CN112637214A - Resource access method and device and electronic equipment - Google Patents


Info

Publication number: CN112637214A (granted version: CN112637214B)
Application number: CN202011554559.0A
Authority: CN (China)
Prior art keywords: target, account, tenant, role, iam
Legal status: Granted (active)
Inventor: 李严
Current assignee: Beijing Kingsoft Cloud Network Technology Co Ltd
Original assignee: Beijing Kingsoft Cloud Network Technology Co Ltd
Other languages: Chinese (zh)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles


Abstract

The application provides a resource access method, a resource access device and an electronic device. The method is applied to a resource server, which stores the correspondence between IAM roles and trusted accounts; the correspondence includes that between a target IAM role configured by the first tenant for the second tenant and a target trusted account, the target trusted account being the account, among the second tenant's accounts, that is authorized to access the first tenant's cloud resources. The method comprises: receiving a resource access request from the second tenant, the request carrying the identifier of the target trusted account; obtaining a temporary access key for the target IAM role based on the resource access request and the correspondence, the temporary access key having a validity period; and sending the temporary access key to the second tenant, so that the second tenant accesses the cloud resources of the first tenant through the temporary access key. The method and device improve the security of resource access.

Description

Resource access method and device and electronic equipment
Technical Field
The present application relates to the technical field of cloud services, and in particular, to a resource access method and apparatus, and an electronic device.
Background
In the existing resource management scenario, if a first tenant wants a second tenant to maintain its resources, the first tenant must first create a sub-user, create an AK/SK for that sub-user (Access Key ID / Secret Access Key, the secret used together with the Access Key ID; the pair is referred to as the access key for short), and hand the sub-user's access key to the second tenant, so that the second tenant can use the AK/SK programmatically to call the OpenAPI and manage the first tenant's cloud resources.
However, in this approach the sub-user's access key is valid for a long time, so once it leaks there is a security problem; and whenever the second tenant's staff changes, the second tenant has to ask the first tenant to rotate the sub-user's access key, which is cumbersome.
Disclosure of Invention
The present application aims to provide a resource access method, a resource access device and an electronic device that keep resource access secure without the first tenant having to do anything when the second tenant's personnel change.
In a first aspect, an embodiment of the present application provides a resource access method applied to a resource server in which the correspondence between IAM roles and trusted accounts is stored; the correspondence includes that between a target IAM role configured by the first tenant for the second tenant and a target trusted account, the target trusted account being the account, among the second tenant's accounts, that is authorized to access the first tenant's cloud resources. The method comprises: receiving a resource access request from the second tenant, the request carrying the identifier of the target trusted account and the target access key corresponding to that identifier, the target access key being a long-term valid access key; obtaining a temporary access key for the target IAM role based on the resource access request and the correspondence, the temporary access key having a validity period; and sending the temporary access key to the second tenant, so that the second tenant accesses the cloud resources of the first tenant through the temporary access key.
Further, obtaining the temporary access key of the target IAM role based on the resource access request and the correspondence includes: looking up, in the correspondence, the target IAM role that corresponds to the identifier of the target trusted account; and calling a preset assume-role API (application programming interface) with the target access key to obtain the temporary access key of the target IAM role.
Further, before receiving the resource access request of the second tenant, the method further includes: in response to a role creation operation by a first account of the first tenant, creating a target IAM role associated with the first account; and in response to an operation adding a target trusted account to the target IAM role, determining the correspondence between the target IAM role and the target trusted account; the target trusted account includes a second account of the second tenant.
Further, the method further includes: in response to a permission policy setting operation for the target IAM role, configuring a preset permission policy for the target IAM role and its corresponding target trusted account.
Further, a client corresponding to the resource server is configured with a role creation page; creating the target IAM role associated with the first account in response to the role creation operation then includes: in response to a preset operation for the first account on the role creation page, creating the target IAM role associated with the first account, where the preset operation is one of: an account selection operation, a role name editing operation, an account adding operation, and a role name editing operation.
Further, the role creation page also has a trusted account input box; determining the correspondence between the target IAM role and the trusted account in response to the trusted account adding operation then includes: in response to the second account being entered in the trusted account input box, taking the second account as the target trusted account of the target IAM role, thereby obtaining the correspondence between the target IAM role and the target trusted account.
Further, a client corresponding to the resource server is configured with a role permission configuration page, which has an authorized-subject input box and a permission selection list containing several candidate permission policies; configuring the preset permission policy in response to the permission policy setting operation then includes: in response to the role name of the target IAM role being entered in the authorized-subject input box and a target permission policy being selected from the permission selection list, configuring the target permission policy for the target IAM role and its corresponding target trusted account.
Further, the target trusted account may also include an IAM user under the second account of the second tenant.
In a second aspect, an embodiment of the present application further provides a resource access device applied to a resource server in which the correspondence between IAM roles and trusted accounts is stored; the correspondence includes that between a target IAM role configured by the first tenant for the second tenant and a target trusted account, the target trusted account being the account, among the second tenant's accounts, that is authorized to access the first tenant's cloud resources. The device comprises: a request receiving module for receiving a resource access request from the second tenant, the request carrying the identifier of the target trusted account and the target access key corresponding to that identifier; an access key obtaining module for obtaining a temporary access key for the target IAM role based on the resource access request and the correspondence, the temporary access key having a validity period; and an access key sending module for sending the temporary access key to the second tenant, so that the second tenant can access the cloud resources of the first tenant through the temporary access key.
In a third aspect, an embodiment of the present application further provides an electronic device, which includes a processor and a memory, where the memory stores computer-executable instructions that can be executed by the processor, and the processor executes the computer-executable instructions to implement the method in the first aspect.
In a fourth aspect, embodiments of the present application further provide a computer-readable storage medium storing computer-executable instructions that, when invoked and executed by a processor, cause the processor to implement the method of the first aspect.
In the resource access method provided by the embodiment of the application, the correspondence between IAM roles and trusted accounts is stored in the resource server; the correspondence includes that between a target IAM role configured by the first tenant for the second tenant and a target trusted account, the target trusted account being the account, among the second tenant's accounts, that is authorized to access the first tenant's cloud resources. When the resource server receives a resource access request from the second tenant, it obtains a temporary key for the target IAM role according to the correspondence and the identifier of the target trusted account and the corresponding target key carried in the request, then sends the temporary key to the second tenant, which accesses the first tenant's cloud resources through it. Because the temporary key has a validity period, once an employee of the second tenant leaves, resource access remains secure without the first tenant having to do anything.
Drawings
In order to more clearly illustrate the detailed description of the present application or the technical solutions in the prior art, the drawings needed to be used in the detailed description of the present application or the prior art description will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a resource access method according to an embodiment of the present application;
fig. 2 is a flowchart of a key obtaining method according to an embodiment of the present application;
fig. 3 is a flowchart of an account authorization method according to an embodiment of the present application;
fig. 4 is a block diagram illustrating a structure of a resource access device according to an embodiment of the present disclosure;
fig. 5 is a block diagram of another resource access device according to an embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions of the present application will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In one resource management scenario there are two tenants, a first tenant A and a second tenant B. Tenant A has purchased cloud resources such as cloud hosts, elastic IPs and load balancers but has no operations and maintenance capability, so it wants tenant B to perform operations and maintenance on its behalf; tenant B therefore needs to access and manage tenant A's resources.
In the prior art, the second tenant B obtains management permission over the first tenant A's resources as follows: tenant A creates a sub-user X, binds the necessary permission policy to X, creates an access key for X, and provides that access key to tenant B, so that tenant B can use the access key programmatically to call the OpenAPI and manage tenant A's cloud resources.
However, in this approach the sub-user's access key is valid for a long time, and once it leaks there is a security problem. If an employee of tenant B leaves, that employee can still use the sub-user's access key to operate tenant A's resources; tenant B then has to ask tenant A to rotate the sub-user's access key to avoid the problem.
In summary, the prior art carries a security risk, and whenever personnel change the access key must be rotated, which is a cumbersome process.
Based on this, embodiments of the present application provide a resource access method, a device and an electronic device that keep resource access secure without the first tenant having to do anything when the second tenant's personnel change.
To facilitate understanding of the embodiments, several concepts in the art are first explained:
IAM (Identity and Access Management) is a comprehensive set of practices for establishing and maintaining digital identities. It provides effective and secure business processes and management means for access to IT resources, thereby implementing identity authentication, authorization, and centralized management and auditing of identity data for an organization's information assets.
A sub-user is also called an IAM user. An IAM user is an entity identity type in IAM with a definite identity ID and identity credentials, and usually corresponds one to one to a particular person or application. Multiple IAM users can be created under one tenant account, corresponding to employees, systems or applications in the enterprise. IAM users own no resources; they belong to the cloud account and are visible only within that account's space rather than being independent cloud accounts, and once authorized by the cloud account they can log in to the cloud server or use the API to operate on the resources under the cloud account. When an enterprise has many kinds of cloud resources, the authorization management function of IAM allows user authorization and resources to be managed in a unified way.
An IAM role, like an IAM user, is one of the IAM identity types. An IAM role is a virtual user: it has no fixed authentication key and must be assumed by a trusted entity user before it can be used. Unlike entity users (cloud accounts, IAM users and cloud services), the IAM role is virtual.
A trusted entity of a role is an entity user identity that may assume the role. Trusted entities must be specified when a role is created, and the role can only be assumed by its trusted entities. A trusted entity may be a trusted cloud account or an identity provider, and has a definite login password or access key.
A permission policy is a set of permissions described in a syntactic structure; it can precisely describe the authorized set of resources, the set of operations and the authorization conditions. A permission policy is a simple language specification describing a set of permissions. A role may be bound to a set of permission policies; a role with no bound permission policy may exist but cannot access resources.
Assume role is the method by which an entity user obtains a security token for a role identity. The entity user calls the Security Token Service (STS) application programming interface (API) for obtaining role security tokens, and uses the security token to access the cloud service API.
A temporary identity is a temporary access key for a role identity. A role identity has no fixed access key; when an entity user wants to use a role, it must obtain the corresponding temporary identity by assuming the role, and then call the cloud service API with that temporary identity.
Fig. 1 is a flowchart of a resource access method provided in an embodiment of the present application. The method is applied to a resource server in which the correspondence between IAM roles and trusted accounts is stored; the correspondence includes that between a target IAM role configured by the first tenant for the second tenant and a target trusted account, the target trusted account being the account, among the second tenant's accounts, that is authorized to access the first tenant's cloud resources. The second tenant's account may be its cloud account or a sub-user under that cloud account, that is, an IAM user.
The resource access method specifically comprises the following steps:
Step S102: receive a resource access request from the second tenant; the request carries the identifier of the target trusted account and the target access key corresponding to that identifier.
The second tenant is the delegated manager or accessing party of the first tenant's cloud resources. When it needs to access those resources, it initiates a resource access request to the resource server programmatically; the request carries the identifier of the target trusted account corresponding to the second tenant and that account's target access key, which is a long-term valid access key.
Step S104: obtain a temporary access key for the target IAM role based on the resource access request and the correspondence; the temporary access key has a validity period.
From the correspondence between IAM roles and trusted accounts pre-stored in the resource server, the target IAM role corresponding to the second tenant's target trusted account is determined; the resource server then obtains, through the second tenant's role assumption, a temporary access key for the target IAM role, which has a validity period.
Step S106: send the temporary access key to the second tenant, so that the second tenant accesses the first tenant's cloud resources through the temporary access key.
The resource server sends the temporary access key of the target IAM role obtained in the previous step to the second tenant, which can then access the first tenant's cloud resources through the temporary access key.
In the resource access method provided by the embodiment of the application, the correspondence between IAM roles and trusted accounts is stored in the resource server; the correspondence includes that between a target IAM role configured by the first tenant for the second tenant and a target trusted account, the target trusted account being the account, among the second tenant's accounts, that is authorized to access the first tenant's cloud resources. When the resource server receives a resource access request from the second tenant, it obtains a temporary access key for the target IAM role according to the identifier of the target trusted account carried in the request, the corresponding target access key, and the correspondence, then sends the temporary access key to the second tenant, which accesses the first tenant's cloud resources through it. Because the temporary access key has a validity period, once an employee of the second tenant leaves, resource access remains secure without the first tenant having to do anything.
Obtaining the temporary access key of the target IAM role based on the resource access request and the correspondence may be implemented as in the flowchart of the access key obtaining method shown in fig. 2:
Step S202: look up, in the correspondence, the target IAM role corresponding to the identifier of the target trusted account.
The resource server stores the correspondence between IAM roles and trusted accounts, which includes that between a target IAM role configured by the first tenant for the second tenant and a target trusted account, the target trusted account being the account, among the second tenant's accounts, that is authorized to access the first tenant's cloud resources. The first and second tenants may each have several roles, that is, the correspondence may contain IAM roles configured by many different tenants together with their trusted accounts, so the target IAM role must be selected from the correspondence according to the identifier of the target trusted account carried in the resource access request.
Step S204: call a preset assume-role API (application programming interface) with the target access key to obtain the temporary access key of the target IAM role.
The target access key is a long-term valid access key. Once the target IAM role is determined, the assume-role API, namely the STS AssumeRole API, is called with the second tenant's target access key to obtain a temporary access key for the target IAM role, which has a set validity period. After the temporary access key expires and becomes invalid, the preset assume-role API can be called again with the target access key to obtain a new temporary access key for the target IAM role; each temporary access key obtained is different and carries the preset validity period, which protects the security of resource access.
To further improve the security of resource access, an embodiment of the present application also provides an account authorization method, which may be implemented as in the flowchart shown in fig. 3:
Step S302: in response to a new-role operation by a first account of the first tenant, create a target IAM role associated with the first account.
In a preferred embodiment, a client corresponding to the resource server is configured with a role creation page, and step S302 may be implemented as: in response to a preset operation for the first account on the role creation page, creating the target IAM role associated with the first account, where the preset operation is one of: an account selection operation, a role name editing operation, an account adding operation, and a role name editing operation. The first account is the cloud account of the first tenant.
Step S304: in response to an operation adding a target trusted account to the target IAM role, determine the correspondence between the target IAM role and the target trusted account; the target trusted account includes a second account of the second tenant.
The role creation page also has a trusted account input box, and step S304 may be implemented as: in response to the second account being entered in the trusted account input box, taking the second account as the target trusted account of the target IAM role, thereby obtaining the correspondence between the target IAM role and the target trusted account. Optionally, the second account is the cloud account of the second tenant.
In addition, a permission policy may be set for the trusted account; see step S306.
Step S306: in response to a permission policy setting operation for the target IAM role, configure a preset permission policy for the target IAM role and its corresponding target trusted account.
In one embodiment, the preset permission policy represents the permission to use a target API interface. In a preferred embodiment, a client corresponding to the resource server is configured with a role permission configuration page, which has an authorized-subject input box and a permission selection list containing several candidate permission policies; step S306 may then be implemented as: in response to the role name of the target IAM role being entered in the authorized-subject input box and a target permission policy being selected from the permission selection list, configuring the target permission policy for the target IAM role and its corresponding target trusted account.
After the first tenant binds the target permission policy to the target IAM role in this way, the target trusted account corresponding to the target IAM role is also bound to that policy and is constrained by it when accessing resources. That is, whatever permissions the target IAM role has, the target trusted account has as well.
For security, in this embodiment the target trusted account may further include an IAM user under the second account of the second tenant. That is, the second tenant may use one of its sub-users to obtain the temporary access key of the target IAM role and access the first tenant's cloud resources with it. Having a sub-user assume the role achieves least privilege: the sub-user is authorized only for the assume-role operation. Role assumption verifies whether the sub-user is in the trusted account list of the target IAM role. If an employee of the second tenant leaves, only that employee's sub-user under the second tenant needs to be reclaimed.
In the resource access method provided by the embodiment of the application, the first tenant may grant an IAM role it created to another tenant's account or to a sub-user of that tenant's cloud account, so that the other tenant obtains the temporary access key of the IAM role by assuming it and accesses the first tenant's resources through that key; because the temporary access key is time-limited, the security of resource access is protected.
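As an added illustration (not code from the patent or from Kingsoft Cloud), the following Python model puts the flows of figs. 1 to 3 in one place: the first tenant creates a role, lists trusted accounts and binds a policy (S302 to S306); the second tenant presents a trusted account's identifier and long-term access key and receives a time-limited temporary key for the role (S102 to S106, S202 to S204); and the second tenant reclaims a departed employee's sub-user on its own, with no action by the first tenant. All account names, secrets, API names and the one-hour validity period are constructed for the example, and the in-memory server stands in for both the resource server and STS.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    owner: str                                   # first tenant's cloud account
    trusted: set = field(default_factory=set)    # trusted account ids (S304)
    policy: set = field(default_factory=set)     # API names the role may call (S306)

@dataclass
class TempKey:
    role: str
    account: str                                 # trusted account that assumed the role
    access_key_id: str
    secret: str
    expires_at: float

class ResourceServer:
    def __init__(self, clock=time.time, ttl_seconds=3600):
        self.clock = clock                # injectable clock so expiry can be exercised
        self.ttl = ttl_seconds            # validity period of a temporary key (constructed)
        self.roles = {}                   # role name -> Role
        self.long_term_keys = {}          # second tenant's account id -> long-term secret
        self.role_by_account = {}         # trusted account id -> role name (the correspondence)
        self.temp_keys = {}               # temporary access key id -> TempKey

    # --- account authorization by the first tenant (fig. 3) ---
    def register_account(self, account_id, long_term_secret):
        self.long_term_keys[account_id] = long_term_secret

    def create_role(self, owner, role_name):                       # step S302
        self.roles[role_name] = Role(role_name, owner)

    def add_trusted_account(self, role_name, account_id):           # step S304
        self.roles[role_name].trusted.add(account_id)
        self.role_by_account[account_id] = role_name

    def attach_policy(self, role_name, api_names):                  # step S306
        self.roles[role_name].policy.update(api_names)

    # --- offboarding handled entirely on the second tenant's side ---
    def revoke_account(self, account_id):
        """Reclaim a departed employee's sub-user; the first tenant does nothing."""
        self.long_term_keys.pop(account_id, None)
        role_name = self.role_by_account.pop(account_id, None)
        if role_name is not None:
            self.roles[role_name].trusted.discard(account_id)
        # Outstanding temporary keys would expire on their own; drop them at once as well.
        self.temp_keys = {k: v for k, v in self.temp_keys.items() if v.account != account_id}

    # --- resource access request (fig. 1 and fig. 2) ---
    def assume_role(self, account_id, long_term_secret):
        """S102-S106: authenticate the trusted account, find its role, mint a temporary key."""
        stored = self.long_term_keys.get(account_id)
        if stored is None or not hmac.compare_digest(stored, long_term_secret):
            return None                                             # bad long-term key
        role_name = self.role_by_account.get(account_id)            # step S202
        if role_name is None or account_id not in self.roles[role_name].trusted:
            return None                                             # not a trusted account
        key = TempKey(role_name, account_id, "TMP" + secrets.token_hex(8),
                      secrets.token_hex(16), self.clock() + self.ttl)   # step S204
        self.temp_keys[key.access_key_id] = key
        return key

    def call_api(self, access_key_id, secret, api_name):
        # The first tenant's resource API is reachable only with a temporary key.
        key = self.temp_keys.get(access_key_id)
        if key is None or not hmac.compare_digest(key.secret, secret):
            return "denied: unknown key"
        if self.clock() >= key.expires_at:
            del self.temp_keys[access_key_id]                       # validity period is over
            return "denied: expired"
        if api_name not in self.roles[key.role].policy:
            return "denied: not in permission policy"
        return "ok"

def demo():
    """Walk the flow with constructed tenants A and B; returns the observed outcomes."""
    now = [1_700_000_000.0]
    srv = ResourceServer(clock=lambda: now[0], ttl_seconds=3600)
    srv.register_account("B:ops-alice", "alice-long-term-secret")  # sub-user of tenant B
    srv.create_role("A", "OpsForB")                                  # tenant A's role
    srv.add_trusted_account("OpsForB", "B:ops-alice")
    srv.attach_policy("OpsForB", {"DescribeInstances", "RebootInstance"})
    out = {}
    tmp = srv.assume_role("B:ops-alice", "alice-long-term-secret")
    out["minted"] = tmp is not None
    out["wrong_secret_rejected"] = srv.assume_role("B:ops-alice", "guess") is None
    out["allowed_call"] = srv.call_api(tmp.access_key_id, tmp.secret, "DescribeInstances")
    out["outside_policy"] = srv.call_api(tmp.access_key_id, tmp.secret, "DeleteInstance")
    now[0] += 3601                                                   # clock passes the TTL
    out["after_expiry"] = srv.call_api(tmp.access_key_id, tmp.secret, "DescribeInstances")
    renewed = srv.assume_role("B:ops-alice", "alice-long-term-secret")
    out["renewed_key_differs"] = renewed.access_key_id != tmp.access_key_id
    srv.revoke_account("B:ops-alice")                                # alice leaves tenant B
    out["after_revoke"] = srv.assume_role("B:ops-alice", "alice-long-term-secret") is None
    return out
```

Calling demo() shows the long-term key never touching the first tenant's API, the expired temporary key being refused, a renewed key differing from the old one, and the reclaimed sub-user no longer able to assume the role.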
Based on the method embodiment, this application also provides a resource access apparatus applied to a resource server. The resource server stores the correspondence between IAM roles and trusted accounts; this correspondence includes the correspondence between a target IAM role that the first tenant configured for the second tenant and a target trusted account, where the target trusted account is the account, among the second tenant's accounts, that is authorized to access the first tenant's cloud resources. Referring to fig. 4, the apparatus includes:
a request receiving module 402, configured to receive a resource access request from the second tenant; the resource access request carries an identifier of the target trusted account and the target access key corresponding to that identifier;
an access key obtaining module 404, configured to obtain a temporary access key for the target IAM role based on the resource access request and the stored correspondence; the temporary access key has a validity period;
an access key sending module 406, configured to send the temporary access key to the second tenant, so that the second tenant accesses the first tenant's cloud resources with the temporary access key.
In another possible implementation, the access key obtaining module 404 is further configured to: look up the target IAM role corresponding to the identifier of the target trusted account in the stored correspondence; and call a preset role-assumption API (application programming interface) to obtain a temporary access key for the target IAM (Identity and Access Management) role.
In another possible implementation, the apparatus further includes a role creation module 408 and a relationship generation module 410, as shown in fig. 5.
The role creation module 408 is configured to create a target IAM role associated with a first account of the first tenant in response to a role creation operation for that account; the relationship generation module 410 is configured to determine the correspondence between the target IAM role and a target trusted account in response to an operation adding a target trusted account to the target IAM role; the target trusted account includes a second account of the second tenant.
In another possible implementation, the apparatus further includes a permission configuration module 412, configured to bind a preset permission policy to the target IAM role and its corresponding target trusted account in response to a permission policy setting operation for the target IAM role; optionally, the preset permission policy expresses the right to use a target API.
In another possible implementation, the client corresponding to the resource server provides a role creation page; the role creation module 408 is further configured to create the target IAM role associated with the first account in response to a preset operation on that account in the role creation page, where the preset operation comprises one of: an account selection operation and a role name editing operation, or an account addition operation and a role name editing operation.
In another possible implementation, the role creation page also provides a trusted account input box; the relationship generation module 410 is further configured to take the second account entered in the trusted account input box as a target trusted account of the target IAM role, yielding the correspondence between the target IAM role and the target trusted account.
In another possible implementation, the client corresponding to the resource server provides a role permission configuration page with an authorized subject input box and a permission selection list, the list containing several candidate permission policies; the permission configuration module 412 is further configured to bind the target permission policy to the target IAM role and its corresponding target trusted account in response to entry of the target IAM role's name in the authorized subject input box and selection of the target permission policy in the permission selection list.
In another possible implementation, the target trusted account further includes an IAM user belonging to the second account of the second tenant.
The resource access apparatus provided in this embodiment has the same implementation principle and technical effect as the foregoing resource access method embodiment; for brevity, anything not mentioned in the apparatus embodiment may be found in the corresponding part of the method embodiment.
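As an added illustration of the flow described in the method embodiment and of the module breakdown above (request receiving 402, access key obtaining 404, access key sending 406, role creation 408, relationship generation 410, permission configuration 412), here is a Python model of the resource-server side. It is example code written for this page, not Kingsoft Cloud's implementation and not any real cloud provider's API; the class and function names, the one-hour validity window, the tenant, sub-user and role names and the set of API names are all assumed. The request is taken to name the role as well as the trusted account, since one account may be trusted by several roles, a case the patent text does not spell out.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed validity window of a temporary access key. The page only says the key
# "has a valid duration"; one hour is a placeholder, not a value from the patent.
TEMP_KEY_TTL_SECONDS = 3600


@dataclass
class IamRole:
    """An IAM role created by the first tenant (the owner of the cloud resources)."""
    role_name: str
    owner_account: str
    trusted_principals: set = field(default_factory=set)  # accounts / sub-users allowed to assume it
    policy: set = field(default_factory=set)              # API names the role (and its assumers) may call


@dataclass
class TemporaryKey:
    token: str
    role_name: str
    issued_to: str
    expires_at: float


class ResourceServer:
    """Stores the role <-> trusted-account correspondence and issues temporary keys."""

    def __init__(self):
        self.long_term_keys = {}  # principal_id -> long-term secret access key
        self.roles = {}           # role_name -> IamRole
        self.temp_keys = {}       # token -> TemporaryKey

    # ---- set-up: principals, role creation (408), trust list (410), permission policy (412) ----
    def register_principal(self, principal_id, secret):
        self.long_term_keys[principal_id] = secret

    def revoke_principal(self, principal_id):
        """Offboarding: drop the sub-user and (a choice of this model) its live temporary keys."""
        self.long_term_keys.pop(principal_id, None)
        self.temp_keys = {t: k for t, k in self.temp_keys.items() if k.issued_to != principal_id}

    def create_role(self, owner_account, role_name):
        self.roles[role_name] = IamRole(role_name, owner_account)

    def add_trusted_account(self, role_name, principal_id):
        self.roles[role_name].trusted_principals.add(principal_id)

    def set_policy(self, role_name, apis):
        self.roles[role_name].policy = set(apis)

    # ---- request handling: receive (402), obtain the temporary key (404), return it (406) ----
    def assume_role(self, principal_id, presented_secret, role_name, now=None):
        now = time.time() if now is None else now
        expected = self.long_term_keys.get(principal_id)
        # Constant-time comparison; an unknown principal fails the same way as a wrong key.
        if expected is None or not hmac.compare_digest(expected.encode(), presented_secret.encode()):
            raise PermissionError("unknown principal or wrong long-term access key")
        role = self.roles.get(role_name)
        if role is None or principal_id not in role.trusted_principals:
            raise PermissionError(f"{principal_id} is not a trusted account of role {role_name}")
        key = TemporaryKey(secrets.token_urlsafe(24), role_name, principal_id,
                           now + TEMP_KEY_TTL_SECONDS)
        self.temp_keys[key.token] = key
        return key

    def call_api(self, token, api, now=None):
        """Resource access with a temporary key: check expiry first, then the role's policy."""
        now = time.time() if now is None else now
        key = self.temp_keys.get(token)
        if key is None:
            raise PermissionError("unknown temporary key")
        if now >= key.expires_at:
            del self.temp_keys[token]
            raise PermissionError("temporary key expired")
        role = self.roles[key.role_name]
        if api not in role.policy:
            raise PermissionError(f"{api} is not allowed by the policy bound to {role.role_name}")
        return f"{api} executed on {role.owner_account} resources as {role.role_name} for {key.issued_to}"


def denied(action, *args, **kwargs):
    """True when the server refuses the action with PermissionError."""
    try:
        action(*args, **kwargs)
    except PermissionError:
        return True
    return False


def build_demo_server():
    """Constructed scenario: tenant_a lets one sub-user of tenant_b read a shared bucket."""
    srv = ResourceServer()
    srv.register_principal("tenant_b/alice", "ALICE-LONG-TERM-SECRET")  # IAM sub-user of tenant_b
    srv.create_role("tenant_a", "shared-bucket-reader")
    srv.add_trusted_account("shared-bucket-reader", "tenant_b/alice")
    srv.set_policy("shared-bucket-reader", {"GetObject", "ListObjects"})
    return srv


if __name__ == "__main__":
    srv = build_demo_server()
    key = srv.assume_role("tenant_b/alice", "ALICE-LONG-TERM-SECRET", "shared-bucket-reader", now=0)
    print(srv.call_api(key.token, "GetObject", now=10))
    print("DeleteObject denied:", denied(srv.call_api, key.token, "DeleteObject", now=10))
    print("expired key denied:", denied(srv.call_api, key.token, "GetObject", now=TEMP_KEY_TTL_SECONDS))
    srv.revoke_principal("tenant_b/alice")
    print("assumption after offboarding denied:",
          denied(srv.assume_role, "tenant_b/alice", "ALICE-LONG-TERM-SECRET", "shared-bucket-reader"))
```

Three properties of the scheme are visible here. The long-term access key of the trusted account is the only credential that can mint a temporary key, so it is compared in constant time and an unknown principal is rejected identically to a wrong key. The temporary key carries its own expiry and is evaluated against the policy bound to the role, so a leaked temporary key is limited both in time and in scope. Revoking the sub-user stops further role assumptions; this model also discards keys already issued to it, a point the patent leaves open.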
An electronic device is further provided in the embodiment of the present application, as shown in fig. 6, which is a schematic structural diagram of the electronic device, where the electronic device includes a processor 61 and a memory 60, the memory 60 stores computer-executable instructions that can be executed by the processor 61, and the processor 61 executes the computer-executable instructions to implement the method.
In the embodiment shown in fig. 6, the electronic device further comprises a bus 62 and a communication interface 63, wherein the processor 61, the communication interface 63 and the memory 60 are connected by the bus 62.
The memory 60 may include high-speed Random Access Memory (RAM) and may also include non-volatile memory, such as at least one disk memory. The communication connection between this network element of the system and at least one other network element is realized through at least one communication interface 63 (wired or wireless), over the internet, a wide area network, a local area network, a metropolitan area network, or the like. The bus 62 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like, and may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in fig. 6, but that does not mean there is only one bus or one type of bus.
The processor 61 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 61. The processor 61 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of this application may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may reside in storage media well known in the art such as RAM, flash memory, ROM, PROM or EPROM, or registers. The storage medium is located in the memory, and the processor 61 reads the information in the memory and, together with its hardware, performs the steps of the method of the previous embodiment.
Embodiments of the present application further provide a computer-readable storage medium, where computer-executable instructions are stored, and when the computer-executable instructions are called and executed by a processor, the computer-executable instructions cause the processor to implement the method, and specific implementation may refer to the foregoing method embodiments, and is not described herein again.
The computer program product for the resource access method, the resource access apparatus and the electronic device provided in the embodiments of this application comprises a computer-readable storage medium storing program code; the instructions in that program code can be used to execute the method described in the foregoing method embodiments, and the specific implementation may refer to those embodiments and is not repeated here.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present application.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In the description of the present application, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, and do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present application. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present application, and are used for illustrating the technical solutions of the present application, but not limiting the same, and the scope of the present application is not limited thereto, and although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the spirit and scope of the exemplary embodiments of the present application, and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A resource access method, characterized in that the method is applied to a resource server, and the resource server stores the correspondence between IAM roles and trusted accounts; the correspondence comprises the correspondence between a target IAM role configured for a second tenant by a first tenant and a target trusted account, and the target trusted account is the account, among the accounts of the second tenant, that is authorized to access the cloud resources of the first tenant; the method comprises the following steps:
receiving a resource access request from the second tenant; the resource access request carries an identifier of the target trusted account and a target access key corresponding to the identifier; the target access key is a long-term access key;
obtaining a temporary access key for the target IAM role based on the resource access request and the correspondence; the temporary access key has a validity period;
and sending the temporary access key to the second tenant, so that the second tenant accesses the cloud resources of the first tenant through the temporary access key.
2. The method according to claim 1, characterized in that the step of obtaining a temporary access key for the target IAM role based on the resource access request and the correspondence comprises:
looking up the target IAM role corresponding to the identifier of the target trusted account in the correspondence;
and calling a preset role-assumption API (application programming interface) with the target access key to obtain the temporary access key for the target IAM (Identity and Access Management) role.
3. The method of claim 1, characterized in that before the step of receiving the resource access request from the second tenant, the method further comprises:
creating a target IAM role associated with a first account of the first tenant in response to a role creation operation for the first account;
and determining the correspondence between the target IAM role and the target trusted account in response to an operation adding a target trusted account to the target IAM role; the target trusted account comprises a second account of the second tenant.
4. The method of claim 3, further comprising:
binding a preset permission policy to the target IAM role and its corresponding target trusted account in response to a permission policy setting operation for the target IAM role.
5. The method of claim 3, characterized in that the client corresponding to the resource server is provided with a role creation page;
the step of creating a target IAM role associated with the first account in response to a role creation operation for the first account of the first tenant comprises:
creating the target IAM role associated with the first account in response to a preset operation on the first account in the role creation page; wherein the preset operation comprises one of: an account selection operation and a role name editing operation, or an account addition operation and a role name editing operation.
6. The method according to claim 5, characterized in that the role creation page is further provided with a trusted account input box;
the step of determining the correspondence between the target IAM role and the trusted account in response to an operation adding a target trusted account to the target IAM role comprises:
taking a second account entered in the trusted account input box as a target trusted account of the target IAM role, so as to obtain the correspondence between the target IAM role and the target trusted account.
7. The method according to claim 4, characterized in that the client corresponding to the resource server is provided with a role permission configuration page; the role permission configuration page is provided with an authorized subject input box and a permission selection list; the permission selection list comprises a plurality of candidate permission policies;
the step of binding a preset permission policy to the target IAM role and its corresponding target trusted account in response to a permission policy setting operation for the target IAM role comprises:
binding the target permission policy to the target IAM role and its corresponding target trusted account in response to entry of the role name of the target IAM role in the authorized subject input box and selection of the target permission policy in the permission selection list.
8. The method of claim 3, characterized in that the target trusted account further comprises an IAM user belonging to the second account of the second tenant.
9. A resource access apparatus, characterized in that the apparatus is applied to a resource server, and the resource server stores the correspondence between IAM roles and trusted accounts; the correspondence comprises the correspondence between a target IAM role configured for a second tenant by a first tenant and a target trusted account, and the target trusted account is the account, among the accounts of the second tenant, that is authorized to access the cloud resources of the first tenant; the apparatus comprises:
a request receiving module, configured to receive a resource access request from the second tenant; the resource access request carries an identifier of the target trusted account and a target access key corresponding to the identifier; the target access key is a long-term access key;
an access key obtaining module, configured to obtain a temporary access key for the target IAM role based on the resource access request and the correspondence; the temporary access key has a validity period;
and an access key sending module, configured to send the temporary access key to the second tenant, so that the second tenant accesses the cloud resources of the first tenant through the temporary access key.
10. An electronic device comprising a processor and a memory, the memory storing computer-executable instructions executable by the processor, the processor executing the computer-executable instructions to implement the method of any of claims 1 to 8.
11. A computer-readable storage medium having computer-executable instructions stored thereon which, when invoked and executed by a processor, cause the processor to implement the method of any of claims 1 to 8.
CN202011554559.0A 2020-12-24 2020-12-24 Resource access method and device and electronic equipment Active CN112637214B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011554559.0A CN112637214B (en) 2020-12-24 2020-12-24 Resource access method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN112637214A true CN112637214A (en) 2021-04-09
CN112637214B CN112637214B (en) 2023-04-07

Family

ID=75324676

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113127909A (en) * 2021-04-30 2021-07-16 北京奇艺世纪科技有限公司 Feature data processing method and device, electronic equipment and storage medium
CN113794720A (en) * 2021-09-14 2021-12-14 树根互联股份有限公司 Method and device for authorization of permission of cross-tenant device resources and electronic device
CN114095200A (en) * 2021-09-28 2022-02-25 阿里巴巴(中国)有限公司 Resource access authority management method and device, electronic equipment and medium
CN114389868A (en) * 2021-12-30 2022-04-22 天翼物联科技有限公司 Method, system and device for distributing cloud resources and storage medium
CN114584364A (en) * 2022-03-01 2022-06-03 北京金山云网络技术有限公司 Resource access control method, device, storage medium and electronic equipment
CN114650183A (en) * 2022-04-11 2022-06-21 远景智能国际私人投资有限公司 Resource management method, device, server and storage medium
CN114666126A (en) * 2022-03-21 2022-06-24 阿里云计算有限公司 Resource management method, device, server and system
CN114666125A (en) * 2022-03-21 2022-06-24 阿里云计算有限公司 Resource management method and device and server
CN114726629A (en) * 2022-04-12 2022-07-08 树根互联股份有限公司 Authority configuration method, system, device, electronic equipment and readable storage medium
CN114978652A (en) * 2022-05-16 2022-08-30 北京百度网讯科技有限公司 Authority control method of edge device, resource access method and device
CN115001729A (en) * 2022-02-22 2022-09-02 中国光大银行股份有限公司 User authority control method, device, equipment and medium
CN115525889A (en) * 2022-09-28 2022-12-27 北京亚控科技发展有限公司 Security authority control method and device, electronic equipment and storage medium
CN115714689A (en) * 2022-11-30 2023-02-24 重庆忽米网络科技有限公司 UI resource access control method based on IAM
CN115801833A (en) * 2022-11-16 2023-03-14 浙江九州云信息科技有限公司 Enterprise-level public cloud resource management method and system
WO2023160632A1 (en) * 2022-02-25 2023-08-31 华为云计算技术有限公司 Method for setting cloud service access permissions of enclave instance, and cloud management platform

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080313716A1 (en) * 2007-06-12 2008-12-18 Park Joon S Role-based access control to computing resources in an inter-organizational community
US9225704B1 (en) * 2013-06-13 2015-12-29 Amazon Technologies, Inc. Unified management of third-party accounts
CN106230818A (en) * 2016-08-01 2016-12-14 浪潮(苏州)金融技术服务有限公司 A kind of resource authorization method of information management system
US9894067B1 (en) * 2015-12-03 2018-02-13 Amazon Technologies, Inc. Cross-region roles
US20190075115A1 (en) * 2017-09-01 2019-03-07 Atlassian Pty Ltd Systems and methods for accessing cloud resources from a local development environment
US10250612B1 (en) * 2016-07-07 2019-04-02 Amazon Technologies, Inc. Cross-account role management
US20190132280A1 (en) * 2017-10-27 2019-05-02 At&T Intellectual Property I, L.P. Network Based Distribution for Compute Resource and Application Accessibility
US10715514B1 (en) * 2016-12-07 2020-07-14 Amazon Technologies, Inc. Token-based credential renewal service
CN111953708A (en) * 2020-08-24 2020-11-17 北京金山云网络技术有限公司 Cross-account login method and device based on cloud platform and server
CN112003706A (en) * 2020-08-24 2020-11-27 北京字节跳动网络技术有限公司 Signature method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant