Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the prior art, deploying a security product in a cloud platform requires installing the security product in a virtual machine or container to run it, and then manually creating a virtual network card to connect the virtual instance running the security product with the other virtual servers, so as to establish network communication and provide the corresponding security capability.
In this manual management mode, if a security product goes down or is deleted, the other servers or application systems that depend on it have no uniform way of sensing the event: the effect on other nodes becomes apparent only when access to the whole system is interrupted or becomes abnormal, so the perception capability of the system is poor. Which nodes are affected also has to be judged manually, which can lead to misjudgment or incomplete judgment.
To solve this technical problem, the method of the present invention draws a network topology diagram of the cloud platform, automatically connects the elements in it to generate a cloud platform system, and generates first chained data information of the cloud platform system from the network topology diagram and the information of each element in it. The first chained data information comprises data blocks corresponding to the elements, connected in the order of the network topology diagram; the data block corresponding to any element comprises the information of that element and the hash value of first information, where the first information comprises the hash values of all data blocks before that data block in the first chained data information together with the information of the element. The information of each element in the cloud platform system can then be monitored according to the first chained data information: if the information of any element changes, the hash value in its data block changes, and consequently the hash values in all subsequent data blocks change as well. The first target element whose information changed can therefore be determined from the foremost data block whose hash value changed, and the elements corresponding to the data blocks after it are determined as second target elements affected by the first target element. The abnormal node and the other affected nodes in the cloud platform system are thus obtained quickly, perception capability is improved, and misjudgment or incomplete judgment is avoided.
In the management method of the cloud platform system of the present invention, the electronic device may draw a network topology diagram of the cloud platform through the interface 110 shown in fig. 1a. Icons and names of elements such as network products, security products, server products, network connection lines and other basic network elements may be preconfigured in the first area 111 of the interface 110, and the second area 112 may be the area in which the network topology diagram is drawn and displayed. The user may add the icons of network elements from the first area to the second area, for example by dragging, and connect the elements with the corresponding network connection lines (network cables, optical fibers, 100 Mbps links, gigabit links, etc.) to draw a network topology diagram 121. From the network topology diagram and the information of the elements in it, first chained data information of the cloud platform system is generated, as shown in fig. 1b. The first chained data information comprises data blocks corresponding to the elements, connected in the order of the network topology diagram: the data block corresponding to the internet is the starting data block, the data block corresponding to the server is the final data block, and the data block corresponding to any element comprises the information of that element and the hash value of first information, where the first information comprises the hash values of all data blocks before that data block in the first chained data information together with the information of the element. For example, for the data block corresponding to the firewall, hash value 1 from the preceding data block corresponding to the internet, hash value 2 from the data block of the internet router and the information of the firewall are concatenated to form the first information, and a hash calculation is performed on the first information to obtain hash value 3, which is the hash value in the data block corresponding to the firewall. Finally, the information of each element in the cloud platform system is monitored according to the first chained data information.
The management process of the cloud platform system is explained and illustrated in detail below with reference to specific embodiments.
Fig. 2 is a flowchart of a management method of a cloud platform system according to an embodiment of the present invention. The embodiment provides a management method of a cloud platform system, which comprises the following specific steps:
S201, in response to a drawing operation instruction for the network topology diagram of the cloud platform, generating the network topology diagram of the cloud platform.
In this embodiment, the cloud platform is built in three layers: an IaaS (Infrastructure as a Service) layer, a PaaS (Platform as a Service) layer and a SaaS (Software as a Service) layer. The cloud platform system is deployed as a software system in the IaaS layer and can provide the services of the PaaS layer and the SaaS layer.
When the cloud platform system provides services to users, the underlying virtual machines use KVM (Kernel-based Virtual Machine) technology and the containers use Docker (an application container engine) technology; the security capability of the cloud platform system is embedded in the virtual machines and containers, so no security capability needs to be provided through external security products.
In this embodiment, the cloud platform is built with default security products, including a firewall, a web application firewall, web vulnerability scanning, system vulnerability scanning, database auditing, log auditing, a situation awareness system, a bastion host, a load balancing system, and the like. A user-defined security product can be added as an element and built into the cloud platform by deploying it in a virtual machine or container.
In this embodiment, the network topology refers to a network configuration diagram made up of network node devices and communication media. The network topology may include elements such as network products (switches, routers, etc.), security products, server products and network connection lines.
The electronic device can receive a drawing operation instruction for the network topology diagram of the cloud platform and draw the network topology diagram of the cloud platform in the interface according to the instruction. Specifically, in this embodiment, an interface for drawing and displaying the network topology diagram may be provided. In a first area of the interface, icons and names of elements such as network products, security products, server products and network connection lines may be preconfigured, where the icons correspond to the information security products prestored in the system and to the other basic network elements (network products, server products, network connection lines, etc.). The second area may be the area in which the network topology diagram is drawn and displayed; the user may add the icons of elements from the first area to the second area, for example by dragging, and connect the elements using the corresponding network connection lines (network cables, optical fibers, 100 Mbps links, gigabit links, etc.) to draw the network topology diagram.
Optionally, starting from the topology diagram of an existing cloud platform, the user can also input a drawing operation instruction for the network topology diagram of the cloud platform to add elements to, or delete elements from, the existing topology diagram (in particular security products), so that a modified network topology diagram of the cloud platform is finally generated.
S202, connecting each element in the network topology diagram on the cloud platform according to the network topology diagram, so as to generate a cloud platform system.
In this embodiment, after the network topology map is obtained, each element may be connected on the cloud platform, so as to generate a cloud platform system.
Specifically, in an alternative embodiment, a virtual network card may be automatically generated between adjacent elements, so as to connect the adjacent elements through the virtual network card. In a further alternative embodiment, the virtual network card may be used as an element, and the user may add the virtual network card to the network topology map by dragging.
On the basis of the above embodiment, when a certain element or some elements need to be added to the cloud platform system, the user may input an operation instruction of adding the element, including a target type of the newly added element and a target addition position, for example, the user may drag an icon of the newly added element from the first area to the target addition position of the current network topology map displayed in the second area. Further, the newly added element can be connected to the current cloud platform system through the virtual network card.
For example, to add a firewall between the internet router and the core switch, the icon of the firewall can be dragged to the position between the internet router and the core switch in the current network topology diagram. The cloud platform then deletes the virtual network card between the internet router and the core switch, disconnecting the two elements, and generates two new virtual network cards, one connecting the internet router with the firewall and the other connecting the firewall with the core switch.
S203, generating first chained data information of the cloud platform system according to the network topological graph and information of each element in the network topological graph;
The first chained data information comprises data blocks corresponding to the elements, connected in the order of the network topology diagram. The data block corresponding to any element comprises the information of that element and the hash value of first information, where the first information comprises the hash values of all data blocks before that data block in the first chained data information together with the information of the element.
In this embodiment, in order to better monitor whether each element in the cloud platform system changes, the principle of blockchain technology is borrowed: first chained data information of the cloud platform system is generated from the network topology diagram and the information of each element in it. The first chained data information includes a plurality of data blocks, each corresponding to one element in the network topology diagram, and the data blocks are connected in the order of the network topology diagram. As shown in fig. 1b, for the network topology diagram of fig. 1a, the data block corresponding to the internet is the starting data block, followed in order by the data blocks corresponding to the internet router, the firewall and the core switch, and the data block corresponding to the server is the final data block. Each data block consists of two parts: the information of the corresponding element (such as its configuration information and state information), and a hash value obtained by hashing the combination of the hash values of all data blocks before this data block and the information of the element. For example, for the data block corresponding to the firewall, the hash value in the preceding data block corresponding to the internet, the hash value in the data block of the internet router and the information of the firewall are concatenated to form the first information, and the hash of the first information is used as the hash value in the data block corresponding to the firewall.
S204, monitoring information of each element in the cloud platform system according to the first chained data information.
In this embodiment, once the first chained data information has been obtained, the information of each element in the cloud platform system may be monitored on the basis of it. In particular, if the information of any element changes (for example, its state changes or it goes down), the hash value in the data block corresponding to that element changes accordingly, and the subsequent data blocks also reflect the change; monitoring the hash value in each data block of the first chained data information therefore amounts to monitoring whether each element in the cloud platform system has changed. Optionally, in this embodiment, the first chained data information may be regenerated at preset intervals and compared with the first chained data information before the update; alternatively, whenever any element changes, the first chained data information is updated in real time and compared with the first chained data information before the update, so as to realize the monitoring.
As an optional embodiment, as shown in fig. 3, S204, monitoring information of each element in the cloud platform system according to the first chained data information includes:
S301, if the hash value in at least one data block in the first chained data information changes, determining a first target element with changed information according to the data block with the changed hash value;
S302, determining the element corresponding to each data block after the data block corresponding to the first target element as a second target element affected by the first target element.
In this embodiment, if the hash value in at least one data block of the first chained data information changes, this indicates that the information of at least one element in the first chained data information has changed, and the element whose information changed can be determined from the changed data blocks. Specifically, the information of the element corresponding to the foremost changed data block has certainly changed, so that element is determined as the first target element; whether the information of the elements after it has changed cannot be determined, but they may be affected, so they are determined as second target elements.
Further, a first alarm prompt message is sent to the administrator terminal of the first target element and/or the second target element. The first alarm prompt message prompts the administrator to pay attention to the corresponding target elements and judge whether an abnormal condition has occurred.
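As an added illustration that is not part of the patent text, the following Python builds the first chained data information for a constructed five-element topology and then runs the monitoring step of S301/S302 over it: the chain is regenerated from the current element information, compared block by block with the previous chain, and the foremost changed block yields the first target element while every block after it yields the second target elements. SHA-256 and a canonical JSON serialisation of the element information are assumptions of this example; the patent does not specify a hash function or encoding.

```python
import hashlib
import json

# Constructed sample topology in network order (example data, not from the patent):
# each entry is (element name, element information such as configuration and state).
TOPOLOGY = [
    ("internet",        {"type": "internet"}),
    ("internet_router", {"type": "router",   "state": "up"}),
    ("firewall",        {"type": "firewall", "state": "up", "policy": "default"}),
    ("core_switch",     {"type": "switch",   "state": "up"}),
    ("server",          {"type": "server",   "state": "up"}),
]


def block_hash(prior_hashes, element_info):
    """Hash of the 'first information': the hash values of every earlier data
    block, concatenated with a canonical serialisation of this element's info."""
    first_info = "".join(prior_hashes) + json.dumps(element_info, sort_keys=True)
    return hashlib.sha256(first_info.encode("utf-8")).hexdigest()


def build_chain(topology):
    """Build the first chained data information: one data block per element in
    topology order. The internet block is the starting block, the server block
    the final block; each block stores the element info and its hash value."""
    chain, prior = [], []
    for name, info in topology:
        h = block_hash(prior, info)
        chain.append({"element": name, "info": dict(info), "hash": h})
        prior.append(h)
    return chain


def detect_change(old_chain, new_chain):
    """Compare a freshly generated chain with the previous one.

    Returns (first_target, second_targets): the element of the foremost block
    whose hash changed (its information has certainly changed) and the elements
    of every block after it (they may be affected). (None, []) if nothing changed.
    """
    for i, (old, new) in enumerate(zip(old_chain, new_chain)):
        if old["hash"] != new["hash"]:
            return new["element"], [b["element"] for b in new_chain[i + 1:]]
    return None, []


def monitor(baseline_topology, current_topology):
    """One monitoring round (S204): regenerate the chain from the current element
    information and diff it against the chain built from the baseline."""
    return detect_change(build_chain(baseline_topology), build_chain(current_topology))


def with_state(topology, element, state):
    """Return a copy of the topology with one element's state replaced; used only
    to construct a change event for this example."""
    return [(n, {**i, "state": state} if n == element else dict(i)) for n, i in topology]


if __name__ == "__main__":
    # Constructed event: the firewall goes down. Expected: first target
    # 'firewall', second targets ['core_switch', 'server'].
    first, second = monitor(TOPOLOGY, with_state(TOPOLOGY, "firewall", "down"))
    print("first target:", first, "second targets:", second)
```

Because every block's hash covers all earlier hashes, a change anywhere in the chain invalidates every later block, which is exactly why only the foremost changed block identifies an element that has certainly changed; a second, independent change further down the chain is indistinguishable from propagation and is reported as a second target, as the paragraph above describes.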
According to the management method of the cloud platform system of this embodiment, a network topology diagram of the cloud platform is generated in response to a drawing operation instruction for the network topology diagram of the cloud platform; each element in the network topology diagram is connected on the cloud platform according to the network topology diagram to generate a cloud platform system; first chained data information of the cloud platform system is generated from the network topology diagram and the information of each element in it, where the first chained data information comprises data blocks corresponding to the elements connected in the order of the network topology diagram, the data block corresponding to any element comprises the information of that element and the hash value of first information, and the first information comprises the hash values of all data blocks before that data block in the first chained data information together with the information of the element; and the information of each element in the cloud platform system is monitored according to the first chained data information. In this embodiment, drawing the network topology diagram of the cloud platform and automatically generating the cloud platform system improves the efficiency of constructing the cloud platform system; at the same time, the first chained data information of the cloud platform system is generated and the information of each element is recorded, so that abnormal elements and the other affected elements in the cloud platform system can be quickly identified on the basis of the first chained data information, improving perception capability and judgment accuracy.
As a further improvement of the foregoing embodiment, as shown in fig. 4, after the generating the first chained data information of the cloud platform system, the method may further include:
S401, acquiring the data block type of each data block in the first chained data information;
S402, judging whether the network topology diagram is reasonable according to the data block type of each data block, the position of each data block in the first chained data information and the data block types of the adjacent data blocks;
S403, if the network topology diagram is unreasonable, displaying second alarm prompt information.
In this embodiment, each data block in the first chained data information has a corresponding data block type. For example, the data block type of the "internet" data block is "start data block", and every first chained data information uses a "start data block" as its first data block; the data block type of the "server" data block is "last data block", and every first chained data information uses a "last data block" as its last data block. Data blocks are further classified into different data block types according to the type of product: for example, a firewall product is of the "serial security product" type, and the data blocks behind such a data block must include a server and may include data blocks of switches, routers and the like; a "web tamper resistant" product is of the "deployment security product" type, and a data block of this type must be located immediately before the "server" data block.
Therefore, whether the network topology diagram is reasonable can be judged from the data block type of each data block, the position of each data block in the first chained data information and the data block types of the adjacent data blocks; if an unreasonable position exists, second alarm prompt information is displayed to prompt the user to modify the network topology diagram of the cloud platform.
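The reasonableness check of S401 to S403, as an added Python example that is not part of the patent text. It walks the chain once, checking the start and last blocks by position, a serial security product for a server somewhere behind it, and a deployment security product for the server immediately after it, and returns every violation found so that the second alarm prompt can list them. The data block types follow the examples in the paragraph above; the "network product" type for switches and routers, the element names and the per-element type table are assumptions of this example.

```python
# Data block types. The first four names follow the patent's examples; the
# "network product" type for switches and routers is an assumption of this example.
START, END, SERIAL_SEC, DEPLOY_SEC, NETWORK = (
    "start data block",
    "last data block",
    "serial security product",
    "deployment security product",
    "network product",
)

# Constructed type table (S401 would obtain this from the data blocks themselves).
BLOCK_TYPES = {
    "internet": START,
    "internet_router": NETWORK,
    "core_switch": NETWORK,
    "firewall": SERIAL_SEC,
    "web_tamper_resistant": DEPLOY_SEC,
    "server": END,
}


def check_topology(chain):
    """S402: `chain` is the list of element names in first-chained-data order.

    Returns a list of human-readable reasons the topology is unreasonable;
    an empty list means every positional rule holds. All violations are
    collected rather than stopping at the first one, so the second alarm
    prompt (S403) can show the user everything that needs fixing.
    """
    if not chain:
        return ["chain is empty"]
    types = [BLOCK_TYPES[e] for e in chain]
    n = len(chain)
    problems = []
    # Rule 1/2: the chain must begin with a start block and end with a last block.
    if types[0] != START:
        problems.append(f"first block '{chain[0]}' is not a start data block")
    if types[-1] != END:
        problems.append(f"last block '{chain[-1]}' is not a last data block")
    for i, (elem, t) in enumerate(zip(chain, types)):
        if t == START and i != 0:
            problems.append(f"start data block '{elem}' at position {i}, not first")
        elif t == END and i != n - 1:
            problems.append(f"last data block '{elem}' at position {i}, not last")
        elif t == SERIAL_SEC and END not in types[i + 1:]:
            # Serial security product: a server must exist somewhere behind it.
            problems.append(f"serial security product '{elem}' has no server behind it")
        elif t == DEPLOY_SEC and (i + 1 >= n or types[i + 1] != END):
            # Deployment security product: must sit immediately before the server.
            problems.append(
                f"deployment security product '{elem}' must be immediately before the server")
    return problems


if __name__ == "__main__":
    good = ["internet", "internet_router", "firewall", "core_switch",
            "web_tamper_resistant", "server"]
    bad = ["internet", "web_tamper_resistant", "firewall", "core_switch", "server"]
    print("good topology:", check_topology(good) or "reasonable")
    print("bad topology:", check_topology(bad))
```

The check deliberately works on block types rather than element names, so a user-defined security product added to the platform (L13 above) only needs to be assigned one of the existing types to be validated by the same rules.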
On the basis of any one of the above embodiments, as shown in fig. 5, the method further includes:
S501, generating second chained data information of the cloud platform system according to the network topology diagram and the information of each element in the network topology diagram;
the second chained data information comprises data blocks corresponding to the elements, connected in the reverse order of the network topology diagram; the data block corresponding to any element comprises the information of that element and the hash value of second information, where the second information comprises the hash values of all data blocks before that data block in the second chained data information together with the information of the element;
S502, if any element to be configured requires a configuration change, sending a change request to the administrator device of the element corresponding to each data block before the element to be configured in the second chained data information, so that each administrator device adaptively changes the configuration of its own element and writes the authorization information for the configuration change of the element to be configured, together with the updated information of its element, into the corresponding data block;
S503, performing the configuration change on the element to be configured, and updating the data block of the element to be configured and the subsequent data blocks.
In this embodiment, second chained data information of the cloud platform system may also be generated. It is similar to the first chained data information, the difference being that its data blocks are connected in the reverse order of the network topology diagram: as shown in fig. 6, for the network topology diagram of fig. 1a, the data block corresponding to the server is the starting data block, followed in order by the data blocks corresponding to the core switch, the firewall and the internet router, and the data block corresponding to the internet is the final data block. Each data block again consists of two parts: the information of the corresponding element (such as configuration information and state information) and a hash value obtained by hashing the combination of the hash values of all data blocks before this data block and the information of the element.
In this embodiment, the second chained data information of the cloud platform system is used for authority authentication whenever any element is to be configured. For example, suppose the firewall needs to be configured. Since the firewall's configuration affects the elements behind it in the network topology diagram, such as the core switch and the server, all the elements behind the firewall need to confirm the change: a change request, which may include the information of the firewall, is sent to the administrator devices of the core switch and the server behind the firewall. Each element behind the firewall can then adaptively modify its own configuration according to the information of the firewall, authorize the firewall's configuration change, and write its modified information and the authorization information into its corresponding data block, after which the hash values of the data blocks are recalculated in the order of the second chained data information, i.e. first the hash value of the data block corresponding to the server and then that of the data block corresponding to the core switch. The firewall can then read the authorization information from the data blocks corresponding to the server and the core switch, change its configuration, and update the data block corresponding to the firewall and the data blocks of the other elements. After the configuration of any element is changed, the first chained data information also needs to be changed accordingly.
On the basis of the above embodiment, strong authentication of logins may further be performed according to the second chained data information, as shown in fig. 7, which specifically includes:
S601, if any element to be configured needs to be logged into, sending a login request to the administrator device of the element corresponding to each data block before the element to be configured in the second chained data information, so that each administrator device writes authorization information for logging into the element to be configured into its corresponding data block;
S602, logging into the element to be configured, and updating the data block of the element to be configured and the subsequent data blocks.
In this embodiment, if a certain element to be configured needs to be logged into, the elements behind it in the network topology diagram are affected, since its configuration may be changed after login. Authorization verification may therefore be performed: a login request is sent to the administrator devices of the elements behind the element to be configured in the network topology diagram, i.e. the elements corresponding to each data block before the element to be configured in the second chained data information. If the administrators agree to the login, authorization information for logging into the element to be configured is written into the corresponding data blocks, the hash values of those data blocks are recalculated as needed, and the element to be configured reads the authorization information for its login from the data blocks.
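The reverse-order chain and the authorization flow it supports, as an added Python example that is not part of the patent text; it covers both the configuration change of S501 to S503 and the login authorization of S601/S602, which differ only in what the administrators write into their blocks. The request for a target element goes to the administrators of every block before it in the reverse chain (the elements behind it in the topology); each of them records the authorization, the affected blocks are re-hashed in chain order, and the target reads the authorizations back before applying its change and re-hashing its own block and all later ones. Administrator identifiers, the approval callback, SHA-256 and JSON serialisation are assumptions of this example.

```python
import hashlib
import json

# Constructed sample: (element name, element information, administrator id),
# listed in network order. The second chained data information reverses it.
TOPOLOGY = [
    ("internet",        {"type": "internet"},                     "admin_net"),
    ("internet_router", {"type": "router", "state": "up"},        "admin_net"),
    ("firewall",        {"type": "firewall", "policy": "default"}, "admin_fw"),
    ("core_switch",     {"type": "switch", "vlan": 10},           "admin_sw"),
    ("server",          {"type": "server", "port": 8080},         "admin_srv"),
]


def block_hash(prior_hashes, block):
    """Hash of the 'second information': the hashes of all earlier blocks in the
    reverse chain plus this block's element info and recorded authorizations."""
    payload = json.dumps({"info": block["info"], "auth": block["auth"]}, sort_keys=True)
    return hashlib.sha256(("".join(prior_hashes) + payload).encode("utf-8")).hexdigest()


def rehash_from(chain, start):
    """Recompute hashes from index `start` onward: every block depends on all
    blocks before it, so a change at `start` invalidates everything after it."""
    prior = [b["hash"] for b in chain[:start]]
    for b in chain[start:]:
        b["hash"] = block_hash(prior, b)
        prior.append(b["hash"])


def build_reverse_chain(topology):
    """S501: second chained data information, server first and internet last."""
    chain = [{"element": n, "info": dict(i), "auth": [], "admin": a}
             for n, i, a in reversed(topology)]
    rehash_from(chain, 0)
    return chain


def verify_chain(chain):
    """True if every stored hash matches a recomputation (no block was altered
    without the later blocks being updated)."""
    prior = []
    for b in chain:
        if block_hash(prior, b) != b["hash"]:
            return False
        prior.append(b["hash"])
    return True


def request_authorization(chain, target, request, approve):
    """Send `request` ('configure' or 'login') for `target` to the administrators
    of every block before it in the reverse chain. `approve(admin, target,
    request)` models the administrator device: None refuses, otherwise it returns
    the adaptive configuration changes for that administrator's own element
    (empty for a login). Nothing is written unless every administrator agrees.
    Returns True only when the target can read an authorization from each block."""
    idx = next(i for i, b in enumerate(chain) if b["element"] == target)
    decisions = [(b, approve(b["admin"], target, request)) for b in chain[:idx]]
    if any(d is None for _, d in decisions):
        return False
    for b, adapted in decisions:
        b["info"].update(adapted)
        b["auth"].append({"for": target, "request": request, "by": b["admin"]})
    rehash_from(chain, 0)                      # server block first, then the rest
    return all(any(a["for"] == target and a["request"] == request for a in b["auth"])
               for b in chain[:idx])


def configure(chain, target, new_info, approve):
    """S502/S503: obtain authorization, apply the change to the target, then
    update the target's block and every subsequent block."""
    if not request_authorization(chain, target, "configure", approve):
        return False
    idx = next(i for i, b in enumerate(chain) if b["element"] == target)
    chain[idx]["info"].update(new_info)
    rehash_from(chain, idx)
    return True


def example_approver(admin, target, request):
    """Constructed administrator policy: everyone agrees; on a configure request
    the administrator's own element records an adaptive change."""
    return {"adapted_for": target} if request == "configure" else {}


def refuse_server(admin, target, request):
    """Constructed policy in which the server administrator refuses everything."""
    return None if admin == "admin_srv" else example_approver(admin, target, request)


def demo():
    """Worked scenario: the firewall policy is changed with the server and core
    switch administrators' authorization, then a login to the core switch is
    refused by the server administrator and leaves the chain untouched."""
    chain = build_reverse_chain(TOPOLOGY)
    changed = configure(chain, "firewall", {"policy": "strict"}, example_approver)
    login_ok = request_authorization(chain, "core_switch", "login", refuse_server)
    return {"change_applied": changed,
            "firewall_policy": chain[2]["info"]["policy"],
            "switch_adapted": chain[1]["info"].get("adapted_for"),
            "router_authorizations": len(chain[3]["auth"]),
            "login_authorized": login_ok,
            "chain_valid": verify_chain(chain)}


if __name__ == "__main__":
    print(demo())
```

Note that the element being configured never writes its own authorization: the record lives in the blocks of the elements behind it, and the target merely reads it, so a block whose hash no longer verifies is evidence that an authorization or an element's information was altered out of sequence.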
Fig. 8 is a block diagram of a management device of a cloud platform system according to an embodiment of the present invention. The management device of the cloud platform system provided in this embodiment may execute the processing flow provided by the management method embodiment of the cloud platform system, as shown in fig. 8, where the management device 800 of the cloud platform system includes a drawing module 801, a connection module 802, a generating module 803, and a monitoring module 804.
A drawing module 801, configured to generate a network topology map of the cloud platform in response to a drawing operation instruction for the network topology map of the cloud platform;
a connection module 802, configured to connect, according to the network topology map, each element in the network topology map on a cloud platform, so as to generate a cloud platform system;
a generating module 803, configured to generate, according to the network topology graph and information of each element in the network topology graph, first chained data information of the cloud platform system, where the first chained data information includes data blocks corresponding to each element connected in sequence according to the network topology graph, a data block corresponding to any element includes a hash value of the first information and information of the element, and the first information includes hash values in all data blocks before the data block in the first chained data information and information of the element;
And the monitoring module 804 is configured to monitor information of each element in the cloud platform system according to the first chained data information.
On the basis of any one of the foregoing embodiments, when the monitoring module 804 monitors information of each element in the cloud platform system according to the first chained data information, the monitoring module is configured to:
if the hash value in at least one data block in the first chained data information is changed, determining a first target element with changed information according to the data block with the changed hash value;
and determining the element corresponding to each data block after the data block corresponding to the first target element as a second target element affected by the first target element.
On the basis of any one of the above embodiments, the management device of the cloud platform system further includes an alarm module, configured to send a first alarm prompt message to an administrator terminal of the first target element and/or the second target element.
On the basis of any of the above embodiments, the monitoring module 804 is further configured to:
acquiring the data block type of each data block in the first chained data information;
judging whether the network topological graph is reasonable or not according to the data block type of each data block, the position of each data block in the first chained data information and the data block type of the adjacent data block;
And if the network topological graph is unreasonable, displaying second alarm prompt information.
On the basis of any of the above embodiments, the generating module 803 is further configured to:
generating second chained data information of the cloud platform system according to the network topology diagram and the information of each element in it, where the second chained data information comprises data blocks corresponding to the elements connected in the reverse order of the network topology diagram, the data block corresponding to any element comprises the information of that element and the hash value of second information, and the second information comprises the hash values of all data blocks before that data block in the second chained data information together with the information of the element;
the apparatus further comprises a configuration module 805 for:
if any element to be configured requires a configuration change, sending a change request to the administrator device of the element corresponding to each data block before the element to be configured in the second chained data information, so that each administrator device adaptively changes the configuration of its own element and writes the authorization information for the configuration change of the element to be configured, together with the updated information of its element, into the corresponding data block; and performing the configuration change on the element to be configured, and updating the data block of the element to be configured and the subsequent data blocks.
On the basis of any of the above embodiments, the configuration module 805 is further configured to:
if any element to be configured needs to be logged into, sending a login request to the administrator device of the element corresponding to each data block before the element to be configured in the second chained data information, so that each administrator device writes authorization information for logging into the element to be configured into its corresponding data block;
logging into the element to be configured, and updating the data block of the element to be configured and the subsequent data blocks.
On the basis of any one of the foregoing embodiments, when each element in the network topology is connected on a cloud platform according to the network topology, the connection module 802 is configured to:
and generating a virtual network card between adjacent elements so as to connect the adjacent elements through the virtual network card.
The management device of the cloud platform system provided in the embodiment of the present invention may be specifically used to execute the method embodiments provided in fig. 2 to 5 and fig. 7, and specific functions are not repeated herein.
The management device of the cloud platform system provided by the embodiment of the invention generates the network topology diagram of the cloud platform by responding to the drawing operation instruction of the network topology diagram of the cloud platform; according to the network topology diagram, connecting all elements in the network topology diagram on a cloud platform to generate a cloud platform system; generating first chained data information of the cloud platform system according to the network topology diagram and information of each element in the network topology diagram, wherein the first chained data information comprises data blocks corresponding to each element connected according to the sequence of the network topology diagram, hash values of first information and information of the element are included in the data block corresponding to any element, and the first information comprises hash values of all data blocks before the data block in the first chained data information and information of the element; and monitoring the information of each element in the cloud platform system according to the first chain data information. According to the embodiment, the efficiency of constructing the cloud platform system can be improved by drawing the network topological graph of the cloud platform and automatically generating the cloud platform system, meanwhile, the first chained data information of the cloud platform system is generated, the information of each element is recorded, the abnormal elements and other affected elements in the cloud platform system can be rapidly known based on the first chained data information, and the perception capability and the judgment accuracy are improved.
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. The electronic device provided by the embodiment of the present invention may execute the processing flow provided by the management method embodiment of the cloud platform system. As shown in fig. 9, the electronic device 90 includes a memory 91, a processor 92, and a computer program, wherein the computer program is stored in the memory 91 and configured to be executed by the processor 92 to perform the cloud platform system management method described in the above embodiment. The electronic device 90 may also have a communication interface 93 for transmitting instructions or data.
The electronic device of the embodiment shown in fig. 9 may be used to implement the technical solution of the above-mentioned method embodiment, and its implementation principle and technical effects are similar, and are not repeated here.
In addition, the present embodiment also provides a computer-readable storage medium having stored thereon a computer program that is executed by a processor to implement the method for managing a cloud platform system described in the above embodiment.
In addition, the present embodiment also provides a computer program product, including a computer program, where the computer program is executed by a processor to implement the method for managing a cloud platform system according to the foregoing embodiment.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor to perform part of the steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional modules is illustrated, and in practical application, the above-described functional allocation may be performed by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above. The specific working process of the above-described device may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.