CN114785612B - Cloud platform management method, device, equipment and medium - Google Patents

Info

Publication number: CN114785612B
Authority: CN (China)
Prior art keywords: security component, access, port, relation, cloud platform
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210505401.7A
Other languages: Chinese (zh)
Other versions: CN114785612A (en)
Inventor: 潘高鹏
Current assignee: Sangfor Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Sangfor Technologies Co Ltd

Abstract

The application discloses a cloud platform management method, device, equipment and medium, comprising the following steps: acquiring an access relation establishment request sent by a security component in a cloud platform; responding to the access relation establishment request by establishing an access relation with the security component; and managing the security component through the access relation based on a local port and a port mapping relation, where the port mapping relation is the mapping between the local port and a service port of the security component. Because the security component actively establishes the access relation with the cloud platform, the cloud platform can reach the service in the security component through the local port, using the port mapping relation and the access relation, and manage the security component. Accessing the security component through an access relation that the security component itself initiates towards the cloud platform, together with the port mapping relation, reduces cost while ensuring security.

Description

Cloud platform management method, device, equipment and medium
Technical Field
The present application relates to the field of cloud services, and in particular, to a cloud platform management method, device, equipment, and medium.
Background
At present, a cloud platform that manages security components needs to manage the network to ensure connectivity, but in a VPC (Virtual Private Cloud, a user-defined logically isolated network space on a public cloud) scenario the cloud platform cannot directly access the security component. The existing ways of opening the network are mainly a private-line VPN (Virtual Private Network), mapping an EIP (Elastic IP), an independent network card, and installing proxy software, which have the following problems: 1. Private-line VPN: the technical difficulty is high, and the investment and maintenance costs are high. 2. Mapping an EIP: the network maintenance cost is high and the security is low. 3. Managing through an independent network card: the additional network cards and lines increase cost. 4. Installing an agent: exposing the agent through a mapping leaves the security issue essentially unsolved.
Disclosure of Invention
In view of the above, the present application aims to provide a cloud platform management method, device, equipment and medium, which can reduce cost while ensuring security. The specific scheme is as follows:
in a first aspect, the present application discloses a cloud platform management method, including:
Acquiring an access relation establishment request sent by a security component in a cloud platform;
Responding to the access relation establishment request, and establishing an access relation with the security component;
Based on the local port and the port mapping relation, the security component is managed through the access relation; the port mapping relationship is a mapping relationship between the local port and a service port of the security component.
Optionally, the method further comprises:
acquiring target data sent by the security component through the access relation; wherein the target data is data containing the service port;
and determining the port mapping relation based on the target data.
Optionally, the target data is port data;
correspondingly, the determining the port mapping relation based on the target data includes:
And distributing a local port to the service port based on the port data so as to obtain the port mapping relation.
Optionally, the target data is a port mapping relationship corresponding to the service port preconfigured in the security component;
correspondingly, the determining the port mapping relation based on the target data includes:
And directly determining the target data as the port mapping relation.
Optionally, the method further comprises:
acquiring a newly added service port of the security component through the access relation;
Distributing a local port for the newly added service port, and updating the port mapping relation to obtain an updated port mapping relation;
generating a configuration update task corresponding to the security component based on the updated port mapping relation;
and acquiring a task query request sent by the security component, and responding to the task query request by sending the configuration update task to the security component so that the security component executes the configuration update task.
Optionally, before the obtaining the request for establishing the access relationship sent by the security component in the cloud platform, the method further includes:
acquiring an access request sent by the security component;
And verifying the access request, and if the access request passes the verification, returning a password to the security component so that the security component sends the access relation establishment request based on the password.
Optionally, the method further comprises:
Creating a first process to obtain an access request sent by the security component through the first process; verifying the access request, and if the access request passes the verification, returning a password to the security component;
Creating one or more second processes, wherein each second process is used for acquiring an access relation establishment request sent by a security component in the cloud platform; responding to the access relation establishment request, and establishing an access relation with the security component; and managing the security component through the access relation based on the local port and the port mapping relation.
In a second aspect, the present application discloses a cloud platform management apparatus, applied to a cloud security service platform, including:
The request acquisition module is used for acquiring an access relation establishment request sent by the security component in the cloud platform;
The relation establishing module is used for responding to the access relation establishing request and establishing the access relation with the security component;
The component management module is used for managing the security component through the access relation based on the local port and the port mapping relation; the port mapping relationship is a mapping relationship between the local port and a service port of the security component.
In a third aspect, the application discloses an electronic device comprising a processor and a memory; wherein,
The memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the foregoing cloud platform management method.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, where the computer program when executed by a processor implements the foregoing cloud platform management method.
The method comprises the steps of firstly obtaining an access relation establishment request sent by a security component in a cloud platform, then responding to the access relation establishment request, establishing an access relation with the security component, and finally managing the security component through the access relation based on a local port and a port mapping relation; the port mapping relationship is a mapping relationship between the local port and a service port of the security component. That is, in the application, the security component actively establishes an access relation with the cloud platform, the cloud platform can access the service in the security component through the local port based on the port mapping relation and the access relation, and manage the security component, so that the security component is accessed through the access relation actively established by the security component and the cloud platform and the port mapping relation, and the cost can be reduced while the security is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a system framework to which the cloud platform management scheme provided by the present application is applicable;
FIG. 2 is a flowchart of a cloud platform management method disclosed by the application;
FIG. 3 is a flowchart of a specific cloud platform management method disclosed in the present application;
FIG. 4 is a schematic diagram of a specific cloud platform management architecture according to the present disclosure;
FIG. 5 is a schematic diagram of a specific cloud platform management architecture according to the present disclosure;
FIG. 6 is a flowchart of a cloud platform management access method disclosed by the application;
Fig. 7 is a schematic structural diagram of a cloud platform management device disclosed in the present application;
Fig. 8 is a block diagram of an electronic device according to the present disclosure.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
First, to explain the technical terms involved in the application: a VPC is a user-defined, logically isolated network space on a public cloud, similar to a traditional network operated by the user in a data center; the user's service resources on the private cloud, such as cloud hosts, load balancers and cloud databases, are hosted in the VPC. Users can customize network segment division, IP addresses, routing policies and so on, and achieve multi-layer security protection through security groups, network ACLs (Access Control Lists) and the like. At the same time, the VPC and the user's data center can be connected through a VPN or a private line, so a hybrid cloud can be deployed flexibly. NFV (Network Functions Virtualization) is a network architecture concept that uses virtualization technology to divide the functions of a network node into several functional blocks implemented in software and not tied to a particular hardware architecture. CSSP (Cloud Security Service Platform) provides administrator and tenant interfaces: a tenant can select and apply for the needed security components on the interface, manage them, and check their authorization and running state; an administrator can review and approve the tenant's component applications on the interface and allocate the corresponding security components; the management platform is the bridge between the user and the underlying platform, and implements access path definition and full life-cycle management for the tenant network and the security components. The cloud platform in the application can be a CSSP, and the security component can be an NFV component.
In the VPC scenario, the cloud platform cannot directly access the security component to manage it, and the existing ways of opening the network are mainly a private-line VPN, mapping an EIP, an independent network card, and installing proxy software, which have the following problems: 1. Private-line VPN: the technical difficulty is high, and the investment and maintenance costs are high. 2. Mapping an EIP: the network maintenance cost is high and the security is low. 3. Managing through an independent network card: the additional network cards and lines increase cost. 4. Installing an agent: exposing the agent through a mapping leaves the security issue essentially unsolved. Therefore, the cloud platform management scheme provided by the application can reduce cost while ensuring security.
In the cloud platform scheme of the present application, the adopted system framework may be as shown in fig. 1 and may include a server, a user side and a network. The user side includes, but is not limited to, tablet computers, notebook computers, smart phones and personal computers (PCs).
A user operates the user terminal, which triggers the security component in the cloud platform to send an access relation establishment request to the cloud platform, and the server executes the following steps: acquiring the access relation establishment request sent by the security component in the cloud platform; responding to the access relation establishment request by establishing an access relation with the security component; and managing the security component through the access relation based on the local port and the port mapping relation, where the port mapping relation is the mapping between the local port and a service port of the security component.
Referring to fig. 2, the embodiment of the application discloses a cloud platform management access method, which comprises the following steps:
step S11: and acquiring an access relation establishment request sent by a security component in the cloud platform.
In one embodiment, before an access relation establishment request sent by a security component in a cloud platform is obtained, obtaining an access request sent by the security component; and verifying the access request, and if the access request passes the verification, returning a password to the security component so that the security component sends the access relation establishment request based on the password.
Further, in a specific embodiment, an access request carrying a verification code sent by the security component may be obtained, the access request is verified by the verification code, and if the verification code is consistent with the local verification code, it is determined that the access request passes the verification.
The security component obtains the IP address or domain name of the cloud platform entered by the user and sends the access request to the cloud platform; before sending the access request, it checks the validity of the entered IP address or domain name as a parameter.
Step S12: and responding to the access relation establishment request, and establishing an access relation with the security component.
In a specific embodiment, the encrypted data carried in the access relation establishment request may be decrypted based on the password, so as to obtain decrypted data; and establishing an access relation with the security component based on the decrypted data. That is, only if decryption is successful, the access relation with the security component is established, and the validity check of the security component is realized.
In the subsequent communication, the security component also exchanges data with the cloud platform based on the password. That is, when the security component sends data to the cloud platform, the data can be encrypted with the password, and the cloud platform decrypts it after receiving it, so that the communication security is ensured.
Step S13: based on the local port and the port mapping relation, the security component is managed through the access relation; the port mapping relationship is a mapping relationship between the local port and a service port of the security component.
In a specific embodiment, service logic in the cloud platform accesses the local IP address and the local port, then accesses the service in the security component based on the local port and the port mapping relation, and manages the security component through the access relation.
Further, the embodiment of the application can acquire the target data sent by the security component through the access relation; wherein the target data is data containing the service port; and determining the port mapping relation based on the target data. That is, the port mapping relation in the embodiment of the application is determined based on the data sent by the security component, and the cloud platform obtains the service port of the security component, which is open to the outside, through the data sent by the security component, so that the security of the security component is further ensured.
In a specific embodiment, the target data is the port data; correspondingly, the determining the port mapping relation based on the target data includes: and distributing a local port to the service port based on the port data so as to obtain the port mapping relation. It can be understood that after determining the port mapping relationship, the cloud platform sends the port mapping relationship to the security component, so that when the security component receives a service access request sent by the cloud platform, the security component sends the service access request to a corresponding service port based on the port mapping relationship, so as to realize access to a corresponding service in the security component.
In another embodiment, the target data is a port mapping relationship corresponding to the service port preconfigured in the security component; correspondingly, the determining the port mapping relation based on the target data includes: and directly determining the target data as the port mapping relation. That is, the embodiment of the application can pre-configure the mapping relation between the service port and the port of the cloud platform in the security component.
In addition, the embodiment of the application can acquire the newly added service port of the security component through the access relation; and distributing a local port for the newly added service port, and updating the port mapping relation to obtain an updated port mapping relation.
Moreover, the embodiment of the application can generate a configuration update task corresponding to the security component based on the updated port mapping relation, acquire a task query request sent by the security component, and in response to the task query request send the configuration update task to the security component so that the security component executes it. The task query request is a request the security component sends at regular intervals.
In addition, after the access request passes the verification, the embodiment of the application can return a public key to the security component, so that the security component sends the task query request based on the public key, i.e. the security component encrypts the task query request data with the public key before sending it. This further ensures the communication security between the security component and the cloud platform.
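The handshake and port-mapping steps described above (access request carrying a verification code, password returned, sealed access relation establishment request, local ports allocated per service port, configuration update tasks fetched by the regular task query), as an added Python illustration that is not part of the patent or of any Sangfor product. The message formats, the HMAC-SHA256 counter-mode cipher standing in for the encryption the patent leaves unspecified, the verification code, component ids and the local port range are all assumptions, and the public key used for the task query is omitted.

```python
import hashlib
import hmac
import json
import os
import secrets

NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the cipher the patent leaves unspecified.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a key derived from the password the platform handed out."""
    key = hashlib.sha256(password.encode()).digest()
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(password: str, blob: bytes):
    """Return the plaintext, or None when the tag fails (wrong password or tampered data)."""
    key = hashlib.sha256(password.encode()).digest()
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class CloudPlatform:
    """CSSP side: checks the verification code, issues passwords, owns the port mapping."""
    def __init__(self, verification_code: str, first_local_port: int = 20000):
        self._code = verification_code.encode()
        self._passwords = {}  # component id -> password shared with that component
        self.mappings = {}    # component id -> {service port: local port}
        self._next_local = first_local_port
        self._tasks = {}      # component id -> configuration update tasks not yet fetched

    def handle_access_request(self, component_id: str, verification_code: str):
        # Before S11: constant-time compare of the code; a password is issued only on success.
        if not hmac.compare_digest(verification_code.encode(), self._code):
            return None
        self._passwords[component_id] = secrets.token_hex(16)
        return self._passwords[component_id]

    def handle_establish_request(self, component_id: str, sealed: bytes) -> bool:
        # S12: the access relation exists only if the payload decrypts under the issued password.
        password = self._passwords.get(component_id)
        plain = unseal(password, sealed) if password else None
        if plain is None:
            return False
        self.mappings[component_id] = {}
        for service_port in json.loads(plain)["service_ports"]:
            self._allocate(component_id, service_port)
        return True

    def _allocate(self, component_id: str, service_port: int) -> int:
        # A fresh local port per service port; ports already mapped keep their local port.
        mapping = self.mappings[component_id]
        if service_port not in mapping:
            mapping[service_port], self._next_local = self._next_local, self._next_local + 1
        return mapping[service_port]

    def add_service_port(self, component_id: str, service_port: int) -> int:
        # Newly added service port: extend the mapping and queue a configuration update task.
        if component_id not in self.mappings:
            raise PermissionError("no access relation with " + component_id)
        local_port = self._allocate(component_id, service_port)
        self._tasks.setdefault(component_id, []).append(
            {"type": "config_update", "port_mapping": dict(self.mappings[component_id])})
        return local_port

    def handle_task_query(self, component_id: str) -> list:
        # The component polls at regular intervals; each task is handed over exactly once.
        return self._tasks.pop(component_id, [])

class SecurityComponent:
    """NFV side: starts every exchange, so it needs no inbound reachability from the CSSP."""
    def __init__(self, component_id: str, service_ports):
        self.component_id, self.service_ports = component_id, list(service_ports)
        self.port_mapping, self._password = {}, None

    def connect(self, platform: CloudPlatform, verification_code: str) -> bool:
        # Access request -> password -> sealed access relation establishment request.
        self._password = platform.handle_access_request(self.component_id, verification_code)
        if self._password is None:
            return False
        payload = json.dumps({"service_ports": self.service_ports}).encode()
        return platform.handle_establish_request(self.component_id, seal(self._password, payload))

    def poll_tasks(self, platform: CloudPlatform) -> int:
        # The regular task query; returns how many tasks were fetched and applied.
        tasks = platform.handle_task_query(self.component_id)
        for task in tasks:
            if task["type"] == "config_update":
                self.port_mapping = dict(task["port_mapping"])
        return len(tasks)
```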
It can be seen that, in the embodiment of the present application, an access relationship establishment request sent by a security component in a cloud platform is first obtained, then an access relationship with the security component is established in response to the access relationship establishment request, and finally the security component is managed through the access relationship based on a local port and a port mapping relationship; the port mapping relationship is a mapping relationship between the local port and a service port of the security component. In other words, in the embodiment of the application, the security component actively establishes the access relation with the cloud platform, the cloud platform can access the service in the security component through the local port based on the port mapping relation and the access relation, and manage the security component, so that the security can be ensured and the cost can be reduced at the same time through the access relation established between the security component actively and the cloud platform and the access of the security component through the port mapping relation.
Referring to fig. 3, the embodiment of the application discloses a specific cloud platform management access method, which comprises the following steps:
step S21: and creating a first process to acquire an access request sent by the security component through the first process, verifying the access request, and if the access request passes the verification, returning a password to the security component.
The security component comprises a third process, and the third process is a process used for sending the access request to the cloud platform in the security component.
That is, in a specific embodiment, an access request is sent to a first process by a third process in a security component, and the first process obtains the access request sent by the security component; and verifying the access request, and if the access request passes the verification, returning a password and a public key to the security component.
In a specific embodiment, the first process performs parameter validity verification and storage on the IP address or domain name of the cloud service platform input by the user, and monitors the survival state of the second process.
Step S22: creating one or more second processes, wherein each second process is used for acquiring an access relation establishment request sent by a security component in the cloud platform; responding to the access relation establishment request, and establishing an access relation with the security component; and managing the security component through the access relation based on the local port and the port mapping relation.
Further, the second process is further configured to obtain, through the access relationship, target data sent by the security component; wherein the target data is data containing the service port; and determining the port mapping relation based on the target data. For specific implementation manners of determining the port mapping relationship, reference may be made to the foregoing embodiments, and no description is repeated here.
Further, the second process is further configured to obtain a newly added service port of the security component through the access relation, allocate a local port for the newly added service port, and update the port mapping relation to obtain an updated port mapping relation. Correspondingly, the first process is also used to generate a configuration update task corresponding to the security component based on the updated port mapping relation, acquire a task query request sent by the security component, and in response to the task query request send the configuration update task to the security component so that the security component executes it. The first process issues the configuration update task to the third process of the security component, so that the third process executes it.
In a specific embodiment, the load balancing agent may obtain access relationship establishment requests sent by the plurality of security components, and send the plurality of access relationship establishment requests to the plurality of second processes respectively.
In a specific embodiment, the load balancing agent may be configured by a preset rule, for example, configured according to an IP address of the security component, so as to send a plurality of access relationship establishment requests to a plurality of second processes respectively.
That is, when the cloud platform needs to serve a large number of security components, the embodiment of the application can achieve load balancing through the load balancing agent, thereby improving reliability and processing performance.
Further, in the embodiment of the present application, a first process to be upgraded may be determined from the first process and the second process; and acquiring a first target program upgrading packet corresponding to the first process to be upgraded, and performing program upgrading on the first process to be upgraded by using the first target program upgrading packet.
And a second process to be upgraded can be determined from the third process and the fourth process; and acquiring a second target program upgrading packet corresponding to the second process to be upgraded, and performing program upgrading on the second process to be upgraded by using the second target program upgrading packet. And the fourth process is a process for sending an access relation establishment request to a cloud platform and responding to a service access request sent by the second process in the security component. And the fourth process sends an access relation establishment request based on the IP address or domain name of the cloud platform input by the user and acquired by the first process.
In a specific embodiment, an upgrade task corresponding to the security component may be generated based on the second target program upgrade package; a task query request sent by the security component is acquired, and in response to it the upgrade task is issued to the security component, so that the security component executes the upgrade task and upgrades the second process to be upgraded with the second target program upgrade package. In a specific embodiment, the upgrade task is issued to the third process of the security component, so that the third process uses the second target program upgrade package to upgrade the second process to be upgraded.
It should be noted that, in the embodiment of the present application, a first process to be upgraded may be determined from the first process and the second process through the first process; and acquiring a first target program upgrading packet corresponding to the first process to be upgraded, and performing program upgrading on the first process to be upgraded by using the first target program upgrading packet. In a specific embodiment, the second process to be upgraded may be determined from the third process and the fourth process through the first process; and acquiring a second target program upgrading packet corresponding to the second process to be upgraded, and performing program upgrading on the second process to be upgraded by using the second target program upgrading packet.
In a specific embodiment, the third process performs data transmission based on the public key and the first process, and the fourth process performs data transmission based on the password and the second process, so as to ensure security.
Therefore, according to the embodiment of the application, the access channel of the cloud platform to the security component is opened through the second process in the cloud platform and the fourth process in the security component, so that the business logic of the cloud platform can access the business of the security component through the local port and the IP, the reliability and the security of the second process and the fourth process are ensured through the first process in the cloud platform and the third process in the security component, and the subsequent maintenance is facilitated.
For example, referring to fig. 4, fig. 4 is a specific cloud platform management architecture diagram disclosed in an embodiment of the present application. The cloud platform is a CSSP and the security component is an NFV component. On the NFV side a third process is created and named the management and control plane process a, and a fourth process is created and named the data plane process b; on the CSSP side a first process is created and named the management and control plane process d, and a second process is created and named the data plane process e. In addition, the NFV side further includes a service process c, and the CSSP side further includes a service process f. The data tunnel between the NFV and the CSSP is opened by the data plane processes, so the existing business logic of the CSSP can access the services in the NFV by accessing a local IP and port, while the reliability, security and subsequent maintenance of the data plane processes are ensured by the management and control plane processes. The management and control plane process a is mainly used to verify and store the user-entered IP or CSSP domain name, guarantee the security and legality of the data plane process, monitor the data plane process b, handle subsequent upgrade and maintenance, and request and execute tasks from the peer through timed polling. The data plane process b acts as the client of the data plane: it uses the CSSP IP address or domain name entered by the user to actively connect to the data plane process e of the CSSP, establishes a reverse data tunnel, and forwards the traffic from the peer server to the local services. The service process c corresponds to the original services of the NFV, such as web console login and major-version upgrades of the NFV.
The management and control plane process d is mainly used to implement legal access of the NFV's management and control plane, allocate local resources for the NFV, i.e. allocate local ports for the acquired service ports, and upgrade and maintain the NFV's management plane and data plane processes. The data plane process e acts as the server of the data plane: it checks the legality of the client, opens a local reverse proxy tunnel mapped to the NFV, and forwards local traffic to the client. The service process f corresponds to the original services of the CSSP, such as authorization, single sign-on and NFV upgrades.
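A single-host sketch of the data plane tunnel of fig. 4 (process b dialling out to process e, process f reaching the NFV's service c only through a local port on the CSSP), added here as an illustration and not taken from the patent or any product. The 2-byte header in which e names the service port to b, plain TCP without the password-based encryption, the OS-chosen local port numbers and the echo-style service are all assumptions.

```python
import asyncio

async def _pipe(reader, writer):
    # Copy one direction until EOF, then close the far side so the peer sees EOF too.
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def _bridge(a_reader, a_writer, b_reader, b_writer):
    await asyncio.gather(_pipe(a_reader, b_writer), _pipe(b_reader, a_writer), return_exceptions=True)

class DataPlaneServer:
    """Process e on the CSSP: accepts tunnels dialled by b, listens on one local port per
    mapped service port, and never connects into the NFV itself."""

    def __init__(self):
        self.idle = asyncio.Queue()  # tunnels opened by b that are not serving a request yet
        self.local_ports = {}        # service port on the NFV -> local port allocated here
        self.servers = []

    async def start(self, service_ports):
        srv = await asyncio.start_server(self._on_tunnel, "127.0.0.1", 0)
        self.tunnel_port = srv.sockets[0].getsockname()[1]
        self.servers.append(srv)
        for service_port in service_ports:  # the port-mapping relation is built here
            srv = await asyncio.start_server(
                lambda r, w, sp=service_port: self._on_local(r, w, sp), "127.0.0.1", 0)
            self.local_ports[service_port] = srv.sockets[0].getsockname()[1]
            self.servers.append(srv)

    async def _on_tunnel(self, reader, writer):
        done = asyncio.get_running_loop().create_future()
        await self.idle.put((reader, writer, done))
        await done  # keep the handler alive until this tunnel has been used

    async def _on_local(self, reader, writer, service_port):
        # Business logic f connected to a local port: take an idle tunnel, name the service
        # port to b in a 2-byte header (assumed framing), then splice the two streams.
        t_reader, t_writer, done = await self.idle.get()
        try:
            t_writer.write(service_port.to_bytes(2, "big"))
            await t_writer.drain()
            await _bridge(reader, writer, t_reader, t_writer)
        finally:
            done.set_result(None)

class DataPlaneClient:
    """Process b on the NFV: dials out to e (outbound only), keeps a pool of idle tunnels
    and forwards each activated tunnel to the local service it names."""

    def __init__(self, host, tunnel_port, services):
        self.host, self.port = host, tunnel_port
        self.services = services  # service port -> port the real service listens on

    def run(self, pool_size=2):
        return [asyncio.create_task(self._tunnel()) for _ in range(pool_size)]

    async def _tunnel(self):
        # A production client would reconnect with back-off when e goes away.
        while True:
            t_reader, t_writer = await asyncio.open_connection(self.host, self.port)
            try:
                service_port = int.from_bytes(await t_reader.readexactly(2), "big")
                if service_port not in self.services:  # only mapped ports are reachable
                    continue
                s_reader, s_writer = await asyncio.open_connection(
                    "127.0.0.1", self.services[service_port])
                await _bridge(t_reader, t_writer, s_reader, s_writer)
            finally:
                t_writer.close()

async def _service(reader, writer):
    # Stand-in for service process c (e.g. the NFV web console): answer once, hang up.
    writer.write(b"nfv-console:" + await reader.read(4096))
    await writer.drain()
    writer.close()

async def demo():
    service = await asyncio.start_server(_service, "127.0.0.1", 0)
    e = DataPlaneServer()
    await e.start(service_ports=[443])  # 443: the NFV's advertised service port (constructed)
    b = DataPlaneClient("127.0.0.1", e.tunnel_port, {443: service.sockets[0].getsockname()[1]})
    tunnels = b.run()
    # Service process f on the CSSP only ever talks to 127.0.0.1:<local port>.
    reader, writer = await asyncio.open_connection("127.0.0.1", e.local_ports[443])
    writer.write(b"ping")
    await writer.drain()
    reply = await reader.read()
    writer.close()
    for task in tunnels:
        task.cancel()
    await asyncio.gather(*tunnels, return_exceptions=True)
    for srv in [service, *e.servers]:
        srv.close()
    return reply

def run_demo() -> bytes:
    return asyncio.run(demo())  # b"nfv-console:ping"
```

Everything runs on loopback, so the only listener the NFV side ever exposes is the real service, and the CSSP side reaches it solely through the tunnel b initiated.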
It can be appreciated that the present application solves the problem of CSSP nanotube NFV by installing agents, i.e., management plane processes and data plane processes, on NFV and CSSP, in single or multiple VPC scenarios, where the CSSP cannot directly access NFV, but where the NFV can access CSSP, without affecting external networks, and with ease of use, security, and maintainability.
Thousands of NFVs may be required for a single CSSP to be load balanced to multiple data plane processes e inside by introducing a reverse proxy g. Referring to fig. 5, fig. 5 is a specific cloud platform management architecture diagram disclosed in an embodiment of the present application. The reverse proxy g, through a certain rule configuration, load balances the data channels of a plurality of NFVs to a plurality of internal data surface processes, thereby improving the reliability and the processing performance.
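As an added illustration of the reverse proxy g in fig. 5 (example code written for this page, not code from the patent or from any Sangfor product), the following Python models the rule by which the data channels of many NFVs are spread across several data plane processes e. The patent only says "a certain rule configuration"; this example assumes consistent hashing keyed on the component identifier, so that an NFV reconnecting its tunnel lands on the same data plane process while that process is healthy, and only the channels of a failed process are moved. The class name, method names and backend names are assumptions.

```python
import bisect
import hashlib
from typing import Dict, List, Optional

# Added example: a model of reverse proxy g from fig. 5. Backend names such as
# "dataplane-e1" are constructed for the example, and the consistent-hashing
# rule is an assumption; the patent does not fix the balancing rule.


class ReverseProxy:
    """Maps each security component's data channel to one data plane process."""

    def __init__(self, backends: List[str], replicas: int = 64) -> None:
        # Hash ring of (position, backend). Each backend gets several virtual
        # nodes so that load spreads evenly even with only a few backends.
        self._ring: List[tuple] = []
        for backend in backends:
            for i in range(replicas):
                self._ring.append((self._position(f"{backend}#{i}"), backend))
        self._ring.sort()
        self._healthy = set(backends)

    @staticmethod
    def _position(key: str) -> int:
        # 64 bits of SHA-256 are enough for ring placement; this is not a
        # security boundary, only a stable placement function.
        return int(hashlib.sha256(key.encode()).hexdigest()[:16], 16)

    def mark_down(self, backend: str) -> None:
        """Data plane process e stopped answering: exclude it from assignments."""
        self._healthy.discard(backend)

    def mark_up(self, backend: str) -> None:
        self._healthy.add(backend)

    def pick(self, component_id: str) -> Optional[str]:
        """Choose the data plane process that terminates this NFV's tunnel.

        Walks the ring clockwise from the component's position and returns
        the first healthy backend, so a component assigned to a healthy
        backend keeps its assignment when some other backend fails.
        """
        if not self._healthy:
            return None
        start = bisect.bisect_left(self._ring, (self._position(component_id), ""))
        size = len(self._ring)
        for step in range(size):
            _, backend = self._ring[(start + step) % size]
            if backend in self._healthy:
                return backend
        return None


def distribution(proxy: ReverseProxy, component_ids: List[str]) -> Dict[str, int]:
    """Count how many components each data plane process would receive."""
    counts: Dict[str, int] = {}
    for cid in component_ids:
        backend = proxy.pick(cid)
        if backend is not None:
            counts[backend] = counts.get(backend, 0) + 1
    return counts


if __name__ == "__main__":
    proxy = ReverseProxy(["dataplane-e1", "dataplane-e2", "dataplane-e3"])
    ids = [f"nfv-{n:04d}" for n in range(300)]  # constructed component ids
    print(distribution(proxy, ids))
    proxy.mark_down("dataplane-e2")
    print(distribution(proxy, ids))
```

The stickiness matters operationally: the server side of a tunnel (data plane process e) holds the per-component state that the legitimacy check and the port mapping depend on, so an NFV that reconnects after a blip should not be bounced to a process that has never seen it unless its own process is gone.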
Referring to fig. 6, an embodiment of the application discloses a cloud platform management method, which is applied to a security component and includes:
step S31: and sending an access relation establishment request to a cloud platform so that the cloud platform responds to the access relation establishment request to establish the access relation with the security component.
In a specific embodiment, before sending the connection request (i.e. the access relation establishment request) to the cloud platform, the security component sends an access request to the cloud platform; the cloud platform verifies the access request and, if it passes verification, returns a password to the security component; the security component then sends the access relation establishment request based on the password, so that the cloud platform decrypts the encrypted data carried in the access relation establishment request using the password to obtain decrypted data, and establishes the access relation with the security component based on the decrypted data.
Step S32: responding to a service access request sent by the cloud platform so that the cloud platform accesses the service in the security component to manage the security component; the service access request is an access request which is sent by the cloud platform based on a local port and a port mapping relation of the cloud platform and through the access relation, and the port mapping relation is a mapping relation between the local port and a service port of the security component.
In one embodiment, the target data may be sent to the cloud platform through an access relationship; and the cloud platform determines the port mapping relation based on the target data, wherein the target data is data containing the service port.
In a specific embodiment, the target data is port data; correspondingly, the cloud platform allocates a local port to the service port based on the port data so as to obtain the port mapping relation.
In another specific embodiment, the target data is a port mapping relationship corresponding to the service port preconfigured in the security component; and the cloud platform directly determines the target data as the port mapping relation.
Furthermore, in the embodiment of the application, a newly added service port of the security component can also be sent to the cloud platform through the access relation, so that the cloud platform allocates a local port for the newly added service port and updates the port mapping relation to obtain an updated port mapping relation.
In addition, in the embodiment of the application, the configuration update task issued by the cloud platform can be acquired and executed by sending a task query request to the cloud platform; the configuration update task is generated by the cloud platform based on the updated port mapping relation.
Further, in a specific embodiment, a third process and a fourth process may be created, where the third process is configured to send the access request to the cloud platform, and the fourth process is configured to send the access relation establishment request to the cloud platform and to respond to the service access request sent by the second process.
A task query request can also be sent to the cloud platform so that the cloud platform responds to the task query request by issuing an upgrade task to the security component. Correspondingly, the security component executes the upgrade task to upgrade the second process to be upgraded using the second target program upgrade package.
The upgrade task is an upgrade task corresponding to the security component, generated by the cloud platform based on the second target program upgrade package; the second target program upgrade package is a program upgrade package, acquired by the cloud platform, that corresponds to the second process to be upgraded, which is determined from the third process and the fourth process.
Therefore, the cloud platform can access the service in the security component through the local port based on the port mapping relation and the access relation; because the security component is accessed through an access relation that it actively established with the cloud platform and through the port mapping relation, security is ensured while cost is reduced.
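The port mapping embodiments above (local ports allocated by the platform from port data, a preconfigured mapping taken as-is, a newly added service port triggering an updated mapping, and the configuration update task fetched by a task query) can be modelled on the platform side in a few dozen lines. The following Python is an added example written for this page, not the patent's or any vendor's implementation; the class `PortMappingRegistry`, the local port range, the task format and the use of 127.0.0.1 as the "local IP" are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Added example, not the patent's code. Models the CSSP-side bookkeeping for
# steps S31/S32: service ports reported by a security component are mapped to
# local ports on the platform, and mapping changes are queued as tasks that the
# component fetches by polling. All names and the port range are assumptions.

PortMapping = Dict[int, int]   # service port on the component -> local port on the platform


@dataclass
class ComponentState:
    mapping: PortMapping = field(default_factory=dict)
    pending_tasks: List[dict] = field(default_factory=list)


class PortMappingRegistry:
    """Keeps the port mapping relation of every managed security component."""

    def __init__(self, local_range: Tuple[int, int] = (20000, 29999)) -> None:
        self._next_local, self._last_local = local_range
        self._in_use: set = set()
        self._components: Dict[str, ComponentState] = {}

    def _allocate_local_port(self) -> int:
        # Platform-side allocation: hand out the next free local port.
        while self._next_local <= self._last_local:
            port = self._next_local
            self._next_local += 1
            if port not in self._in_use:
                self._in_use.add(port)
                return port
        raise RuntimeError("local port pool exhausted")

    def determine_mapping(self, component_id: str,
                          target_data: Union[List[int], PortMapping]) -> PortMapping:
        """Determine the port mapping relation from the target data the component sent.

        A list of service ports means the platform allocates the local ports itself;
        a dict is a mapping preconfigured in the component and is taken as-is, after
        checking that it does not collide with local ports already handed out.
        """
        state = self._components.setdefault(component_id, ComponentState())
        if isinstance(target_data, dict):
            for service_port, local_port in target_data.items():
                if not 1 <= local_port <= 65535:
                    raise ValueError(f"invalid local port {local_port}")
                if local_port in self._in_use and state.mapping.get(service_port) != local_port:
                    raise ValueError(f"local port {local_port} already in use")
                self._in_use.add(local_port)
                state.mapping[service_port] = local_port
        else:
            for service_port in target_data:
                if service_port not in state.mapping:
                    state.mapping[service_port] = self._allocate_local_port()
        return dict(state.mapping)

    def add_service_port(self, component_id: str, service_port: int) -> int:
        """Newly added service port: allocate a local port and queue a config update task."""
        state = self._components[component_id]
        if service_port in state.mapping:
            return state.mapping[service_port]
        local_port = self._allocate_local_port()
        state.mapping[service_port] = local_port
        state.pending_tasks.append({"type": "config_update", "mapping": dict(state.mapping)})
        return local_port

    def handle_task_query(self, component_id: str) -> List[dict]:
        """Task query request from the component: hand over and clear pending tasks."""
        state = self._components[component_id]
        tasks, state.pending_tasks = state.pending_tasks, []
        return tasks

    def local_endpoint(self, component_id: str, service_port: int) -> Tuple[str, int]:
        """What the platform's own business logic dials to reach a component service."""
        return ("127.0.0.1", self._components[component_id].mapping[service_port])
```

The collision check on preconfigured mappings is the detail worth keeping: a component that ships its own mapping must not be allowed to claim a local port already bound to another component's tunnel, otherwise the platform's business logic would reach the wrong NFV. Upgrade tasks (the second target program upgrade package in the text) can travel through the same pending task queue with a different `type`.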
Referring to fig. 7, the application discloses a cloud platform management device, which comprises:
the request acquisition module 11 is used for acquiring an access relation establishment request sent by a security component in the cloud platform;
A relationship establishing module 12, configured to establish an access relationship with the security component in response to the access relationship establishing request;
a component management module 13, configured to manage the security component based on a local port and a port mapping relationship and through the access relationship; the port mapping relationship is a mapping relationship between the local port and a service port of the security component.
It can be seen that, in the embodiment of the present application, an access relation establishment request sent by a security component in the cloud platform is first acquired, then an access relation with the security component is established in response to that request, and finally the security component is managed through the access relation based on a local port and a port mapping relation, where the port mapping relation is the mapping between the local port and a service port of the security component. In other words, the security component actively establishes the access relation with the cloud platform, and the cloud platform can then access the service in the security component through the local port based on the port mapping relation and the access relation, and so manage the security component; because the security component is accessed through an access relation it established itself and through the port mapping relation, security is ensured and cost is reduced at the same time.
Further, the device further comprises:
The target data acquisition module is used for acquiring target data sent by the security component through the access relation; wherein the target data is data containing the service port;
And the port mapping relation determining module is used for determining the port mapping relation based on the target data.
In a specific embodiment, the target data is port data;
correspondingly, the port mapping relation determining module is specifically configured to allocate a local port to the service port based on the port data, so as to obtain the port mapping relation.
In another specific embodiment, the target data is a port mapping relationship corresponding to the service port preconfigured in the security component;
correspondingly, the port mapping relation determining module is specifically configured to directly determine the target data as the port mapping relation.
Further, the device further comprises:
The newly added service port acquisition module is used for acquiring the newly added service port of the security component through the access relation;
And the port mapping relation updating module is used for distributing local ports for the newly added service ports and updating the port mapping relation to obtain an updated port mapping relation.
Further, the device further comprises:
The configuration update task generation module is used for generating a configuration update task corresponding to the security component based on the updated port mapping relation;
And the task query request processing module is used for acquiring a task query request sent by the security component, responding to the task query request and issuing the configuration update task to the security component so that the security component can execute the configuration update task.
Further, the device further comprises:
the access request acquisition module is used for acquiring the access request sent by the security component before the connection request sent by the security component is acquired;
and the access request processing module is used for verifying the access request, and if the access request passes the verification, a password is returned to the security component so that the security component can send the access relation establishment request based on the password.
Further, the relationship establishing module 12 specifically includes:
A data decryption unit, configured to decrypt the encrypted data carried in the access relation establishment request based on the password to obtain decrypted data;
And the communication connection establishment unit is used for establishing an access relation with the security component based on the decrypted data.
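The admission sequence that the access request acquisition module, the access request processing module and the relationship establishing module 12 implement (verify the access request, hand back a password, then accept an access relation establishment request only if it was made with that password) is shown below as an added Python example written for this page, not code from the patent or from any vendor. The text says the establishment request carries data encrypted with the password; this example substitutes an HMAC tag over the request body keyed by the password, which yields the same accept/reject decision without a third-party cipher library, and adds a nonce so a captured request cannot be replayed. The enrollment token, the nonce, the request layout and all names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Added example, not the patent's or any vendor's code. Models the two-step
# admission in the text: an access request that the platform verifies and
# answers with a password, then an access relation establishment request
# that is only accepted when it was produced with that password. The
# enrollment token, HMAC tag and nonce are assumptions made for the example.


class CloudPlatform:
    """CSSP side: management plane process d plus data plane process e."""

    def __init__(self, enrollment_tokens: Dict[str, str]) -> None:
        # component_id -> one-time enrollment token provisioned out of band (assumption)
        self._enrollment = dict(enrollment_tokens)
        self._passwords: Dict[str, bytes] = {}
        self._seen_nonces: set = set()
        self.access_relations: Dict[str, dict] = {}

    def handle_access_request(self, component_id: str, enrollment_token: str) -> Optional[str]:
        """Verify the access request; on success return a fresh password."""
        expected = self._enrollment.get(component_id)
        if expected is None or not hmac.compare_digest(expected, enrollment_token):
            return None
        del self._enrollment[component_id]            # token is single use
        password = secrets.token_hex(16)
        self._passwords[component_id] = password.encode()
        return password

    def handle_establish_request(self, request: dict) -> bool:
        """Accept the access relation only if the request was made with the issued password."""
        component_id = request.get("component_id")
        key = self._passwords.get(component_id)
        if key is None:
            return False                              # no password was ever issued
        body = request.get("body", "")
        expected_tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, request.get("tag", "")):
            return False                              # wrong password or tampered body
        data = json.loads(body)
        if data.get("component_id") != component_id or data.get("nonce") in self._seen_nonces:
            return False                              # identity mismatch or replay
        self._seen_nonces.add(data["nonce"])
        self.access_relations[component_id] = {"service_ports": list(data["service_ports"])}
        return True


class SecurityComponent:
    """NFV side: management plane process a (access request) and data plane process b."""

    def __init__(self, component_id: str, enrollment_token: str, service_ports: List[int]) -> None:
        self.component_id = component_id
        self._enrollment_token = enrollment_token
        self.service_ports = service_ports
        self._password: Optional[bytes] = None

    def request_access(self, platform: CloudPlatform) -> bool:
        password = platform.handle_access_request(self.component_id, self._enrollment_token)
        if password is None:
            return False
        self._password = password.encode()
        return True

    def build_establish_request(self) -> dict:
        """Access relation establishment request, tagged with the issued password."""
        if self._password is None:
            raise RuntimeError("access request must succeed first")
        body = json.dumps(
            {"component_id": self.component_id, "nonce": secrets.token_hex(8),
             "service_ports": self.service_ports},
            sort_keys=True, separators=(",", ":"))
        tag = hmac.new(self._password, body.encode(), hashlib.sha256).hexdigest()
        return {"component_id": self.component_id, "body": body, "tag": tag}
```

Two checks are doing the real work on the platform side: the tag is compared with `hmac.compare_digest` so that an establishment request from a component that never obtained a password is rejected without a timing side channel, and the nonce set rejects a verbatim resubmission of an earlier request. In a deployment the password exchange itself would of course ride on the TLS connection the data plane processes already use.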
In addition, the device further comprises:
The first process creation module is used for creating a first process so as to acquire an access request sent by the security component through the first process; verifying the access request, and if the access request passes the verification, returning a password to the security component;
The second process creation module is used for creating one or more second processes, wherein each second process is used for acquiring an access relation establishment request sent by a security component in the cloud platform; responding to the access relation establishment request, and establishing an access relation with the security component; and managing the security component through the access relation based on the local port and the port mapping relation.
Further, the device further comprises:
And the load balancing module is used for acquiring access relation establishment requests sent by the plurality of security components through a load balancing agent and respectively sending the plurality of access relation establishment requests to the plurality of second processes.
In addition, the device further comprises:
the first process to be upgraded determining module is used for determining a first process to be upgraded from the first process and the second process;
The first target program upgrading package acquisition module is used for acquiring a first target program upgrading package corresponding to the first process to be upgraded;
And the first process to be upgraded upgrading module is used for upgrading the program of the first process to be upgraded by utilizing the first target program upgrading packet.
Further, the device further comprises:
The second process to be upgraded determining module is used for determining a second process to be upgraded from the third process and the fourth process;
the second target program upgrading packet acquisition module is used for acquiring a second target program upgrading packet corresponding to the second process to be upgraded;
And the second process to be upgraded upgrading module is used for carrying out program upgrading on the second process to be upgraded by utilizing the second target program upgrading packet.
The third process is a process in the security component, which is used for sending the access request to the cloud security service platform, and the fourth process is a process in the security component, which is used for sending an access relation establishment request to the cloud security service platform and responding to a service access request sent by the second process.
Further, the second process to be upgraded upgrading module is specifically configured to generate an upgrade task corresponding to the security component based on the second target program upgrade package; correspondingly, the task query request processing module is specifically configured to acquire the task query request sent by the security component and, in response to it, issue the upgrade task to the security component, so that the security component executes the upgrade task and upgrades the second process to be upgraded using the second target program upgrade package.
Referring to fig. 8, an embodiment of the present application discloses an electronic device 30 including a processor 31 and a memory 32; wherein the memory 32 is used for storing a computer program, and the processor 31 is configured to execute the computer program to implement the cloud platform management method disclosed in the foregoing embodiments.
For the specific process of the cloud platform management method, reference may be made to the corresponding content disclosed in the foregoing embodiment, and no further description is given here.
The memory 32 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the storage mode may be transient storage or permanent storage.
In addition, the electronic device 30 further includes a power supply 33, a communication interface 34, an input-output interface 35, and a communication bus 36; wherein the power supply 33 is configured to provide an operating voltage for each hardware device on the electronic device 30; the communication interface 24 can create a data transmission channel between the electronic device 30 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 35 is used for obtaining external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
Further, the embodiment of the application also discloses a computer readable storage medium for storing a computer program, wherein the computer program is executed by a processor to realize the cloud platform management method disclosed in the previous embodiment.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The cloud platform management method, device, equipment and medium provided by the application are described in detail, and specific examples are applied to illustrate the principle and implementation of the application, and the description of the above examples is only used for helping to understand the method and core ideas of the application; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (8)

1. The cloud platform management method is characterized by comprising the following steps of:
Acquiring an access relation establishment request sent by a security component in a cloud platform;
Responding to the access relation establishment request, and establishing an access relation with the security component;
Acquiring target data sent by the security component through the access relation; wherein the target data is data containing a service port;
determining a port mapping relation based on the target data; the port mapping relationship is a mapping relationship between a local port and a service port of the security component;
Based on the local port and the port mapping relation, the security component is managed through the access relation; the service logic of the cloud platform accesses the service in the security component by accessing the local IP and the port and based on the port mapping relation;
before the access relation establishment request sent by the security component in the cloud platform is acquired, the method further comprises the following steps: acquiring an access request sent by the security component; and verifying the access request, and if the access request passes the verification, returning a password to the security component so that the security component sends the access relation establishment request based on the password.
2. The cloud platform management method of claim 1, wherein the target data is port data;
correspondingly, the determining the port mapping relation based on the target data includes:
And distributing a local port to the service port based on the port data so as to obtain the port mapping relation.
3. The cloud platform management method according to claim 1, wherein the target data is a port mapping relationship corresponding to the service port preconfigured in the security component;
correspondingly, the determining the port mapping relation based on the target data includes:
And directly determining the target data as the port mapping relation.
4. The cloud platform management method of claim 3, further comprising:
acquiring a newly added service port of the security component through the access relation;
Distributing a local port for the newly added service port, and updating the port mapping relation to obtain an updated port mapping relation;
generating a configuration update task corresponding to the security component based on the updated port mapping relation;
and acquiring a task query request sent by the security component, and responding to the task query request by sending the configuration update task to the security component so that the security component executes the configuration update task.
5. The cloud platform management method of claim 1, further comprising:
Creating a first process to obtain an access request sent by the security component through the first process; verifying the access request, and if the access request passes the verification, returning a password to the security component;
Creating one or more second processes, wherein each second process is used for acquiring an access relation establishment request sent by a security component in the cloud platform; responding to the access relation establishment request, and establishing an access relation with the security component; and managing the security component through the access relation based on the local port and the port mapping relation.
6. A cloud platform management apparatus, comprising:
The request acquisition module is used for acquiring an access relation establishment request sent by the security component in the cloud platform;
The relation establishing module is used for responding to the access relation establishing request and establishing the access relation with the security component;
The component management module is used for managing the security component based on the local port and the port mapping relation and through the access relation; the service logic of the cloud platform accesses the service in the security component by accessing the local IP and the port and based on the port mapping relation;
the apparatus further comprises:
The target data acquisition module is used for acquiring target data sent by the security component through the access relation; wherein the target data is data containing the service port;
the port mapping relation determining module is used for determining the port mapping relation based on the target data;
the apparatus further comprises:
The access request acquisition module is used for acquiring an access request sent by the security component before acquiring an access relation establishment request sent by the security component in the cloud platform;
and the access request processing module is used for verifying the access request, and if the access request passes the verification, a password is returned to the security component so that the security component can send the access relation establishment request based on the password.
7. An electronic device comprising a processor and a memory; wherein,
The memory is used for storing a computer program;
The processor is configured to execute the computer program to implement the cloud platform management method according to any one of claims 1 to 5.
8. A computer readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the cloud platform management method according to any of claims 1 to 5.
CN202210505401.7A 2022-05-10 Cloud platform management method, device, equipment and medium Active CN114785612B (en)


Publications (2)

Publication Number Publication Date
CN114785612A CN114785612A (en) 2022-07-22
CN114785612B true CN114785612B (en) 2024-07-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant