CN113765963A - Data processing method, device, equipment and computer readable storage medium - Google Patents

Info

Publication number: CN113765963A
Authority: CN (China)
Prior art keywords: user, docker, machine, service, application service
Legal status: Pending
Application number: CN202010725591.4A
Other languages: Chinese (zh)
Inventors: 任侨, 吴正轩, 樊建刚
Current assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Original assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Wodong Tianjun Information Technology Co Ltd; priority to CN202010725591.4A; publication of CN113765963A; current legal status: pending.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/50 Network services > H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F 21/45 Structures or tools for the administration of authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

An embodiment of the invention provides a data processing method, device, equipment and computer-readable storage medium. The method comprises the following steps: in response to a bastion host request from a user, creating a jump-box Docker container for the user, the jump-box Docker being used to implement the bastion host function; and in response to an access request from the user to a target IP, accessing the target IP through the user's jump-box Docker. With the method provided by this embodiment, when a user requests a bastion host, a jump-box Docker implementing the bastion host function is dynamically created for that user, and when the target IP is accessed, the user reaches the corresponding target IP through an independent jump-box Docker. This containerizes the bastion host, allows bastion host resources to be allocated on demand, improves bastion host utilization, and, because each jump-box Docker is used exclusively by one user, ensures the stability and security of the bastion host service.

Description

Data processing method, device, equipment and computer readable storage medium
Technical Field
The present invention relates to the field of computer technology, and in particular to a data processing method, apparatus, device and computer-readable storage medium.
Background
A bastion host is a security audit system that has been hardened to a certain security level and can resist certain attacks. Its main functions are auditing and controlling the permissions of terminals that log in to target service servers, and providing terminals with single sign-on. A terminal logs in to the target service server through the bastion host using the Secure Shell (SSH) protocol. The bastion service can help a user reach the actual target business server by IP for operation while satisfying the audit and permission security requirements of the Sarbanes-Oxley Act (SOX).
In the course of implementing the invention, the inventors found that the prior art has at least the following problem:
a traditional bastion host service must apply in advance for a batch of fixed resources to serve as bastion hosts, i.e. the bastion host IPs are fixed; temporary capacity expansion is needed when bastion host resources are insufficient, allocation on demand is not possible, and bastion host resource utilization is low.
Disclosure of Invention
Embodiments of the present invention provide a data processing method, apparatus, device and computer-readable storage medium to solve the prior-art problems that bastion host resources cannot be allocated on demand and utilization is low.
In a first aspect, an embodiment of the present invention provides a data processing method, including:
in response to a bastion host request from a user, creating a jump-box application container engine (Docker) container for the user, the jump-box Docker being used to implement the bastion host function;
in response to an access request from the user to a target IP, accessing the target IP through the user's jump-box Docker.
In a second aspect, an embodiment of the present invention provides a data processing method applied to a cluster based on container orchestration technology, on which a service Docker, a jump-box Docker and a container orchestration service run, the method including:
in response to a bastion host request from a user, creating a jump-box Docker for the user through the container orchestration service, the jump-box Docker being used to implement the bastion host function;
in response to an access request from the user to a target IP, accessing the service Docker corresponding to the target IP through the user's jump-box Docker.
In a third aspect, an embodiment of the present invention provides a data processing apparatus, including:
a container management module for, in response to a bastion host request from a user, creating a jump-box Docker for the user, the jump-box Docker being used to implement the bastion host function;
and a bastion host module for, in response to an access request from the user to a target IP, accessing the target IP through the user's jump-box Docker.
In a fourth aspect, an embodiment of the present invention provides a data processing device, including:
a processor, a memory, and a computer program stored in the memory and executable on the processor;
wherein the processor implements the data processing method of the first aspect when executing the computer program.
In a fifth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the data processing method of the first aspect.
With the data processing method, apparatus, device and computer-readable storage medium provided by embodiments of the invention, a jump-box Docker implementing the bastion host function is dynamically created for a user in response to the user's bastion host request, and in response to the user's access request to a target IP the user reaches the corresponding target IP through an independent jump-box Docker. This containerizes the bastion host, allows bastion host resources to be allocated on demand, improves bastion host utilization, and, because each jump-box Docker is used exclusively by one user, ensures the stability and security of the bastion host service.
Drawings
FIG. 1 is a schematic diagram of a system framework provided by an embodiment of the present invention;
FIG. 2 is a flowchart of a data processing method according to an embodiment of the present invention;
FIG. 3 is a flowchart of a data processing method according to a second embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a data processing apparatus according to a third embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a data processing apparatus according to a fourth embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a data processing device according to a fifth embodiment of the present invention.
The above figures illustrate certain embodiments of the invention, which are described in more detail below. The drawings and the description are not intended to limit the scope of the inventive concept in any way, but to illustrate it for those skilled in the art with reference to specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention as detailed in the appended claims.
First, terms used in embodiments of the present invention are explained:
Kubernetes: Kubernetes aims to make deploying containerized applications simple and efficient, and provides mechanisms for application deployment, planning, updating and maintenance.
Sarbanes-Oxley Act (SOX for short): a mandatory act applying to companies listed on securities exchanges in the United States. SOX audits the IT systems, operation logs, bastion host logs, etc. of listed companies.
Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or the number of technical features indicated. In the description of the following embodiments, "plurality" means two or more unless specifically limited otherwise.
With the continuous development of cloud native technology, cloud services occupy a very important position in the internet market, and more and more developers and companies are beginning to deploy applications to the cloud.
Embodiments of the invention can in particular be applied to a cluster based on container orchestration technology, such as a Kubernetes-based cluster. The cluster deploys the service system and the bastion host, and a user must access the service system through the bastion host. As shown in FIG. 1, a service Docker, a jump-box Docker, a bastion host service, a container orchestration service (e.g., Kubernetes, as shown in FIG. 1) and a base service may run on the cluster.
In this embodiment, the service Docker is used to deploy application services, i.e. the business application services that a user actually needs to access; the user cannot access these application services directly and must connect to them through a jump box.
The jump-box Docker implements the bastion host function: after a user selects and connects to a particular service Docker, the user's requests are forwarded into the selected service Docker, an access data log is recorded at the same time, and the access data log is fed back to the bastion host service for auditing.
In this embodiment the Kubernetes service is taken as an example: the Kubernetes service is used to create and destroy jump-box Dockers. The container orchestration service may also be implemented with Mesos, which is not specifically limited in this embodiment.
The base service verifies whether a user has the right to access an application service IP.
The bastion host service provides a user interface (UI) through which users apply for a bastion host, interacts with the base service and the Kubernetes service, and calls them to realize the corresponding functions.
With the data processing method provided by embodiments of the invention, when a user requests a bastion host, a jump-box Docker implementing the bastion host function is dynamically created for that user, and the user reaches the corresponding target IP through a jump-box Docker used exclusively by that user. This containerizes the bastion host, allows bastion host resources to be allocated on demand, improves bastion host utilization, and, because each jump-box Docker is used exclusively by one user, ensures the stability and security of the bastion host service.
The technical solutions of the present invention and how they solve the above technical problems are described below with specific embodiments. The following specific embodiments may be combined with each other, and the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention are described below with reference to the accompanying drawings.
Example one
FIG. 2 is a flowchart of a data processing method according to an embodiment of the present invention. As shown in FIG. 2, the method comprises the following specific steps:
Step S101: in response to a bastion host request from a user, create a jump-box Docker for the user, the jump-box Docker being used to implement the bastion host function.
In this embodiment, based on the user's bastion host request, a jump-box Docker used exclusively by that user can be created, which containerizes the bastion host and allows bastion hosts to be allocated on demand.
Step S102: in response to the user's access request to a target IP, access the target IP through the user's jump-box Docker.
The target IP is the IP of the actual application service the user requests to access; it may be, for example, the IP of the service Docker in which that application service is located.
When the user requests access to the target IP, the target IP is accessed through the jump-box Docker corresponding to the user, which implements the bastion host function.
With the data processing method provided by this embodiment, a jump-box Docker implementing the bastion host function is dynamically created for a user in response to the user's bastion host request, and in response to the user's access request to a target IP the user reaches the corresponding target IP through an independent jump-box Docker. This containerizes the bastion host, allows bastion host resources to be allocated on demand, improves bastion host utilization, and, because each jump-box Docker is used exclusively by one user, ensures the stability and security of the bastion host service.
Example two
FIG. 3 is a flowchart of a data processing method according to a second embodiment of the present invention. Building on the first embodiment, in this embodiment the user's bastion host request includes the application service IP to be accessed, and before a jump-box Docker is created for the user, whether the user has the right to access that application service IP is verified according to the user's identity information; the jump-box Docker is created only if the user has that right. In addition, when a jump-box Docker is created for a user, it is created from the remaining fragment resources of the physical machine, and the jump-box Docker can be destroyed after it expires, so that jump-box Docker resources are recycled and resource utilization improves. As shown in FIG. 3, the method comprises the following specific steps:
Step S201: in response to the user's bastion host request, which includes the application service IP to be accessed, verify according to the user's identity information whether the user has the right to access that application service IP.
In practice, the user can send the bastion host request to the bastion host service through the UI provided by the bastion host service.
The user's bastion host request includes the application service IP to be accessed, which may be the IP of the service Docker in which the application service to be accessed is located.
For example, based on the architecture shown in FIG. 1, after receiving a user's bastion host request, the bastion host service may send a first HTTP request to the base service carrying the user's identity information and the application service IP applied for. The base service verifies, according to the user's identity information, whether the user has the right to access that application service IP and returns the verification result to the bastion host service.
The base service may store the application service corresponding to each application service IP and the permission information of each user for that application service. A user's permission information for an application service may include whether the user is allowed to access the application service and the specific permissions the user has on it.
Optionally, the verification result may be returned to the bastion host service in JSON format.
If the verification result shows that the user does not have access rights to the application service IP, step S202 is executed: prompt information is returned to the user indicating that the user has no access rights to that application service IP, and no bastion host is allocated to the user.
If the verification result shows that the user has the right to access the application service IP, steps S203-S204 are executed to create a jump-box Docker for the user, i.e. to allocate the user an exclusive bastion host.
Step S202: return prompt information to the user.
In this step, the bastion host service can display prompt information on the corresponding UI, indicating that the user does not have access rights to the application service IP currently applied for, so that the user can check the IP and apply again.
Step S203: query the database to determine whether a jump-box Docker of the user already exists.
The database stores at least the following information: user identifier, application service IP information and jump-box IP. The user identifier may be information such as a user account that uniquely identifies a user. The database may further include information such as the SSH command for connecting to the jump box, password, creation time, authorized role, authorized duration, and so on, which is not specifically limited in this embodiment.
If the verification result shows that the user has the right to access the application service IP, the bastion host service can query its database to determine whether a jump-box Docker of the user already exists.
For example, the database is checked for a record containing the current user identifier. If such a record exists, a jump-box Docker has already been allocated to the current user, i.e. the user's jump-box Docker exists; if no such record exists, no jump-box Docker has been allocated to the current user, i.e. the user's jump-box Docker does not exist.
In this step, if it is determined that the user has no jump-box Docker, steps S204-S205 are executed: a jump-box Docker is created for the user and the application service IP applied for this time is recorded in the database.
If it is determined that the user's jump-box Docker already exists, there is no need to create another one; step S205 is executed directly and the application service IP applied for this time is recorded in the database.
Step S204: if the user has no jump-box Docker, create one for the user and record the mapping between the user and the jump-box Docker in the database.
In this embodiment, if it is determined that the user has no jump-box Docker, the bastion host service creates one for the user by calling the container orchestration service (for example, the Kubernetes service).
Because a service Docker usually occupies a large amount of a physical machine's resources, the remaining fragment resources of the physical machine cannot be used; for example, when only 0.5 core and 0.4G of memory remain, these leftover resources cannot be split off for a service Docker.
Preferably, the Kubernetes service creates the jump-box Docker from the remaining fragment resources of the physical machine, so that fragment resources are used effectively and resource utilization improves.
For example, a jump-box Docker may be created with 0.1 core and 0.2G of memory; or with 0.1 core and 0.3G of memory; or with 0.2 core and 0.3G of memory, and so on.
For example, the Kubernetes service creates a jump-box Docker with 0.1 core and 0.2G of memory resources according to the user's identity information.
Optionally, the bastion host service may poll an interface of the Kubernetes service, according to the user's identity information, to learn whether the jump-box Docker was created successfully.
Once the jump-box Docker is determined to have been created successfully, the mapping between the user and the jump-box Docker is recorded in the database.
Step S205: add the application service IP to the application service IP information corresponding to the user in the database.
The application service IP information corresponding to a user in the database stores the application service IPs that the user has applied for.
After the jump-box Docker corresponding to the user is determined, this step adds the application service IP to the user's application service IP information in the database, recording the correspondence between the application service IP, the user and the jump-box Docker.
Optionally, the database may store the application service IP information for each user separately, or may record the jump-box Docker IP corresponding to a user and all of that user's application service IPs in the same data table, which is not specifically limited in this embodiment.
Optionally, a validity period can be set for each application service IP applied for by the user. Within the validity period the user can access the corresponding application service IP through the jump-box Docker; once the validity period has expired, the user can no longer access that application service IP through the jump-box Docker.
Step S206: return the login information of the jump-box Docker to the user.
After the jump-box Docker corresponding to the user is determined, its login information is returned to the user.
The login information of the jump-box Docker may include the jump-box Docker IP, a login password and any other information the user needs to log in to the jump-box Docker, which is not specifically limited in this embodiment.
For example, the bastion host service may display the login information of the jump-box Docker on the user interface.
Optionally, the bastion host service may also display on the user interface a command containing the jump-box Docker's login information, and the user can connect to the corresponding jump-box Docker by executing that command.
Step S207: in response to the user's request to connect to the bastion host, after the user's login information has been verified, obtain the application service IPs the user is authorized to access according to the user's identity information.
When a user needs to connect to the bastion host, the user sends a bastion host connection request, using a local SSH tool and the user's login information, to the corresponding jump-box Docker in order to connect to it. After the jump-box Docker verifies the user's login information, it can obtain the user's identity information.
The jump-box Docker sends a second HTTP request containing the user's identity information to the bastion host service. After receiving it, the bastion host service queries the database according to the user's identity information to obtain the application service IPs the user is authorized to access.
Specifically, the bastion host service obtains the application service IPs applied for by the user from the database, verifies through the base service whether the user has access rights to each applied-for application service IP, and determines the application service IPs the user is authorized to access, so that the user's permissions are verified a second time.
In one possible implementation, if the applied-for application service IPs have validity periods, the bastion host service obtains from the database the application service IPs applied for by the user that are still within their validity period.
For example, the jump-box Docker may send a third HTTP request containing the user's identity to the base service. After receiving the third HTTP request, the base service verifies whether the user currently has access rights to each applied-for application service IP, determines which of the user's applied-for application service IPs the user currently has access rights to, and returns those application service IPs to the bastion host service.
Optionally, the base service can return the application service IPs the user currently has access rights to in JSON format to the bastion host service.
Further, after the application service IPs the user has access rights to are obtained, the user's application service IP information in the database can be updated according to the currently determined set, so that every application service IP recorded in the user's application service IP information in the database is one the user has access rights to.
For example, after the service Docker corresponding to an application service IP applied for by a user fails, that service Docker may be allocated to another application service, i.e. the actual application service behind the application service IP changes, and the user may no longer be authorized to access that application service IP; the corresponding information in the database therefore needs to be updated to control the user's access rights accurately.
For example, after the bastion host service obtains the application service IPs the user has access rights to, it updates the user's application service IP information in the database.
Step S208: display the application service IPs the user has access rights to on a front-end page for the user to select and access.
After the application service IPs the user has access rights to are determined, they are displayed on a front-end page for the user to select and access.
For example, after the bastion host service obtains the application service IPs the user has access rights to, it can return them to the corresponding jump-box Docker in JSON format. The jump-box Docker displays them on its front-end page; the user can browse the application service IPs currently accessible and select a target IP from among them to access.
And S209, responding to the access request of the user to the target IP, and accessing the target IP through a Docker of the user.
After a user selects a target IP, an access request to the target IP can be initiated through a front-end page corresponding to a Docker, and various access operations to application services corresponding to the target IP are realized.
Each access operation of the user to the application service corresponding to the target IP passes through the Docker and is then transmitted to the service Docker of the application service corresponding to the target IP for operation.
Step S210: record and store an access data log of the user's access to the target IP.
In this embodiment, each access operation by the user on the application service corresponding to the target IP passes through the springboard machine Docker before being forwarded to the service Docker of that application service for execution.
In this step, an access data log of the user's access to the target IP can be recorded and stored.
Specifically, the springboard machine Docker records the access data log and sends it to the bastion machine service, and the bastion machine service stores it to support SOX audit.
The access data log may include information such as the target IP, user information, access time and the access operation command; the information recorded in the access data log can be configured and adjusted according to the SOX audit requirements, which this embodiment does not specifically limit.
Illustratively, the springboard machine Docker can send the access data log to the bastion machine service using socket communication over TCP.
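As an added illustration of the access data log path in step S210 (this is not the patent's own code), the following Python builds a log record with the fields named above (target IP, user information, access time, access operation command), encodes it as JSON and frames it with a length prefix on a stream socket from the springboard machine side to the bastion machine side. The record fields, the JSON encoding, the 4-byte length framing and the sample user and IP values are assumptions; socket.socketpair() stands in for the TCP connection so the example runs offline.

```python
import json
import socket
import struct
import threading
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessLogRecord:
    """One entry of the access data log (field set assumed for this example)."""
    target_ip: str      # application service IP the user accessed
    user: str           # user information (here just a user id)
    access_time: str    # ISO-8601 UTC timestamp
    command: str        # access operation command as entered by the user


def make_record(target_ip, user, command, access_time=None):
    """Build a record; the timestamp is taken now unless supplied explicitly."""
    if access_time is None:
        access_time = datetime.now(timezone.utc).isoformat()
    return AccessLogRecord(target_ip, user, access_time, command)


def encode_frame(record):
    """JSON body with a 4-byte big-endian length prefix so the bastion side
    can split consecutive records on a byte stream (framing is an assumption)."""
    body = json.dumps(asdict(record), separators=(",", ":")).encode("utf-8")
    return struct.pack("!I", len(body)) + body


def _read_exact(sock, n):
    """recv() may return short reads; loop until n bytes have arrived."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full frame arrived")
        buf += chunk
    return bytes(buf)


def decode_frame(sock):
    """Read one framed record from a connected socket."""
    (length,) = struct.unpack("!I", _read_exact(sock, 4))
    fields = json.loads(_read_exact(sock, length).decode("utf-8"))
    return AccessLogRecord(**fields)


def ship_records(records):
    """Springboard side sends the records, bastion side receives and stores them.
    socket.socketpair() replaces the real TCP connection for an offline run."""
    bastion_side, springboard_side = socket.socketpair()
    stored = []                      # what the bastion service would persist

    def bastion_receiver():
        for _ in records:
            stored.append(decode_frame(bastion_side))

    receiver = threading.Thread(target=bastion_receiver)
    receiver.start()
    for record in records:
        springboard_side.sendall(encode_frame(record))
    receiver.join()
    bastion_side.close()
    springboard_side.close()
    return stored


if __name__ == "__main__":
    # Constructed sample values, not real hosts or users.
    sample = [make_record("10.0.0.5", "user-a", "uptime"),
              make_record("10.0.0.6", "user-a", "cat /etc/hostname")]
    for r in ship_records(sample):
        print(r)
```

The length prefix matters on a real TCP link: without it, two records sent back to back can arrive in one recv() call and the bastion side cannot tell where one log entry ends, which is exactly the kind of loss an audit store must avoid.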
In a possible implementation of this embodiment, after the springboard machine Docker has been created for the user, steps S211 and S212 may further be executed: a validity period is set for the springboard machine Docker, and once the validity period expires the springboard machine Docker is destroyed and the resources it occupied are recycled.
Step S211: set and store the validity period of the springboard machine Docker.
In this embodiment, this step is performed after the springboard machine Docker is created for the user; it may be performed before or after step S205 or in parallel with it. This embodiment is described, by way of example, as performing it after step S206, and the order of step S206 and step S205 is not limited here.
Step S212: destroy the springboard machine Docker after its validity period has expired.
Optionally, after the springboard machine Docker is created for the user, its validity period may be set and stored. In this step, after the validity period of the springboard machine Docker has expired, the springboard machine Docker is destroyed to recycle the resources corresponding to it.
In another implementation of this embodiment, when a recovery instruction for the bastion machine with a specified IP is received, the springboard machine Docker corresponding to the specified IP may be destroyed to recycle the corresponding resources.
For example, when it is confirmed that the user no longer needs the bastion machine with the specified IP, or the user is no longer allowed to use it, a recovery instruction for the bastion machine with the specified IP can be issued to the bastion machine service through a front-end page or by command.
The embodiment of the invention, in combination with the springboard machine Docker implemented through container resource scheduling, makes the springboard machine Docker used by a user a bastion machine resource exclusive to that user, can create the springboard machine Docker from the remaining fragment resources of a physical machine, and can recycle the corresponding resources after the springboard machine Docker becomes invalid, thereby ensuring stable service, allocating bastion machine resources on demand and improving the utilization rate of the bastion machine. Further, in this embodiment, each time the bastion machine service is applied for, it is verified whether the user has the access authority for the application service IP applied for, and when the user connects to the springboard machine Docker, it is verified again whether the user still has the access authority for the application service IPs already applied for; through this strongly consistent verification the user's access authority for an application service IP is verified twice, so that the bastion machine can be ensured to be trusted and safe.
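To make the two-stage verification concrete, here is an added Python model of the flow in steps S201 to S212; it is an illustration written for this page, not the patent's implementation. The "database" is a pair of in-memory dicts, the identity-based permission source is a callable supplied by the caller, and container creation and destruction are simulated by records; the class and method names, the login-information format and the sample user and IP values are all assumptions. It goes slightly beyond the text by rejecting malformed IP strings before any authority lookup.

```python
import ipaddress
import secrets
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when either verification stage fails."""


@dataclass
class Springboard:
    container_id: str     # stands in for the real springboard machine Docker
    owner: str            # user the container is exclusive to
    expires_at: float     # end of the validity period on the caller-supplied clock
    login: dict           # login information fed back to the user (assumed format)


class BastionService:
    """Bastion machine service: one springboard per user, authority checked at
    apply time and re-checked at connect time, validity period, recycling."""

    def __init__(self, has_authority, clock):
        self._has_authority = has_authority   # callable(user_id, ip) -> bool
        self._clock = clock                   # callable() -> seconds
        self._next_id = 0
        self.user_docker = {}     # user_id -> Springboard (mapping table)
        self.user_ips = {}        # user_id -> set of authorized application service IPs
        self.destroyed = []       # container ids that were recycled

    def apply(self, user_id, ip, ttl):
        """Steps S201-S206: verify, create the springboard if absent, record the IP."""
        ipaddress.ip_address(ip)              # malformed targets never reach the check
        if not self._has_authority(user_id, ip):       # first verification
            raise PermissionDenied(f"{user_id} is not authorized for {ip}")
        sb = self.user_docker.get(user_id)
        if sb is None:                        # no springboard yet: create and map it
            self._next_id += 1
            container_id = f"springboard-{self._next_id}"
            sb = Springboard(
                container_id=container_id,
                owner=user_id,
                expires_at=self._clock() + ttl,       # step S211
                login={"container": container_id, "token": secrets.token_hex(8)},
            )
            self.user_docker[user_id] = sb
        self.user_ips.setdefault(user_id, set()).add(ip)
        return sb.login

    def connect(self, user_id, login):
        """Step S207: once login is verified, re-check every IP applied for and
        update the stored list, since a service Docker may have been reassigned."""
        sb = self.user_docker.get(user_id)
        if sb is None or login != sb.login:
            raise PermissionDenied("login information not verified")
        still_allowed = {ip for ip in self.user_ips.get(user_id, set())
                         if self._has_authority(user_id, ip)}   # second verification
        self.user_ips[user_id] = still_allowed
        return sorted(still_allowed)          # what the front-end page shows

    def access(self, user_id, target_ip, command, audit_log):
        """Steps S209-S210: only IPs on the verified list are reachable and every
        operation is logged (audit_log stands in for the bastion's log store)."""
        if target_ip not in self.user_ips.get(user_id, set()):
            raise PermissionDenied(f"{target_ip} not in verified list for {user_id}")
        audit_log.append((user_id, target_ip, command))
        return f"{self.user_docker[user_id].container_id} -> {target_ip}: {command}"

    def _destroy(self, user_id):
        sb = self.user_docker.pop(user_id)
        self.user_ips.pop(user_id, None)
        self.destroyed.append(sb.container_id)
        return sb.container_id

    def reap_expired(self):
        """Step S212: destroy springboards whose validity period has passed."""
        now = self._clock()
        expired = [u for u, sb in self.user_docker.items() if sb.expires_at <= now]
        return [self._destroy(u) for u in expired]

    def recover(self, container_id):
        """Recovery instruction for a specified springboard; returns the
        recycled container id, or None if no such springboard exists."""
        owner = next((u for u, sb in self.user_docker.items()
                      if sb.container_id == container_id), None)
        return None if owner is None else self._destroy(owner)
```

The point the model makes is that the list shown on the front-end page is recomputed at connect time from the current permission source, not read back from what was stored at apply time, so an IP whose service Docker was reassigned disappears from the list before the user can pick it.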
Example three
Fig. 4 is a schematic structural diagram of a data processing apparatus according to a third embodiment of the present invention. The data processing apparatus provided by this embodiment can execute the processing flow provided by the embodiments of the data processing method. As shown in fig. 4, the data processing apparatus 30 includes a container management module 301 and a bastion machine module 302.
Specifically, the container management module 301 is configured to create a springboard machine Docker for the user in response to the user's bastion machine request, the springboard machine Docker being used to implement the bastion machine function.
The bastion machine module 302 is configured to respond to the user's access request for a target IP by accessing the target IP through the user's springboard machine Docker.
The apparatus provided in the embodiment of the present invention may be specifically configured to execute the method embodiment provided in the first embodiment, and specific functions are not described herein again.
According to the data processing method provided by the embodiment of the invention, a springboard machine Docker implementing the bastion machine function is dynamically created for the user in response to the user's bastion machine request, and in response to the user's access request for a target IP the user accesses the corresponding target IP through that independent springboard machine Docker. This containerizes the bastion machine, allows bastion machine resources to be allocated on demand and improves the utilization rate of the bastion machine; because the springboard machine Docker is exclusive to the user, the stability and safety of the bastion machine service are ensured.
Example four
Fig. 5 is a schematic structural diagram of a data processing apparatus according to a fourth embodiment of the present invention. Building on the third embodiment, as shown in fig. 5, in the present embodiment the data processing apparatus 30 further includes an authority verification module 303, configured to:
verify, where the user's bastion machine request comprises an application service IP to be accessed, whether the user has the authority to access that application service IP according to the identity information of the user.
The container management module 301 is further configured to: if the user has the authority to access the application service IP, create a springboard machine Docker for the user.
In one possible implementation, the container management module 301 is further configured to:
query a database to determine whether a springboard machine Docker of the user exists; and if the user has no springboard machine Docker, create one for the user and record the mapping information of the user and the springboard machine Docker into the database.
In one possible implementation, the container management module 301 is further configured to:
add the application service IP into the application service IP information corresponding to the user in the database.
In one possible implementation, the container management module 301 is further configured to:
create the springboard machine Docker from the remaining fragment resources of a physical machine.
In one possible implementation, the container management module 301 is further configured to:
set and store the validity period of the springboard machine Docker.
In one possible implementation, the container management module 301 is further configured to:
destroy the springboard machine Docker when its validity period has expired.
In one possible implementation, the container management module 301 is further configured to:
feed back the login information of the springboard machine Docker to the user.
In one possible implementation, the authority verification module 303 is further configured to:
respond to the user's request to connect to the bastion machine by acquiring, after the login information of the user has been verified, the application service IPs that the user is authorized to access according to the identity information of the user; and display the application service IPs that the user is authorized to access through a front-end page for the user to select and access.
In one possible implementation, the container management module 301 is further configured to:
update the application service IP information of the user in the database according to the application service IPs that the user is authorized to access.
In one possible implementation, the bastion machine module 302 is further configured to:
record and store an access data log of the user accessing the target IP.
The apparatus provided in the embodiment of the present invention may be specifically configured to execute the method embodiment provided in the second embodiment, and specific functions are not described herein again.
The embodiment of the invention, in combination with the springboard machine Docker implemented through container resource scheduling, makes the springboard machine Docker used by a user a bastion machine resource exclusive to that user, can create the springboard machine Docker from the remaining fragment resources of a physical machine, and can recycle the corresponding resources after the springboard machine Docker becomes invalid, thereby ensuring stable service, allocating bastion machine resources on demand and improving the utilization rate of the bastion machine. Further, in this embodiment, each time the bastion machine service is applied for, it is verified whether the user has the access authority for the application service IP applied for, and when the user connects to the springboard machine Docker, it is verified again whether the user still has the access authority for the application service IPs already applied for; through this strongly consistent verification the user's access authority for an application service IP is verified twice, so that the bastion machine can be ensured to be trusted and safe.
Example five
Fig. 6 is a schematic structural diagram of a data processing apparatus according to a fifth embodiment of the present invention. As shown in fig. 6, the data processing apparatus 100 includes: a processor 1001, a memory 1002, and computer programs stored on the memory 1002 and executable on the processor 1001.
When the processor 1001 runs the computer program, the data processing method provided by any one of the above method embodiments is implemented.
According to the data processing method provided by the embodiment of the invention, a springboard machine Docker implementing the bastion machine function is dynamically created for the user in response to the user's bastion machine request, and in response to the user's access request for a target IP the user accesses the corresponding target IP through that independent springboard machine Docker. This containerizes the bastion machine, allows bastion machine resources to be allocated on demand and improves the utilization rate of the bastion machine; because the springboard machine Docker is exclusive to the user, the stability and safety of the bastion machine service are ensured.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements the data processing method provided in any of the above method embodiments.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.
It should be understood that, although the respective steps in the flowcharts in the above-described embodiments are sequentially shown as indicated by arrows, the steps are not necessarily performed sequentially as indicated by the arrows. The steps are not performed in the exact order shown and may be performed in other orders unless explicitly stated herein. Moreover, at least some of the steps in the figures may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, in different orders, and may be performed alternately or at least partially with respect to other steps or sub-steps of other steps.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This invention is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (15)

1. A data processing method, comprising:
in response to a bastion machine request of a user, creating a springboard machine Docker for the user, wherein the springboard machine Docker is used to implement the bastion machine function; and
in response to an access request of the user for a target IP, accessing the target IP through the springboard machine Docker of the user.
2. The method of claim 1, wherein, before creating the springboard machine Docker for the user in response to the bastion machine request of the user, the method further comprises:
the bastion machine request of the user comprises an application service IP to be accessed, and whether the user has the authority to access the application service IP is verified according to identity information of the user; and
if the user has the authority to access the application service IP, creating the springboard machine Docker for the user.
3. The method of claim 2, wherein creating the springboard machine Docker for the user in response to the bastion machine request of the user comprises:
querying a database to determine whether a springboard machine Docker of the user exists; and
if the user has no springboard machine Docker, creating the springboard machine Docker for the user and recording mapping information of the user and the springboard machine Docker into the database.
4. The method of claim 3, wherein, after recording the mapping information of the user and the springboard machine Docker into the database, the method further comprises:
adding the application service IP into the application service IP information corresponding to the user in the database.
5. The method of any of claims 1-4, wherein creating the springboard machine Docker for the user comprises:
creating the springboard machine Docker from the remaining fragment resources of a physical machine.
6. The method of any of claims 1-4, wherein, after creating the springboard machine Docker for the user, the method further comprises:
setting and storing a validity period of the springboard machine Docker.
7. The method of claim 6, further comprising:
destroying the springboard machine Docker after its validity period has expired.
8. The method of claim 1, wherein, after creating the springboard machine Docker for the user, the method further comprises:
feeding back login information of the springboard machine Docker to the user.
9. The method of claim 8, further comprising:
in response to a request of the user to connect to the bastion machine, after the login information of the user is verified, acquiring the application service IPs that the user is authorized to access according to the identity information of the user; and
displaying the application service IPs that the user is authorized to access through a front-end page for the user to select and access.
10. The method of claim 9, wherein, after acquiring the application service IPs that the user is authorized to access according to the identity information of the user, the method further comprises:
updating the application service IP information of the user in the database according to the application service IPs that the user is authorized to access.
11. The method of claim 1, further comprising:
recording and storing an access data log of the user accessing the target IP.
12. A data processing method applied to a cluster based on container orchestration technology, wherein a service Docker, a springboard machine Docker and a container orchestration service run on the cluster, the method comprising:
in response to a bastion machine request of a user, creating a springboard machine Docker for the user through the container orchestration service, wherein the springboard machine Docker is used to implement the bastion machine function; and
in response to an access request of the user for a target IP, accessing the service Docker corresponding to the target IP through the springboard machine Docker of the user.
13. A data processing apparatus, comprising:
a container management module, configured to create a springboard machine Docker for a user in response to a bastion machine request of the user, the springboard machine Docker being used to implement the bastion machine function; and
a bastion machine module, configured to access a target IP through the springboard machine Docker of the user in response to an access request of the user for the target IP.
14. A data processing apparatus, comprising:
a processor, a memory, and a computer program stored on the memory and executable on the processor;
wherein the processor, when executing the computer program, implements the method of any of claims 1 to 12.
15. A computer-readable storage medium storing a computer program which, when executed by a processor, carries out the method of any one of claims 1 to 12.
CN202010725591.4A 2020-07-24 2020-07-24 Data processing method, device, equipment and computer readable storage medium Pending CN113765963A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010725591.4A CN113765963A (en) 2020-07-24 2020-07-24 Data processing method, device, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010725591.4A CN113765963A (en) 2020-07-24 2020-07-24 Data processing method, device, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN113765963A true CN113765963A (en) 2021-12-07

Family

ID=78785573

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010725591.4A Pending CN113765963A (en) 2020-07-24 2020-07-24 Data processing method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN113765963A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114465766A (en) * 2021-12-27 2022-05-10 天翼云科技有限公司 SSH-based remote access method and device, electronic equipment and storage medium
CN114465766B (en) * 2021-12-27 2023-08-04 天翼云科技有限公司 SSH-based remote access method and device, electronic equipment and storage medium
CN114500023A (en) * 2022-01-18 2022-05-13 江苏银承网络科技股份有限公司 Bastion machine access control method under multi-cloud environment

Similar Documents

Publication Publication Date Title
US11811722B2 (en) Method for processing cloud service in cloud system, apparatus, and device
CN113169952B (en) Container cloud management system based on block chain technology
US9524382B2 (en) System and method for centralizedly controlling server user rights
CN103795690B (en) A kind of method, proxy server and the system of cloud access control
EP3618352B1 (en) Virtual machine management
CN110324338B (en) Data interaction method, device, fort machine and computer readable storage medium
CN111934918A (en) Network isolation method and device for container instances in same container cluster
WO2016173199A1 (en) Mobile application single sign-on method and device
CN113079164B (en) Remote control method and device for bastion machine resources, storage medium and terminal equipment
CN109033857A (en) A kind of method, apparatus, equipment and readable storage medium storing program for executing accessing data
CN113765963A (en) Data processing method, device, equipment and computer readable storage medium
CN110839014A (en) Authentication method, device, computer system and readable storage medium
CN105162774A (en) Virtual machine login method and device used for terminal
CN112073413A (en) Online alliance chain management method and device, computer equipment and storage medium
CN113505354A (en) Data processing method, device and storage medium
CN104967515B (en) A kind of identity identifying method and server
CN102685115B (en) Resource access method, resource management device and system
EP2808820A1 (en) Method of changing password in an industrial automation and control system
EP4087206A1 (en) Internet-of-things device registration method and apparatus, device and storage medium
CN111597537A (en) Block chain network-based certificate issuing method, related equipment and medium
CN111241523A (en) Authentication processing method, device, equipment and storage medium
CN110493175A (en) A kind of information processing method, electronic equipment and storage medium
CN114462003A (en) Server user permission control method and device under multi-type test environment
CN114389868A (en) Method, system and device for distributing cloud resources and storage medium
CN113312111A (en) Instruction processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination