CN112152977A - Heterogeneous cloud platform authentication and authorization integration system - Google Patents


Info

Publication number: CN112152977A
Application number: CN201910576296.4A
Authority: CN (China)
Prior art keywords: authentication, heterogeneous, platform, token, service
Legal status: Pending (assumed, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 方诚仪, 郑健良
Current assignee: Gemini Open Cloud Computing Inc (listing may be inaccurate)
Original assignee: Gemini Open Cloud Computing Inc
Priority date: 2019-06-28 (assumed, not a legal conclusion)
Filing date: 2019-06-28
Publication date: 2020-12-29

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A heterogeneous cloud platform authentication and authorization integration system is disclosed. It integrates multiple service authentication mechanisms and combines them into a single universal token that records the service sessions. Within the validity period of the universal token, the different platforms can authenticate the user through that token, which avoids the services of the different platforms having to authenticate the user again and again, and lets heterogeneous service platforms adopt a microservice, stateless service architecture.

Description

Heterogeneous cloud platform authentication and authorization integration system
[Technical field]
The present invention relates to authentication and authorization integration technology, and more particularly to authentication and authorization for a heterogeneous cloud platform.
[Background of the invention]
Accessing a cloud service requires authenticating the user and authorizing the user accordingly, for example by verifying an account and password. After the user is authenticated, the system grants the user privileges for accessing system resources according to the recorded permissions; for example, a member can read and write, while a visitor can only read. Once authentication is complete, a service session is started and that session records the user's authentication status, so the user does not need to be authenticated again within the same session.
However, a cloud platform includes many complex functions, and for ease of development and maintenance it is usually composed of a plurality of service elements, a so-called service-oriented architecture (SOA) or microservice architecture, which are usually developed on different platforms. Different systems usually have their own authentication and authorization mechanisms; for example, some solve the integration of authentication and authorization separately through OpenID and OAuth. In addition, the services of the heterogeneous platforms are independent of each other and each keeps its own session, unrelated to the others. By contrast, the user expects a convenient and unified authentication and authorization mechanism for the cloud service and does not want to be verified repeatedly when accessing it.
The subject of the invention is to integrate the services of heterogeneous platforms by (1) integrating their authentication and authorization mechanisms and (2) providing an exchange mechanism for heterogeneous platform sessions, without modifying each system.
[Summary of the invention]
One objective of the present invention is to use a token to carry the authentication and authorization information of the heterogeneous platforms, so that the heterogeneous platforms can exchange verification information through the token and all services of the heterogeneous platforms can be completed.
Another objective is to provide a token that chains the systems together, so that within its validity period no Cookie or Session is needed to record authentication information; the services are therefore stateless and can be scaled out widely.
Another objective is to provide a token with which different service platforms exchange the information required by the collected services, without modifying or redeveloping the original service platforms.
A heterogeneous cloud platform authentication and authorization integration system comprises a manager dashboard, a database, a platform registration module, a token acquisition module, a universal token issuing module and an API authentication interface.
The manager dashboard provides a management interface for the authentication information of the heterogeneous service platforms. The database stores that authentication information. The platform registration module accesses the heterogeneous service platform authentication information in the database. The token acquisition module acquires at least one heterogeneous cloud platform token through the platform registration module. The universal token issuing module encrypts and encapsulates the heterogeneous cloud platform tokens obtained through the token acquisition module into a universal token payload and issues it. The API authentication interface provides services in a representational state transfer (RESTful) manner; upon receiving a request it passes the authentication message to the universal token issuing module and retrieves the issued universal token payload.
[Description of the drawings]
The drawings are for illustrative purposes and are not intended to limit the scope of the present disclosure, which is defined by the claims.
Fig. 1 is a schematic diagram of the architecture of the heterogeneous cloud platform authentication and authorization integration system.
Fig. 2 is an operation flowchart of the system in which a system administrator registers a heterogeneous platform.
Fig. 3 shows, for one embodiment, how the system components interact when a service user requests a cloud service.
[Reference numerals]
10 heterogeneous cloud platform authentication and authorization integration system
110 manager dashboard
120 platform registration module
130 database
140 universal token issuing module
150 token collection module
160 API authentication interface
20 heterogeneous cloud resource management PaaS
30 heterogeneous cloud platform
40 AD/LDAP
50 API gateway
A system administrator
U service user
[Detailed description of embodiments]
[Technical abstract]
The heterogeneous cloud platform authentication and authorization integration system communicates with the API gateway. After verifying the user's credentials it acquires the information of the heterogeneous back-end platforms, integrates the authentication information of each platform and issues a token; the API gateway can then use that token to access the services of the heterogeneous platforms through the heterogeneous cloud resource management system.
Based on the above, the following describes (1) the token issuance mechanism and (2) the architecture by which the heterogeneous platform services are accessed.
Token management mainly covers the token content and its encryption and decryption. The heterogeneous cloud platform authentication and authorization integration system and the heterogeneous cloud resource PaaS must use a common decryption key so that the token content can be shared. The token carries the verification information and session setup information of the heterogeneous platforms. The invention uses JSON Web Token authentication as the mechanism for issuing the universal token; the token carries the authentication information of all heterogeneous platforms required by the interfacing systems and at the same time reduces the coupling between services.
The heterogeneous platform access service architecture uses the heterogeneous cloud resource PaaS and the token information of the heterogeneous platforms to obtain authentication and authorization information and to access the services. The services need neither Cookies nor a Session to record authentication information, so they are stateless, can be scaled out, and fit easily into a high-availability, load-balanced architecture.
[Embodiments of the heterogeneous cloud platform authentication and authorization integration system]
Referring to Fig. 1, the system includes a manager dashboard, a platform registration module, a universal token issuing module, an API authentication interface, a token collection module and a database. The system is deployed inside the firewall.
The administrator typically manages the resources and settings of the cloud services over the internal network. Through the manager dashboard the administrator sets the platforms and the authentication information of the heterogeneous services; the information set for each heterogeneous platform is recorded in the database through the platform registration module, where the administrator or the token acquisition module can later query it.
General users are located on the Internet and mainly access cloud services. Depending on their privileges, they access services through the firewall, typically interacting with the cloud services through a Web interface or the API gateway; the API authentication interface is the bridge between the integration system and the API gateway.
In one embodiment, a RESTful API implements the API authentication interface. It uses the universal token issuing module, which obtains the heterogeneous platform information from the platform registration module through the token acquisition module; after the platform tokens have been retrieved, the information is encrypted and encapsulated into the payload of a universal token and issued, yielding the universal token.
The universal token issuing module and the heterogeneous cloud resource management PaaS share the same key for encrypting and decrypting the universal token, as indicated by the dotted bidirectional arrow x; the services of the heterogeneous cloud service platforms are accessed through the token.
The platform registration module records the authentication information of the back-end heterogeneous cloud platforms and can query the individual cloud service platforms to maintain their authentication mechanisms, as indicated by the dotted one-way arrow y.
The API authentication interface, the heterogeneous cloud resource management PaaS and all heterogeneous cloud platforms are connected to the same AD/LDAP service, so that the accounts and passwords of all users are unified, as indicated by the dotted one-way arrow z.
Fig. 2 shows, for one embodiment, the operation flow in which a system administrator of the system of Fig. 1 sets platform information, and the resulting interaction of the system components.
Step 1: the system administrator sets the platform information, including the service endpoint, the token access endpoint and the token authentication format, through the manager dashboard;
Step 2: the manager dashboard passes the updated platform information to the platform registration module, which confirms the verification information (such as BasicAuth or AD/LDAP) with the back-end heterogeneous cloud platform to complete the registration; the platform information is normally stored in the database;
Step 3: after confirming the platform information, the platform registration module returns the verification result to the manager dashboard;
Step 4: the manager dashboard presents the platform information to the system administrator at the front end.
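The registration flow above (steps 1 to 3) as an added Python example; this is not code from the patent or from Gemini Open Cloud. The "database" is a dict, the back-end confirmation of step 2 is an injected callable (here a constructed probe that only accepts the example host iaas.example), and the field names follow claims 2 and 3. The requirement that both endpoints use https is an added check a practitioner would want, since user credentials and platform tokens travel over them; the patent itself does not state it.

```python
"""Platform registration as in Fig. 2, steps 1 to 3.

Added example; not code from the patent. The database is a dict and the
back-end check is an injected callable, so the whole thing runs offline.
"""
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Authentication methods named in claim 3.
ALLOWED_AUTH_METHODS = {"BasicAuth", "OAuth", "LDAP/AD"}
# Service configuration fields named in claims 2 and 3.
REQUIRED_FIELDS = ("service_endpoint", "token_endpoint",
                   "token_format", "auth_method")


def validate_platform(info: Dict[str, str]) -> List[str]:
    """Return the problems found in one platform entry (empty = acceptable).

    The https requirement is an added check: user credentials and platform
    tokens travel over these endpoints, so plaintext http is rejected.
    """
    problems = [f"missing {field}" for field in REQUIRED_FIELDS
                if not info.get(field)]
    for field in ("service_endpoint", "token_endpoint"):
        url = info.get(field)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{field} must use https")
    method = info.get("auth_method")
    if method and method not in ALLOWED_AUTH_METHODS:
        problems.append(f"unsupported auth_method {method!r}")
    return problems


def register_platform(db: Dict[str, dict], name: str, info: Dict[str, str],
                      probe: Callable[[Dict[str, str]], bool]) -> dict:
    """Step 2: validate the entry, confirm the verification information with
    the back-end platform through `probe`, then store it. The returned dict
    is the verification result the dashboard shows in step 3; nothing is
    stored unless both checks pass."""
    problems = validate_platform(info)
    if not problems and not probe(info):
        problems.append("back-end platform rejected the verification information")
    if problems:
        return {"platform": name, "registered": False, "problems": problems}
    db[name] = {**info, "status": "registered"}   # status recorded, as in claim 6
    return {"platform": name, "registered": True, "problems": []}


def constructed_probe(info: Dict[str, str]) -> bool:
    """Constructed stand-in for contacting the back-end platform: it accepts
    only endpoints under the example host iaas.example."""
    return urlsplit(info["service_endpoint"]).hostname == "iaas.example"
```

The probe is injected rather than hard-wired so that the BasicAuth, OAuth and LDAP/AD confirmation can each be plugged in per platform, and so that a failed confirmation leaves the database untouched instead of storing an entry the token acquisition module would later try to use.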
Fig. 3 shows, for one embodiment, the operation flow and the interaction between system elements when a user issues an operation request in the system of Fig. 1.
Step 1: the user provides a personal account and password, for example (but not limited to) through the API gateway, in a request to obtain a universal token;
Step 2: the API gateway forwards the universal token request to the API authentication interface of the integration system, which at this point can confirm the user's account and password against AD/LDAP; a failure is reported straight back to the user;
Step 3: after this primary authentication by the API authentication interface, the user's universal token request is passed to the universal token issuing module, which is asked to issue a universal token;
Step 4: the universal token issuing module passes the issuance request to the token acquisition module, which collects the authentication information of each heterogeneous cloud platform;
Step 5: the token acquisition module calls the platform registration module to obtain all registered platform information, including service endpoints, token access endpoints and token authentication formats;
Step 6: the platform registration module returns the authentication information of each platform to the token acquisition module, which collects all heterogeneous cloud platform information and records the platform information together with the token information;
Step 7: according to the authentication information of the heterogeneous cloud platforms, the token acquisition module obtains the user's corresponding token from each heterogeneous cloud platform, either in parallel or by polling;
Step 8: after the token acquisition module has collected the tokens of all heterogeneous cloud platforms, it passes them, together with platform information such as service endpoints, token access endpoints and token authentication formats, to the universal token issuing module;
Step 9: the universal token issuing module encrypts and packages the user's authentication information and platform information for all heterogeneous cloud platforms with the universal token key, sets a validity period, completes issuance of the universal token and returns it to the API authentication interface. In this embodiment the tokens are packaged into the payload of a JSON Web Token. The validity period of the universal token is the shortest validity period of all the collected tokens.
Step 10: the API authentication interface returns the universal token to the API gateway.
Step 11: the service user obtains their universal token through the API gateway.
Step 12: within the validity period of the universal token, the user can send cloud service requests to the API gateway with the token.
Step 13: the API gateway sends the universal token to the heterogeneous cloud resource management PaaS to request the service;
Step 14: the heterogeneous cloud resource management PaaS decrypts the universal token with the public key of the universal token issuing module, reads the authentication information of each heterogeneous cloud platform from the token payload, and sends it to the corresponding heterogeneous cloud platform to request the corresponding service.
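The issuance flow above (steps 4 to 9) and the PaaS-side check of step 14, as an added Python example; this is not code from the patent or from Gemini Open Cloud. It builds a JWS with HS256 over a secret shared by the issuing module and the PaaS, following the "same key" wording of the description, and uses only the standard library. Two caveats a practitioner should weigh: the description also says the PaaS decrypts with the issuer's public key, which would instead call for an asymmetric algorithm such as RS256 or ES256, and with a shared HMAC key any party holding it (here the PaaS) can mint universal tokens as well as verify them. The platform registry, the two platform token fetchers, the token lifetimes and the key are constructed stand-ins; the user "guest" is rejected by one platform to exercise the authentication-failure status of claim 5, and the verifier pins the algorithm so alg=none and algorithm-confusion tokens are refused.

```python
"""Universal token issuance (Fig. 3, steps 4 to 9) and PaaS-side
verification (step 14). Added example; not code from the patent.
HS256 over a key shared by issuer and PaaS is an assumption."""
import base64
import hashlib
import hmac
import json
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Optional, Tuple

# Assumption: one secret shared by the issuing module and the PaaS.
SHARED_KEY = b"constructed-shared-key-replace-in-production"

# Constructed registry rows (service endpoint, token access endpoint,
# token authentication format), standing in for the database.
PLATFORMS: Dict[str, Dict[str, str]] = {
    "iaas": {"service_endpoint": "https://iaas.example/api",
             "token_endpoint": "https://iaas.example/auth/tokens",
             "token_format": "X-Auth-Token"},
    "k8s": {"service_endpoint": "https://k8s.example/api",
            "token_endpoint": "https://k8s.example/oauth/token",
            "token_format": "Bearer"},
}
# Constructed platform token lifetimes in seconds.
LIFETIMES = {"iaas": 3600, "k8s": 900}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def fetch_platform_token(name: str, user: str, password: str, now: float) -> dict:
    """Step 7 for one platform. A real fetcher would present the user's
    credentials to PLATFORMS[name]["token_endpoint"]; this constructed one
    returns a made-up token and rejects "guest" on k8s so that the
    authentication-failure status of claim 5 is exercised."""
    if name == "k8s" and user == "guest":
        return {"status": "failure"}
    return {"status": "success",
            "token": f"{name}-token-for-{user}",
            "expires_at": int(now) + LIFETIMES[name]}


def issue_universal_token(user: str, password: str,
                          now: Optional[float] = None) -> str:
    """Steps 4 to 9: collect every platform token in parallel, set exp to the
    earliest platform token expiry, and sign the payload."""
    now = time.time() if now is None else now
    with ThreadPoolExecutor(max_workers=len(PLATFORMS)) as pool:
        fetched = pool.map(
            lambda name: fetch_platform_token(name, user, password, now), PLATFORMS)
        results = dict(zip(PLATFORMS, fetched))
    successes = [r for r in results.values() if r["status"] == "success"]
    if not successes:
        raise PermissionError("no heterogeneous platform accepted the user")
    payload = {
        "sub": user,
        "iat": int(now),
        "exp": min(r["expires_at"] for r in successes),   # shortest lifetime wins
        "platforms": {name: {**PLATFORMS[name], **results[name]}
                      for name in PLATFORMS},
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def open_universal_token(token: str, now: Optional[float] = None) -> dict:
    """Step 14 on the PaaS: check the algorithm, the signature and the expiry
    before trusting anything in the payload. Raises ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # refuses alg=none and alg confusion
    expected = hmac.new(SHARED_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body))
    if now >= payload["exp"]:
        raise ValueError("universal token expired")
    return payload


def platform_credentials(payload: dict, name: str) -> Tuple[str, str]:
    """What the PaaS forwards to one platform: its service endpoint and the
    Authorization header value in that platform's token format."""
    entry = payload["platforms"][name]
    if entry["status"] != "success":
        raise PermissionError(f"user was not authenticated on {name}")
    return entry["service_endpoint"], f"{entry['token_format']} {entry['token']}"
```

The payload carries each platform's raw token, so a leaked universal token exposes every platform session at once; that is the trade-off the patent makes for statelessness, and it is why the validity period is clamped to the shortest platform token lifetime rather than the longest. If the per-platform tokens must stay confidential from the gateway, the payload would have to be encrypted (JWE) rather than merely signed (JWS).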
The above embodiments illustrate the operation of the invention and are not intended to limit its scope. Any arrangement in which a universal token carries the tokens of the heterogeneous platforms and the heterogeneous platform PaaS system uses it to request services, thereby reducing the coupling between services and integrating the services of the heterogeneous platforms, falls within the scope of the invention; the actual scope of protection is defined by the claims.

Claims (7)

1. A heterogeneous cloud platform authentication and authorization integration system, the system comprising:
a manager dashboard for providing a management interface for the authentication information of a heterogeneous service platform;
a database for storing the authentication information of the heterogeneous service platform;
a platform registration module for accessing the heterogeneous service platform authentication information in the database;
a token acquisition module, which acquires at least one heterogeneous cloud platform token through the platform registration module;
a universal token issuing module, which encrypts and encapsulates the heterogeneous cloud platform token obtained through the token acquisition module into a universal token payload and issues it; and
an API authentication interface, which provides services in a representational state transfer (RESTful) manner and, upon receiving a request, passes the authentication message to the universal token issuing module and retrieves the issued universal token payload.
2. The system of claim 1, wherein the manager dashboard is configured to set service configuration information comprising a service endpoint, a token access endpoint and a token authentication format.
3. The system of claim 2, wherein the service configuration information further includes an authentication method, the authentication method including BasicAuth, OAuth and LDAP/AD.
4. The system of claim 3, wherein the API authentication interface further comprises an authentication function for the user's credentials, connected to an AD/LDAP server, for authenticating the user.
5. The system of claim 1, wherein the universal token payload comprises an authentication status message and a token expiration time, the authentication status message indicating authentication success or authentication failure.
6. The system of claim 5, wherein the platform registration module is further configured to record the authentication status information, and the manager dashboard is configured to present the status of the heterogeneous service platform.
7. The system of claim 5, wherein the valid time of the universal token payload is determined by the shortest of the token timeouts.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910576296.4A 2019-06-28 2019-06-28 Heterogeneous cloud platform authentication and authorization integration system (CN112152977A, pending)

Publications (1)

Publication Number Publication Date
CN112152977A 2020-12-29

Family

ID=73869452

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910576296.4A (pending) Heterogeneous cloud platform authentication and authorization integration system 2019-06-28 2019-06-28

Country Status (1)

CN: CN112152977A

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104168333A * 2014-09-01 2014-11-26 广东电网公司信息中心 Working method of PROXZONE service platform
US9432379B1 * 2014-10-09 2016-08-30 Emc Corporation Dynamic authorization in a multi-tenancy environment via tenant policy profiles
CN105577665A * 2015-12-24 2016-05-11 西安电子科技大学 Identity and access control and management system and method in a cloud environment
CN107147496A * 2017-04-28 2017-09-08 广东网金控股股份有限公司 Unified authorization and authentication method between different applications under a service-oriented technical framework

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150105A * 2022-09-01 2022-10-04 杭州悦数科技有限公司 Identity authentication method and system in a distributed graph database


Legal Events

Date Code Title Description
2020-12-29 PB01 Publication Application publication date: 20201229
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication