CN115695017A - Multi-tenant access control method suitable for cloud platform operation - Google Patents


Info

Publication number
CN115695017A
CN115695017A
Authority
CN
China
Prior art keywords
data
central control
control module
tenant
memory
Prior art date
Legal status
Granted
Application number
CN202211367228.5A
Other languages
Chinese (zh)
Other versions
CN115695017B (en)
Inventor
莫剑峰
刘惠航
傅林
刘晓静
黄翔
Current Assignee
China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Original Assignee
China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Priority date
Filing date
Publication date
Application filed by China Southern Power Grid Digital Platform Technology Guangdong Co ltd
Priority to CN202211367228.5A
Publication of CN115695017A
Application granted
Publication of CN115695017B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a multi-tenant access control method suitable for cloud platform operation, comprising: step s1, when the personal information entered by a user matches the pre-stored user information, authenticating the user as a tenant; step s2, judging, according to the grade of the user at the terminal, whether the user has the authority to acquire the data; step s3, when the tenant is judged to have that authority, deciding whether to encrypt the data before delivering it; step s4, judging the grade of the data by analysing its type; and step s5, controlling the storage module to send the corresponding data to the terminal used by the tenant. According to the invention, different access authorities are set according to the grades of the users, which effectively avoids the loss of platform security caused by leakage of users' information; meanwhile, the central control module applies encryption appropriate to the grade of the data, which effectively guarantees the safety of the data and further improves the safety factor of the platform.

Description

Multi-tenant access control method suitable for cloud platform operation
Technical Field
The invention relates to the technical field of data security, in particular to a multi-tenant access control method suitable for cloud platform operation.
Background
Cloud computing provides processing, storage, infrastructure and software services from a large-scale resource pool to users over the Internet, achieving IT services that are low in cost, automated, rapidly provisioned and elastically scalable. A cloud computing service can lease instances to different tenants so that a plurality of tenants share data resources, which reduces enterprise cost and improves enterprise efficiency. However, a tenant that uses its service through the shared data platform does not want its own data to be accessed by other tenants, so how to implement secure multi-tenant access control is an urgent problem to be solved.
Chinese patent publication No. CN108259422B discloses a method and apparatus for multi-tenant access control, the method comprising: acquiring the attributes corresponding to each role; clustering the roles that correspond to the same attribute into a task group; and generating corresponding access information for each task group according to the attributes of the roles in that task group, so that the operation authority over a resource is obtained using the access information corresponding to the task group. Although that invention controls the access of a plurality of tenants, it still cannot effectively prevent one tenant from acquiring the information of other tenants while using the data, so its safety factor is low.
Disclosure of Invention
Therefore, the invention provides a multi-tenant access control method suitable for cloud platform operation, which is used to solve the problem in the prior art that the safety factor is low because different tenants cannot be prevented from acquiring the information of other tenants while using the data.
In order to achieve the above object, the present invention provides a multi-tenant access control method suitable for cloud platform operation, including:
step s1, when the personal information entered by a user matches the pre-stored user information, authenticating the user as a tenant and sending the corresponding public key and private key to the user;
step s2, when a single terminal sends a data retrieval request, the central control module judges, according to the grade of the user at that terminal, whether the user has the authority to acquire the data;
step s3, when the tenant at the terminal is judged to have the authority to acquire the data, the central control module judges, according to the grade of the data, whether to encrypt the data before transmitting it;
step s4, when the central control module receives a data upload request from the terminal, the central control module judges the grade of the data by analysing the type of the data;
and step s5, when the central control module judges that the tenant has the authority to acquire the data, the central control module controls the storage module to send the corresponding data to the terminal used by the tenant.
Further, the data comprises personal data used only by the corresponding single tenant, primary public data used only by the tenants, and secondary public data used by the tenants and readable by guests; for data of different levels the central control module adds a corresponding prefix code:
for personal data, the prefix code of the data is recorded as A, and the central control module controls the storage module to output the corresponding data to the encryption module and controls the encryption module to select an encryption mode according to the authentication information of the tenant and encrypt the data;
for primary public data, the prefix code of the data is recorded as B, and the central control module controls the storage module to output the corresponding data to the encryption module and controls the encryption module to select a corresponding encryption mode and encrypt the data;
for secondary public data, the prefix code of the data is recorded as C, and the central control module does not encrypt the data.
Further, when a tenant acquires secondary public data, the central control module controls the storage module to send the corresponding secondary public data to the terminal used by the tenant;
when a tenant acquires primary public data, the central control module controls the storage module to output the corresponding data to the encryption module, the encryption module performs a primary encryption of the primary public data using the general encryption mode and transmits the encrypted primary public data to the terminal used by the tenant, and the tenant decrypts the encrypted primary public data using the public key to obtain the primary public data;
when a tenant acquires personal data, the central control module controls the storage module to output the corresponding personal data to the encryption module, the encryption module performs a primary encryption of the personal data using the general encryption mode and, once that is complete, a secondary encryption using the corresponding personal encryption mode; after the secondary encryption is complete, the encryption module transmits the doubly encrypted personal data to the terminal used by the tenant, and the tenant first decrypts it using the private key and then performs the second decryption of the once-decrypted personal data using the public key to obtain the personal data.
Further, the central control module is provided with a preset value N0 for the number of tenants and adjusts the key change period according to the number of tenants N:
if N ≤ N0, the central control module sets the key change period to T0;
if N0 < N ≤ 2N0, the central control module sets the key change period to T0/2;
if N > 2N0, the central control module sets the key change period to T0/4.
Further, when the central control module adjusts the data grade according to the ratio of the memory occupied by data of a single category to the total memory occupied by the data, the central control module obtains the ratio Q of the memory occupied by personal data to the memory occupied by all data and compares Q with a preset ratio Q0 to decide whether to adjust the grade of the personal data:
if Q ≤ Q0, the central control module does not adjust the grade of the personal data;
if Q > Q0, the central control module decides to change personal data into primary public data, calculates ΔQ, and determines according to ΔQ the proportion P of the personal data memory that is to be redistributed relative to the total personal data memory.
Further, when the central control module has finished changing personal data into primary public data, it compares the ratio of the memory of the remaining personal data to the total data memory with the preset ratio, adjusts the distribution rates of the different data grades according to the result of the comparison, detects the ratio of personal data memory to total data memory again and records it as Q':
if Q' > Q0, the central control module adjusts the distribution rates of the different levels according to ΔQ', reducing the memory share of the primary public data and increasing the memory share of the personal data;
if Q' ≤ Q0, the central control module does not adjust the distribution rates of the different grades.
Further, when the central control module determines according to ΔQ the proportion P of the personal data memory to be redistributed relative to the total personal data memory, the central control module is provided with a first preset difference ΔQ1, a second preset difference ΔQ2, a first proportion adjustment coefficient α1 and a second proportion adjustment coefficient α2, where ΔQ1 < ΔQ2 and α2 < α1 < 1:
if ΔQ ≤ ΔQ1, the central control module does not adjust the proportion P of the personal data memory to be redistributed relative to the total personal data memory;
if ΔQ1 < ΔQ ≤ ΔQ2, the central control module adjusts the proportion P using α1;
if ΔQ > ΔQ2, the central control module adjusts the proportion P using α2;
when the central control module determines that P is to be adjusted using αi (i = 1, 2), the adjusted proportion of the personal data memory to be redistributed relative to the total personal data memory is recorded as P', with P' = P × αi.
Further, the central control module adjusts the preset ratio Q0 according to the difference ΔR between the number of tenants R and a preset value R0; the central control module is provided with a first preset difference ΔR1, a second preset difference ΔR2, a first ratio adjustment coefficient β1 and a second ratio adjustment coefficient β2, where ΔR1 < ΔR2 and 1 < β1 < β2:
if ΔR ≤ ΔR1, the central control module does not adjust the preset ratio Q0;
if ΔR1 < ΔR ≤ ΔR2, the central control module adjusts the preset ratio Q0 using β1;
if ΔR > ΔR2, the central control module adjusts the preset ratio Q0 using β2;
when the central control module determines that Q0 is to be adjusted using βj (j = 1, 2), the adjusted preset ratio is recorded as Q0', with Q0' = Q0 × βj.
Further, the central control module judges according to the grade of the user whether the user has the authority to acquire data of the different grades:
if the user is an administrator, the central control module judges that the user has the authority to browse and use the personal data, the primary public data and the secondary public data;
if the user is a tenant, the central control module judges that the user has the authority to browse and use the personal data, the primary public data and the secondary public data;
if the user is a guest, the central control module judges that the user has only the authority to browse the secondary public data and has no authority to use the personal data, the primary public data or the secondary public data.
Further, the central control module assigns uploaded data to the corresponding grade by analysing the type of the data:
if the data type is private information of the tenant, the central control module files it as personal data;
if the data type is information for improving or maintaining the cloud platform, the central control module files it as primary public data;
and if the data type is a current-affairs news headline or a general encyclopedia entry, the central control module files it as secondary public data.
Compared with the prior art, the invention has the advantage that the central control module sets different access authorities according to the grade of the user, which effectively solves the problem of the platform's security being degraded by leakage of users' personal information; meanwhile, the central control module applies encryption appropriate to the grade of the data, which effectively ensures the safety of the data and improves the safety factor of the platform.
Further, for data of different grades the central control module adds corresponding prefix codes, which classifies the data effectively, makes it easier for users to distinguish and search, and further improves the safety factor for tenants using the platform.
Further, when tenants access data of different levels the platform processes the data differently: when a tenant accesses secondary public data, the central control module transmits it to the tenant terminal directly; when a tenant accesses primary public data, the encryption module performs a primary encryption using the general encryption mode and transmits the encrypted data to the tenant terminal; when a tenant accesses personal data, the encryption module encrypts it twice before transmitting it to the tenant terminal. Through this arrangement the safety of the data is effectively guaranteed and the safety factor of the platform is further improved.
Further, the invention adjusts the key change period according to the number of tenants, shortening the period as the number of tenants increases, which further ensures the safety of the data and improves the safety factor of the platform.
Further, the central control module adjusts the data grade according to the ratio of the memory occupied by data of a single category to the total memory; through this arrangement resources can be allocated reasonably, the platform is better organised, and data loss caused by an uneven memory ratio is avoided.
Further, the central control module is provided with a plurality of preset differences and proportion adjustment coefficients, and adjusts the proportion of the personal data memory to be redistributed relative to the total personal data memory by comparing ΔQ with the preset differences, which effectively ensures the proportion of each grade of data, distributes the data evenly, and further improves the safety factor of the platform.
Further, for the number of tenants the central control module is provided with a plurality of preset differences and ratio adjustment coefficients, and adjusts the preset ratio Q0 by comparing ΔR with the preset differences, which ensures the proportion of the tenants' personal data, effectively meets the tenants' usage requirements, and further improves the safety factor of the platform.
Drawings
Fig. 1 is a block diagram of a multi-tenant access control method suitable for cloud platform operation according to an embodiment of the present invention;
fig. 2 is a flowchart of a multi-tenant access control method suitable for cloud platform operation according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the invention is further described below with reference to examples; it should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principle of the present invention, and do not limit the scope of the present invention.
It should be noted that in the description of the present invention, the terms of direction or positional relationship indicated by the terms "upper", "lower", "left", "right", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, which are only for convenience of description, and do not indicate or imply that the device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless otherwise explicitly specified or limited, the terms "mounted" and "connected" are to be construed broadly and may mean, for example, fixedly connected, detachably connected or integrally connected; mechanically or electrically connected; connected directly or indirectly through an intervening medium; or an interconnection between the interiors of two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to the specific situation.
Fig. 1 is a block diagram of the multi-tenant access control method suitable for cloud platform operation according to an embodiment of the present invention. The terminal is the medium through which an administrator, a tenant or a guest uses the platform; the authentication module verifies the user's identity information; the central control module judges whether the user has the right to access and acquire the data and controls the storage module to send the corresponding data to the terminal used by the tenant; the encryption module, arranged at the output end of the central control module, encrypts the data output by the central control module; and the storage module stores information and sends the corresponding data to the terminal used by the tenant.
Referring to fig. 2, which is a flowchart of the multi-tenant access control method suitable for cloud platform operation according to an embodiment of the present invention,
the multi-tenant access control method suitable for cloud platform operation comprises the following steps:
step s1, when the personal information entered by a user matches the pre-stored user information, authenticating the user as a tenant and sending the corresponding public key and private key to the user;
step s2, when a single terminal sends a data retrieval request, the central control module judges, according to the grade of the user at that terminal, whether the user has the authority to acquire the data;
step s3, when the tenant at the terminal is judged to have the authority to acquire the data, the central control module judges, according to the grade of the data, whether to encrypt the data before transmitting it;
step s4, when the central control module receives a data upload request from the terminal, the central control module judges the grade of the data by analysing the type of the data;
and step s5, when the central control module judges that the tenant has the authority to acquire the data, the central control module controls the storage module to send the corresponding data to the terminal used by the tenant.
Specifically, the data comprises personal data used only by the corresponding single tenant, primary public data used only by the tenants, and secondary public data used by the tenants and readable by guests; for data of different levels the central control module adds a corresponding prefix code:
for personal data, the prefix code of the data is recorded as A, and the central control module controls the storage module to output the corresponding data to the encryption module and controls the encryption module to select an encryption mode according to the authentication information of the tenant and encrypt the data;
for primary public data, the prefix code of the data is recorded as B, and the central control module controls the storage module to output the corresponding data to the encryption module and controls the encryption module to select a corresponding encryption mode and encrypt the data;
for secondary public data, the prefix code of the data is recorded as C, and the central control module does not encrypt the data.
For data of different grades the central control module adds corresponding prefix codes, which classifies the data effectively, makes it easier for users to distinguish and search, and further improves the safety factor for tenants using the platform.
Specifically, when a tenant acquires secondary public data, the central control module controls the storage module to send the corresponding secondary public data to the terminal used by the tenant;
when a tenant acquires primary public data, the central control module controls the storage module to output the corresponding data to the encryption module, the encryption module performs a primary encryption of the primary public data using the general encryption mode and transmits the encrypted primary public data to the terminal used by the tenant, and the tenant decrypts the encrypted primary public data using the public key to obtain the primary public data;
when a tenant acquires personal data, the central control module controls the storage module to output the corresponding personal data to the encryption module, the encryption module performs a primary encryption of the personal data using the general encryption mode and, once that is complete, a secondary encryption using the corresponding personal encryption mode; after the secondary encryption is complete, the encryption module transmits the doubly encrypted personal data to the terminal used by the tenant, and the tenant first decrypts it using the private key and then performs the second decryption of the once-decrypted personal data using the public key to obtain the personal data.
According to the invention, when tenants access data of different levels the platform processes the data differently: when a tenant accesses secondary public data, the central control module transmits it to the tenant terminal directly; when a tenant accesses primary public data, the encryption module performs a primary encryption using the general encryption mode and transmits the encrypted data to the tenant terminal; when a tenant accesses personal data, the encryption module encrypts it twice before transmitting it to the tenant terminal. Through this arrangement the safety of the data is effectively guaranteed and the safety factor of the platform is further improved.
Specifically, the central control module is provided with a preset value N0 for the number of tenants and adjusts the key change period according to the number of tenants N:
if N ≤ N0, the central control module sets the key change period to T0;
if N0 < N ≤ 2N0, the central control module sets the key change period to T0/2;
if N > 2N0, the central control module sets the key change period to T0/4.
The invention adjusts the key change period according to the number of tenants, shortening the period as the number of tenants increases, which further ensures the safety of the data and improves the safety factor of the platform.
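The level-dependent delivery described above (no encryption for grade C, one layer for grade B, two layers for grade A) together with the tenant-count-driven key change period, as an added worked example in Python; this is not code from the patent, and the patent names no algorithm. The example assumes that the "general encryption mode" is an authenticated stream cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only because the Python standard library has no AES) under a platform-wide key re-derived each rotation period, and that the "personal encryption mode" is the same cipher under a per-tenant key derived from the tenant's authentication information. The patent's statement that the tenant decrypts with a public key is not reproduced: an operation that a public key undoes must have been performed with the matching private key on the platform side, which gives authenticity rather than confidentiality against anyone holding that public key, so both layers here are keyed symmetrically. Function names, key-derivation inputs and the tenant-1/tenant-2 sample data are the example's own.

```python
"""Level-dependent delivery (step s3) with tenant-count-driven key rotation.

Added example; not code from the patent. Assumptions not in the patent text:
  * the "general encryption mode" is an authenticated stream cipher under a platform-wide
    key that is re-derived every rotation period (T0, T0/2 or T0/4 by tenant count);
  * the "personal encryption mode" is the same cipher under a per-tenant key derived from
    the tenant's authentication information (tenant id and a per-tenant secret);
  * the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, used only
    because the standard library has no AES.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def rotation_period(n_tenants: int, n0: int, t0: float) -> float:
    """Patent rule: T0 if N <= N0, T0/2 if N0 < N <= 2N0, else T0/4."""
    if n_tenants <= n0:
        return t0
    if n_tenants <= 2 * n0:
        return t0 / 2
    return t0 / 4


def general_key(master: bytes, n_tenants: int, n0: int, t0: float, now: float) -> bytes:
    """Platform-wide key for the current rotation epoch; changes when the epoch counter changes."""
    epoch = int(now // rotation_period(n_tenants, n0, t0))
    return hmac.new(master, b"general|" + struct.pack(">Q", epoch), hashlib.sha256).digest()


def personal_key(tenant_id: str, tenant_secret: bytes) -> bytes:
    """Per-tenant key derived from the tenant's authentication information (assumed inputs)."""
    return hmac.new(tenant_secret, b"personal|" + tenant_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, with the tag over (nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before decrypting; a wrong key or modified data fails here."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def deliver(level: str, data: bytes, gkey: bytes, pkey: Optional[bytes] = None) -> bytes:
    """Platform side. C: plaintext; B: general layer only; A: general layer, then personal layer."""
    if level == "C":
        return data
    if level == "B":
        return encrypt(gkey, data)
    if level == "A":
        if pkey is None:
            raise ValueError("personal data requires the owning tenant's key")
        return encrypt(pkey, encrypt(gkey, data))
    raise ValueError(f"unknown data level {level!r}")


def receive(level: str, blob: bytes, gkey: bytes, pkey: Optional[bytes] = None) -> bytes:
    """Tenant side: strip the layers in reverse order (personal layer first, then general)."""
    if level == "C":
        return blob
    if level == "A":
        if pkey is None:
            raise ValueError("personal data requires the owning tenant's key")
        blob = decrypt(pkey, blob)
    return decrypt(gkey, blob)


if __name__ == "__main__":
    gk = general_key(b"platform-master-secret", n_tenants=12, n0=10, t0=3600, now=5000)
    k1, k2 = personal_key("tenant-1", b"secret-1"), personal_key("tenant-2", b"secret-2")
    blob = deliver("A", b"tenant-1 private record", gk, k1)
    print(receive("A", blob, gk, k1))
    try:
        receive("A", blob, gk, k2)  # another tenant: rejected at the personal layer
    except ValueError as e:
        print("tenant-2 rejected:", e)
```

The point to observe is the second tenant's failure: the outer (personal) layer is authenticated, so a tenant holding only its own key is rejected before any plaintext is produced, which is the isolation the patent attributes to the per-tenant encryption mode. Rotation is expressed as an epoch counter, so a newly derived key takes effect as soon as the period elapses; data encrypted under an earlier epoch must either be re-encrypted or carry its epoch alongside the blob, which the patent does not address.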
Specifically, when the central control module adjusts the data grade according to the ratio of the memory occupied by data of a single category to the total memory occupied by the data, the central control module obtains the ratio Q of the memory occupied by personal data to the memory occupied by all data and compares Q with a preset ratio Q0 to decide whether to adjust the grade of the personal data:
if Q ≤ Q0, the central control module does not adjust the grade of the personal data;
if Q > Q0, the central control module decides to change personal data into primary public data, calculates ΔQ, and determines according to ΔQ the proportion P of the personal data memory that is to be redistributed relative to the total personal data memory.
The central control module adjusts the data grade according to the ratio of the memory occupied by data of a single category to the total memory; through this arrangement resources can be allocated reasonably, the platform is better organised, and data loss caused by an uneven memory ratio is avoided.
Specifically, when the central control module has finished changing personal data into primary public data, it compares the ratio of the memory of the remaining personal data to the total data memory with the preset ratio, adjusts the distribution rates of the different data grades according to the result of the comparison, detects the ratio of personal data memory to total data memory again and records it as Q':
if Q' > Q0, the central control module adjusts the distribution rates of the different levels according to ΔQ', reducing the memory share of the primary public data and increasing the memory share of the personal data;
if Q' ≤ Q0, the central control module does not adjust the distribution rates of the different grades.
Specifically, when the central control module determines according to ΔQ the proportion P of the personal data memory to be redistributed relative to the total personal data memory, the central control module is provided with a first preset difference ΔQ1, a second preset difference ΔQ2, a first proportion adjustment coefficient α1 and a second proportion adjustment coefficient α2, where ΔQ1 < ΔQ2 and α2 < α1 < 1:
if ΔQ ≤ ΔQ1, the central control module does not adjust the proportion P of the personal data memory to be redistributed relative to the total personal data memory;
if ΔQ1 < ΔQ ≤ ΔQ2, the central control module adjusts the proportion P using α1;
if ΔQ > ΔQ2, the central control module adjusts the proportion P using α2;
when the central control module determines that P is to be adjusted using αi (i = 1, 2), the adjusted proportion of the personal data memory to be redistributed relative to the total personal data memory is recorded as P', with P' = P × αi.
According to the invention, the central control module is provided with a plurality of preset differences and proportion adjustment coefficients, and adjusts the proportion of the personal data memory to be redistributed relative to the total personal data memory by comparing ΔQ with the preset differences, which effectively ensures the proportion of each grade of data, distributes the data evenly, and further improves the safety factor of the platform.
Specifically, the central control module adjusts the preset ratio Q0 according to the difference ΔR between the number of tenants R and a preset value R0; the central control module is provided with a first preset difference ΔR1, a second preset difference ΔR2, a first ratio adjustment coefficient β1 and a second ratio adjustment coefficient β2, where ΔR1 < ΔR2 and 1 < β1 < β2:
if ΔR ≤ ΔR1, the central control module does not adjust the preset ratio Q0;
if ΔR1 < ΔR ≤ ΔR2, the central control module adjusts the preset ratio Q0 using β1;
if ΔR > ΔR2, the central control module adjusts the preset ratio Q0 using β2;
when the central control module determines that Q0 is to be adjusted using βj (j = 1, 2), the adjusted preset ratio is recorded as Q0', with Q0' = Q0 × βj.
According to the invention, for the number of tenants the central control module is provided with a plurality of preset differences and ratio adjustment coefficients, and adjusts the preset ratio Q0 by comparing ΔR with the preset differences, which ensures the proportion of the tenants' personal data and further improves the safety factor of the platform while effectively meeting the tenants' usage requirements.
Specifically, the central control module judges, from the user's level, whether the user has authority to acquire data of the different levels:
if the user is an administrator, the central control module judges that the user has authority to browse and use the personal data, the primary public data and the secondary public data;
if the user is a tenant, the central control module judges that the user has authority to browse and use the personal data, the primary public data and the secondary public data;
if the user is a visitor (guest), the central control module judges that the user has authority only to browse the secondary public data, and has no authority to use the personal data, the primary public data or the secondary public data.
Specifically, the central control module files uploaded data at the corresponding level by analysing the data type:
if the data type is a tenant's private information, the central control module files it as personal data;
if the data type is information for improving or maintaining the cloud platform, the central control module files it as primary public data;
if the data type is current-affairs news or general reference (encyclopedia-style) content, the central control module files it as secondary public data.
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of the present invention is obviously not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A multi-tenant access control method suitable for cloud platform operation, characterised in that it comprises the following steps:
step s1: when the personal information entered by a user matches the pre-stored user information, the user is authenticated as a tenant and a corresponding public key and private key are sent to the user;
step s2: when a terminal sends a data acquisition request, the central control module judges, from the level of the user at the terminal, whether the user has authority to acquire the data;
step s3: when the tenant at the terminal is judged to have authority to acquire the data, the central control module decides, from the level of the data, whether to encrypt the data before transmitting it;
step s4: when the central control module receives a data upload request from the terminal, it judges the level of the data by analysing the data type;
step s5: when the central control module judges that the tenant has authority to acquire the data, it controls the storage module to send the corresponding data to the terminal used by the tenant.
2. The multi-tenant access control method suitable for cloud platform operation according to claim 1, characterised in that the data comprise personal data that belong to a single corresponding tenant only, primary public data that every tenant may access, and secondary public data that every tenant and every visitor may view; the central control module adds a corresponding prefix code to data of each level:
for personal data the prefix code is A, and the central control module controls the storage module to output the data to the encryption module and controls the encryption module to select an encryption mode matching the tenant's authentication information and encrypt the data;
for primary public data the prefix code is B, and the central control module controls the storage module to output the data to the encryption module and controls the encryption module to select the corresponding encryption mode and encrypt the data;
for secondary public data the prefix code is C, and the central control module does not encrypt the data.
3. The multi-tenant access control method suitable for cloud platform operation according to claim 2, characterised in that when a tenant acquires secondary public data, the central control module controls the storage module to send the secondary public data directly to the terminal used by the tenant;
when a tenant acquires primary public data, the central control module controls the storage module to output the data to the encryption module, the encryption module performs a first encryption of the primary public data using the general encryption mode and transmits the encrypted primary public data to the terminal used by the tenant, and the tenant decrypts it using the public key to obtain the primary public data;
when a tenant acquires personal data, the central control module controls the storage module to output the personal data to the encryption module, the encryption module performs a first encryption using the general encryption mode and, once that is complete, a second encryption using the tenant's personal encryption mode, then transmits the doubly encrypted personal data to the terminal used by the tenant; the tenant performs the first decryption using the private key and the second decryption of the once-decrypted data using the public key to obtain the personal data.
4. The multi-tenant access control method suitable for cloud platform operation according to claim 3, characterised in that the central control module sets a preset value N0 for the number of tenants and adjusts the key change period according to the number of tenants N:
if N ≤ N0, the central control module sets the key change period to T0;
if N0 < N ≤ 2N0, the central control module sets the key change period to T0/2;
if N > 2N0, the central control module sets the key change period to T0/4.
5. The multi-tenant access control method suitable for cloud platform operation according to claim 4, characterised in that when the central control module adjusts a data level according to the ratio of the memory occupied by a single data category to the total data memory, the central control module determines Q, the ratio of the personal data memory to the total data memory, and compares Q with a preset ratio Q0 to decide whether to adjust the personal data level:
if Q ≤ Q0, the central control module does not adjust the personal data level;
if Q > Q0, the central control module judges that personal data is to be changed into primary public data, calculates ΔQ, and determines from ΔQ the ratio P of the personal data memory to be reallocated to the total personal data memory.
6. The multi-tenant access control method suitable for cloud platform operation according to claim 5, characterised in that when the central control module has finished changing personal data into primary public data, it compares the ratio of the memory of the changed personal data to the total data memory against the preset ratio, adjusts the data distribution rates of the different levels according to the result, and re-measures the ratio of the personal data memory to the total data memory as Q':
if Q' > Q0, the central control module adjusts the distribution rates of the different levels according to ΔQ', reducing the memory share of the primary public data and increasing the memory share of the personal data;
if Q' ≤ Q0, the central control module does not adjust the distribution rates of the different levels.
7. The multi-tenant access control method suitable for cloud platform operation according to claim 6, characterised in that the central control module determines from ΔQ the ratio P of the personal data memory to be reallocated to the total personal data memory; the central control module is provided with a first preset difference ΔQ1, a second preset difference ΔQ2, a first ratio adjustment coefficient α1 and a second ratio adjustment coefficient α2, where ΔQ1 < ΔQ2 and α2 < α1 < 1:
if ΔQ ≤ ΔQ1, the central control module does not adjust the ratio P of the personal data memory to be reallocated to the total personal data memory;
if ΔQ1 < ΔQ ≤ ΔQ2, the central control module adjusts the ratio P of the personal data memory to be reallocated to the total personal data memory using α1;
if ΔQ > ΔQ2, the central control module adjusts the ratio P of the personal data memory to be reallocated to the total personal data memory using α2;
when the central control module determines that P must be adjusted using αi (i = 1, 2), the adjusted ratio of the personal data memory to be reallocated to the total personal data memory is recorded as P', with P' = P × αi.
8. The multi-tenant access control method suitable for cloud platform operation according to claim 7, characterised in that the central control module adjusts the preset ratio Q0 according to the difference ΔR between the number of tenants R and a preset value R0; the central control module is provided with a first preset difference ΔR1, a second preset difference ΔR2, a first ratio adjustment coefficient β1 and a second ratio adjustment coefficient β2, where ΔR1 < ΔR2 and 1 < β1 < β2:
if ΔR ≤ ΔR1, the central control module does not adjust the preset ratio Q0;
if ΔR1 < ΔR ≤ ΔR2, the central control module adjusts the preset ratio Q0 using β1;
if ΔR > ΔR2, the central control module adjusts the preset ratio Q0 using β2;
when the central control module determines that Q0 must be adjusted using βj (j = 1, 2), the adjusted preset ratio is recorded as Q0', with Q0' = Q0 × βj.
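The adaptive parameters of claims 4 to 8 (key change period, preset ratio Q0 and reallocation share P) are easy to get subtly wrong when coded from the inequalities alone, so here is an added worked example in Python. It is not the patent's own code. Everything not on the page is an assumption: ΔQ is taken as Q − Q0 and ΔR as R − R0, the threshold and coefficient values in the usage section are illustrative, and the `rebalance` helper that chains claims 5 to 7 is a reading of the text, not a specification.

```python
"""Adaptive parameters of claims 4 to 8 (key change period, preset ratio Q0,
reallocation share P), as an added example rather than the patent's code.

Assumptions not stated on the page: dQ = Q - Q0 and dR = R - R0; the numeric
thresholds and coefficients used in the usage section are illustrative only.
"""
from dataclasses import dataclass


def key_change_period(n_tenants: int, n0: int, t0: float) -> float:
    """Claim 4: halve, then quarter, the key change period as tenants grow."""
    if n_tenants < 0 or n0 <= 0 or t0 <= 0:
        raise ValueError("N must be >= 0; N0 and T0 must be > 0")
    if n_tenants <= n0:
        return t0
    if n_tenants <= 2 * n0:
        return t0 / 2
    return t0 / 4


@dataclass(frozen=True)
class RatioPolicy:
    """Thresholds and coefficients of claims 7 and 8, validated on construction."""
    dq1: float
    dq2: float
    alpha1: float
    alpha2: float
    dr1: float
    dr2: float
    beta1: float
    beta2: float

    def __post_init__(self) -> None:
        # Claim 7 orders the constants as dQ1 < dQ2 and alpha2 < alpha1 < 1.
        if not (self.dq1 < self.dq2 and 0 < self.alpha2 < self.alpha1 < 1):
            raise ValueError("claim 7 needs dQ1 < dQ2 and 0 < alpha2 < alpha1 < 1")
        # Claim 8 orders them as dR1 < dR2 and 1 < beta1 < beta2.
        if not (self.dr1 < self.dr2 and 1 < self.beta1 < self.beta2):
            raise ValueError("claim 8 needs dR1 < dR2 and 1 < beta1 < beta2")


def adjusted_q0(policy: RatioPolicy, r: int, r0: int, q0: float) -> float:
    """Claim 8: scale the preset ratio Q0 by beta_j once the tenant count R
    exceeds R0 by more than dR1 (beta1) or dR2 (beta2)."""
    dr = r - r0  # assumption: dR = R - R0
    if dr <= policy.dr1:
        return q0
    if dr <= policy.dr2:
        return q0 * policy.beta1
    return q0 * policy.beta2


def reallocation_share(policy: RatioPolicy, q: float, q0: float, p: float):
    """Claims 5 and 7: returns (reclassify, P'). reclassify is False while
    Q <= Q0; otherwise P' is P scaled by alpha_i according to dQ."""
    if not (0 <= q <= 1 and 0 < q0 <= 1 and 0 < p <= 1):
        raise ValueError("Q, Q0 and P must be ratios in [0, 1]")
    if q <= q0:
        return False, 0.0
    dq = q - q0  # assumption: dQ = Q - Q0
    if dq <= policy.dq1:
        return True, p
    if dq <= policy.dq2:
        return True, p * policy.alpha1
    return True, p * policy.alpha2


def rebalance(policy, personal, primary, secondary, q0, p):
    """Claims 5 to 7 end to end: measure Q, move the share P' of the personal
    data memory into primary public data, re-measure Q' and report whether
    claim 6 still calls for a distribution-rate adjustment (Q' > Q0)."""
    total = personal + primary + secondary
    if total <= 0:
        raise ValueError("no data stored")
    reclassify, p_prime = reallocation_share(policy, personal / total, q0, p)
    if not reclassify:
        return personal, primary, secondary, personal / total, False
    moved = personal * p_prime
    personal, primary = personal - moved, primary + moved
    q_prime = personal / total
    return personal, primary, secondary, q_prime, q_prime > q0


if __name__ == "__main__":
    # Illustrative constants (assumed, not from the patent).
    policy = RatioPolicy(dq1=0.05, dq2=0.15, alpha1=0.8, alpha2=0.5,
                         dr1=10, dr2=50, beta1=1.2, beta2=1.5)
    print(key_change_period(150, 100, 24.0))
    print(adjusted_q0(policy, 130, 100, 0.4))
    print(rebalance(policy, 700, 200, 100, 0.4, 0.5))
```

Note that the coefficient ordering from claims 7 and 8 is enforced in `RatioPolicy.__post_init__`: a deployment that swaps α1 and α2, or sets a β below 1, would silently move the ratios in the opposite direction from the one the claims describe, so the constructor refuses such a policy instead of computing with it.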
9. The multi-tenant access control method suitable for cloud platform operation according to claim 8, characterised in that the central control module judges, from the user's level, whether the user has authority to acquire data of the different levels:
if the user is an administrator, the central control module judges that the user has authority to browse and use the personal data, the primary public data and the secondary public data;
if the user is a tenant, the central control module judges that the user has authority to browse and use the personal data, the primary public data and the secondary public data;
if the user is a visitor (guest), the central control module judges that the user has authority only to browse the secondary public data, and has no authority to use the personal data, the primary public data or the secondary public data.
10. The multi-tenant access control method suitable for cloud platform operation according to claim 9, characterised in that the central control module files uploaded data at the corresponding level by analysing the data type:
if the data type is a tenant's private information, the central control module files it as personal data;
if the data type is information for improving or maintaining the cloud platform, the central control module files it as primary public data;
if the data type is current-affairs news or general reference (encyclopedia-style) content, the central control module files it as secondary public data.
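Claims 2, 3, 9 and 10 together define a small policy engine: level assignment by data type, prefix codes A/B/C, a role-by-level permission matrix, and an encryption plan chosen from the level. The following Python is an added example of that engine and is not the patent's code. The data-type tag strings, the "browse"/"use" action names and the `Request` fields are assumptions; the rule that a tenant may only reach personal data it owns is derived from claim 2's statement that personal data belongs to a single tenant (claim 9 alone does not name the owner). The page does not specify the ciphers, so the example returns the ordered list of encryption layers from claim 3 rather than performing the encryption itself.

```python
"""Level assignment, permission check and encryption routing of claims 2, 3, 9
and 10, as an added example rather than the patent's code.

Assumptions not on the page: the data-type tags, the action names "browse" and
"use", and the ownership check for level A data (claim 2: personal data belongs
to exactly one tenant).
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple


class Level(str, Enum):
    PERSONAL = "A"   # claim 2 prefix code for personal data
    PRIMARY = "B"    # primary public data
    SECONDARY = "C"  # secondary public data


# Claim 10: data type -> level. The tag strings are assumed for the example.
_TYPE_TO_LEVEL = {
    "tenant_private": Level.PERSONAL,
    "platform_maintenance": Level.PRIMARY,
    "news_headline": Level.SECONDARY,
    "encyclopedia": Level.SECONDARY,
}


def classify(data_type: str) -> Level:
    """Claim 10; an unknown type is rejected rather than silently made public."""
    try:
        return _TYPE_TO_LEVEL[data_type]
    except KeyError:
        raise ValueError(f"unclassified data type: {data_type!r}") from None


def prefix(level: Level, payload: bytes) -> bytes:
    """Claim 2: tag stored data with its level code."""
    return level.value.encode() + b":" + payload


# Claim 9: role -> (levels it may browse, levels it may use).
_ALL = frozenset(Level)
_ROLE_RIGHTS = {
    "administrator": (_ALL, _ALL),
    "tenant": (_ALL, _ALL),
    "visitor": (frozenset({Level.SECONDARY}), frozenset()),
}


@dataclass(frozen=True)
class Request:
    role: str
    tenant_id: Optional[str]   # None for visitors
    action: str                # "browse" or "use"
    level: Level
    owner_id: Optional[str]    # owning tenant of level A data, else None


def authorize(req: Request) -> bool:
    """Claim 9 plus the single-owner rule of claim 2; deny by default."""
    if req.action not in ("browse", "use"):
        return False
    rights = _ROLE_RIGHTS.get(req.role)
    if rights is None:
        return False
    browse, use = rights
    allowed = browse if req.action == "browse" else use
    if req.level not in allowed:
        return False
    if req.level is Level.PERSONAL and req.role == "tenant":
        # Assumption: a tenant reaches only its own personal data.
        return req.tenant_id is not None and req.tenant_id == req.owner_id
    return True


def encryption_layers(level: Level) -> List[str]:
    """Claim 3: C is sent in clear, B gets the general mode, A gets the general
    mode followed by the tenant's personal mode (listed innermost first)."""
    return {
        Level.SECONDARY: [],
        Level.PRIMARY: ["general"],
        Level.PERSONAL: ["general", "personal"],
    }[level]


def deliver(req: Request, stored: bytes) -> Optional[Tuple[List[str], bytes]]:
    """Steps s2, s3 and s5: read the stored prefix code, authorise against that
    level (not the level the caller claims), then pick the encryption plan.
    Returns None when access is denied."""
    code, sep, payload = stored.partition(b":")
    if not sep:
        raise ValueError("stored object lacks a level prefix")
    level = Level(code.decode())
    if not authorize(replace(req, level=level)):
        return None
    return encryption_layers(level), payload
```

`deliver` trusts the stored prefix code and not the level the requester names, so a client cannot downgrade a record to C by asking for it as public data; the visitor and cross-tenant cases both fall through to the default deny.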
CN202211367228.5A 2022-11-02 2022-11-02 Multi-tenant access control method suitable for cloud platform operation Active CN115695017B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211367228.5A CN115695017B (en) 2022-11-02 2022-11-02 Multi-tenant access control method suitable for cloud platform operation

Publications (2)

Publication Number Publication Date
CN115695017A true CN115695017A (en) 2023-02-03
CN115695017B CN115695017B (en) 2024-04-23

Family

ID=85047576

Country Status (1)

Country Link
CN (1) CN115695017B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104123616A (en) * 2014-07-25 2014-10-29 南京邮电大学 Cloud computing system towards multiple tenants
CN104252454A (en) * 2013-06-25 2014-12-31 广州中国科学院软件应用技术研究所 Method and system for multi-tenant mode data authority control oriented to cloud calculation
CN104767745A (en) * 2015-03-26 2015-07-08 浪潮集团有限公司 Cloud data security protection method
CN107204978A (en) * 2017-05-24 2017-09-26 北京邮电大学 A kind of access control method and device based on multi-tenant cloud environment
CN108259422A (en) * 2016-12-29 2018-07-06 中兴通讯股份有限公司 A kind of multi-tenant access control method and device
WO2021218328A1 (en) * 2020-04-28 2021-11-04 深圳壹账通智能科技有限公司 Multi-tenant access service implementation method, apparatus and device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant