources of a target container cluster with access rights under at least one candidate global shared resource type according to shared resource information under at least one candidate global shared resource type; and allocating a shared resource label for the shared resource with the access right of the target container cluster under the at least one candidate global shared resource type, and establishing a corresponding relation between the namespace identifier corresponding to the target container cluster and the shared resource label under the at least one candidate global shared resource type.
Optionally, the resource management and control node 221 may poll the global shared resource at regular time to obtain shared resource information in at least one candidate global shared resource type. Or, the resource management and control node 221 may send a polling request to the ECI node 222 in the target container cluster, so that the ECI node 222 polls and reports shared resource information in at least one candidate global shared resource type; and receiving the shared resource information under at least one candidate global shared resource type reported by the ECI node 222. The shared resource information under each candidate global shared resource type includes, but is not limited to: metadata and access control information for shared resources, etc. Considering that the access state of the shared resource is dynamically changed, based on a timed polling mode, the corresponding relationship between the namespace identifier corresponding to the maintained target container cluster and the shared resource label under at least one candidate global shared resource type can be updated in real time, so that the corresponding relationship can be changed along with the change of the access state of the shared resource, and the accuracy of the corresponding relationship is improved.
Further, in order to facilitate that the ECI node 222 in the target container cluster can successfully perform resource access on the target shared resource according to the target shared resource label, the resource management and control node 221 may send the shared resource label in at least one candidate global shared resource type to the ECI node 222 in the target container cluster after allocating the shared resource label to the shared resource of the target container cluster having the access right in the at least one candidate global shared resource type, so that the ECI node 222 locally maintains the corresponding relationship between the shared resource label in the at least one candidate global shared resource type and the corresponding shared resource. Furthermore, when receiving the target shared resource label sent by the resource management and control node 221, the ECI node 222 may query the locally maintained corresponding relationship, determine the target shared resource corresponding to the target shared resource label, and then perform resource access on the target shared resource.
The edge cloud network system 20 shown in fig. 1b may be used as a specific implementation of the network system 10 shown in fig. 1a, some contents are the same as or similar to those of the network system 10 shown in fig. 1a, and details that are not referred to in this embodiment may refer to the description of the foregoing embodiment, and are not described herein again.
Fig. 2a is a schematic flowchart of a resource access method according to an exemplary embodiment of the present application. This embodiment is described from the perspective of a master node, and as shown in fig. 2a, the method includes:
201a, receiving a resource access request of a target service cluster, wherein the target service cluster is any service cluster in the serverless network system in which the master control node is located.
202a, obtaining a private resource domain identifier corresponding to the target service cluster according to the resource access request.
203a, in the case that the resource access request declares access to a global shared resource, sending the resource access request and the private resource domain identifier to a resource control node in the target service cluster, so as to instruct the resource control node to determine the target shared resource for the target service cluster.
Optionally, one implementation of step 202a includes: matching, according to the identifier of the target service cluster carried in the resource access request, in the pre-stored correspondence between service cluster identifiers and private resource domain identifiers, to obtain the private resource domain identifier corresponding to the target service cluster.
In an optional embodiment, the method further comprises: judging whether the type of the resource to be accessed carried in the resource access request belongs to a preset global shared resource type or not; and if the resource type to be accessed belongs to the global shared resource type, determining that the resource access request declares to access the global shared resource.
Further, the method also includes: judging whether the type of the resource to be accessed belongs to a preset global non-shared resource type or not; if the resource type to be accessed belongs to the global unshared resource type, shielding the resource access request; and if the resource type to be accessed does not belong to the global shared resource type and does not belong to the global non-shared resource type, determining that the resource access request declares to access the private resource.
Further, the method also includes: and under the condition that the resource access request declares that the private resource is accessed, sending the resource access request and the private resource domain identifier to a resource control node in the target service cluster so as to indicate the resource control node to forward to a service node in the target service cluster.
Optionally, when the resource access request declares access to a global shared resource, sending the resource access request and the private resource domain identifier to a resource management and control node in the target service cluster includes: sending the resource access request and the private resource domain identifier to a shared resource access interface on the resource management and control node in the target service cluster. Correspondingly, when the resource access request declares access to a private resource, sending the resource access request and the private resource domain identifier to a resource management and control node in the target service cluster includes: sending the resource access request and the private resource domain identifier to a private resource access interface on the resource management and control node in the target service cluster.
Fig. 2b is a flowchart illustrating another resource access method according to an exemplary embodiment of the present application. This embodiment is described from the perspective of a resource management node that belongs to a target service cluster. As shown in fig. 2b, the method comprises:
201b, receiving a private resource domain identifier corresponding to the target service cluster sent by the master control node under the condition that the target service cluster needs to access the global shared resource.
202b, determining the target shared resource with the access right of the target service cluster according to the private resource domain identifier corresponding to the target service cluster.
203b, notifying a service node in the target service cluster to perform resource access on the target shared resource; the target service cluster is any service cluster in the serverless network system in which the master control node is located.
In an optional embodiment, the method further comprises: receiving a resource access request from the target service cluster, sent by the master control node, where the resource access request carries the type of the resource to be accessed. Based on this, one embodiment of step 202b includes: matching, according to the private resource domain identifier corresponding to the target service cluster and the type of the resource to be accessed, in the maintained correspondence between the private resource domain identifier corresponding to the target service cluster and the shared resource labels under at least one candidate global shared resource type, to obtain a target shared resource label, where the target shared resource label identifies the target shared resource.
In an optional embodiment, in step 203b, one implementation manner of notifying the service node in the target service cluster of resource access to the target shared resource includes: and sending the resource access request and the target shared resource label to a service node in the target service cluster so that the service node can access the target shared resource.
In an optional embodiment, the method further comprises: acquiring at least one candidate global shared resource type which is authorized to be accessed by a tenant of a target service cluster, and acquiring shared resource information under the at least one candidate global shared resource type; respectively selecting shared resources of a target service cluster with access rights under at least one candidate global shared resource type according to shared resource information under at least one candidate global shared resource type; and allocating a shared resource label for the shared resource with the access right of the target service cluster under the at least one candidate global shared resource type, and establishing a corresponding relation between the private resource domain identifier corresponding to the target service cluster and the shared resource label under the at least one candidate global shared resource type.
Further, the method also includes: and sending the shared resource label under the at least one candidate global shared resource type to a service node in the target service cluster, so that the service node locally maintains the corresponding relation between the shared resource label under the at least one candidate global shared resource type and the corresponding shared resource.
For the steps and other contents in the above method embodiments of the present application, reference may be made to the description in the foregoing system embodiments, which are not repeated herein.
In the above method embodiments, the resource control node in each service cluster cooperates with the master control node in the serverless architecture, so that shared resources with access rights can be determined for each service cluster based on its private resource domain identifier. While ensuring that a service cluster successfully accesses the corresponding shared resources, security isolation of access to shared resources can be achieved among different service clusters and different tenants. In addition, tenants do not need to be aware of the shared resources, which simplifies the process of accessing shared resources and improves the security of the shared resources.
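The two method flows above (steps 201a to 203a on the master control node, steps 201b to 203b on the resource control node) can be sketched together as follows. This is an added illustration, not code from the patent: the class names, type names, label format, sample resources and the fail-closed handling of an unknown cluster identifier are all assumptions, and one shared resource per type per domain is assumed for brevity.

```python
from dataclasses import dataclass, field

# Constructed type names; the page gives the non-shared examples only in prose.
GLOBAL_NON_SHARED = {"global-namespace-list", "system-component-state",
                     "global-network-policy"}
GLOBAL_SHARED = {"storage", "image-registry"}


@dataclass(frozen=True)
class Request:
    tenant_id: str
    cluster_id: str
    resource_type: str  # the tenant names a type, never a concrete shared resource


@dataclass
class ServiceNode:
    """Service (ECI) node: resolves a label to a shared resource locally."""
    label_to_resource: dict = field(default_factory=dict)

    def access(self, label):
        return self.label_to_resource[label]


@dataclass
class ResourceControlNode:
    service_node: ServiceNode
    labels: dict = field(default_factory=dict)  # (domain_id, type) -> label

    def refresh(self, domain_id, candidate_types, shared_info):
        """Rebuild the correspondence from polled shared-resource information."""
        self.labels.clear()
        self.service_node.label_to_resource.clear()
        for res in shared_info:
            if res["type"] in candidate_types and domain_id in res["allowed_domains"]:
                label = f"{domain_id}/{res['type']}"  # hypothetical label format
                self.labels[(domain_id, res["type"])] = label
                self.service_node.label_to_resource[label] = res["name"]

    def shared_interface(self, req, domain_id):
        # Steps 202b/203b: match on (domain id, type), then notify the service node.
        label = self.labels.get((domain_id, req.resource_type))
        if label is None:
            return ("denied", "no shared resource of this type for this domain")
        return ("shared", self.service_node.access(label))

    def private_interface(self, req, domain_id):
        return ("private", f"{domain_id}:{req.resource_type}")


@dataclass
class MasterNode:
    cluster_to_domain: dict  # pre-stored cluster id -> private resource domain id
    controllers: dict        # cluster id -> ResourceControlNode

    def handle(self, req):
        # Step 202a: the domain id comes from the stored correspondence,
        # not from anything the requester supplies.
        domain_id = self.cluster_to_domain.get(req.cluster_id)
        if domain_id is None:
            return ("denied", "unknown cluster")  # assumption: fail closed
        if req.resource_type in GLOBAL_NON_SHARED:
            return ("blocked", "global non-shared resource type")
        ctrl = self.controllers[req.cluster_id]
        if req.resource_type in GLOBAL_SHARED:
            return ctrl.shared_interface(req, domain_id)  # step 203a
        return ctrl.private_interface(req, domain_id)


def build_demo():
    """Two clusters of two tenants over constructed shared-resource info."""
    shared_info = [
        {"name": "nas-east-1", "type": "storage", "allowed_domains": {"ns-a"}},
        {"name": "nas-east-2", "type": "storage", "allowed_domains": {"ns-b"}},
        {"name": "registry-1", "type": "image-registry",
         "allowed_domains": {"ns-a", "ns-b"}},
    ]
    ctrl_a = ResourceControlNode(ServiceNode())
    ctrl_a.refresh("ns-a", {"storage", "image-registry"}, shared_info)
    ctrl_b = ResourceControlNode(ServiceNode())
    ctrl_b.refresh("ns-b", {"storage"}, shared_info)  # tenant-2 lacks registry access
    return MasterNode({"cluster-a": "ns-a", "cluster-b": "ns-b"},
                      {"cluster-a": ctrl_a, "cluster-b": ctrl_b})
```

Both clusters ask for the same type, `storage`, and each is resolved to a different backing resource. `cluster-b` is denied `image-registry` even though the resource's own access control information lists `ns-b`, because that type is not among its tenant's candidate types.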
It should be noted that in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and the sequence numbers of the operations, such as 201a, 202a, etc., are merely used for distinguishing different operations, and the sequence numbers themselves do not represent any execution order. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
Fig. 3 is a schematic structural diagram of a node device according to an exemplary embodiment of the present application. The node device may be implemented as a master node in the foregoing embodiment, as shown in fig. 3, the node device includes: memory 31, processor 32, and communications component 33.
A memory 31 for storing the computer program and may be configured to store other various data to support operations on the node device. Examples of such data include instructions for any application or method operating on the node device, contact data, phonebook data, messages, pictures, videos, and so forth.
A processor 32, coupled to the memory 31, for executing the computer program in the memory 31 for:
receiving a resource access request of a target service cluster through the communication component 33, wherein the target service cluster is any service cluster in a serverless network system where the node equipment is located;
acquiring a private resource domain identifier corresponding to a target service cluster according to the resource access request;
in the case that the resource access request declares that the global shared resource is accessed, the resource access request and the private resource domain identifier are sent to the resource management and control node in the target service cluster through the communication component 33, so as to instruct the resource management and control node to determine the target shared resource for the target service cluster.
Optionally, when obtaining the private resource domain identifier corresponding to the target service cluster, the processor 32 is specifically configured to: match, according to the identifier of the target service cluster carried in the resource access request, in the pre-stored correspondence between service cluster identifiers and private resource domain identifiers, to obtain the private resource domain identifier corresponding to the target service cluster.
In an alternative embodiment, processor 32 is further configured to: judging whether the type of the resource to be accessed carried in the resource access request belongs to a preset global shared resource type or not; and if the resource type to be accessed belongs to the global shared resource type, determining that the resource access request declares to access the global shared resource.
Further, processor 32 is also configured to: judging whether the type of the resource to be accessed belongs to a preset global non-shared resource type or not; if the resource type to be accessed belongs to the global unshared resource type, shielding the resource access request; and if the resource type to be accessed does not belong to the global shared resource type and does not belong to the global non-shared resource type, determining that the resource access request declares to access the private resource.
Further, processor 32 is also configured to: and under the condition that the resource access request declares that the private resource is accessed, sending the resource access request and the private resource domain identifier to a resource control node in the target service cluster so as to indicate the resource control node to forward to a service node in the target service cluster.
Optionally, when the resource access request declares access to a global shared resource and the processor 32 sends the resource access request and the private resource domain identifier to the resource management and control node in the target service cluster through the communication component 33, the processor is specifically configured to: send the resource access request and the private resource domain identifier, through the communication component 33, to the shared resource access interface on the resource management and control node in the target service cluster. Correspondingly, when the resource access request declares access to a private resource and the processor 32 sends the resource access request and the private resource domain identifier to the resource management and control node in the target service cluster through the communication component 33, the processor is specifically configured to: send the resource access request and the private resource domain identifier, through the communication component 33, to the private resource access interface on the resource management and control node in the target service cluster.
Further, as shown in fig. 3, the node device further includes: display 34, power supply components 35, audio components 36, and the like. Only some of the components are schematically shown in fig. 3, which does not mean that the node device includes only the components shown in fig. 3. In addition, depending on the implementation form of the node device, the components within the dashed box in fig. 3 are optional components rather than required components.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program is capable of implementing the steps that can be executed by the master node in the foregoing method embodiments when executed.
Fig. 4 is a schematic structural diagram of another node device according to an exemplary embodiment of the present application. The node device may be implemented as a resource management and control node in the foregoing embodiment, as shown in fig. 4, the node device includes: memory 41, processor 42, and communication component 43.
A memory 41 for storing the computer program and may be configured to store other various data to support operations on the node device. Examples of such data include instructions for any application or method operating on the node device, contact data, phonebook data, messages, pictures, videos, and so forth.
A processor 42, coupled to the memory 41, for executing the computer program in the memory 41 to:
receiving, by the communication component 44, a private resource domain identifier corresponding to the target service cluster sent by the master node when it is determined that the target service cluster needs to access the global shared resource;
determining a target shared resource with access authority of a target service cluster according to a private resource domain identifier corresponding to the target service cluster;
informing a service node in the target service cluster to perform resource access on the target shared resource;
the target service cluster is any service cluster in a server-free network system where the master control node is located, and the resource control node belongs to the target service cluster.
In an alternative embodiment, processor 42 is further configured to: receive, through the communication component 44, a resource access request from the target service cluster sent by the master control node, where the resource access request carries the type of the resource to be accessed. Based on this, when determining the target shared resource that the target service cluster has the right to access, the processor 42 is specifically configured to: match, according to the private resource domain identifier corresponding to the target service cluster and the type of the resource to be accessed, in the maintained correspondence between the private resource domain identifier corresponding to the target service cluster and the shared resource labels under at least one candidate global shared resource type, to obtain a target shared resource label, where the target shared resource label identifies the target shared resource.
In an optional embodiment, when notifying the service node in the target service cluster to perform resource access on the target shared resource, the processor 42 is specifically configured to: the resource access request and the target shared resource tag are sent to the service node in the target service cluster through the communication component 44, so that the service node can perform resource access on the target shared resource.
In an alternative embodiment, processor 42 is further configured to: acquiring at least one candidate global shared resource type which is authorized to be accessed by a tenant of a target service cluster, and acquiring shared resources under the at least one candidate global shared resource type; respectively selecting shared resources of which the target service cluster has access rights under at least one candidate global shared resource type from the shared resources under at least one candidate global shared resource type; and allocating a shared resource label for the shared resource with the access right of the target service cluster under the at least one candidate global shared resource type, and establishing a corresponding relation between the private resource domain identifier corresponding to the target service cluster and the shared resource label under the at least one candidate global shared resource type.
In an alternative embodiment, processor 42 is further configured to: the shared resource label under at least one candidate global shared resource type is sent to the service node in the target service cluster through the communication component 44, so that the service node locally maintains the corresponding relationship between the shared resource label under at least one candidate global shared resource type and the corresponding shared resource.
Further, as shown in fig. 4, the node device further includes: a display 44, a power supply component 45, an audio component 46, and the like. Only some of the components are schematically shown in fig. 4, which does not mean that the node device includes only the components shown in fig. 4. In addition, depending on the implementation form of the node device, the components within the dashed boxes in fig. 4 are optional components rather than required components.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program is capable of implementing the steps that can be executed by the master node in the foregoing method embodiments when executed.
The memories of fig. 3 and 4 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The communication components of fig. 3 and 4 described above are configured to facilitate wired or wireless communication between the device in which the communication component is located and other devices. The device in which the communication component is located may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component may further include a Near Field Communication (NFC) module, Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and the like.
The displays in fig. 3 and 4 described above include screens, which may include Liquid Crystal Displays (LCDs) and Touch Panels (TPs). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
The power supply components of fig. 3 and 4 described above provide power to the various components of the device in which the power supply components are located. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power component is located.
The audio components of fig. 3 and 4 described above may be configured to output and/or input audio signals. For example, the audio component includes a Microphone (MIC) configured to receive an external audio signal when the device in which the audio component is located is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signal may further be stored in a memory or transmitted via a communication component. In some embodiments, the audio assembly further comprises a speaker for outputting audio signals.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (28)

1. A serverless network system, comprising: a master control node, service clusters deployed by a plurality of tenants, and at least one type of global shared resource shared by the plurality of tenants; each service cluster comprises a resource management and control node and a service node;
the master control node is used for providing a private resource domain identifier corresponding to a target service cluster for a resource control node in the target service cluster under the condition that the target service cluster needs to access global shared resources; wherein the target service cluster is any service cluster;
and the resource control node is used for determining a target shared resource with an access right of the target service cluster according to the private resource domain identifier corresponding to the target service cluster under the condition that the resource control node belongs to the target service cluster, and informing a service node in the target service cluster to perform resource access on the target shared resource.
2. The network system according to claim 1, wherein the master node is specifically configured to:
receiving a resource access request of the target service cluster, obtaining a private resource domain identifier corresponding to the target service cluster according to the resource access request, and sending the resource access request and the private resource domain identifier to a resource control node in the target service cluster under the condition that the resource access request declares that a global shared resource is accessed, so as to instruct the resource control node to determine the target shared resource for the target service cluster.
3. The network system according to claim 2, wherein the master node is specifically configured to:
and matching in the corresponding relation between the pre-stored service cluster identifier and the private resource domain identifier according to the identifier of the target service cluster carried in the resource access request to obtain the private resource domain identifier corresponding to the target service cluster.
4. The network system of claim 2, wherein the master node is further configured to:
judging whether the type of the resource to be accessed carried in the resource access request belongs to a preset global shared resource type or not;
and if the resource type to be accessed belongs to the global shared resource type, determining that the resource access request declares to access the global shared resource.
5. The network system of claim 4, wherein the master node is further configured to:
judging whether the resource type to be accessed belongs to a preset global unshared resource type or not;
if the resource type to be accessed belongs to the global unshared resource type, shielding the resource access request;
and if the resource type to be accessed does not belong to the global shared resource type and does not belong to the global non-shared resource type, determining that the resource access request declares access to the private resource.
6. The network system of claim 5, wherein the master node is further configured to:
and under the condition that the resource access request declares that private resources are accessed, sending the resource access request and the private resource domain identifier to a resource management and control node in the target service cluster so as to indicate the resource management and control node to forward to a service node in the target service cluster.
7. The network system according to claim 6, wherein the master node is specifically configured to:
under the condition that the resource access request declares that a global shared resource is accessed, sending the resource access request and the private resource domain identifier to a shared resource access interface on a resource management and control node in the target service cluster so as to indicate the resource management and control node to determine the target shared resource for the target service cluster;
and under the condition that the resource access request declares that private resources are accessed, sending the resource access request and the private resource domain identifier to a private resource access interface on a resource management and control node in the target service cluster so as to indicate the resource management and control node to forward to a service node in the target service cluster.
8. The network system according to any one of claims 2 to 7, wherein the resource managing node is specifically configured to:
according to the private resource domain identifier corresponding to the target service cluster and the resource type to be accessed carried in the resource access request, matching is carried out in the corresponding relation between the private resource domain identifier corresponding to the maintained target service cluster and the shared resource label under at least one candidate global shared resource type, so as to obtain a target shared resource label; and sending the resource access request and the target shared resource label to a service node in the target service cluster so that the service node can perform resource access on the target shared resource, wherein the target shared resource label identifies the target shared resource.
9. The network system according to claim 8, wherein the resource management node is further configured to:
acquiring at least one candidate global shared resource type which is authorized to be accessed by a tenant of the target service cluster, and acquiring shared resource information under the at least one candidate global shared resource type;
respectively selecting the shared resources of the target service cluster with access rights under the at least one candidate global shared resource type according to the shared resource information under the at least one candidate global shared resource type;
and allocating a shared resource label to the shared resource of the target service cluster with the access right under the at least one candidate global shared resource type, and establishing a corresponding relation between the private resource domain identifier corresponding to the target service cluster and the shared resource label under the at least one candidate global shared resource type.
10. The network system according to claim 9, wherein the resource managing node is further configured to:
and sending the shared resource label under the at least one candidate global shared resource type to a service node in the target service cluster, so that the service node locally maintains the corresponding relation between the shared resource label under the at least one candidate global shared resource type and the corresponding shared resource.
11. The network system according to claim 9, wherein the resource management and control node is specifically configured to:
sending a polling request to a service node in the target service cluster, so that the service node polls and reports the shared resource information under the at least one candidate global shared resource type;
and receiving the shared resource information under the at least one candidate global shared resource type reported by the service node.
12. An edge cloud network system implemented based on a container orchestration scheduling system, comprising: a master control node deployed on a server device, serverless container clusters deployed on edge computing devices by a plurality of tenants, and at least one type of cloud resource shared by the plurality of tenants; each container cluster comprises a resource management and control node and an elastic container instance (ECI) node;
the master control node is used for providing a namespace identifier corresponding to a target container cluster for a resource control node in the target container cluster under the condition that the target container cluster needs to access sharable cloud resources; wherein the target container cluster is any container cluster;
and the resource control node is used for determining the target shared resource with the access authority of the target container cluster according to the namespace identifier corresponding to the target container cluster under the condition that the resource control node belongs to the target container cluster, and informing an ECI node in the target container cluster of carrying out resource access on the target shared resource.
13. The network system according to claim 12, wherein the master node comprises: an API agent component and a native master node of the container orchestration scheduling system, wherein the API agent component provides the namespace identifier corresponding to the target container cluster to the resource management and control node in the target container cluster under the condition that the target container cluster needs to access sharable cloud resources.
14. The network system of claim 12, wherein each container cluster is deployed on at least one edge computing device.
15. A resource access method, applicable to a master control node, comprising:
receiving a resource access request of a target service cluster, wherein the target service cluster is any service cluster in a serverless network system where the master control node is located;
acquiring a private resource domain identifier corresponding to the target service cluster according to the resource access request;
and under the condition that the resource access request declares that a global shared resource is accessed, sending the resource access request and the private resource domain identifier to a resource control node in the target service cluster so as to indicate the resource control node to determine a target shared resource for the target service cluster.
16. The method of claim 15, wherein obtaining the private resource domain identifier corresponding to the target service cluster according to the resource access request comprises:
and matching in the corresponding relation between the pre-stored service cluster identifier and the private resource domain identifier according to the identifier of the target service cluster carried in the resource access request to obtain the private resource domain identifier corresponding to the target service cluster.
17. The method of claim 15, further comprising:
judging whether the type of the resource to be accessed carried in the resource access request belongs to a preset global shared resource type or not;
and if the resource type to be accessed belongs to the global shared resource type, determining that the resource access request declares to access the global shared resource.
18. The method of claim 17, further comprising:
judging whether the resource type to be accessed belongs to a preset global unshared resource type or not;
if the resource type to be accessed belongs to the global unshared resource type, shielding the resource access request;
and if the resource type to be accessed does not belong to the global shared resource type and does not belong to the global non-shared resource type, determining that the resource access request declares access to the private resource.
19. The method of claim 18, further comprising:
and under the condition that the resource access request declares that private resources are accessed, sending the resource access request and the private resource domain identifier to a resource management and control node in the target service cluster so as to indicate the resource management and control node to forward to a service node in the target service cluster.
20. The method of claim 19, wherein sending the resource access request and the private resource domain identifier to a resource management node in the target service cluster comprises: sending the resource access request and the private resource domain identifier to a shared resource access interface on a resource management and control node in the target service cluster;
sending the resource access request and the private resource domain identifier to a resource management and control node in the target service cluster, including: and sending the resource access request and the private resource domain identifier to a private resource access interface on a resource management and control node in the target service cluster.
21. A resource access method, applicable to a resource management and control node, comprising:
receiving a private resource domain identifier corresponding to a target service cluster sent by a master control node under the condition that the target service cluster needs to access global shared resources;
determining a target shared resource with an access right of the target service cluster according to a private resource domain identifier corresponding to the target service cluster;
informing a service node in the target service cluster to perform resource access on the target shared resource;
wherein the target service cluster is any service cluster in a serverless network system where the master control node is located, and the resource control node belongs to the target service cluster.
22. The method of claim 21, further comprising:
receiving a resource access request from the target service cluster, which is sent by the master control node, wherein the resource access request carries a type of a resource to be accessed;
the determining the target shared resource with the access right of the target service cluster according to the private resource domain identifier corresponding to the target service cluster comprises:
according to the private resource domain identifier corresponding to the target service cluster and the type of the resource to be accessed, matching is carried out in the corresponding relation between the maintained private resource domain identifier corresponding to the target service cluster and a shared resource label under at least one candidate global shared resource type, so as to obtain a target shared resource label; the target shared resource label identifies the target shared resource.
23. The method of claim 22, wherein notifying service nodes in the target service cluster to perform resource access to the target shared resource comprises:
and sending the resource access request and the target shared resource label to a service node in the target service cluster so that the service node can perform resource access on the target shared resource.
24. The method of claim 23, further comprising:
acquiring at least one candidate global shared resource type which is authorized to be accessed by a tenant of the target service cluster, and acquiring shared resource information under the at least one candidate global shared resource type;
respectively selecting the shared resources of the target service cluster with access rights under the at least one candidate global shared resource type according to the shared resource information under the at least one candidate global shared resource type;
and allocating a shared resource label to the shared resource of the target service cluster with the access right under the at least one candidate global shared resource type, and establishing a corresponding relation between the private resource domain identifier corresponding to the target service cluster and the shared resource label under the at least one candidate global shared resource type.
25. The method of claim 24, further comprising:
and sending the shared resource label under the at least one candidate global shared resource type to a service node in the target service cluster, so that the service node locally maintains the corresponding relation between the shared resource label under the at least one candidate global shared resource type and the corresponding shared resource.
26. A node apparatus, comprising: a memory and a processor; the memory for storing a computer program; the computer program, when executed by the processor, causes the processor to carry out the steps of the method of any one of claims 15-20.
27. A node apparatus, comprising: a memory and a processor; the memory for storing a computer program; the computer program, when executed by the processor, causes the processor to carry out the steps of the method of any one of claims 21-25.
28. A computer-readable storage medium storing a computer program, which, when executed by a processor, causes the processor to carry out the steps of the method according to any one of claims 15-25.
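The request routing of claims 15 to 25, sketched in Python as an added example that is not part of the patent text: the master control node resolves the private resource domain identifier, classifies the resource type, and the resource control node resolves a shared resource label per tenant domain. All class names, resource types, identifiers and labels are hypothetical, and the handling of an unknown cluster and of a mismatched domain identifier is an assumption of this sketch.

```python
"""Sketch of the routing in claims 15-25. Names and sample data are hypothetical."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    SHARED = "shared"    # resolved through the shared resource access interface
    PRIVATE = "private"  # forwarded through the private resource access interface
    BLOCKED = "blocked"  # shielded by the master control node
    DENIED = "denied"    # no label for this domain, so no access right


@dataclass(frozen=True)
class Request:
    cluster_id: str
    resource_type: str


@dataclass(frozen=True)
class Outcome:
    decision: Decision
    domain_id: Optional[str] = None
    label: Optional[str] = None


class ResourceControlNode:
    """Per-cluster node keeping (domain id, resource type) -> shared resource label."""

    def __init__(self, domain_id):
        self.domain_id = domain_id
        self.labels = {}

    def grant(self, resource_type, label):
        # Claims 9 and 24: allocate a label and bind it to this cluster's domain id.
        self.labels[(self.domain_id, resource_type)] = label

    def shared_interface(self, request, domain_id):
        # Assumption: a domain id that is not this cluster's own is refused.
        if domain_id != self.domain_id:
            return Outcome(Decision.DENIED, domain_id)
        label = self.labels.get((domain_id, request.resource_type))
        if label is None:
            return Outcome(Decision.DENIED, domain_id)
        return Outcome(Decision.SHARED, domain_id, label)

    def private_interface(self, request, domain_id):
        # Private resources are forwarded to the service node without a label.
        return Outcome(Decision.PRIVATE, domain_id)


class MasterControlNode:
    def __init__(self, shared_types, unshared_types):
        self.shared_types = frozenset(shared_types)
        self.unshared_types = frozenset(unshared_types)
        self.domain_of = {}      # cluster id -> private resource domain id
        self.control_nodes = {}  # cluster id -> ResourceControlNode

    def register(self, cluster_id, node):
        self.domain_of[cluster_id] = node.domain_id
        self.control_nodes[cluster_id] = node

    def handle(self, request):
        # Claim 16: look the domain id up from the cluster id in the request.
        domain_id = self.domain_of.get(request.cluster_id)
        if domain_id is None:
            return Outcome(Decision.BLOCKED)  # assumption: unknown cluster is dropped
        node = self.control_nodes[request.cluster_id]
        # Claim 17: a preset global shared type goes to the shared interface.
        if request.resource_type in self.shared_types:
            return node.shared_interface(request, domain_id)
        # Claim 18: a preset global unshared type is shielded.
        if request.resource_type in self.unshared_types:
            return Outcome(Decision.BLOCKED, domain_id)
        # Claims 18-19: anything else is treated as a private resource.
        return node.private_interface(request, domain_id)


def build_demo():
    """Two tenants (constructed data); only tenant A holds a load balancer label."""
    master = MasterControlNode({"disk", "loadbalancer"}, {"node"})
    a = ResourceControlNode("ns-tenant-a")
    a.grant("disk", "disk-label-a1")
    a.grant("loadbalancer", "lb-label-a1")
    b = ResourceControlNode("ns-tenant-b")
    b.grant("disk", "disk-label-b1")
    master.register("cluster-a", a)
    master.register("cluster-b", b)
    return master


if __name__ == "__main__":
    m = build_demo()
    for req in (Request("cluster-a", "disk"), Request("cluster-b", "loadbalancer"),
                Request("cluster-a", "node"), Request("cluster-a", "pod")):
        print(req, "->", m.handle(req))
```

The isolation property to check in a real deployment is the one the `DENIED` branch models: a tenant only ever receives labels bound to its own domain identifier, even when the requested type is globally shared.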
CN201910451596.XA 2019-05-28 2019-05-28 Resource access method, device, system and storage medium under server-free architecture Active CN112019475B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910451596.XA CN112019475B (en) 2019-05-28 2019-05-28 Resource access method, device, system and storage medium under server-free architecture
PCT/CN2020/091527 WO2020238751A1 (en) 2019-05-28 2020-05-21 Resource access method under serverless architecture, device, system, and storage medium

Publications (2)

Publication Number Publication Date
CN112019475A true CN112019475A (en) 2020-12-01
CN112019475B CN112019475B (en) 2021-12-21

Family

ID=73501718

Country Status (2)

Country Link
CN (1) CN112019475B (en)
WO (1) WO2020238751A1 (en)

Also Published As

Publication number Publication date
CN112019475B (en) 2021-12-21
WO2020238751A1 (en) 2020-12-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230522

Address after: Room 1-2-A06, Yungu Park, No. 1008 Dengcai Street, Sandun Town, Xihu District, Hangzhou City, Zhejiang Province

Patentee after: Aliyun Computing Co.,Ltd.

Address before: Box 847, four, Grand Cayman capital, Cayman Islands, UK

Patentee before: ALIBABA GROUP HOLDING Ltd.
