CN115310068A - Authorization control method, device and system - Google Patents


Info

Publication number: CN115310068A
Authority: CN (China)
Prior art keywords: authorization, server, file, management, control
Legal status: Pending
Application number: CN202210978077.0A
Other languages: Chinese (zh)
Inventor: 余良
Current Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd

Classifications

    • G Physics → G06 Computing; calculating or counting → G06F Electric digital data processing → G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity → G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals → G06F21/44 Program or device authentication
    • G Physics → G06 Computing; calculating or counting → G06F Electric digital data processing → G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity → G06F21/60 Protecting data → G06F21/604 Tools and structures for managing or administering access control systems


Abstract

The disclosure provides an authorization control method, an authorization control device and an authorization control system, which relate to the technical field of computers, in particular to the field of host security. The specific implementation scheme is as follows: a feature file of an authorization server is generated according to hardware information of at least one management and control server; an authorization file is requested from the corresponding authorization center based on the feature file; authentication is performed based on the authentication information in the authorization file; and, in response to the authentication passing, authorization permission for executing authorization control operations on a target host is allocated to the at least one management and control server according to the authorization information in the authorization file. Therefore, no matter how many target hosts the at least one management and control server needs to manage and control, the authorization server only needs to acquire an authorization file once, after which authorization permission for executing authorization control operations on the target hosts can be allocated to each management and control server once authentication has passed, which solves the technical problem in the related art of cumbersome operation when authorizing in a single-machine state.

Description

Authorization control method, device and system
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, and a system for authorization control.
Background
Host security mainly comprises two parts, namely a management and control server (server) and a host agent (agent). One management and control server can control the number of hosts, the duration for which the hosts may be used, the functions available on the hosts, and the like, and these controls are implemented through authorization.
In the related art, authorization is mostly completed with a scheme that authorizes in a single-machine state. However, such a scheme requires the authorization file to be imported multiple times when there are multiple authorized hosts, which is repetitive and tedious. How to effectively solve the problem of tedious operation when authorizing in a single-machine state is therefore worth researching.
Disclosure of Invention
The disclosure provides an authorization control method, device and system.
According to a first aspect of the present disclosure, there is provided an authorization control method applied to an authorization server, the method including:
generating a feature file of the authorization server according to hardware information of at least one management and control server;
requesting to obtain an authorization file from a corresponding authorization center based on the feature file;
performing authentication based on the authentication information in the authorization file;
and responding to the authentication passing, and allocating authorization authority for executing authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file.
According to a second aspect of the present disclosure, there is provided an authorization control method applied to an authorization center, the method including:
in response to a request sent by an authorization server based on a profile, sending an authorization file to the authorization server;
and the authorization file is used for allocating authorization authority for executing authorization control operation on the target host to at least one management and control server under the condition that the authentication is passed.
According to a third aspect of the present disclosure, there is provided an authorization control method applied to a management and control server, the method including:
receiving authorization authority which is distributed by an authorization server and used for executing authorization control operation on a target host;
performing management and control on the target host based on the authorization authority; wherein the management and control comprises controlling the use duration and the use function of the target host.
According to a fourth aspect of the present disclosure, there is provided an authorization control system comprising:
the authorization server is used for generating a feature file of the authorization server according to the hardware information of at least one management and control server; requesting to obtain an authorization file from a corresponding authorization center based on the feature file; performing authentication based on the authentication information in the authorization file; responding to the authentication, and allocating authorization authority for executing authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file;
the authorization center is used for responding to a request sent by an authorization server based on the characteristic file and sending an authorization file to the authorization server; and the authorization file is used for allocating authorization authority for executing authorization control operation on the target host to at least one management and control server under the condition that the authentication is passed.
The management and control server is used for receiving the authorization authority distributed by the authorization server and used for executing the authorization control operation on the target host; performing management and control on the target host based on the authorization authority; the management and control comprises controlling the use duration and the use function of the target host;
the target host is used for receiving the management and control of the management and control server; the management and control comprises controlling the use duration and the use function of the target host; and providing the use function for the user within the range of the use duration.
According to a fifth aspect of the present disclosure, there is provided an authorization control apparatus applied to an authorization server, the apparatus including:
the generating module is used for generating a feature file of the authorization server according to hardware information of at least one management and control server;
the acquisition module is used for requesting to acquire an authorization file from a corresponding authorization center based on the feature file;
the authentication module is used for authenticating based on the authentication information in the authorization file;
and the distribution module is used for responding to the passing of the authentication and distributing the authorization authority for executing the authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file.
According to a sixth aspect of the present disclosure, there is provided an authorization control device applied to an authorization center, the device including:
the sending module is used for responding to a request sent by the authorization server based on the characteristic file and sending the authorization file to the authorization server;
the authorization file is used for distributing authorization authority for executing authorization control operation on the target host to at least one management and control server under the condition that authentication is passed.
According to a seventh aspect of the present disclosure, there is provided an authorization control apparatus applied to a management and control server, the apparatus including:
the receiving module is used for receiving the authorization authority distributed by the authorization server and used for executing the authorization control operation on the target host;
the control module is used for executing management and control on the target host based on the authorization authority; wherein the management and control comprises controlling the use duration and the use function of the target host.
According to an eighth aspect of the present disclosure, there is provided an electronic apparatus comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of the first aspect, or to perform the method of the second aspect, or to perform the method of the third aspect.
According to a ninth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of the first aspect, or to perform the method of the second aspect, or to perform the method of the third aspect.
According to a tenth aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the method of the first aspect, or performs the method of the second aspect, or performs the method of the third aspect.
According to the authorization control method, the authorization control device and the authorization control system, the feature file of the authorization server is generated according to the hardware information of at least one control server, so that the authorization file is requested to be obtained from a corresponding authorization center based on the feature file, and then after authentication is carried out based on the authentication information in the authorization file, the authorization authority for executing authorization control operation on a target host is distributed to the at least one control server according to the authorization information in the authorization file in response to the passing of the authentication. Therefore, no matter how many target hosts need to be managed and controlled by at least one management and control server, the authorization server only needs to acquire an authorization file once, and then authorization permission for executing authorization control operation on the target hosts can be allocated to each management and control server under the condition that authentication is passed, so that the technical problem of complex operation in the process of authorization in a single-machine state in the related art is solved.
It should be understood that the statements in this section are not intended to identify key or critical features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
fig. 1 is a schematic flow chart of an authorization control method according to a first embodiment of the present disclosure;
fig. 2 is a schematic flow chart of an authorization control method according to a second embodiment of the disclosure;
fig. 3 is a schematic flow chart of an authorization control method according to a third embodiment of the present disclosure;
fig. 4 is a schematic flow chart of an authorization control method according to a fourth embodiment of the disclosure;
fig. 5 is a schematic flow chart of an authorization control method according to a fifth embodiment of the disclosure;
fig. 6 is a schematic flow chart of an authorization control method according to a sixth embodiment of the disclosure;
fig. 7 is a schematic flow chart of an authorization control method according to a seventh embodiment of the disclosure;
fig. 8 is a schematic diagram of a time synchronization check according to an eighth embodiment of the present disclosure;
fig. 9 is a schematic flow chart of an authorization control method according to a ninth embodiment of the disclosure;
fig. 10 is a schematic diagram of an authentication process provided in accordance with a tenth embodiment of the present disclosure;
fig. 11 is a schematic flow chart of an authorization control method according to an eleventh embodiment of the disclosure;
fig. 12 is a flowchart illustrating an authorization control method according to a twelfth embodiment of the disclosure;
fig. 13 is a schematic diagram of an overall architecture of an authorization control method according to a thirteenth embodiment of the present disclosure;
fig. 14 is a schematic diagram of an overall architecture of an authorization control method according to a fourteenth embodiment of the disclosure;
fig. 15 is a schematic structural diagram of an authorization control device according to a fifteenth embodiment of the present disclosure;
fig. 16 is a schematic structural diagram of an authorization control device according to a sixteenth embodiment of the present disclosure;
fig. 17 is a schematic structural diagram of an authorization control device according to a seventeenth embodiment of the present disclosure;
fig. 18 is a schematic structural diagram of an authorization control device according to an eighteenth embodiment of the present disclosure;
fig. 19 is a schematic structural diagram of an authorization control device according to a nineteenth embodiment of the present disclosure;
fig. 20 is a schematic structural diagram of an authorization control device according to a twentieth embodiment of the present disclosure;
fig. 21 shows a schematic block diagram of an example electronic device 2100 that can be used to implement embodiments of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings, in which various details of the embodiments of the disclosure are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in other sequences than those illustrated or described herein.
Currently, an authorization server mainly adopts the following three authorization schemes to complete authorization:
first, public network authorization: the authorization server can access the public network, so when it starts it can actively contact the authentication server for legitimacy verification through the configured public network address. Authorization takes effect only after the verification passes.
Second, dongle authorization: the host allows a dongle to be plugged in and unplugged, so when the authorization server starts it can detect whether the dongle is present and verify its legitimacy. Similarly, authorization takes effect only once legitimacy is verified. One host corresponds to one dongle.
Third, system serial number authorization: where the authorization server can neither be networked nor accept a dongle, verification can be implemented by checking the host's SN (Serial Number) code. Specifically, the authorization server may run an SN acquisition program to obtain the SN code, write the SN code into the fingerprint file, and then perform verification by SN code comparison.
However, the above three authorization schemes have the following disadvantages:
first, public network authorization: its disadvantage is that authorization is impossible when the network is disconnected. Because many users operate in an intranet environment, with no extranet access at all or with extranet access that cannot be used, failure to authorize normally occurs easily.
Second, dongle authorization: its disadvantages are high cost and inapplicability to machines that do not support plugging in a dongle. Specifically, because a single dongle is not cheap and one host corresponds to one dongle, the cost rises as the number of dongle-authorized hosts grows. Because some hosts may not support plugging and unplugging a dongle, normal authorization is impossible on them. Furthermore, if the hardware is damaged, the authorization needs to be made again.
Third, system serial number authorization: its disadvantage is that if the system is migrated or reinstalled, the authorization has to be purchased again. And when a virtual machine is copied, the authorization file can be reused, which causes loss to the manufacturer.
In addition to the above disadvantages, the three authorization schemes share a common one: they all authorize in a single-machine state, and when there are multiple authorized hosts, since the authorization information (quantity, time, function) of each authorized host may differ, operations such as applying for authorization, importing authorization files and renewing on expiry are cumbersome. In the case of renewal, it may even be necessary to perform a renewal operation for each authorized host based on a form that records the authorization information of each authorized host.
In order to solve the above problem, embodiments of the present disclosure provide an authorization control method, apparatus, and system.
An authorization control method, device, and system according to embodiments of the present disclosure are described below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of an authorization control method according to a first embodiment of the present disclosure.
As shown in fig. 1, the authorization control method may include the steps of:
step 101, generating a feature file of an authorization server according to hardware information of at least one management and control server.
It should be noted that the authorization control method provided by the embodiment of the present disclosure is applied to an authorization server, and the authorization server is configured to allocate authorization authority for performing an authorization control operation on a target host to at least one management and control server.
In the embodiment of the present disclosure, the authorization server has corresponding authorization clients, and the authorization clients correspond to the management and control servers one to one, that is, the number of the authorization clients is consistent with the number of the management and control servers. As a possible implementation manner, the authorization client may be installed on the management and control server, and is used to connect with the authorization server.
In the embodiment of the present disclosure, the management and control server may be any server that performs management and control on the target host based on the authorization authority, and the number of the management and control servers may be one or more, which is not limited in the embodiment of the present disclosure.
In this embodiment of the present disclosure, the hardware information of the management and control server may include at least one of an IP (Internet Protocol) address, a MAC (Media Access Control) address, a CPU (Central Processing Unit) serial number, and a motherboard serial number of the management and control server.
In the embodiment of the disclosure, the feature file of the authorization server may be generated based on hardware information of at least one management and control server. Optionally, since the hardware information of the management and control server may include at least one of an IP address, a MAC address, a CPU serial number, and a motherboard serial number, a feature file of the authorization server may be generated for at least one management and control server based on at least one of the IP address, the MAC address, the CPU serial number, and the motherboard serial number.
And 102, requesting to obtain an authorization file from a corresponding authorization center based on the characteristic file.
In the embodiment of the present disclosure, the authorization clients corresponding to the authorization server have a one-to-one correspondence relationship with the authorization centers, that is, one authorization client corresponds to one authorization center. It should be noted that different authorization clients may correspond to the same authorization center, and may also correspond to different authorization centers, which is not limited in the embodiment of the present disclosure.
In the embodiment of the disclosure, the authorization file can be requested from the authorization center corresponding to the authorization client based on the feature file of the authorization server. Specifically, the feature file of the authorization server generated in the previous step may be sent to the authorization center corresponding to the authorization client, so that the authorization center can generate an authorization file based on the feature file; the authorization server may then request the authorization file generated by the authorization center.
It should be noted that, in order to ensure the security of data transmission, in a possible implementation manner of the embodiment of the present disclosure, the authorization server may encrypt the feature file with a public key to obtain an encrypted feature file, and the authorization center may decrypt the encrypted feature file with the corresponding private key to recover the feature file and then generate the authorization file based on it. Likewise, the transmission of the authorization file also needs to be encrypted. Optionally, the transmission of the authorization file may be encrypted using the AES-GCM symmetric encryption algorithm. It should be noted that the public key encryption and private key decryption are performed with the public and private keys of the authorization client corresponding to the authorization server; each authorization client has its own key pair, and optionally the authorization center may look up the private key based on the UUID (Universally Unique Identifier) of the authorization client.
And 103, performing authentication based on the authentication information in the authorization file.
It should be noted that, after the authorization server obtains the authorization file, the authorization file needs to be authenticated first, and the authorization file can only take effect after the authentication is passed.
In the embodiment of the present disclosure, the authentication information in the authorization file may include the hardware information of the authorization server and the authorization time, so that authentication may be performed based on the authorization time and the hardware information of the authorization server. It is understood that authentication based on the authorization time ensures that the authorization file has not expired, avoiding loss to the manufacturer from the use of an expired authorization file.
It should be noted that, since the authentication information in the authorization file may include the hardware information of the authorization server and the authorization time, when the authorization center generates the authorization file, the hardware information of the authorization server and the authorization time may be written into the authorization file, so as to ensure that the authorization file may include the hardware information of the authorization server and the authorization time.
And step 104, responding to the passing of the authentication, and allocating authorization authority for executing authorization control operation on the target host to at least one management and control server according to the authorization information in the authorization file.
In the disclosed embodiment, the authorization information in the authorization file may include at least one of an authorization total, an authorization time, and an authorization function. The authorization total number is used for indicating the number of the authorization server applying for authorization, the authorization time is used for indicating the validation time of at least authorization to be applied by the authorization server, and the authorization function is used for indicating at least one authorized use function applied by the authorization server.
It should be noted that, since the authorization information in the authorization file may include at least one of the total number of authorizations, the time of authorization and the function of authorization. Therefore, when the authorization file is generated, the authorization center can write at least one of the authorization total number, the authorization time and the authorization function into the authorization file so as to ensure that the authorization file can comprise at least one of the authorization total number, the authorization time and the authorization function.
In the embodiment of the present disclosure, the number of target hosts may be one or more, which is not limited in the embodiment of the present disclosure.
In the embodiment of the disclosure, in the case that the authentication passes, an authorization right for performing an authorization control operation on the target host may be allocated to the at least one management and control server based on the authorization information of the authorization file. In one possible implementation manner, the authorization information may include an authorization total and an authorization time, so that in response to the authentication passing, according to the authorization total and the authorization time included in the authorization information in the authorization file, an authorization that is not greater than the authorization total and does not exceed the authorization time may be allocated to the at least one management and control server.
In another possible implementation manner, the authorization information includes an authorization total, an authorization time and an authorization function, so that in response to passing of the authentication, according to the authorization information in the authorization file, the authorization that is not greater than the authorization total included in the authorization information, does not exceed the authorization time included in the authorization information and can implement the authorization function included in the authorization information may be allocated to the at least one management and control server.
According to the authorization control method provided by the embodiment of the disclosure, the feature file of the authorization server is generated according to the hardware information of at least one management and control server, so that the authorization file is requested to be acquired from the corresponding authorization center based on the feature file, and after authentication is performed based on the authentication information in the authorization file, the authorization authority for executing authorization control operation on the target host is allocated to the at least one management and control server according to the authorization information in the authorization file in response to the passing of the authentication. Therefore, no matter how many target hosts need to be managed and controlled by at least one management and control server, the authorization server only needs to acquire an authorization file once, and then authorization permission for executing authorization control operation on the target hosts can be allocated to each management and control server under the condition that authentication is passed, so that the technical problem of complex operation in the process of authorization in a single-machine state in the related art is solved.
As can be seen from the above analysis, in the embodiment of the present disclosure, in response to the authentication passing, the authorization right for performing the authorization control operation on the target host may be allocated to the at least one management and control server according to the authorization information in the authorization file. In order to clearly illustrate how this allocation is performed in the present disclosure, the embodiment of the present disclosure provides the authorization control method shown in fig. 2.
Fig. 2 is a flowchart illustrating an authorization control method according to a second embodiment of the disclosure. As shown in fig. 2, the authorization control method may include the steps of:
Step 201, generating a feature file of an authorization server according to the hardware information of at least one management and control server.
Step 202, requesting to obtain an authorization file from a corresponding authorization center based on the feature file.
Step 203, performing authentication based on the authentication information in the authorization file.
It should be noted that the specific implementation of steps 201 to 203 may refer to the description of steps 101 to 103 in the above embodiment; the principle is the same and is not described again here.
Step 204, in response to the authentication passing, determining the unused authorization quantity according to the authorization total and the used authorization quantity.
In the disclosed embodiment, the authorization information includes the authorization total and the authorization time, so that the unused authorization quantity can be determined from the authorization total and the used authorization quantity once the authentication has passed. The used authorization quantity defaults to 0 before any authorization has been allocated; each time authorizations are allocated, the used authorization quantity is updated to the sum of the quantity being allocated and the previous used authorization quantity.
In a possible implementation manner of the embodiment of the present disclosure, when the authentication passes, the difference between the authorization total and the used authorization quantity may be determined as the unused authorization quantity.
Step 205, allocating an authorization right for performing an authorization control operation on the target host to the at least one management and control server based on a preset rule, according to the unused authorization quantity and the authorization time.
In the embodiment of the disclosure, after the unused authorization quantity is determined, an authorization right for performing an authorization control operation on the target host may be allocated to the at least one management and control server based on a preset rule, according to the unused authorization quantity and the authorization time. The setting of the preset rule is not limited in the embodiment of the present disclosure. Optionally, the preset rule may be set according to manual experience; for example, it may be a fixed rule that each management and control server is allocated 3 authorizations with an authorization time of 2 years. The rule may also be dynamically adjusted according to actual application requirements, which is not limited in the embodiment of the present disclosure.
It should be noted that, in this step, while the authorization right for performing the authorization control operation on the target host is allocated to the at least one management and control server based on the preset rule, the used authorization quantity must be updated according to the number of authorizations allocated by the preset rule; specifically, the used authorization quantity may be changed to the sum of the number of authorizations allocated by the preset rule and the previous used authorization quantity.
According to the authorization control method provided by the embodiment of the disclosure, in response to the authentication passing, the unused authorization quantity is determined according to the authorization total and the used authorization quantity, so that the authorization right for performing the authorization control operation on the target host is allocated to the at least one management and control server based on the preset rule, according to the unused authorization quantity and the authorization time. Therefore, the authorization right can be allocated to the at least one management and control server based on the authorization total and the authorization time in the authorization information together with the preset rule.
It should be noted that the above embodiment describes one possible implementation manner of allocating, in response to the authentication passing, the authorization right for performing the authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file. The embodiment of the present disclosure provides another possible implementation manner of this allocation, as shown in fig. 3.
Fig. 3 is a flowchart illustrating an authorization control method according to a third embodiment of the disclosure. As shown in fig. 3, the authorization control method may include the steps of:
Step 301, generating a feature file of the authorization server according to the hardware information of the at least one management and control server.
Step 302, requesting to obtain an authorization file from a corresponding authorization center based on the feature file.
Step 303, performing authentication based on the authentication information in the authorization file.
It should be noted that the specific implementation of steps 301 to 303 may refer to the description of steps 101 to 103 in the above embodiment; the principle is the same and is not described again here.
Step 304, in response to the authentication passing, displaying the at least one management and control server and the authorization information in the authorization file when the at least one management and control server is started.
In the embodiment of the present disclosure, in response to the authentication passing, the at least one management and control server and the authorization information in the authorization file may be displayed when the at least one management and control server is started. The authorization information of the authorization file includes an authorization total and an authorization time.
It can be understood that, since the authorization information of the authorization file includes the authorization total and the authorization time, displaying the authorization information in the authorization file means displaying the authorization total and the authorization time. Optionally, the display mode may be at least one of text, a picture and a list.
It should be noted that displaying the at least one management and control server means displaying information about the at least one management and control server. This information includes at least authorization management. That is to say, displaying the at least one management and control server when it is started, in response to the authentication passing, means at least displaying the authorization management of the at least one management and control server when it is started, in response to the authentication passing. Optionally, the authorization management may include assigning an authorization, deleting an authorization, changing an authorization, stopping an authorization, and the like, and the display mode may be at least one of text, a picture and a list.
In a possible implementation manner of the embodiment of the present disclosure, the information of the at least one management and control server includes a management and control server name, a management and control server ID, an assigned authorization quantity, an authorization expiration time, and authorization management, so that, in response to the authentication passing, when the at least one management and control server is started, the management and control server name, management and control server ID, assigned authorization quantity, authorization expiration time and authorization management of the at least one management and control server are displayed in a text list. For example, the information of the at least one management and control server may be displayed in the form shown in table 1 below:
Table 1 Information table of at least one management and control server (the original is an image; the rows below are reconstructed from the description that follows)
Columns: management and control server name; management and control server ID; assigned authorization quantity; authorization expiration time; authorization management
Row 1: test1; xxxxxx; 5; xx; delete authorization / change authorization / stop authorization
Row 2: test2; xxxxxx; 2; xx; delete authorization / change authorization / stop authorization
Row 3: test3; xxxxxx; (not assigned); (not assigned); assign authorization
It should be noted that "xxxxxx" and "xx" in the table schematically indicate values. "xxxxxx" does not mean that the corresponding position holds exactly six characters, and likewise "xx" does not mean that the corresponding position holds exactly two characters; those skilled in the art understand that "xxxxxx" and "xx" may stand for one character, or three or more characters, which is not limited in this embodiment.
As can be seen from table 1, the management and control server named test1 has already been assigned an authorization, with an assigned authorization quantity of 5; the management and control server named test2 has already been assigned an authorization, with an assigned authorization quantity of 2; and the management and control server named test3 has not been assigned an authorization, so its assigned authorization quantity and its authorization expiration time are each shown by a placeholder. It can be understood that, since the management and control servers named test1 and test2 have already been assigned authorizations, the corresponding authorization operations are delete authorization, change authorization and stop authorization, whereas, since the management and control server named test3 has not yet been assigned an authorization, the corresponding authorization operation is assign authorization.
Step 305, in response to an authorization operation performed on the at least one management and control server based on the authorization information, allocating an authorization right for performing an authorization control operation on the target host to the at least one management and control server.
In the embodiment of the present disclosure, in response to an authorization operation performed on the at least one management and control server based on the authorization information, an authorization right for performing an authorization control operation on the target host may be allocated to the at least one management and control server. Specifically, the maximum authorization quantity and the maximum authorization time that may be allocated to a management and control server may be determined based on the authorization information in the authorization file, so that the authorization server performs the authorization operation on the at least one management and control server within that maximum authorization quantity and maximum authorization time, and then allocates the authorization right for performing the authorization control operation on the target host to the at least one management and control server based on the performed authorization operation.
In a possible implementation manner of the embodiment of the present disclosure, the authorization information may include an authorization total and an authorization time, so that the maximum authorization quantity that may be allocated to a management and control server is determined from the authorization total and the used authorization quantity, and the maximum authorization time that may be allocated to a management and control server is determined from the authorization time. Specifically, the difference between the authorization total and the used authorization quantity may be determined as the maximum authorization quantity that may be allocated to a management and control server, and the authorization time may be determined as the maximum authorization time that may be allocated to a management and control server. It should be noted that the used authorization quantity is maintained by the authorization server: it defaults to 0 before any authorization has been allocated, and each time authorizations are allocated it is changed to the sum of the quantity being allocated and the previous used authorization quantity.
According to the authorization control method provided by the embodiment of the disclosure, in response to the authentication passing, the at least one management and control server and the authorization information in the authorization file are displayed when the at least one management and control server is started, so that the authorization right for performing the authorization control operation on the target host is allocated to the at least one management and control server in response to the authorization operation performed on the at least one management and control server based on the authorization information. Therefore, the authorization right can be allocated to the at least one management and control server by receiving the authorization operation performed on the at least one management and control server based on the authorization information.
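To make the quota bookkeeping of the second and third embodiments concrete, the following Python is an added example and not code from the patent: it keeps the authorization total, used and unused quantities of one authorization file, allocates authorizations to a management and control server either by an operator-chosen count (third embodiment) or by the preset rule of 3 authorizations for 2 years (second embodiment), caps the allocated term at the file's authorization time, and produces rows shaped like table 1. The class and function names and the sample values are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class AuthorizationFile:
    """Authorization information obtained from the authorization center (constructed)."""
    total: int                     # authorization total
    authorization_time: datetime   # latest moment any allocated authorization may be valid
    used: int = 0                  # defaults to 0 before any authorization is allocated

    def unused(self) -> int:
        # Step 204: unused quantity = authorization total - used quantity.
        return self.total - self.used


@dataclass
class ManagedServer:
    """One management and control server as listed in table 1 (constructed)."""
    name: str
    server_id: str
    assigned: int = 0
    expires: Optional[datetime] = None


# Preset rule given in the second embodiment: 3 authorizations per management and
# control server, each valid for 2 years.
PRESET_COUNT = 3
PRESET_TERM = timedelta(days=2 * 365)


class AuthorizationServer:
    def __init__(self, auth_file: AuthorizationFile, servers: List[ManagedServer]):
        self.auth_file = auth_file
        self.servers = {s.server_id: s for s in servers}

    def max_allocatable(self) -> Tuple[int, datetime]:
        """Third embodiment: the largest quantity and the latest time an operator may assign."""
        return self.auth_file.unused(), self.auth_file.authorization_time

    def allocate(self, server_id: str, count: int, now: datetime,
                 term: Optional[timedelta] = None) -> bool:
        """Assign `count` authorizations to one server. Returns False when the server
        already holds an allocation (change/delete are separate operations) or when
        `count` exceeds the unused quantity."""
        server = self.servers[server_id]
        if server.assigned or count <= 0 or count > self.auth_file.unused():
            return False
        # The allocated term may never exceed the authorization time in the file.
        expiry = self.auth_file.authorization_time
        if term is not None:
            expiry = min(expiry, now + term)
        server.assigned = count
        server.expires = expiry
        # Step 205: used quantity becomes used quantity + allocated quantity.
        self.auth_file.used += count
        return True

    def allocate_by_preset_rule(self, server_id: str, now: datetime) -> bool:
        """Second embodiment: allocation driven by the fixed preset rule."""
        return self.allocate(server_id, PRESET_COUNT, now, PRESET_TERM)

    def delete_authorization(self, server_id: str) -> bool:
        """'Delete authorization' operation: return the server's quantity to the pool."""
        server = self.servers[server_id]
        if not server.assigned:
            return False
        self.auth_file.used -= server.assigned
        server.assigned = 0
        server.expires = None
        return True

    def table(self) -> List[Tuple[str, str, str, str, str]]:
        """Rows in the shape of table 1: name, ID, assigned quantity, expiry, operations."""
        rows = []
        for s in self.servers.values():
            if s.assigned:
                ops = "delete authorization / change authorization / stop authorization"
                rows.append((s.name, s.server_id, str(s.assigned),
                             s.expires.date().isoformat(), ops))
            else:
                rows.append((s.name, s.server_id, "-", "-", "assign authorization"))
        return rows
```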
As can be seen from the above analysis, in the embodiment of the present disclosure, authentication may be performed based on the authentication information in the authorization file, and in order to clearly illustrate how authentication is performed based on the authentication information in the authorization file in the present disclosure, the embodiment of the present disclosure provides an authorization control method as shown in fig. 4.
Fig. 4 is a flowchart illustrating an authorization control method according to a fourth embodiment of the disclosure. As shown in fig. 4, the authorization control method may include the steps of:
Step 401, generating a feature file of the authorization server according to the hardware information of at least one management and control server.
Step 402, requesting to obtain an authorization file from a corresponding authorization center based on the feature file.
It should be noted that the specific implementation of steps 401 to 402 may refer to the description of steps 101 to 102 in the above embodiment; the principle is the same and is not described again here.
Step 403, acquiring the system time at the current moment and the hardware information of the authorization server.
In the embodiment of the disclosure, the system time at the current moment and the hardware information of the authorization server are acquired in order to verify them against the authorization time in the authorization file and the hardware information of the authorization server in the authorization file.
It should be noted that, since the system time can be tampered with, an expired authorization file might still be usable at the current moment if the system time has been set back to a time that does not exceed the authorization time in the authorization file. To avoid this, before the system time at the current moment is acquired, it is also necessary to verify by means of time synchronization that the system time at the current moment has not been tampered with. Specifically, it may be checked whether the system time of the authorization server is consistent with the system time of the at least one management and control server, and, for any one management and control server, whether the system time of that management and control server is consistent with the system time of the target host; the system time at the current moment is then acquired only when the system time of the authorization server is consistent with the system time of the at least one management and control server and the system time of any one management and control server is consistent with the system time of the target host.
Step 404, comparing the system time at the current time with the authorization time in the authorization file, and comparing the hardware information of the authorization server at the current time with the hardware information of the authorization server in the authorization file.
In the embodiment of the present disclosure, the system time at the current time may be compared with the authorization time in the authorization file, and the hardware information of the authorization server at the current time may be compared with the hardware information of the authorization server in the authorization file, so as to determine the corresponding authentication result according to the comparison result.
Step 405, in response to that the system time at the current time does not exceed the authorization time in the authorization file, and the hardware information of the authorization server at the current time is consistent with the hardware information of the authorization server in the authorization file, determining that the authentication is passed.
In the embodiment of the present disclosure, it may be determined that the authentication is passed when the system time at the current time does not exceed the authorization time in the authorization file, and the hardware information of the authorization server at the current time is consistent with the hardware information of the authorization server in the authorization file; and determining that the authentication is not passed under the condition that the system time at the current moment exceeds the authorization time in the authorization file and/or the hardware information of the authorization server at the current moment is inconsistent with the hardware information of the authorization server in the authorization file.
Step 406, in response to the authentication passing, allocating an authorization right for performing an authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file.
It should be noted that the specific implementation of this step may refer to the description of step 104 in the above embodiment; the principle is the same and is not described again here.
The authorization control method provided by the embodiment of the disclosure acquires the system time at the current moment and the hardware information of the authorization server, compares the system time at the current moment with the authorization time in the authorization file, compares the hardware information of the authorization server at the current moment with the hardware information of the authorization server in the authorization file, and determines that the authentication passes in response to the system time at the current moment not exceeding the authorization time in the authorization file and the hardware information of the authorization server at the current moment being consistent with the hardware information of the authorization server in the authorization file. Therefore, the authentication can be realized based on the authentication information in the authorization file.
It should be noted that, if only the hardware information of the authorization server in the authorization file is verified, there may be a case that the authorization file is reused. This is because the hardware information of the authorization server is not changed. To avoid this, the embodiment of the present disclosure provides an authorization control method as shown in fig. 5, which prevents the authorization file from being reused by adopting a two-factor check of hardware information and UUID.
Fig. 5 is a flowchart illustrating an authorization control method according to a fifth embodiment of the disclosure. As shown in fig. 5, the authorization control method may include the steps of:
Step 501, generating a feature file of an authorization server according to hardware information of at least one management and control server.
Step 502, requesting to obtain an authorization file from a corresponding authorization center based on the feature file.
Step 503, performing authentication based on the authentication information in the authorization file.
Step 504, in response to the authentication passing, allocating an authorization right for performing an authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file.
It should be noted that the specific implementation of steps 501 to 504 may refer to the description of steps 101 to 104 in the above embodiment; the principle is the same and is not described again here.
Step 505, periodically checking the hardware information of the authorization server in the authorization file and the UUID of the authorization client corresponding to the authorization server.
In the embodiment of the present disclosure, in order to avoid the situation of reusing the authorization file, the hardware information and the UUID may be periodically checked in a two-factor checking manner. Specifically, the hardware information of the authorization server and the UUID of the authorization client corresponding to the authorization server may be written into the authorization file when the authorization file is generated, so that the authorization file includes the hardware information of the authorization server and the UUID of the authorization client corresponding to the authorization server at the same time. And because a unique UUID is generated every time the authorized client is installed or reinstalled, the validity of the authorized file can be ensured by periodically checking the hardware information of the authorized server in the authorized file and the UUID of the authorized client corresponding to the authorized server.
Step 506, under the condition that the hardware information of the authorization server fails to be checked and/or the UUID of the authorization client corresponding to the authorization server fails to be checked, the authorization is stopped.
In the embodiment of the present disclosure, the authorization may be stopped when the verification of the hardware information of the authorization server fails, and/or the verification of the UUID of the authorization client corresponding to the authorization server fails. That is to say, the authorization may be stopped when the verification of the hardware information of the authorization server fails, or the authorization may be stopped when the verification of the UUID of the authorization client corresponding to the authorization server fails, or the authorization may be stopped when the verification of both the hardware information of the authorization server and the UUID of the authorization client corresponding to the authorization server fails, which is not limited in the embodiment of the present disclosure.
According to the authorization control method provided by the embodiment of the disclosure, the hardware information of the authorization server and the UUID of the authorization client corresponding to the authorization server in the authorization file are periodically checked, so that the authorization is stopped when the check of the hardware information of the authorization server fails and/or the check of the UUID of the authorization client corresponding to the authorization server fails. Therefore, the reuse of the authorization file that becomes possible when only the hardware information of the authorization server in the authorization file is verified can be effectively prevented.
It should be noted that there may be a case where an unused authorization file is backed up, so that after a period of use of the authorization file, the authorization file that has been used is replaced with the backed up authorization file, so that the authorization right that has been used can be reallocated. To avoid this, the embodiment of the present disclosure provides an authorization control method as shown in fig. 6, which prevents the distribution of the used authorization right using the backed-up authorization file by adopting a time factor check.
Fig. 6 is a flowchart illustrating an authorization control method according to a sixth embodiment of the disclosure. As shown in fig. 6, the authorization control method may include the steps of:
step 601, generating a feature file of the authorization server according to the hardware information of at least one management and control server.
Step 602, requesting to obtain the authorization file from the corresponding authorization center based on the feature file.
Step 603, performing authentication based on the authentication information in the authorization file.
Step 604, in response to the authentication passing, allocating an authorization right for performing an authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file.
It should be noted that the specific implementation of steps 601 to 604 may refer to the description of steps 101 to 104 in the above embodiment; the principle is the same and is not described again here.
Step 605, in response to the authorization client corresponding to the authorization server being installed for the first time, recording the time when the authorization client imports the authorization file for the first time.
In the embodiment of the present disclosure, in order to avoid the situation that the authorization authority that has been used is allocated using the backed-up authorization file, the time factor check may be performed periodically. Specifically, the time when the authorization file is first imported by the authorization client may be recorded in response to the authorization client corresponding to the authorization server being installed for the first time, so as to periodically compare the time when the authorization file is first imported by the authorization client with the system time at the current time.
Step 606, periodically comparing the time when the authorization client first imported the authorization file with the system time at the current moment.
In the embodiment of the present disclosure, the time when the authorization client imports the authorization file for the first time may be periodically compared with the system time at the current time to determine a difference between the system time at the current time and the time when the authorization client imports the authorization file for the first time.
Step 607, stopping the authorization when the difference between the system time at the current moment and the time when the authorization client first imported the authorization file is greater than a preset threshold.
In the embodiment of the present disclosure, the authorization may be stopped when a difference between the system time at the current time and the time when the authorization client first imports the authorization file is greater than a preset threshold. The setting of the preset threshold is not limited in the embodiment of the present disclosure, and optionally, the preset threshold may be set according to manual experience, for example, the preset threshold may be set to 10 days, or may also be dynamically adjusted according to actual application requirements, which is not limited in the embodiment of the present disclosure.
The authorization control method provided by the embodiment of the disclosure records the time when the authorization client imports the authorization file for the first time, in response to the authorization client corresponding to the authorization server being installed for the first time, and periodically compares that first import time with the system time at the current moment, so that authorization is stopped when the difference between the system time at the current moment and the first import time is greater than a preset threshold. Therefore, the situation in which used authorization rights could be reallocated by using a backed-up authorization file can be effectively avoided.
It should be noted that, since the system time may be tampered with, there may be a situation that the time factor check is bypassed by modifying the system time to the past time, and to avoid this situation, the embodiment of the present disclosure provides an authorization control method as shown in fig. 7, and prevents tampering with the system time by adopting a time synchronization check.
Fig. 7 is a flowchart illustrating an authorization control method according to a seventh embodiment of the disclosure. As shown in fig. 7, the authorization control method may include the steps of:
Step 701, generating a feature file of an authorization server according to hardware information of at least one management and control server.
Step 702, requesting to obtain an authorization file from a corresponding authorization center based on the feature file.
Step 703, performing authentication based on the authentication information in the authorization file.
Step 704, in response to the authentication passing, allocating an authorization right for performing an authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file.
It should be noted that the specific implementation of steps 701 to 704 may refer to the description of steps 101 to 104 in the above embodiment; the principle is the same and is not described again here.
Step 705, periodically checking whether the system time of the authorization server is consistent with the system time of at least one management and control server, and for any management and control server, checking whether the system time of the management and control server is consistent with the system time of the target host.
In the embodiment of the present disclosure, in order to avoid bypassing the time factor check by tampering the system time, it may be checked whether the system time of the authorization server is consistent with the system time of at least one management and control server, and for any management and control server, it may be checked whether the system time of the management and control server is consistent with the system time of the target host, that is, it is verified whether the system time of the authorization server, the system time of the management and control server, and the system time of the target host are synchronized, so as to effectively prevent bypassing the time factor check by tampering the system time.
Step 706, under the condition that the system time of the authorization server is inconsistent with the system time of at least one management and control server, and/or the system time of any one management and control server is inconsistent with the system time of the target host, stopping authorization.
In the embodiment of the present disclosure, the authorization may be stopped when the system time of the authorization server is inconsistent with the system time of the at least one management server, and/or the system time of any one management server is inconsistent with the system time of the target host. That is to say, the authorization may be stopped when the system time of the authorization server is inconsistent with the system time of the at least one management and control server, may also be stopped when the system time of any one management and control server is inconsistent with the system time of the target host, and may also be stopped when the system time of the authorization server is inconsistent with the system time of the at least one management and control server, and the system time of any one management and control server is inconsistent with the system time of the target host, which is not limited in the embodiment of the present disclosure.
According to the authorization control method provided by the embodiment of the disclosure, whether the system time of the authorization server is consistent with the system time of the at least one management and control server is periodically checked, and whether the system time of the management and control server is consistent with the system time of the target host is checked for any one management and control server, so that authorization is stopped when the system time of the authorization server is inconsistent with the system time of the at least one management and control server, and/or the system time of any one management and control server is inconsistent with the system time of the target host. Therefore, the time factor check can be effectively prevented from being bypassed by tampering the system time.
To more clearly illustrate how the previous embodiment performs time synchronization verification, the embodiment of the present disclosure provides a time synchronization verification diagram as shown in fig. 8.
Fig. 8 is a schematic diagram of a time synchronization check according to an eighth embodiment of the present disclosure. As shown in fig. 8, the authorization server may check the system time; in particular, it may check whether the system time of the authorization server is synchronized with the system time of the at least one management and control server, and whether the system time of each management and control server is synchronized with the system time of the at least one target host managed and controlled by that management and control server, so as to determine an authorization check result according to the check result. Optionally, when the system time of the authorization server is synchronized with the system time of the at least one management and control server, and the system time of each management and control server is also synchronized with the system time of the at least one target host it manages and controls, the check result is determined to be a pass, and the authorization check result is accordingly determined to be a pass; and under the condition that the system time of the authorization server is inconsistent with the system time of the at least one management and control server and/or the system time of any one management and control server is inconsistent with the system time of the target host, the authorization check is determined to fail and the authorization is stopped.
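The three-level check of steps 705 and 706 and fig. 8, written out as an added Go example that is not part of the patent disclosure. The ManagedServer type, the five-second tolerance, the heartbeat as the source of the clock readings and the constructed topology in SampleTopology are all assumptions; the patent only says the clocks must be "consistent".

```go
package main

import (
	"fmt"
	"time"
)

// ManagedServer is one management and control server together with the
// system clocks of the target hosts it manages, as reported over the
// heartbeat. The struct and field names are assumptions for this example.
type ManagedServer struct {
	Name       string
	Clock      time.Time
	HostClocks map[string]time.Time
}

// Tolerance is an assumption: the embodiment says "consistent", and a real
// deployment must allow for the delay between reading a clock and comparing it.
const Tolerance = 5 * time.Second

func within(a, b time.Time) bool {
	d := a.Sub(b)
	if d < 0 {
		d = -d
	}
	return d <= Tolerance
}

// CheckTimeSync performs the check of steps 705 and 706: the authorization
// server's clock against every management and control server, and each
// management and control server's clock against every target host it manages.
// It returns ok=false and the first inconsistency found, at which point the
// caller stops authorization.
func CheckTimeSync(authClock time.Time, servers []ManagedServer) (ok bool, reason string) {
	for _, s := range servers {
		if !within(authClock, s.Clock) {
			return false, fmt.Sprintf("authorization server vs %s: skew %v", s.Name, s.Clock.Sub(authClock))
		}
		for host, hc := range s.HostClocks {
			if !within(s.Clock, hc) {
				return false, fmt.Sprintf("%s vs target host %s: skew %v", s.Name, host, hc.Sub(s.Clock))
			}
		}
	}
	return true, ""
}

// SampleTopology builds a constructed topology in which every clock is within
// tolerance of base; main() then tampers one clock to show the failure path.
func SampleTopology(base time.Time) []ManagedServer {
	return []ManagedServer{
		{Name: "mc-1", Clock: base.Add(1 * time.Second), HostClocks: map[string]time.Time{
			"host-a": base.Add(2 * time.Second), "host-b": base.Add(-1 * time.Second)}},
		{Name: "mc-2", Clock: base.Add(-2 * time.Second), HostClocks: map[string]time.Time{
			"host-c": base}},
	}
}

func main() {
	base := time.Date(2022, 8, 16, 12, 0, 0, 0, time.UTC)
	servers := SampleTopology(base)
	ok, reason := CheckTimeSync(base, servers)
	fmt.Println("all synchronized:", ok, reason)

	// Roll one target host back by a day, which is what a tampered clock looks like:
	servers[1].HostClocks["host-c"] = base.Add(-24 * time.Hour)
	ok, reason = CheckTimeSync(base, servers)
	fmt.Println("after tampering:", ok, reason)
}
```

The check returns on the first inconsistency because the embodiment stops authorization as soon as any pair disagrees; a monitoring build would collect every skew instead so the operator can see which host was altered.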
As can be seen from the above analysis, in the embodiment of the present disclosure, an authorization file may be requested from an authorization center corresponding to an authorization server based on a feature file, and in order to clearly illustrate how to request the authorization center corresponding to the authorization server to obtain the authorization file based on the feature file, the embodiment of the present disclosure provides an authorization control method as shown in fig. 9.
Fig. 9 is a flowchart illustrating an authorization control method according to a ninth embodiment of the disclosure. As shown in fig. 9, the authorization control method may include the steps of:
step 901, generating a feature file of the authorization server according to the hardware information of at least one management and control server.
It should be noted that, for a specific implementation process of this step, reference may be made to the description of step 101, and the principle is the same, which is not described herein again.
Step 902, performing public key encryption on the feature file to obtain an encrypted feature file.
In the embodiment of the present disclosure, in order to ensure the security of data transmission, the authorization server may perform public key encryption on the feature file, so as to obtain an encrypted feature file. It should be noted that, because each authorization client has a set of public and private keys, the public key encryption in this step may be performed based on the public key of the authorization client corresponding to the authorization server.
Step 903, sending the encrypted feature file to the corresponding authorization center, so that the authorization center can decrypt the encrypted feature file by using a private key to obtain the feature file, and generate the authorization file based on the feature file.
In the embodiment of the disclosure, after the encrypted feature file is obtained, the encrypted feature file may be sent to the authorization center corresponding to the authorization client, so that the authorization center can perform private key decryption on the encrypted feature file to obtain the feature file, and generate the authorization file based on the feature file. It should be noted that, since each authorization client has a set of public and private keys, the private key decryption in this step can be performed based on the private key of the authorization client corresponding to the authorization server. Alternatively, the authorization center may obtain the private key based on the UUID of the authorization client.
Step 904, request the authorization center to obtain the authorization file.
In the embodiment of the present disclosure, since the authorization center can generate the authorization file, the authorization file can be obtained by initiating, to the authorization center, a request for obtaining the authorization file. It should be noted that, in order to ensure the security of the transmission of the authorization file, the AES-GCM symmetric encryption algorithm may be used to encrypt the authorization file for transmission, so that the integrity of the data can also be verified based on the AES-GCM symmetric encryption algorithm.
Step 905, performing authentication based on the authentication information in the authorization file.
Step 906, in response to the authentication passing, allocating authorization authority for executing authorization control operation on the target host to at least one management and control server according to the authorization information in the authorization file.
It should be noted that, for the specific implementation process of steps 905 to 906, reference may be made to the description of steps 103 to 104, and the principle is the same, which is not described herein again.
The authorization control method provided by the embodiment of the disclosure obtains the encrypted feature file by encrypting the feature file with the public key, and then sends the encrypted feature file to the corresponding authorization center, so that the authorization center decrypts the encrypted feature file with the private key to obtain the feature file and generates the authorization file based on the feature file, after which the authorization server requests the authorization center to obtain the authorization file. Therefore, encrypted transmission of the feature file can be achieved, and the security of feature file transmission is effectively guaranteed. Authorization authority is then allocated to the at least one management and control server in response to an authorization instruction initiated by a user through an authorization operation, according to the authorization information in the authorization file.
To more clearly illustrate how the above embodiments perform authentication, the embodiments of the present disclosure provide a schematic authentication flow diagram as shown in fig. 10.
Fig. 10 is a schematic diagram of an authentication procedure according to a tenth embodiment of the disclosure. As shown in fig. 10, the authorization server generates a feature file of the authorization server based on hardware information of at least one management and control server, performs public key encryption on the feature file to obtain an encrypted feature file, and sends the encrypted feature file to the corresponding authorization client. The authorization client forwards the encrypted feature file to the authorization center. The authorization center performs private key decryption on the encrypted feature file to obtain the feature file, generates an authorization file based on the feature file, encrypts the authorization file by using the AES-GCM symmetric encryption algorithm to obtain an encrypted authorization file, and sends the encrypted authorization file to the authorization client. The authorization client forwards the encrypted authorization file to the authorization server, which decrypts the encrypted authorization file to obtain the authorization file and performs authentication based on the authentication information in the authorization file.
It should be noted that the foregoing embodiments are described from the perspective of an authorization server. In order to more clearly illustrate the authorization control process, the embodiment of the present disclosure provides a possible implementation manner of an authorization control method described from the perspective of an authorization center, and fig. 11 is a flowchart of an authorization control method provided according to an eleventh embodiment of the present disclosure.
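The exchange of steps 902 to 904 and fig. 10, as an added Go example that is not the patent's own code: the authorization server encrypts the feature file under the authorization client's public key (RSA-OAEP is the assumed public key scheme), the authorization center looks the private key up by the client's UUID, decrypts, builds the authorization file, and returns it sealed with AES-GCM so that any modification in transit fails the integrity check. The JSON field layouts, the 100-host quota, the one-year validity, the use of the client UUID as GCM associated data, and the way the per-client AES key is provisioned are all assumptions; the patent describes none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// FeatureFile: hardware information of the management and control servers behind
// one authorization client. Field names are assumptions for this example.
type FeatureFile struct {
	ClientUUID string   `json:"client_uuid"`
	Hardware   []string `json:"hardware"` // e.g. one MAC or CPU serial per server
}

// AuthorizationFile: what the authorization center issues (fields assumed).
type AuthorizationFile struct {
	Hardware  []string  `json:"hardware"`
	Total     int       `json:"total"`
	ExpiresAt time.Time `json:"expires_at"`
}

// AuthorizationCenter holds one RSA key pair per authorization client, found by
// UUID, and a per-client AES-256 key for the return leg (provisioning of that
// key is not described on the page and is assumed here).
type AuthorizationCenter struct {
	privKeys map[string]*rsa.PrivateKey
	aesKeys  map[string][]byte
}

// EncryptFeatureFile is step 902: RSA-OAEP under the authorization client's public
// key. OAEP with a 2048-bit key and SHA-256 holds at most 190 bytes of plaintext.
func EncryptFeatureFile(pub *rsa.PublicKey, ff FeatureFile) ([]byte, error) {
	plain, _ := json.Marshal(ff) // marshalling a plain struct cannot fail
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Issue is the authorization center's side of steps 903 and 904: decrypt with the
// private key found by UUID, build the authorization file, and return it sealed
// with AES-GCM (random 12-byte nonce prepended, client UUID bound in as AAD).
func (c *AuthorizationCenter) Issue(uuid string, encFF []byte) ([]byte, error) {
	priv, ok := c.privKeys[uuid]
	if !ok {
		return nil, errors.New("unknown authorization client")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encFF, nil)
	if err != nil {
		return nil, err
	}
	var ff FeatureFile
	if err := json.Unmarshal(plain, &ff); err != nil || ff.ClientUUID != uuid {
		return nil, errors.New("feature file unreadable or not produced for this client")
	}
	body, _ := json.Marshal(AuthorizationFile{
		Hardware: ff.Hardware, Total: 100, ExpiresAt: time.Now().AddDate(1, 0, 0)})
	gcm, err := newGCM(c.aesKeys[uuid])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, []byte(uuid)), nil
}

// OpenAuthorizationFile is the authorization server's side: AES-GCM Open fails on
// any modified byte, which is the integrity check the embodiment relies on.
func OpenAuthorizationFile(key []byte, uuid string, blob []byte) (AuthorizationFile, error) {
	var af AuthorizationFile
	gcm, err := newGCM(key)
	if err != nil {
		return af, err
	}
	if len(blob) < gcm.NonceSize() {
		return af, errors.New("authorization file too short")
	}
	body, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(uuid))
	if err != nil {
		return af, err // tag mismatch: the file is discarded, nothing is parsed
	}
	return af, json.Unmarshal(body, &af)
}

// NewSampleCenter provisions one constructed client and returns the center, the
// client's public key (held by the authorization server) and the shared AES key.
func NewSampleCenter(uuid string) (*AuthorizationCenter, *rsa.PublicKey, []byte) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	aesKey := make([]byte, 32)
	io.ReadFull(rand.Reader, aesKey)
	c := &AuthorizationCenter{map[string]*rsa.PrivateKey{uuid: priv}, map[string][]byte{uuid: aesKey}}
	return c, &priv.PublicKey, aesKey
}

func main() {
	const uuid = "client-0001" // constructed authorization client UUID
	center, pub, aesKey := NewSampleCenter(uuid)
	encFF, _ := EncryptFeatureFile(pub, FeatureFile{uuid, []string{"00:11:22:33:44:55", "BFEBFBFF000906EA"}})
	blob, _ := center.Issue(uuid, encFF)
	af, err := OpenAuthorizationFile(aesKey, uuid, blob)
	fmt.Println("issued:", af.Hardware, af.Total, err)
	blob[len(blob)-1] ^= 1 // flip one bit of the ciphertext: GCM must reject it
	_, err = OpenAuthorizationFile(aesKey, uuid, blob)
	fmt.Println("tampered:", err)
}
```

Two points the code makes that the text leaves implicit: the UUID inside the decrypted feature file is compared against the UUID whose private key was used, so a feature file encrypted for one client cannot be submitted under another client's identity; and the authorization server never parses an authorization file whose GCM tag failed, because a nonce reuse or a modified byte yields an error from Open rather than garbage plaintext.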
As shown in fig. 11, the authorization control method may include the steps of:
Step 1101, sending an authorization file to the authorization server in response to a request sent by the authorization server based on the feature file.
In the embodiment of the present disclosure, the authorization file is used to allocate, to the at least one management and control server, an authorization right for performing an authorization control operation on the target host if the authentication passes.
In the disclosed embodiment, the authorization center may send the authorization file to the authorization server in response to a request sent by the authorization server based on the feature file. Specifically, after receiving the request sent by the authorization server based on the feature file, the authorization center may generate an authorization file based on the feature file, so as to send the authorization file to the authorization server. It should be noted that, in order to ensure the security of the feature file transmission, the public and private keys of the authorization client corresponding to the authorization server may be used to perform encrypted transmission of the feature file. Specifically, the authorization server may perform public key encryption on the feature file to obtain an encrypted feature file, and the authorization center may perform private key decryption on the encrypted feature file to obtain the feature file. Similarly, in order to ensure the security of the transmission of the authorization file, the AES-GCM symmetric encryption algorithm can be adopted to encrypt the transmission of the authorization file, so that the integrity of the data can be verified based on the AES-GCM symmetric encryption algorithm.
The authorization control method provided by the embodiment of the disclosure can realize that an authorization file is sent to an authorization server in response to a request sent by the authorization server based on a feature file, wherein the authorization file is used for allocating authorization authority for executing authorization control operation on a target host to at least one management and control server under the condition that authentication is passed.
It can be understood that the authorization control process of the present disclosure also involves a management and control server. In order to more clearly illustrate the authorization control process, the embodiment of the present disclosure provides a possible implementation manner of an authorization control method described from the perspective of the management and control server, and fig. 12 is a flowchart of an authorization control method provided according to a twelfth embodiment of the present disclosure.
As shown in fig. 12, the authorization control method may include the steps of:
Step 1201, receiving authorization authority, distributed by an authorization server, for executing an authorization control operation on a target host.
In the embodiment of the disclosure, the management and control server may receive the authorization authority, which is allocated by the authorization server and used for performing the authorization control operation on the target host.
Step 1202, executing management and control on the target host based on the authorization authority, wherein the management and control includes controlling the use duration and the use function of the target host.
In the embodiment of the present disclosure, after receiving the authorization authority, the management and control server may perform management and control on the target host based on the authorization authority. The management and control comprises controlling the use duration and the use function of the target host.
According to the authorization control method provided by the embodiment of the disclosure, the authorization authority which is distributed by the authorization server and used for executing authorization control operation on the target host is received, so that the management and control on the target host is executed based on the authorization authority, wherein the management and control includes controlling the use duration and the use function of the target host.
To more clearly illustrate the above embodiments, the present disclosure also provides an overall architecture diagram as shown in fig. 13.
Fig. 13 is a schematic diagram of an overall architecture of an authorization control method according to a thirteenth embodiment of the present disclosure. As shown in fig. 13, a target host agent is installed on the target host; the target host agent monitors the host in real time, collects data such as monitoring and protection data, and sends that data to the corresponding management and control server, so that the management and control server can obtain, in real time, the monitoring and protection data of the target hosts it manages and controls. Authorization clients correspond one-to-one to management and control servers, and a management and control server connects to the authorization server through its authorization client, so that the authorization server can, in response to the authentication passing, allocate authorization authority for executing authorization control operations on the target host to at least one management and control server according to the authorization information in the authorization file. Optionally, the authorization server may, in response to the authentication passing, determine the unused authorization quantity according to the total authorization quantity and the used authorization quantity in the authorization file, so as to allocate, to the at least one management and control server, authorization authority for performing an authorization control operation on the target host based on a preset rule according to the unused authorization quantity and the authorization time in the authorization file.
Alternatively, in response to the authentication passing and under the condition that the management and control server is started, the at least one management and control server and the authorization information in the authorization file are displayed, so that, in response to an authorization operation performed on the at least one management and control server based on the authorization information, authorization authority for performing an authorization control operation on the target host is allocated to the at least one management and control server.
To more clearly illustrate the above embodiments, the present disclosure also provides an overall architecture diagram as shown in fig. 14.
Fig. 14 is a schematic diagram of an overall architecture of an authorization control method according to a fourteenth embodiment of the disclosure. As shown in fig. 14, the host security system includes a management and control server and a target host. A host agent is already installed on each target host; there may be one or more management and control servers, each management and control server may be connected to one or more target hosts, and the number of connected target hosts is controlled by the authorization quantity in the authorization file and can be distributed in the authorization server. The target host sends data such as monitoring and protection data to the management and control server, and the management and control server issues management and control commands to the target host. The management and control includes controlling the use number, the use duration and the use function of the target host. The management and control server interacts with the authorization server, performing network heartbeat and time synchronization with the authorization server, and the authorization server allocates to the management and control server the authorization authority for executing authorization control operations on the target host. The time synchronization is mainly used to prevent the authorization from failing to expire, and the authorization file from being imported repeatedly, as a result of tampering with the system time. The authorization server has built-in service authentication for authentication and authorization verification. The authorization server interacts with the corresponding authorization center: the authorization server sends the encrypted feature file to the authorization center, and the authorization center sends the encrypted authorization file to the authorization server.
In order to more clearly illustrate the above embodiments, the present disclosure also provides an authorization control system. The authorization control system includes: the system comprises an authorization server, an authorization center, a management and control server and a target host.
The authorization server is used for generating a feature file of the authorization server according to the hardware information of at least one management and control server; requesting to obtain an authorization file from a corresponding authorization center based on the feature file; performing authentication based on the authentication information in the authorization file; and, in response to the authentication passing, allocating authorization authority for executing authorization control operation on the target host to at least one management and control server according to authorization information in the authorization file;
the authorization center is used for responding to a request sent by the authorization server based on the characteristic file and sending the authorization file to the authorization server; and the authorization file is used for allocating authorization authority for executing authorization control operation on the target host to at least one management and control server under the condition that the authentication is passed.
The management and control server is used for receiving authorization authority which is distributed by the authorization server and used for executing authorization control operation on the target host; based on the authorization authority, performing management and control on the target host; the management and control comprises the control of the use number, the use duration and the use function of the target host;
and the target host is used for responding to the management and control of the management and control server and providing the use function for the user within the range of the use duration.
Corresponding to the authorization control method provided in the embodiment of fig. 1 to 9, the present disclosure also provides an authorization control device, and since the authorization control device provided in the embodiment of the present disclosure corresponds to the authorization control method provided in the embodiment of fig. 1 to 9, the implementation of the authorization control method is also applicable to the authorization control device provided in the embodiment of the present disclosure, and will not be described in detail in the embodiment of the present disclosure.
Fig. 15 is a schematic structural diagram of an authorization control device according to a fifteenth embodiment of the present disclosure.
As shown in fig. 15, the authorization control device 10 may include: a generation module 11, an acquisition module 12, an authentication module 13 and an allocation module 14.
The generation module 11 is configured to generate a feature file of the authorization server according to hardware information of at least one management and control server;
the obtaining module 12 is configured to request a corresponding authorization center to obtain an authorization file based on the feature file;
the authentication module 13 is used for performing authentication based on the authentication information in the authorization file;
and the allocating module 14 is used for responding to the authentication passing and allocating authorization authority for executing the authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file.
In a possible implementation manner of the embodiment of the present disclosure, the authorization information includes an authorization total and an authorization time, and the allocating module 14 includes:
a determining unit, configured to determine, in response to the authentication passing, an unused authorization number according to the authorization total number and the used authorization number;
and the first allocation unit is used for allocating authorization authority for executing authorization control operation on the target host to at least one management and control server based on a preset rule according to the unused authorization quantity and the authorization time.
In a possible implementation manner of the embodiment of the present disclosure, the allocating module 14 includes:
the display unit is used for responding to the authentication and displaying the authorization information in the at least one management and control server and the authorization file under the condition that the at least one management and control server is started;
and a second allocating unit, configured to allocate, to the at least one management and control server, authorization authority for performing an authorization control operation on the target host, in response to an authorization operation performed on the at least one management and control server based on the authorization information.
In a possible implementation manner of the embodiment of the present disclosure, the authentication information includes authorization time and hardware information of the authorization server, and the authentication module includes:
the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring the system time at the current moment and the hardware information of an authorization server;
the comparison unit is used for comparing the system time at the current moment with the authorization time in the authorization file, and comparing the hardware information of at least one management and control server at the current moment with the hardware information of the authorization server in the authorization file;
and the determining unit is used for determining that the authentication is passed in response to the fact that the system time at the current moment does not exceed the authorization time in the authorization file and the hardware information of the at least one management and control server at the current moment is consistent with the hardware information of the authorization server in the authorization file.
In a possible implementation manner of the embodiment of the present disclosure, the obtaining unit is further configured to:
checking whether the system time of the authorization server is consistent with the system time of at least one management and control server, and checking whether the system time of the management and control server is consistent with the system time of the target host aiming at any one management and control server;
and under the condition that the system time of the authorization server is consistent with the system time of at least one management and control server, and the system time of any management and control server is consistent with the system time of the target host, acquiring the system time at the current moment.
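The authentication module (acquisition, comparison and determining units) and the quota-based allocation of the determining and first allocation units, as an added Go example that is not the patent's own code. The AuthorizationFile layout is an assumption, hardware information is modelled as a list of strings compared as a set so that reporting order does not matter, and the "preset rule" for allocation, which the patent leaves unspecified, is assumed here to be: serve requests in server-name order and never grant more than the unused quantity. The time synchronization precheck of the obtaining unit is left to a separate routine and not repeated here.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// AuthorizationFile holds the authentication information (authorization time and
// the hardware information recorded at issue) and the authorization information
// (total quantity). Field names are assumptions for this example.
type AuthorizationFile struct {
	Hardware  []string  // hardware info of the management and control servers, as in the feature file
	Total     int       // total authorization quantity (number of target hosts)
	ExpiresAt time.Time // authorization time
}

// Authenticate implements the comparison and determining units: the current
// system time must not exceed the authorization time, and the hardware
// information observed now must match what the authorization file was issued for.
func Authenticate(now time.Time, currentHW []string, af AuthorizationFile) error {
	if now.After(af.ExpiresAt) {
		return fmt.Errorf("authorization expired at %s", af.ExpiresAt.UTC().Format(time.RFC3339))
	}
	if !sameSet(currentHW, af.Hardware) {
		return errors.New("hardware information does not match the authorization file")
	}
	return nil
}

// sameSet compares two hardware lists regardless of the order they were reported in.
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	x := append([]string(nil), a...)
	y := append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

// Allocate implements the determining and first allocation units: the unused
// quantity is Total minus what is already used, and it is handed out to the
// management and control servers under the assumed preset rule described above.
// It returns the grants per server and the quantity left over.
func Allocate(af AuthorizationFile, used int, requests map[string]int) (map[string]int, int, error) {
	unused := af.Total - used
	if unused < 0 {
		return nil, 0, errors.New("used quantity exceeds authorized total")
	}
	names := make([]string, 0, len(requests))
	for n := range requests {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic order: Go map iteration is randomized
	grants := make(map[string]int, len(requests))
	for _, n := range names {
		g := requests[n]
		if g > unused {
			g = unused
		}
		grants[n] = g
		unused -= g
	}
	return grants, unused, nil
}

func main() {
	af := AuthorizationFile{ // constructed sample authorization file
		Hardware:  []string{"00:11:22:33:44:55", "BFEBFBFF000906EA"},
		Total:     100,
		ExpiresAt: time.Date(2023, 8, 16, 0, 0, 0, 0, time.UTC),
	}
	now := time.Date(2022, 8, 16, 12, 0, 0, 0, time.UTC)
	if err := Authenticate(now, []string{"BFEBFBFF000906EA", "00:11:22:33:44:55"}, af); err != nil {
		fmt.Println("authentication failed:", err)
		return
	}
	grants, left, _ := Allocate(af, 30, map[string]int{"mc-1": 50, "mc-2": 40})
	fmt.Println("grants:", grants, "unused:", left) // grants: map[mc-1:50 mc-2:20] unused: 0
}
```

Allocation is only reached after Authenticate returns nil, which mirrors "in response to the authentication passing" in the text; a quota that is already over-consumed (used greater than Total) is reported as an error rather than silently clamped, since it indicates either a corrupted usage record or an authorization file that was swapped for a smaller one.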
In a possible implementation manner of the embodiment of the present disclosure, the obtaining module 12 includes:
the encryption unit is used for carrying out public key encryption on the feature file to obtain an encrypted feature file;
the transmitting unit is used for transmitting the encrypted feature files to a corresponding authorization center so that the authorization center can decrypt the private key of the encrypted feature files to obtain the feature files and generate the authorization files based on the feature files;
and the acquisition unit is used for requesting the authorization center to acquire the authorization file.
In a possible implementation manner of the embodiment of the present disclosure, the feature file is used to indicate at least one of an IP address, a MAC address, a CPU serial number, and a motherboard serial number of at least one management and control server.
According to the authorization control device provided by the embodiment of the disclosure, the feature file of the authorization server is generated according to the hardware information of at least one management and control server, so that the authorization file is requested to be acquired from the corresponding authorization center based on the feature file, after authentication is performed based on the authentication information in the authorization file, and after the authentication is passed, authorization authority for executing authorization control operation on the target host is allocated to at least one management and control server according to the authorization information in the authorization file. Therefore, no matter how many target hosts need to be controlled by at least one control server, the authorization server only needs to acquire the authorization file once, and the authorization authority for executing the authorization control operation on the target hosts can be distributed to each control server under the condition that the authorization passes, so that the technical problem of complex operation when the authorization is performed in the state of a single machine in the related art is solved.
Based on the foregoing embodiment, the embodiment of the present disclosure further provides a possible implementation manner of an authorization control device, fig. 16 is a schematic structural diagram of an authorization control device according to a sixteenth embodiment of the present disclosure, and on the basis of the foregoing embodiment, the authorization control device further includes: a first verification module 15 and a first stop authorization module 16.
A first checking module 15, configured to periodically check hardware information of the authorization server and a UUID of an authorization client corresponding to the authorization server;
and the first authorization stopping module 16 is configured to stop authorization if the hardware information of the authorization server and/or the UUID of the authorization client corresponding to the authorization server fails to be checked.
Based on the foregoing embodiment, the embodiment of the present disclosure further provides a possible implementation manner of an authorization control device, fig. 17 is a schematic structural diagram of an authorization control device according to a seventeenth embodiment of the present disclosure, and on the basis of the foregoing embodiment, the authorization control device further includes: a logging module 17, a comparison module 18 and a second stop authorization module 19.
The recording module 17 is configured to record, in response to an authorization client corresponding to the authorization server being installed for the first time, a time when the authorization client imports the authorization file for the first time;
a comparing module 18, configured to periodically compare the time when the authorization client imports the authorization file for the first time with the system time at the current time;
and the second authorization stopping module 19 is configured to stop authorization when a difference between the system time at the current time and the time when the authorization client first imports the authorization file is greater than a preset threshold.
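The periodic checks of the first checking module (hardware information and client UUID) and of the recording, comparison and second authorization stopping modules (time elapsed since the authorization file was first imported), as an added Go example that is not the patent's own code. The ClientRecord and Observation types, the one-year threshold, the use of a precomputed hardware fingerprint string, and the treatment of a current time earlier than the recorded first import as a failure (a rolled-back clock) are assumptions; the patent only states that authorization stops when the difference exceeds a preset threshold.

```go
package main

import (
	"fmt"
	"time"
)

// ClientRecord is what the authorization server stores when the authorization
// client is installed for the first time. The struct is an assumption: the page
// says the first-import time is recorded but not where; it has to live in
// storage the client cannot rewrite, or the elapsed-time check is trivially reset.
type ClientRecord struct {
	ClientUUID          string
	HardwareFingerprint string    // fingerprint of the authorization server's hardware information at install
	FirstImportTime     time.Time // when the client first imported the authorization file
}

// Observation is what one periodic check sees right now.
type Observation struct {
	Now                 time.Time
	ClientUUID          string
	HardwareFingerprint string
}

// MaxSinceFirstImport is the preset threshold of the second authorization
// stopping module; the one-year value is an assumption.
const MaxSinceFirstImport = 365 * 24 * time.Hour

// PeriodicCheck combines the first checking module (hardware information and
// client UUID) with the comparison module (time since first import). It returns
// every failed check; a non-empty result means authorization is stopped.
func PeriodicCheck(rec ClientRecord, obs Observation) []string {
	var failed []string
	if obs.ClientUUID != rec.ClientUUID {
		failed = append(failed, "authorization client UUID changed")
	}
	if obs.HardwareFingerprint != rec.HardwareFingerprint {
		failed = append(failed, "authorization server hardware information changed")
	}
	elapsed := obs.Now.Sub(rec.FirstImportTime)
	switch {
	case elapsed < 0:
		// Added safeguard (assumption): a clock earlier than the recorded first
		// import can only mean a rolled-back system time, so it fails the check
		// instead of silently restarting the lifetime.
		failed = append(failed, "system time is earlier than the first import time")
	case elapsed > MaxSinceFirstImport:
		failed = append(failed, fmt.Sprintf("%v since first import exceeds %v", elapsed, MaxSinceFirstImport))
	}
	return failed
}

func main() {
	first := time.Date(2022, 8, 16, 12, 0, 0, 0, time.UTC) // constructed first-import time
	rec := ClientRecord{ClientUUID: "client-0001", HardwareFingerprint: "hw-fp-constructed", FirstImportTime: first}
	obs := Observation{Now: first.Add(30 * 24 * time.Hour), ClientUUID: "client-0001", HardwareFingerprint: "hw-fp-constructed"}
	fmt.Println("healthy:", PeriodicCheck(rec, obs))
	obs.Now = first.Add(400 * 24 * time.Hour)
	obs.ClientUUID = "client-9999"
	fmt.Println("failures:", PeriodicCheck(rec, obs))
}
```

Reporting all failed checks at once, rather than stopping at the first, gives the operator the full picture when a migrated or cloned authorization server trips both the hardware and the UUID check in the same period.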
Based on the foregoing embodiment, the embodiment of the present disclosure further provides a possible implementation manner of an authorization control device, fig. 18 is a schematic structural diagram of an authorization control device according to an eighteenth embodiment of the present disclosure, and on the basis of the foregoing embodiment, the authorization control device further includes: a second check-up module 20 and a third stop authorization module 21.
A second checking module 20, configured to periodically check whether the system time of the authorization server is consistent with the system time of the at least one management and control server, and check whether the system time of the management and control server is consistent with the system time of the target host for any management and control server;
and a third authorization stopping module 21, configured to stop authorization when the system time of the authorization server is inconsistent with the system time of the at least one management and control server, and/or the system time of any one management and control server is inconsistent with the system time of the target host.
Corresponding to the authorization control method provided in the embodiment of fig. 11, the present disclosure also provides an authorization control device, and since the authorization control device provided in the embodiment of the present disclosure corresponds to the authorization control method provided in the embodiment of fig. 11, the implementation of the authorization control method is also applicable to the authorization control device provided in the embodiment of the present disclosure, and is not described in detail in the embodiment of the present disclosure.
Fig. 19 is a schematic structural diagram of an authorization control device according to a nineteenth embodiment of the present disclosure.
As shown in fig. 19, the authorization control device 30 may include: a sending module 31.
A sending module 31, configured to send the authorization file to the authorization server in response to a request sent by the authorization server based on the feature file;
the authorization file is used for distributing authorization authority for executing authorization control operation on the target host to at least one management and control server under the condition that authentication is passed.
The authorization control device provided by the embodiment of the disclosure can send an authorization file to the authorization server in response to a request sent by the authorization server based on the feature file, wherein the authorization file is used for allocating authorization authority for executing authorization control operation on a target host to at least one management and control server under the condition that authentication is passed.
Corresponding to the authorization control method provided in the embodiment of fig. 12, the present disclosure further provides an authorization control device. Since this device corresponds to that method, the implementation of the method also applies to the device, and is not described in detail again here.
Fig. 20 is a schematic structural diagram of an authorization control device according to a twentieth embodiment of the disclosure.
As shown in fig. 20, the authorization control device 40 may include: a receiving module 41 and a control module 42.
The receiving module 41 is configured to receive an authorization right, which is allocated by the authorization server and used for performing an authorization control operation on the target host;
the control module 42 is used for performing management and control on the target host based on the authorization authority; the management and control comprises the control of the use number, the use duration and the use function of the target host.
The authorization control device provided by the embodiment of the disclosure receives the authorization authority distributed by the authorization server for executing authorization control operation on the target host, and performs management and control on the target host based on that authority, where the management and control includes controlling the use number, the use duration and the use function of the target host.
To implement the above embodiments, the present disclosure also provides an electronic device, which may include at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executable by the at least one processor to enable the at least one processor to perform the authorization control method set forth in any of the above-described embodiments of the present disclosure.
In order to achieve the above embodiments, the present disclosure also provides a non-transitory computer readable storage medium storing computer instructions for causing a computer to execute the authorization control method set forth in any of the above embodiments of the present disclosure.
In order to implement the above embodiments, the present disclosure also provides a computer program product, which includes a computer program that, when executed by a processor, implements the authorization control method proposed by any of the above embodiments of the present disclosure.
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
Fig. 21 shows a schematic block diagram of an example electronic device 2100 that can be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 21, the device 2100 includes a computing unit 2101, which can perform various appropriate actions and processes according to a computer program stored in a ROM (Read-Only Memory) 2102 or a computer program loaded from a storage unit 2108 into a RAM (Random Access Memory) 2103. In the RAM 2103, various programs and data necessary for the operation of the device 2100 may also be stored. The computing unit 2101, ROM 2102 and RAM 2103 are connected to each other via a bus 2104. An I/O (Input/Output) interface 2105 is also connected to the bus 2104.
A number of components in device 2100 are connected to I/O interface 2105, including: an input unit 2106 such as a keyboard, a mouse, or the like; an output unit 2107 such as various types of displays, speakers, and the like; a storage unit 2108 such as a magnetic disk, an optical disk, or the like; and a communication unit 2109 such as a network card, modem, wireless communication transceiver, etc. The communication unit 2109 allows the device 2100 to exchange information/data with other devices over a computer network, such as the internet, and/or various telecommunications networks.
The computing unit 2101 may be a variety of general-purpose and/or special-purpose processing components with processing and computing capabilities. Some examples of the computing unit 2101 include, but are not limited to, a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), various dedicated AI (Artificial Intelligence) computing chips, various computing units running machine learning model algorithms, a DSP (Digital Signal Processor), and any suitable processor, controller, microcontroller, and the like. The computing unit 2101 executes the respective methods and processes described above, such as the above-described authorization control method. For example, in some embodiments, the authorization control method described above may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as the storage unit 2108. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 2100 via the ROM 2102 and/or the communication unit 2109. When the computer program is loaded into the RAM 2103 and executed by the computing unit 2101, one or more steps of the authorization control method described above may be performed. Alternatively, in other embodiments, the computing unit 2101 may be configured in any other suitable way (e.g., by means of firmware) to perform the authorization control method described above.
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, FPGAs (Field Programmable Gate arrays), ASICs (Application-Specific Integrated circuits), ASSPs (Application Specific Standard products), SOCs (System On Chip), CPLDs (Complex Programmable Logic devices), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a RAM, a ROM, an EPROM (Erasable Programmable Read-Only Memory) or flash memory, an optical fiber, a CD-ROM (Compact Disc Read-Only Memory), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a Display device (e.g., a CRT (Cathode Ray Tube) or LCD (Liquid Crystal Display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: LAN (Local Area Network), WAN (Wide Area Network), internet, and blockchain Network.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, also called a cloud computing server or cloud host, which is a host product in a cloud computing service system that addresses the high management difficulty and weak service extensibility of traditional physical hosts and VPS (Virtual Private Server) services. The server may also be a server of a distributed system, or a server incorporating a blockchain.
It should be noted that artificial intelligence is a discipline that studies how to make a computer simulate certain human thinking processes and intelligent behaviors (such as learning, reasoning, thinking, planning, etc.), and has both hardware-level and software-level technologies. Artificial intelligence hardware technologies generally include sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing, and the like; artificial intelligence software technologies mainly include computer vision, speech recognition, natural language processing, machine learning/deep learning, big data processing, knowledge graph technology, and the like.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (28)

1. An authorization control method is applied to an authorization server, and comprises the following steps:
generating a feature file of the authorization server according to hardware information of at least one management and control server;
requesting to obtain an authorization file from a corresponding authorization center based on the feature file;
performing authentication based on the authentication information in the authorization file;
and responding to the passing of the authentication, and allocating authorization authority for executing authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file.
2. The method according to claim 1, wherein the authorization information includes an authorization total and an authorization time, and the assigning, in response to the authentication passing, an authorization right for performing an authorization control operation on a target host to the at least one management and control server according to the authorization information in the authorization file includes:
responding to the authentication, and determining the unused authorization quantity according to the authorization total number and the used authorization quantity;
and according to the unused authorization quantity and the authorization time, allocating authorization permission for executing authorization control operation on the target host to the at least one management and control server based on a preset rule.
3. The method according to claim 1, wherein the allocating, in response to the authentication passing, an authorization right for performing an authorization control operation on a target host to the at least one management and control server according to the authorization information in the authorization file includes:
responding to the authentication, and displaying the authorization information in the at least one management and control server and the authorization file under the condition that the at least one management and control server is started;
and in response to the authorization operation performed on the at least one management server based on the authorization information, allocating authorization authority for performing an authorization control operation on a target host to the at least one management server.
4. The method of claim 1, wherein the authentication information comprises an authorization time and hardware information of the authorization server, and wherein the performing authentication based on the authentication information in the authorization file comprises:
acquiring system time at the current moment and hardware information of an authorization server;
comparing the system time at the current moment with the authorization time in the authorization file, and comparing the hardware information of the authorization server at the current moment with the hardware information of the authorization server in the authorization file;
and determining that the authentication is passed in response to that the system time at the current moment does not exceed the authorization time in the authorization file and the hardware information of the authorization server at the current moment is consistent with the hardware information of the authorization server in the authorization file.
5. The method of claim 4, wherein acquiring the system time at the current moment comprises:
checking whether the system time of the authorization server is consistent with the system time of the at least one management and control server, and checking whether the system time of the management and control server is consistent with the system time of the target host for any one management and control server;
and under the condition that the system time of the authorization server is consistent with the system time of the at least one management and control server, and the system time of any one management and control server is consistent with the system time of the target host, acquiring the system time at the current moment.
6. The method according to any one of claims 1-5, further comprising:
periodically checking hardware information of the authorization server in the authorization file and a Universally Unique Identifier (UUID) of an authorization client corresponding to the authorization server;
and stopping authorization under the condition that the hardware information of the authorization server fails to be checked and/or the UUID of the authorization client corresponding to the authorization server fails to be checked.
7. The method according to any one of claims 1-5, further comprising:
responding to an authorization client corresponding to the authorization server which is installed for the first time, and recording the time for the authorization client to import the authorization file for the first time;
periodically comparing the time when the authorization client side imports the authorization file for the first time with the system time at the current moment;
and under the condition that the difference value between the system time at the current moment and the time for the authorization client to import the authorization file for the first time is greater than a preset threshold value, stopping authorization.
8. The method according to any one of claims 1-5, further comprising:
periodically checking whether the system time of the authorization server is consistent with the system time of the at least one management and control server, and for any one management and control server, checking whether the system time of the management and control server is consistent with the system time of the target host;
and stopping authorization under the condition that the system time of the authorization server is inconsistent with the system time of the at least one management and control server and/or the system time of any one management and control server is inconsistent with the system time of the target host.
9. The method according to any one of claims 1-5, wherein requesting an authorization file from a corresponding authorization center based on the feature file comprises:
carrying out public key encryption on the feature file to obtain an encrypted feature file;
sending the encrypted feature file to a corresponding authorization center, so that the authorization center decrypts the encrypted feature file with its private key to obtain the feature file and generates an authorization file based on the feature file;
and requesting the authorization center to acquire the authorization file.
10. The method according to any one of claims 1-5, wherein the feature file is used to indicate at least one of an IP address, a MAC address, a CPU serial number, and a motherboard serial number of the at least one management and control server.
11. An authorization control method is applied to an authorization center, and comprises the following steps:
in response to a request sent by an authorization server based on a profile, sending an authorization file to the authorization server;
and the authorization file is used for allocating authorization authority for executing authorization control operation on the target host to at least one management and control server under the condition that the authentication is passed.
12. An authorization control method is applied to a management and control server and comprises the following steps:
receiving authorization authority distributed by an authorization server and used for executing authorization control operation on a target host;
performing management and control on the target host based on the authorization authority; wherein the management and control comprises controlling the use number, the use duration and the use function of the target host.
13. An authorization control system, comprising:
the authorization server is used for generating a feature file of the authorization server according to the hardware information of at least one management and control server; requesting to obtain an authorization file from a corresponding authorization center based on the feature file; performing authentication based on the authentication information in the authorization file; responding to the authentication, and allocating authorization authority for executing authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file;
the authorization center is used for responding to a request sent by an authorization server based on the characteristic file and sending an authorization file to the authorization server; the authorization file is used for distributing authorization authority for executing authorization control operation on the target host to at least one management and control server under the condition that authentication is passed.
The management and control server is used for receiving the authorization authority distributed by the authorization server and used for executing the authorization control operation on the target host; performing management and control on the target host based on the authorization authority; the management and control comprises the steps of controlling the use number, the use duration and the use function of the target host;
and the target host is used for responding to the management and control of the management and control server and providing the use function for the user within the range of the use duration.
14. An authorization control device applied to an authorization server, the device comprising:
the generating module is used for generating a feature file of the authorization server according to hardware information of at least one management and control server;
the acquisition module is used for requesting an authorization center corresponding to the authorization server to acquire an authorization file based on the characteristic file;
the authentication module is used for authenticating based on the authentication information in the authorization file;
and the distribution module is used for responding to the passing of the authentication and distributing the authorization authority for executing the authorization control operation on the target host to the at least one management and control server according to the authorization information in the authorization file.
15. The apparatus of claim 14, wherein the authorization information comprises a total number of authorizations and an authorization time, and wherein the assignment module comprises:
the determining unit is used for responding to the authentication and determining the unused authorization quantity according to the authorization total number and the used authorization quantity;
and the first allocation unit is used for allocating authorization authority for executing authorization control operation on the target host to the at least one management and control server based on a preset rule according to the unused authorization quantity and the authorization time.
16. The apparatus of claim 14, wherein the assignment module comprises:
the display unit is used for responding to the authentication and displaying the at least one management and control server and the authorization information in the authorization file under the condition that the at least one management and control server is started;
a second allocating unit configured to allocate, to the at least one management and control server, an authorization right for performing an authorization control operation on a target host in response to an authorization operation performed on the at least one management and control server based on the authorization information.
17. The apparatus of claim 14, wherein the authentication information comprises an authorization time and hardware information of the authorization server, and wherein the authentication module comprises:
the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring the system time at the current moment and the hardware information of an authorization server;
the comparison unit is used for comparing the system time at the current moment with the authorization time in the authorization file, and comparing the hardware information of the authorization server at the current moment with the hardware information of the authorization server in the authorization file;
and the determining unit is used for responding that the system time at the current moment does not exceed the authorization time in the authorization file, and the hardware information of the authorization server at the current moment is consistent with the hardware information of the authorization server in the authorization file, and determining that the authentication is passed.
18. The apparatus of claim 17, wherein the acquisition unit is further configured to:
checking whether the system time of the authorization server is consistent with the system time of the at least one management and control server, and checking whether the system time of the management and control server is consistent with the system time of the target host for any one management and control server;
and under the condition that the system time of the authorization server is consistent with the system time of the at least one management and control server, and the system time of any one management and control server is consistent with the system time of the target host, acquiring the system time at the current moment.
19. The apparatus of any one of claims 14-18, further comprising:
the first checking module is used for periodically checking the hardware information of the authorization server and the UUID of the authorization client corresponding to the authorization server;
and the first authorization stopping module is used for stopping authorization under the condition that the hardware information of the authorization server fails to be checked and/or the UUID of the authorization client corresponding to the authorization server fails to be checked.
20. The apparatus of any one of claims 14-18, further comprising:
the recording module is used for responding to an authorization client corresponding to the authorization server which is installed for the first time and recording the time for the authorization client to import the authorization file for the first time;
the comparison module is used for periodically comparing the time of the authorization client for importing the authorization file for the first time with the system time of the current moment;
and the second authorization stopping module is used for stopping authorization under the condition that the difference value between the system time at the current moment and the time for the authorization client to import the authorization file for the first time is greater than a preset threshold value.
21. The apparatus of any one of claims 14-18, further comprising:
the second checking module is used for periodically checking whether the system time of the authorization server is consistent with the system time of the at least one management and control server, and checking whether the system time of the management and control server is consistent with the system time of the target host for any management and control server;
and the third authorization stopping module is used for stopping authorization under the condition that the system time of the authorization server is inconsistent with the system time of the at least one management and control server and/or the system time of any one management and control server is inconsistent with the system time of the target host.
22. The apparatus according to any one of claims 14-18, wherein the obtaining module comprises:
the encryption unit is used for carrying out public key encryption on the feature file to obtain an encrypted feature file;
the sending unit is used for sending the encrypted feature file to a corresponding authorization center, so that the authorization center decrypts the encrypted feature file with its private key to obtain the feature file and generates an authorization file based on the feature file;
and the acquisition unit is used for requesting the authorization center to acquire the authorization file.
23. The apparatus according to any of claims 14-18, wherein the feature file is configured to indicate at least one of an IP address, a MAC address, a CPU serial number, and a motherboard serial number of the at least one management and control server.
24. An authorization control device applied to an authorization center, the device comprising:
the sending module is used for responding to a request sent by the authorization server based on the characteristic file and sending the authorization file to the authorization server;
and the authorization file is used for allocating authorization authority for executing authorization control operation on the target host to at least one management and control server under the condition that the authentication is passed.
25. An authorization control device is applied to a management and control server and comprises:
the receiving module is used for receiving the authorization authority distributed by the authorization server and used for executing the authorization control operation on the target host;
the control module is used for executing management and control on the target host based on the authorization authority; wherein the management and control comprises controlling the use number, the use duration and the use function of the target host.
26. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-10, or to perform the method of claim 11, or to perform the method of claim 12.
27. A non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method of any one of claims 1-10, the method of claim 11, or the method of claim 12.
28. A computer program product comprising a computer program which, when executed by a processor, implements the method of any one of claims 1-10, the method of claim 11, or the method of claim 12.
CN202210978077.0A 2022-08-15 2022-08-15 Authorization control method, device and system Pending CN115310068A (en)

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202210978077.0A | CN115310068A (en) | 2022-08-15 | 2022-08-15 | Authorization control method, device and system

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202210978077.0A | CN115310068A (en) | 2022-08-15 | 2022-08-15 | Authorization control method, device and system

Publications (1)

Publication Number | Publication Date
CN115310068A (true) | 2022-11-08

Family

ID=83862340

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN202210978077.0A | Pending | CN115310068A (en) | 2022-08-15 | 2022-08-15 | Authorization control method, device and system

Country Status (1)

Country | Link
CN (1) | CN115310068A (en)

Similar Documents

Publication | Title
US11146589B2 (en) Out-of-band challenge in a computer system
CN110414268B (en) Access control method, device, equipment and storage medium
RU2620998C2 (en) Method and authentication device for unlocking administrative rights
US9286455B2 (en) Real identity authentication
US8561152B2 (en) Target-based access check independent of access request
WO2022247359A1 (en) Cluster access method and apparatus, electronic device, and medium
US20130318576A1 (en) Method, device, and system for managing user authentication
US10432622B2 (en) Securing biometric data through template distribution
US20220255947A1 (en) Gradual Credential Disablement
CN114117376B (en) Identity authentication method, method for distributing dynamic password and corresponding equipment
WO2021139244A1 (en) Permissions request verification method and apparatus, device, and storage medium
US20180004934A1 (en) Systems and methods to enable automatic password management in a proximity based authentication
TW201415277A (en) Account management system and method
US8495730B2 (en) Dynamically constructed capability for enforcing object access order
US20140007197A1 (en) Delegation within a computing environment
CN108390892B (en) Control method and device for security access of remote storage system
CN115310068A (en) Authorization control method, device and system
US20150170443A1 (en) User permissions based control of pooled features on demand activation keys
US10348490B2 (en) Information processing device, authorization system, information processing method, and recording medium
US8171302B2 (en) Method and system for creating a pre-shared key
US20220067215A1 (en) Media exfiltration prevention system
CN114547592A (en) Data processing method and device and electronic equipment
CN112733101A (en) Cloud server management method, device, storage medium and server terminal
CN105868603A (en) Configuration data based fingerprinting for access to a resource
CN108322421B (en) Computer system safety management method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination