CN115913793A - Security authentication method, system, electronic device, distributed storage system, and medium - Google Patents

Publication number: CN115913793A
Application number: CN202310220803.7A
Authority: CN (China)
Legal status: Granted (active)
Other versions: CN115913793B (en)
Original language: Chinese (zh)
Inventors: 贾涛, 李旭东, 王帅阳, 黄召军
Original and current assignee: Inspur Electronic Information Industry Co Ltd
Prior art keywords: tenant, authentication, security authentication, client, information
Landscape: Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a security authentication method, a system, electronic equipment, a distributed storage system and a medium, relating to the field of security authentication. The security authentication method comprises the following steps: acquiring a service address requested by a client and a first mapping relation, the first mapping relation being the mapping relation between virtual IPs and tenant authentication users; determining tenant authentication user information according to the service address and the first mapping relation; and performing security authentication based on the tenant authentication user information, and establishing a connection between the client and the server after the security authentication succeeds. The invention enables a single name node to connect to a plurality of Kerberos services at the same time, supports enabling Kerberos security authentication independently for some tenants, and can adapt to the different security authentication requirements of different big data platforms in a multi-tenant scenario.

Description

Security authentication method, system, electronic device, distributed storage system, and medium
Technical Field
The present invention relates to the field of security authentication, and in particular, to a security authentication method, system, electronic device, distributed storage system, and medium.
Background
In a distributed big data storage system, Kerberos (a computer network authentication protocol that authenticates communicating parties over an insecure network by secure means) is generally used as the security authentication authority of the distributed storage system. The Kerberos protocol is mainly used for identity authentication (Authentication) in a computer network. Its characteristic is that a user enters identity verification information only once and, by verifying the ticket-granting ticket obtained from that authentication, can access a plurality of services, namely SSO (Single Sign-On); the protocol is comparatively secure because a shared key is established between each client (Client) and service end (Service).
In the prior art, in a multi-tenant scenario each tenant of a distributed big data storage system can provide an independent big data service, but the whole distributed big data storage system can only connect to one Kerberos service at a time, while different tenants have different security authentication requirements when connecting to different big data platforms. A scenario therefore exists in which different Kerberos services need to be connected to at the same time and different tenants use different security authentication modes (Simple or Kerberos). Some big data platforms also provide a multi-tenant function, using the Ranger big data component to realize the tenant function, but that implementation cannot meet the differing security authentication requirements of a plurality of tenants.
Therefore, how to provide a solution to the above technical problems is a problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide a security authentication method, a system, electronic equipment, a distributed storage system and a medium, which enable a single name node to connect to a plurality of Kerberos services at the same time, support enabling Kerberos security authentication independently for some tenants, and can adapt to the different security authentication requirements of different big data platforms in a multi-tenant scenario.
In order to solve the above technical problem, the present invention provides a security authentication method, including:
acquiring a service address requested by a client and a first mapping relation; the first mapping relation is a mapping relation between a virtual IP and a tenant authentication user;
determining tenant authentication user information according to the service address and the first mapping relation;
and performing security authentication based on the tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
Optionally, before obtaining the service address requested by the client and the first mapping relationship, the security authentication method further includes:
acquiring a tenant list in a file system, namespaces under the tenant and a domain name corresponding to each namespace;
acquiring a security authentication mode of each tenant, and determining user information authenticated by the tenant based on the security authentication mode;
and obtaining the first mapping relation based on the tenant list, the namespace, the virtual IP list under the domain name and the tenant authentication user information.
Optionally, the process of acquiring the tenant list in the file system, the namespaces under the tenant, and the domain name corresponding to each of the namespaces includes:
acquiring a tenant list, namespaces under the tenant and a domain name corresponding to each namespace in a file system from a configuration file;
correspondingly, the process of acquiring the security authentication mode of each tenant includes:
and acquiring the security authentication mode of each tenant from the configuration file.
Optionally, the obtaining of the security authentication manner of each tenant, and the determining of the tenant authentication user information based on the security authentication manner includes:
acquiring a security authentication mode of each tenant;
determining the tenant of which the security authentication mode is a Kerberos authentication mode as a target tenant;
authenticating all the target tenants to the KDC servers corresponding to the target tenants;
and adding the successfully authenticated credential information to the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
Optionally, after obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information, the security authentication method further includes:
determining a second mapping relationship and a third mapping relationship based on the first mapping relationship;
the second mapping relationship is a mapping relationship between a virtual IP and a security authentication method, and the third mapping relationship is a mapping relationship between the virtual IP and a negotiation response.
Optionally, the process of obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information includes:
determining a first corresponding relation between a tenant and a namespace, a second corresponding relation between the namespace and the domain name, and a third corresponding relation between the domain name and a virtual IP list under the domain name based on the tenant list, the namespace and the virtual IP list under the domain name;
and obtaining the first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
Optionally, the process of performing security authentication based on the tenant authentication user information includes:
and establishing interaction between the corresponding saslServer and the KDC server based on the tenant authentication user information so as to perform security authentication.
Optionally, before the obtaining the service address requested by the client and the first mapping relationship, the security authentication method further includes:
and the client applies to the KDC server for the authentication parameters and authenticates itself to the authentication server to acquire the authentication ticket.
Optionally, before the obtaining the service address requested by the client and the first mapping relationship, the security authentication method further includes:
and the client initiates a request to the server after acquiring the authentication ticket so as to create network sockets of the client and the server.
Optionally, before the obtaining the service address requested by the client and the first mapping relationship, the security authentication method further includes:
and establishing connection according to the network socket, wherein the service address is the address requested in the network socket.
Optionally, the process of performing security authentication based on the tenant authentication user information includes:
analyzing the client message in the connection and determining the current message state;
if the current message state is the first state, generating challenge information and sending the challenge information to the client;
and when receiving the mark information returned by the client based on the challenge information, acquiring an evaluation authentication result of the mark information based on the tenant authentication user information, and if the evaluation authentication result is successful, judging that the security authentication is successful.
Optionally, the process of parsing the client message in the connection includes:
parsing the remote call Id of the client message;
correspondingly, if the current message state is the first state, the process of generating the challenge information and sending the challenge information to the client comprises the following steps:
and if the current message state is the first state and the remote call Id is the target value, generating challenge information and sending the challenge information to the client.
Optionally, after generating the challenge information and sending the challenge information to the client, the secure authentication method further includes:
and after the client analyzes the challenge information, evaluating the challenge information to a KDC server to generate marking information, and modifying the current message state into a second state.
Optionally, the first state is a negative state, and the second state is an initial state.
Optionally, the process of generating challenge information includes:
establishing, according to the authentication user information of the current tenant, a first saslServer whose authentication method is TOKEN;
and calling the method of the first saslServer to evaluate the response information sent by the client to the KDC server and generate challenge information.
Optionally, the process of obtaining the evaluation authentication result of the tag information based on the tenant authentication user information includes:
re-establishing a second saslServer with an authentication method of Kerberos according to the current tenant authentication user information;
calling a method in the second saslServer to evaluate the marking information to the KDC server;
and determining an evaluation authentication result according to the received feedback information.
In order to solve the above technical problem, the present invention further provides a security authentication system, including:
the first obtaining module is used for obtaining the service address requested by the client and a first mapping relation; the first mapping relation is a mapping relation between the virtual IP and a tenant authentication user;
the first determining module is used for determining tenant authentication user information according to the service address and the first mapping relation;
and the authentication module is used for carrying out security authentication based on the tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
In order to solve the above technical problem, the present invention further provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the security authentication method as claimed in any one of the above when executing the computer program.
In order to solve the technical problem, the present invention further provides a distributed storage system, which includes a plurality of name nodes, and each of the name nodes includes the electronic device as described above.
To solve the above technical problem, the present invention further provides a computer-readable storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the steps of the security authentication method as described in any one of the above.
The invention provides a security authentication method in which an independent security authentication configuration is configured for each tenant, tenant user authentication is performed for each tenant when the service is started, and different user authentication is performed according to the requested service address when a client request is processed; in this way a single name node service connects to a plurality of Kerberos services at the same time, Kerberos security authentication can be enabled independently for some tenants, and the different security authentication requirements of different big data platforms can be met in a multi-tenant scenario. The invention also provides a security authentication system, electronic equipment, a distributed storage system and a computer-readable storage medium, which have the same beneficial effects as the security authentication method.
Drawings
In order to illustrate the embodiments of the present invention more clearly, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained by those skilled in the art without inventive effort.
FIG. 1 is a multi-tenant architecture diagram of a distributed big data storage system according to the present invention;
fig. 2 is a schematic structural diagram of a name node service system according to the present invention;
FIG. 3 is a flowchart illustrating steps of a security authentication method according to the present invention;
FIG. 4 is a diagram of a distributed big data storage security authentication architecture according to the present invention;
fig. 5 is a schematic structural diagram of a security authentication system provided in the present invention.
Detailed Description
The core of the invention is to provide a security authentication method, a system, electronic equipment, a distributed storage system and a medium, which enable a single name node to connect to a plurality of Kerberos services at the same time, support enabling Kerberos security authentication independently for some tenants, and can adapt to the different security authentication requirements of different big data platforms in a multi-tenant scenario.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Based on the multi-tenant scenario of a distributed big data storage system, refer to fig. 1, which is the multi-tenant architecture diagram of a distributed big data storage system provided by the present invention. To facilitate understanding of the solution of the present invention, multi-tenancy is explained first: multi-tenancy divides a unified shared resource into a plurality of mutually isolated independent resources, and the multi-tenant characteristic provides unified resource management at tenant granularity, with resources allocated and managed in units of tenants. The multi-tenant characteristic enables one set of storage system to be shared by a plurality of tenants; sharing software and hardware resources reduces the running cost of the system and improves its resource utilization, while resources are isolated between tenants, ensuring security and privacy. Referring to fig. 2, the name node service system provided by the present invention is described below; the name node service system includes a tenant management module and a server module, and the security authentication scheme of the present invention can be implemented by the server module.
In a first aspect, referring to fig. 3, fig. 3 is a flowchart illustrating steps of a security authentication method according to the present invention, the security authentication method includes:
S101: acquiring a service address requested by a client and a first mapping relation; the first mapping relation is the mapping relation between virtual IPs and tenant authentication users;
S102: determining tenant authentication user information according to the service address and the first mapping relation;
Specifically, the first mapping relation is prestored in a storage space of the server module; after the request sent by the client is obtained, the first mapping relation is read from the storage space and the service address serverIp is parsed from the request.
It can be understood that the serverIp in the request sent by the client may be any virtual IP in the first mapping relation, or may be a virtual IP that is not in the first mapping relation. If the serverIp is a virtual IP in the first mapping relation, the tenant authentication user information corresponding to that serverIp is determined according to the first mapping relation; if the serverIp is not in the first mapping relation, this indicates that there is no tenant, and the preset cluster authentication user information is then taken as the tenant authentication user information corresponding to the service address.
S103: and performing security authentication based on the tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
Specifically, interaction between a corresponding saslServer and a KDC server is created according to tenant authentication user information so as to inquire and verify a client Token, and after authentication is completed, connection between the client and a server is completed.
Thus, in this embodiment, an independent security authentication configuration is configured for each tenant, tenant user authentication is performed when the service is started, and different user authentication is performed according to the requested service address when a client request is processed, so that a single name node service connects to a plurality of Kerberos services at the same time, Kerberos security authentication can be enabled independently for some tenants, and the different security authentication requirements of different big data platforms can be met in a multi-tenant scenario.
On the basis of the above-described embodiment:
as an optional embodiment, before obtaining the service address requested by the client and the first mapping relationship, the security authentication method further includes:
acquiring a tenant list in a file system, namespaces under the tenant and a domain name corresponding to each namespace;
acquiring a security authentication mode of each tenant, and determining user information authenticated by the tenant based on the security authentication mode;
and obtaining a first mapping relation based on the tenant list, the namespace, the virtual IP list under the domain name and the tenant authentication user information.
As an optional embodiment, the process of obtaining a tenant list, namespaces under the tenant, and a domain name corresponding to each namespace in a file system includes:
acquiring a tenant list, namespaces under the tenant and a domain name corresponding to each namespace in a file system from a configuration file;
correspondingly, the process of acquiring the security authentication mode of each tenant comprises the following steps:
and acquiring the security authentication mode of each tenant from the configuration file.
As an optional embodiment, the process of obtaining the security authentication manner of each tenant and determining the tenant authentication user information based on the security authentication manner includes:
acquiring a security authentication mode of each tenant;
determining the tenants with the security authentication mode of Kerberos authentication mode as target tenants;
authenticating all target tenants to respective corresponding KDC servers;
and adding the successfully authenticated credential information into the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
As an optional embodiment, after obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information, the security authentication method further includes:
determining a second mapping relation and a third mapping relation based on the first mapping relation;
the second mapping relation is the mapping relation between the virtual IP and the security authentication mode, and the third mapping relation is the mapping relation between the virtual IP and the negotiation response.
As an optional embodiment, the process of obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information includes:
determining a first corresponding relation between a tenant and a name space, a second corresponding relation between the name space and a domain name and a third corresponding relation between the domain name and a virtual IP list under the domain name based on the tenant list, the name space and the virtual IP list under the domain name;
and obtaining a first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
Specifically, in this embodiment, a first mapping relationship between the virtual IP and the tenant authentication user is established in advance through the tenant management module. It can be understood that, when the name node service is started, the name node synchronously starts the tenant management module, and the tenant management module reads a tenant list in the file system, a namespace under the tenant, and domain name information corresponding to the namespace from the configuration file.
At the same time, the security authentication mode corresponding to each tenant is read from the configuration file; if the security authentication mode is Kerberos, the Principal and Keytab corresponding to the tenant are further acquired, each tenant is authenticated to its corresponding KDC server through the Kerberos mode, Principal and Keytab, and after authentication completes the start-up user information of the tenant is recorded in the tenant management module, where the start-up user information can be understood to include the successfully authenticated credential. The tenant management module mainly holds several corresponding relations: after the tenant start-up user authentication, the first mapping relation between virtual IPs and tenant authentication users is finally obtained by converting these corresponding relations, and after the server module is started and the tenant management module is initialized, the first mapping relation between virtual IPs and tenant authentication users in the tenant management module is passed to the server module.
According to the passed first mapping relation, the server module obtains the security authentication mode corresponding to the tenant from each tenant authentication user, and generates a mapping relation between virtual IP and security authentication mode and a mapping relation between virtual IP and a new negotiation response (Response); these two mapping relations are used when the client accesses.
Further, after the name node service is started, the data nodes register with the name node service, and after registration is completed they periodically send heartbeat information to the name node. Referring to the distributed big data storage security authentication architecture diagram shown in fig. 4, data node registration with the name node and heartbeat sending are also implemented over RPC, so Kerberos authentication is required; this part follows the existing logic.
Referring to fig. 4, the process of creating a saslServer that interacts with the KDC server according to the tenant authentication user information, in order to challenge and verify the client Token and complete authentication, is as follows:
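The start-up procedure above (read tenants, namespaces, domains and virtual IP lists from the configuration; authenticate the Kerberos tenants to their own KDCs; chain the three corresponding relations into the first mapping relation; derive the second and third mapping relations) and the request-time lookup of steps S101/S102 are shown below as one added Python example. It is not code from the patent or from Inspur; the configuration values, the `kdc_login` stand-in for the Principal/Keytab login, the `serverIp` fallback to a preset cluster user, and the `KERBEROS`/`SIMPLE` negotiation-response names are all assumptions made for the example.

```python
# Added example (not from the patent): building the VIP -> tenant authentication
# user mapping from a constructed configuration, then resolving a requested
# serverIp at connection time.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed configuration; all tenant names, realms, paths and addresses are made up.
CONFIG = {
    "tenants": {
        "tenantA": {"namespaces": ["nsA1"], "auth_mode": "Kerberos",
                    "principal": "nn/tenantA@REALM-A.EXAMPLE",
                    "keytab": "/etc/security/keytabs/tenantA.keytab"},
        "tenantB": {"namespaces": ["nsB1", "nsB2"], "auth_mode": "Simple"},
    },
    # second corresponding relation: namespace -> domain name
    "namespace_domain": {"nsA1": "nsa1.example", "nsB1": "nsb1.example", "nsB2": "nsb2.example"},
    # third corresponding relation: domain name -> virtual IP list
    "domain_vips": {"nsa1.example": ["10.0.1.10", "10.0.1.11"],
                    "nsb1.example": ["10.0.2.10"], "nsb2.example": ["10.0.2.20"]},
}


@dataclass(frozen=True)
class TenantAuthUser:
    tenant: Optional[str]        # None for the preset cluster user (no tenant)
    auth_mode: str               # "Kerberos" or "Simple"
    credential: Optional[str]    # credential recorded after a successful KDC login


# Preset cluster authentication user, used when the requested address is not a tenant VIP.
CLUSTER_USER = TenantAuthUser(None, "Simple", None)


def kdc_login(principal: str, keytab: str) -> str:
    """Hypothetical stand-in for authenticating a tenant's start-up user to its
    own KDC with its Principal and Keytab; returns an opaque credential string."""
    return f"credential:{principal}"


def authenticate_tenants(config: dict) -> Dict[str, TenantAuthUser]:
    """Read each tenant's security authentication mode; tenants in Kerberos mode
    are the 'target tenants' and are logged in to their corresponding KDC."""
    users = {}
    for name, tenant in config["tenants"].items():
        mode = tenant["auth_mode"]
        cred = kdc_login(tenant["principal"], tenant["keytab"]) if mode == "Kerberos" else None
        users[name] = TenantAuthUser(name, mode, cred)
    return users


def build_mappings(config: dict, users: Dict[str, TenantAuthUser]) -> Tuple[dict, dict, dict]:
    """Chain tenant -> namespace -> domain -> VIP list into the first mapping
    relation (VIP -> tenant auth user), then derive the second (VIP -> auth mode)
    and third (VIP -> negotiation response) mapping relations from it."""
    vip_to_user: Dict[str, TenantAuthUser] = {}
    for name, tenant in config["tenants"].items():
        for ns in tenant["namespaces"]:
            domain = config["namespace_domain"][ns]
            for vip in config["domain_vips"][domain]:
                # Added check: a VIP that belonged to two tenants would let one tenant's
                # credential be selected for another's requests, so refuse to start.
                if vip in vip_to_user:
                    raise ValueError(f"VIP {vip} claimed by {vip_to_user[vip].tenant} and {name}")
                vip_to_user[vip] = users[name]
    vip_to_mode = {vip: u.auth_mode for vip, u in vip_to_user.items()}
    vip_to_negotiate = {vip: ("KERBEROS" if u.auth_mode == "Kerberos" else "SIMPLE")
                        for vip, u in vip_to_user.items()}
    return vip_to_user, vip_to_mode, vip_to_negotiate


def resolve_auth_user(server_ip: str, vip_to_user: Dict[str, TenantAuthUser]) -> TenantAuthUser:
    """Request-time lookup (S101/S102): the serverIp parsed from the client's
    socket selects the tenant auth user; an address that is not in the first
    mapping relation means 'no tenant' and falls back to the cluster user."""
    return vip_to_user.get(server_ip, CLUSTER_USER)


if __name__ == "__main__":
    first, second, third = build_mappings(CONFIG, authenticate_tenants(CONFIG))
    for vip in sorted(first):
        print(vip, first[vip].tenant, second[vip], third[vip])
    print("unknown VIP ->", resolve_auth_user("10.0.9.9", first))
```

The duplicate-VIP check is the one place the example goes beyond the text: the patent only describes converting the corresponding relations, but the conversion is only safe when each virtual IP resolves to exactly one tenant authentication user, so the example refuses ambiguous configurations at start-up rather than at request time.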
as an optional embodiment, before obtaining the service address requested by the client and the first mapping relationship, the security authentication method further includes:
the client applies to the KDC server for the authentication parameters and authenticates itself to the authentication server to obtain the authentication ticket.
As an optional embodiment, before obtaining the service address requested by the client and the first mapping relationship, the security authentication method further includes:
and the client initiates a request to the server after acquiring the authentication ticket so as to create network sockets of the client and the server.
As an optional embodiment, before obtaining the service address requested by the client and the first mapping relationship, the security authentication method further includes:
a connection is created from the socket and the service address is the address requested in the socket.
Specifically, a client first needs to apply to the KDC server for the authentication parameters Principal and Keytab, authenticate itself to the Authentication Server (AS) before access, and acquire the authentication ticket TGT (Ticket Granting Ticket); after acquiring the TGT it initiates a request to the server, a network socket is established between the client and the server, and a Connection is created from the socket. When the Connection is created, the corresponding tenant authentication user information is looked up, according to the serverIp requested in the socket, in the first mapping relation between virtual IPs and tenant authentication users held in the server module.
As an alternative embodiment, the process of performing security authentication based on tenant authentication user information includes:
parsing the client message in the connection and determining the current message state;
if the current message state is the first state, generating challenge information and sending the challenge information to the client;
and when receiving the mark information returned by the client based on the challenge information, acquiring an evaluation authentication result of the mark information based on the tenant authentication user information, and if the evaluation authentication result is successful, judging that the security authentication is successful.
As an alternative embodiment, the process of parsing the client message in the connection includes:
analyzing the remote call Id of the client message;
correspondingly, if the current message state is the first state, the process of generating the challenge information and sending the challenge information to the client comprises the following steps:
and if the current message state is the first state and the remote call Id is the target value, generating challenge information and sending the challenge information to the client.
As an alternative embodiment, after generating the challenge information and sending the challenge information to the client, the secure authentication method further includes:
and after parsing the challenge information, the client evaluates the challenge information to the KDC server to generate mark information, and modifies the current message state to a second state.
As an alternative embodiment, the first state is a negative state and the second state is an initial state.
As an alternative embodiment, the process of generating challenge information includes:
establishing a first saslServer with an authentication method of TOKEN according to the authentication user information of the current tenant;
and calling a method of the first saslServer to evaluate the response information sent by the client to the KDC server and generate challenge information.
As an alternative embodiment, the process of obtaining the evaluation authentication result of the tag information based on the tenant authentication user information includes:
re-establishing a second saslServer with an authentication method of Kerberos according to the current tenant authentication user information;
calling a method in the second saslServer to evaluate the marking information to the KDC server;
and determining an evaluation authentication result according to the received feedback information.
Specifically, the client message (saslMessage) is processed in the Connection: the call Id in the client message, namely the remote call Id, is parsed; the remote call Id has a fixed value during connection establishment, and the specific remote call Id after Kerberos security authentication is enabled is -33. The current message state is then parsed from the client message (saslMessage); when the connection is established for the first time the message state is the Negotiate state, and sasl negotiation response information is then constructed. When the sasl negotiation response information is constructed, a saslServer with an authentication method of TOKEN is first established according to the authentication user information of the current tenant (when Kerberos security authentication is enabled, this saslServer is similar to GssKrb5Server); then the method in the saslServer is called to evaluate the response data sent by the client to the KDC server and generate challenge information, and the server sends the challenge information to the client.
After receiving the challenge, the client parses the challenge information and evaluates it to the KDC server to generate a Token; the client sends the Token to the name node and sets the saslMessage message state to Initial. After receiving the message in the Initial state, the server parses the Token information and creates a saslServer with an authentication method of KERBEROS according to the current tenant authentication user information (when Kerberos security authentication is enabled, the implementation is GssKrb5Server), then calls the method in the saslServer to evaluate the Token information sent by the client to the KDC server; after the evaluation authentication is completed, SUCCESS is returned to the client, and the connection between the client and the server is thereby completed.
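The negotiation just described, modelled as an added example that is not code from the patent or from the Hadoop code base it resembles: a Python sketch of the server side of one connection, which dispatches on the virtual IP the client connected to, accepts only the SASL remote call Id -33, answers a Negotiate message with a challenge, and evaluates the token carried by the following Initial message with the tenant's own key material. The VIP-to-tenant map, the tenant keys and the HMAC answer that stands in for the client's exchange with the tenant's KDC (GssKrb5Server in the real system) are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SASL_CALL_ID = -33  # fixed remote call Id of SASL messages once Kerberos authentication is enabled
NEGOTIATE, INITIATE, SUCCESS, FAILURE = "NEGOTIATE", "INITIATE", "SUCCESS", "FAILURE"

# Constructed: the first mapping relation (virtual IP -> tenant) and, per tenant, a secret
# that stands in for the key material the tenant's own KDC would verify.
VIP_TO_TENANT = {"10.0.0.11": "tenantA", "10.0.0.12": "tenantB"}
TENANT_KEYS = {"tenantA": b"constructed-secret-A", "tenantB": b"constructed-secret-B"}


@dataclass
class SaslMessage:
    """The fields of the client message the server parses: call Id, state and token."""
    call_id: int
    state: str
    token: bytes = b""


class ToySaslServer:
    """Stand-in for the saslServer created per tenant. The mechanism is TOKEN for the
    negotiate round and KERBEROS for the token round, mirroring the two servers in the
    text; the HMAC check replaces the real GSSAPI exchange with the tenant's KDC."""

    def __init__(self, mechanism: str, tenant_key: bytes, challenge: bytes = b""):
        self.mechanism = mechanism
        self.key = tenant_key
        self.challenge = challenge

    def evaluate_response(self, response: bytes) -> bytes:
        if self.mechanism == "TOKEN":
            return secrets.token_bytes(16)  # challenge to send back to the client
        expected = hmac.new(self.key, self.challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            raise PermissionError("token rejected by the tenant KDC stand-in")
        return b""


class Connection:
    """Server-side state of one client connection; service_address is the VIP it was accepted on."""

    def __init__(self, service_address: str):
        self.tenant = VIP_TO_TENANT.get(service_address)  # None: not a configured VIP
        self.challenge: Optional[bytes] = None
        self.state = "NEW"

    def handle(self, msg: SaslMessage) -> SaslMessage:
        key = TENANT_KEYS.get(self.tenant)
        if key is None or msg.call_id != SASL_CALL_ID:
            return self._fail()
        if msg.state == NEGOTIATE and self.state == "NEW":
            first = ToySaslServer("TOKEN", key)
            self.challenge = first.evaluate_response(msg.token)
            self.state = "CHALLENGED"
            return SaslMessage(SASL_CALL_ID, NEGOTIATE, self.challenge)
        if msg.state == INITIATE and self.state == "CHALLENGED":
            second = ToySaslServer("KERBEROS", key, self.challenge)  # re-established for the token round
            try:
                second.evaluate_response(msg.token)
            except PermissionError:
                return self._fail()
            self.state = SUCCESS
            return SaslMessage(SASL_CALL_ID, SUCCESS)
        return self._fail()  # out-of-order or repeated message

    def _fail(self) -> SaslMessage:
        self.state = FAILURE
        return SaslMessage(SASL_CALL_ID, FAILURE)


def client_token(challenge: bytes, client_key: bytes) -> bytes:
    """Client side: 'evaluating the challenge to the KDC' is modelled as answering with the
    client's tenant key, so only a client holding that tenant's key can answer correctly."""
    return hmac.new(client_key, challenge, hashlib.sha256).digest()


def run_handshake(service_address: str, client_key: bytes) -> str:
    """Drive the two-round exchange and return the final state (SUCCESS or FAILURE)."""
    conn = Connection(service_address)
    reply = conn.handle(SaslMessage(SASL_CALL_ID, NEGOTIATE))
    if reply.state != NEGOTIATE:
        return reply.state
    reply = conn.handle(SaslMessage(SASL_CALL_ID, INITIATE, client_token(reply.token, client_key)))
    return reply.state


if __name__ == "__main__":
    print(run_handshake("10.0.0.11", TENANT_KEYS["tenantA"]))  # SUCCESS
    print(run_handshake("10.0.0.12", TENANT_KEYS["tenantA"]))  # FAILURE: tenant A key on tenant B's VIP
```

Running the handshake against a VIP with another tenant's credentials fails, which is the isolation property the text claims: each VIP is evaluated only against its own tenant's KDC material. Porting this onto the real stack means keeping the state checks (call Id, message order, unmapped VIP) and replacing ToySaslServer with the GSSAPI SaslServer.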
In summary, the security authentication method has obvious advantages for a distributed big data storage system in the scenario of storing multi-tenant information: firstly, the distributed file system can serve a plurality of big data services at the same time and can satisfy different security authentication requirements; secondly, because different tenants access their respective KDC services, users who do not belong to a tenant cannot access the resources under that tenant, so security is high; thirdly, the security authentication configuration and the security authentication user information of each tenant are maintained simultaneously in a single name node process, and a plurality of name node services are fault-tolerant with each other, so the whole system is relatively stable; fourthly, the invention is compatible with the existing security authentication mode and is integrated into the existing distributed big data storage system, so compatibility is strong; fifthly, one set of distributed big data storage system in a multi-tenant scenario can serve a plurality of big data services at the same time, so the cost is low.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a security authentication system provided in the present invention, the security authentication system including:
a first obtaining module 51, configured to obtain a service address requested by a client and a first mapping relationship; the first mapping relation is the mapping relation between the virtual IP and the tenant authentication user;
a first determining module 52, configured to determine tenant authentication user information according to the service address and the first mapping relationship;
and the authentication module 53 is configured to perform security authentication based on the tenant authentication user information, and establish connection between the client and the server after the security authentication is successful.
In the embodiment, independent security authentication configuration is configured for each tenant, tenant user authentication is performed when the service is started, different user authentication is performed according to the requested service address when the client request is processed, a single-name node service is enabled to simultaneously dock a plurality of Kerberos services and support independent opening of Kerberos security authentication of part of tenants, and different security authentication requirements of different large data platforms can be met in a multi-tenant scene.
As an optional embodiment, the security authentication system further comprises:
the system comprises a preprocessing module, a domain name obtaining module and a domain name obtaining module, wherein the preprocessing module is used for obtaining a tenant list in a file system, name spaces under tenants and domain names corresponding to the name spaces;
acquiring a security authentication mode of each tenant, and determining user information authenticated by the tenant based on the security authentication mode;
and obtaining a first mapping relation based on the tenant list, the name space, the virtual IP list under the domain name and the tenant authentication user information.
As an optional embodiment, the process of obtaining a tenant list, namespaces under the tenant, and a domain name corresponding to each namespace in a file system includes:
acquiring a tenant list, namespaces under the tenant and a domain name corresponding to each namespace in a file system from a configuration file;
correspondingly, the process of acquiring the security authentication mode of each tenant comprises the following steps:
and acquiring the security authentication mode of each tenant from the configuration file.
As an optional embodiment, the process of obtaining the security authentication manner of each tenant and determining the tenant authentication user information based on the security authentication manner includes:
acquiring a security authentication mode of each tenant;
determining the tenants whose security authentication mode is the Kerberos authentication mode as target tenants;
authenticating all target tenants to the KDC servers corresponding to the target tenants;
and adding the successfully authenticated credential information into the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
As an optional embodiment, the preprocessing module is specifically configured to:
determining a second mapping relation and a third mapping relation based on the first mapping relation;
the second mapping relation is the mapping relation between the virtual IP and the security authentication mode, and the third mapping relation is the mapping relation between the virtual IP and the negotiation response.
As an optional embodiment, the process of obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information includes:
determining a first corresponding relation between a tenant and a name space, a second corresponding relation between the name space and a domain name and a third corresponding relation between the domain name and a virtual IP list under the domain name based on the tenant list, the name space and the virtual IP list under the domain name;
and obtaining a first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
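A worked construction of the first, second and third mapping relations, added here as an illustration; it is not the patent's or Hadoop's code, and the configuration layout, tenant names, principals, domain names and virtual IPs are constructed. The KDC login at service start is represented by a replaceable callable (constructed_kdc_login) so the block runs offline; it also refuses a configuration in which one virtual IP belongs to two tenants, since the first mapping must resolve each service address to exactly one tenant authentication user.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed configuration in the shape the text describes: each tenant has a security
# authentication mode, a startup user and namespaces; each namespace has a domain name;
# each domain name has a list of virtual IPs.
CONFIG = {
    "tenants": {
        "tenantA": {
            "auth_mode": "kerberos",
            "user": "hdfs/nn@A.REALM",
            "keytab": "/etc/security/keytabs/tenantA.keytab",
            "namespaces": {"nsA1": "nsa1.tenant-a.internal"},
        },
        "tenantB": {
            "auth_mode": "simple",
            "user": "hdfs",
            "namespaces": {"nsB1": "nsb1.tenant-b.internal", "nsB2": "nsb2.tenant-b.internal"},
        },
    },
    "domains": {
        "nsa1.tenant-a.internal": ["10.0.0.11", "10.0.0.12"],
        "nsb1.tenant-b.internal": ["10.0.0.21"],
        "nsb2.tenant-b.internal": ["10.0.0.22"],
    },
}


@dataclass(frozen=True)
class TenantAuthUser:
    """Tenant authentication user information: the startup user plus, for Kerberos
    tenants, the credentials obtained from that tenant's KDC when the service started."""
    tenant: str
    user: str
    auth_mode: str
    credentials: Optional[str]


def constructed_kdc_login(user: str, keytab: str) -> str:
    """Stand-in for authenticating the tenant's startup user to its KDC with a keytab.
    Returns an opaque credential handle; a real implementation holds a TGT."""
    return f"tgt:{user}"


def conflicting_vips(config: dict) -> list:
    """Virtual IPs claimed by more than one tenant. The first mapping must be a function,
    otherwise a client of one tenant could be authenticated as another tenant's user."""
    owners = {}
    for tenant, tcfg in config["tenants"].items():
        for domain in tcfg["namespaces"].values():
            for vip in config["domains"].get(domain, []):
                owners.setdefault(vip, set()).add(tenant)
    return sorted(vip for vip, tenants in owners.items() if len(tenants) > 1)


class VipMappings:
    """The three mappings: VIP -> tenant auth user, VIP -> auth mode, VIP -> negotiate response."""

    def __init__(self, config: dict, kdc_login: Callable[[str, str], str] = constructed_kdc_login):
        conflicts = conflicting_vips(config)
        if conflicts:
            raise ValueError(f"virtual IPs mapped to more than one tenant: {conflicts}")
        self.first = {}   # first mapping relation
        self.second = {}  # second mapping relation
        self.third = {}   # third mapping relation
        for tenant, tcfg in config["tenants"].items():
            mode = tcfg["auth_mode"]
            # Only Kerberos tenants (the "target tenants") authenticate to a KDC at startup.
            creds = kdc_login(tcfg["user"], tcfg["keytab"]) if mode == "kerberos" else None
            auth_user = TenantAuthUser(tenant, tcfg["user"], mode, creds)
            # Negotiate response offered to clients of this VIP (a simplified SASL auth list).
            negotiate = ("KERBEROS", "GSSAPI", tcfg["user"]) if mode == "kerberos" else ("SIMPLE",)
            for domain in tcfg["namespaces"].values():          # tenant -> namespace -> domain
                for vip in config["domains"].get(domain, []):  # domain -> VIP list
                    self.first[vip] = auth_user
                    self.second[vip] = mode
                    self.third[vip] = negotiate

    def resolve(self, service_address: str) -> Optional[TenantAuthUser]:
        """Look up the tenant auth user for the address the client connected to.
        None means the address is not a configured VIP and the connection must be refused."""
        return self.first.get(service_address)


if __name__ == "__main__":
    mappings = VipMappings(CONFIG)
    print(mappings.resolve("10.0.0.11"))  # tenantA, hdfs/nn@A.REALM, kerberos, tgt:hdfs/nn@A.REALM
    print(mappings.third["10.0.0.21"])    # ('SIMPLE',)
```

The lookup key is the address the client connected to, not anything the client asserts in its message, so the tenant choice cannot be steered by a peer that reaches the wrong VIP; the VIP uniqueness check is what keeps that lookup unambiguous.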
As an alternative embodiment, the process of performing security authentication based on tenant authentication user information includes:
and establishing a corresponding saslServer based on the tenant authentication user information to interact with the KDC server so as to perform security authentication.
As an optional embodiment, the security authentication system further comprises:
and an identity verification module, configured for the client to apply to the KDC server for authentication parameters and authenticate itself to the authentication server to acquire an authentication ticket.
As an optional embodiment, the security authentication system further comprises:
and a connection establishing module, configured to create a network socket between the client and the server upon receiving the request that the client initiates to the server after acquiring the authentication ticket.
As an alternative embodiment, the connection establishing module is further configured to:
a connection is created from the socket and the service address is the address requested in the socket.
As an alternative embodiment, the process of performing security authentication based on tenant authentication user information includes:
parsing the client message in the connection and determining the current message state;
if the current message state is the first state, generating challenge information and sending the challenge information to the client;
and when the marking information returned by the client based on the challenge information is received, acquiring an evaluation authentication result of the marking information based on the tenant authentication user information, and if the evaluation authentication result is successful, determining that the security authentication is successful.
As an alternative embodiment, the process of parsing the client message in the connection includes:
parsing the remote call Id of the client message;
correspondingly, if the current message state is the first state, the process of generating the challenge information and sending the challenge information to the client comprises the following steps:
and if the current message state is the first state and the remote call Id is the target value, generating challenge information and sending the challenge information to the client.
As an optional embodiment, the security authentication system further comprises:
and an adjusting module, configured to, after the client parses the challenge information, evaluate the challenge information to the KDC server to generate marking information, and modify the current message state to the second state.
As an alternative embodiment, the first state is the Negotiate state and the second state is the Initial state.
As an alternative embodiment, the process of generating challenge information includes:
establishing a first saslServer with an authentication method of TOKEN according to the authentication user information of the current tenant;
and calling a method of the first saslServer to evaluate the response information sent by the client to the KDC server and generate challenge information.
As an alternative embodiment, the process of obtaining the evaluation authentication result of the tag information based on the tenant authentication user information includes:
establishing a second saslServer with an authentication method of Kerberos according to the current tenant authentication user information;
calling a method in the second saslServer to evaluate the marking information to the KDC server;
and determining an evaluation authentication result according to the received feedback information.
In a third aspect, the present invention further provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the security authentication method as described in any one of the above embodiments when executing the computer program.
Specifically, the memory includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and computer readable instructions, and the internal memory provides an environment for the operating system and the computer readable instructions in the non-volatile storage medium to run. The processor provides computing and control capabilities for the electronic device, and when executing the computer program stored in the memory, the following steps may be implemented: acquiring a service address requested by a client and a first mapping relation; the first mapping relation is the mapping relation between the virtual IP and the tenant authentication user; determining tenant authentication user information according to the service address and the first mapping relation; and performing security authentication based on the tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
In the embodiment, independent security authentication configuration is configured for each tenant, tenant user authentication is performed when the service is started, different user authentication is performed according to the requested service address when the client request is processed, a single-name node service is enabled to simultaneously dock a plurality of Kerberos services and support independent opening of Kerberos security authentication of part of tenants, and different security authentication requirements of different large data platforms can be met in a multi-tenant scene.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: acquiring a tenant list in a file system, namespaces under the tenant and a domain name corresponding to each namespace; acquiring a security authentication mode of each tenant, and determining user information authenticated by the tenant based on the security authentication mode; and obtaining a first mapping relation based on the tenant list, the name space, the virtual IP list under the domain name and the tenant authentication user information.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: acquiring a tenant list, namespaces under the tenant and a domain name corresponding to each namespace in a file system from a configuration file; and acquiring the security authentication mode of each tenant from the configuration file.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: acquiring a security authentication mode of each tenant; determining the tenants whose security authentication mode is the Kerberos authentication mode as target tenants; authenticating all target tenants to the KDC servers corresponding to the target tenants; and adding the successfully authenticated credential information into the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: determining a second mapping relation and a third mapping relation based on the first mapping relation; the second mapping relation is the mapping relation between the virtual IP and the security authentication mode, and the third mapping relation is the mapping relation between the virtual IP and the negotiation response.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: determining a first corresponding relation between a tenant and a name space, a second corresponding relation between the name space and a domain name and a third corresponding relation between the domain name and a virtual IP list under the domain name based on the tenant list, the name space and the virtual IP list under the domain name; and obtaining a first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: establishing a corresponding saslServer based on the tenant authentication user information to interact with the KDC server so as to perform security authentication.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: the client applies to the KDC server for the authentication parameters and authenticates itself to the authentication server to obtain an authentication ticket.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: the client side sends a request to the server side after obtaining the authentication ticket so as to create network sockets of the client side and the server side.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: a connection is created from the socket and the service address is the address requested in the socket.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: parsing the client message in the connection and determining the current message state; if the current message state is the first state, generating challenge information and sending the challenge information to the client; and when receiving the marking information returned by the client based on the challenge information, acquiring an evaluation authentication result of the marking information based on the tenant authentication user information, and if the evaluation authentication result is successful, determining that the security authentication is successful.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: parsing the remote call Id of the client message; correspondingly, if the current message state is the first state, the process of generating the challenge information and sending the challenge information to the client comprises the following steps: if the current message state is the first state and the remote call Id is the target value, generating challenge information and sending the challenge information to the client.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: after the client parses the challenge information, evaluating the challenge information to the KDC server to generate marking information, and modifying the current message state to the second state.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: establishing a first saslServer with an authentication method of TOKEN according to the authentication user information of the current tenant; and calling a method of the first saslServer to evaluate the response information sent by the client to the KDC server and generate challenge information.
As an alternative embodiment, the processor, when executing the computer subroutine stored in the memory, may perform the following steps: re-establishing a second saslServer with an authentication method of Kerberos according to the current tenant authentication user information; calling a method in the second saslServer to evaluate the marking information to the KDC server; and determining an evaluation authentication result according to the received feedback information.
On the basis of the above embodiment, as a preferred embodiment, the electronic device further includes:
an input interface, connected to the processor and configured to acquire computer programs, parameters and instructions imported from the outside and store them in the memory under the control of the processor. The input interface may be coupled to an input device for receiving parameters or instructions manually input by a user. The input device may be a touch layer covering a display screen, or a key, a trackball or a touch pad arranged on the terminal housing.
a display unit, connected to the processor and configured to display the data sent by the processor. The display unit may be a liquid crystal display screen or an electronic ink display screen.
a network port, connected to the processor and configured to establish communication connections with external terminal devices. The communication technology adopted by the communication connection may be a wired or a wireless communication technology, such as Mobile High-Definition Link (MHL), Universal Serial Bus (USB), High Definition Multimedia Interface (HDMI), wireless fidelity (WiFi), Bluetooth, Bluetooth Low Energy, IEEE 802.11s-based communication, and the like.
In a fourth aspect, the present invention also provides a distributed storage system, including a plurality of name nodes, each including an electronic device as above.
For an introduction of the distributed storage system provided in this embodiment, please refer to the above embodiments, which are not described herein again.
The distributed storage system provided by the invention has the same beneficial effects as the safety authentication method.
In a fifth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the security authentication method as described in any one of the above embodiments.
The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk. The storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of: acquiring a service address requested by a client and a first mapping relation; the first mapping relation is the mapping relation between the virtual IP and the tenant authentication user; determining tenant authentication user information according to the service address and the first mapping relation; and performing security authentication based on the tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
In the embodiment, independent security authentication configuration is configured for each tenant, tenant user authentication is performed when the service is started, different user authentication is performed according to the requested service address when the client request is processed, a single-name node service is enabled to simultaneously dock a plurality of Kerberos services and support independent opening of Kerberos security authentication of part of tenants, and different security authentication requirements of different large data platforms can be met in a multi-tenant scene.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: acquiring a tenant list in a file system, namespaces under the tenant and a domain name corresponding to each namespace; acquiring a security authentication mode of each tenant, and determining user information authenticated by the tenant based on the security authentication mode; and obtaining a first mapping relation based on the tenant list, the name space, the virtual IP list under the domain name and the tenant authentication user information.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: acquiring a tenant list, namespaces under the tenant and a domain name corresponding to each namespace in a file system from a configuration file; and acquiring the security authentication mode of each tenant from the configuration file.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the steps of: acquiring a security authentication mode of each tenant; determining the tenant with the security authentication mode of Kerberos as a target tenant; authenticating all target tenants to the KDC servers corresponding to the target tenants; and adding the successfully authenticated credential information into the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: determining a second mapping relation and a third mapping relation based on the first mapping relation; the second mapping relation is the mapping relation between the virtual IP and the security authentication mode, and the third mapping relation is the mapping relation between the virtual IP and the negotiation response.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: determining a first corresponding relation between a tenant and a name space, a second corresponding relation between the name space and a domain name and a third corresponding relation between the domain name and a virtual IP list under the domain name based on the tenant list, the name space and the virtual IP list under the domain name; and obtaining a first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: establishing a corresponding saslServer based on the tenant authentication user information to interact with the KDC server so as to perform security authentication.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: the client applies to the KDC server for the authentication parameters and authenticates itself to the authentication server to obtain the authentication ticket.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: the client side sends a request to the server side after obtaining the authentication ticket so as to create network sockets of the client side and the server side.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: a connection is created from the socket and the service address is the address requested in the socket.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: parsing the client message in the connection and determining the current message state; if the current message state is the first state, generating challenge information and sending the challenge information to the client; and when receiving the marking information returned by the client based on the challenge information, acquiring an evaluation authentication result of the marking information based on the tenant authentication user information, and if the evaluation authentication result is successful, determining that the security authentication is successful.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: parsing the remote call Id of the client message; correspondingly, if the current message state is the first state, the process of generating the challenge information and sending the challenge information to the client comprises the following steps: if the current message state is the first state and the remote call Id is the target value, generating challenge information and sending the challenge information to the client.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: after the client parses the challenge information, evaluating the challenge information to the KDC server to generate marking information, and modifying the current message state to the second state.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: establishing a first saslServer with an authentication method of TOKEN according to the authentication user information of the current tenant; and calling a method of the first saslServer to evaluate the response information sent by the client to the KDC server and generate challenge information.
As an alternative embodiment, when executed by a processor, a computer subroutine stored in a computer readable storage medium may specifically implement the following steps: re-establishing a second saslServer with an authentication method of Kerberos according to the current tenant authentication user information; calling a method in the second saslServer to evaluate the marking information to the KDC server; and determining an evaluation authentication result according to the received feedback information.
It should also be noted that, in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (20)

1. A security authentication method, comprising:
acquiring a service address requested by a client and a first mapping relation; the first mapping relation is a mapping relation between the virtual IP and a tenant authentication user;
determining tenant authentication user information according to the service address and the first mapping relation;
and performing security authentication based on the tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
2. The security authentication method of claim 1, wherein before obtaining the service address requested by the client and the first mapping relationship, the security authentication method further comprises:
acquiring a tenant list in a file system, namespaces under the tenant and a domain name corresponding to each namespace;
acquiring a security authentication mode of each tenant, and determining user information authenticated by the tenant based on the security authentication mode;
and obtaining the first mapping relation based on the tenant list, the namespace, the virtual IP list under the domain name and the tenant authentication user information.
3. The security authentication method according to claim 2, wherein the process of obtaining the tenant list in the file system, the namespaces under the tenant, and the domain name corresponding to each of the namespaces comprises:
acquiring a tenant list, namespaces under the tenant and a domain name corresponding to each namespace in a file system from a configuration file;
correspondingly, the process of acquiring the security authentication mode of each tenant includes:
and acquiring the security authentication mode of each tenant from the configuration file.
4. The security authentication method according to claim 2, wherein the process of obtaining the security authentication mode of each tenant and determining the tenant authentication user information based on the security authentication mode comprises:
acquiring a security authentication mode of each tenant;
determining the tenant of which the security authentication mode is a Kerberos authentication mode as a target tenant;
authenticating all the target tenants to the KDC servers corresponding to the target tenants;
and adding the successfully authenticated credential information to the startup user information of the target tenant to determine the tenant authentication user information of the target tenant.
5. The security authentication method according to claim 2, wherein after obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information, the security authentication method further comprises:
determining a second mapping relationship and a third mapping relationship based on the first mapping relationship;
the second mapping relationship is a mapping relationship between a virtual IP and a security authentication mode, and the third mapping relationship is a mapping relationship between the virtual IP and a negotiation response.
6. The security authentication method according to claim 2, wherein obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information comprises:
determining a first corresponding relation between a tenant and a namespace, a second corresponding relation between the namespace and the domain name, and a third corresponding relation between the domain name and a virtual IP list under the domain name based on the tenant list, the namespace, and the virtual IP list under the domain name;
and obtaining the first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
7. The security authentication method according to claim 1, wherein the process of performing security authentication based on the tenant authentication user information includes:
and establishing interaction between the corresponding saslServer and the KDC server based on the tenant authentication user information so as to perform security authentication.
8. The security authentication method according to any one of claims 1 to 7, wherein before obtaining the service address requested by the client and the first mapping relationship, the security authentication method further comprises:
and the client requests authentication parameters from the KDC server and authenticates itself to the authentication server to acquire an authentication ticket.
9. The security authentication method of claim 8, wherein before obtaining the service address requested by the client and the first mapping relationship, the security authentication method further comprises:
and the client, after acquiring the authentication ticket, initiates a request to the server so as to create the network socket between the client and the server.
10. The security authentication method of claim 9, wherein before obtaining the service address requested by the client and the first mapping relationship, the security authentication method further comprises:
and establishing connection according to the network socket, wherein the service address is the address requested in the network socket.
11. The security authentication method according to claim 10, wherein the process of performing security authentication based on the tenant authentication user information comprises:
parsing the client message in the connection and determining the current message state;
if the current message state is the first state, generating challenge information and sending the challenge information to the client;
and when receiving the token information returned by the client based on the challenge information, obtaining an evaluation authentication result of the token information based on the tenant authentication user information, and if the evaluation authentication result is successful, determining that the security authentication is successful.
12. The security authentication method of claim 11, wherein parsing the client message in the connection comprises:
parsing the remote call Id of the client message;
correspondingly, if the current message state is the first state, the process of generating the challenge information and sending the challenge information to the client comprises:
if the current message state is the first state and the remote call Id is the target value, generating challenge information and sending the challenge information to the client.
13. The security authentication method according to claim 11, wherein after generating the challenge information and sending the challenge information to the client, the security authentication method further comprises:
the client parsing the challenge information, evaluating the challenge information against a KDC server to generate token information, and changing the current message state to a second state.
14. The method of claim 13, wherein the first state is a Negotiate state and the second state is an Initiate state.
15. The security authentication method of claim 11, wherein the process of generating the challenge information comprises:
establishing a first saslServer whose authentication method is TOKEN according to the current tenant authentication user information;
and calling a method of the first saslServer to evaluate the response information sent by the client against the KDC server and generate the challenge information.
16. The security authentication method according to claim 15, wherein the process of obtaining the evaluation authentication result of the token information based on the tenant authentication user information comprises:
establishing a second saslServer whose authentication method is Kerberos according to the current tenant authentication user information;
calling a method of the second saslServer to evaluate the token information against the KDC server;
and determining the evaluation authentication result according to the received feedback information.
17. A security authentication system, comprising:
the first acquisition module is used for acquiring a service address requested by a client and a first mapping relation; the first mapping relation is a mapping relation between the virtual IP and a tenant authentication user;
the first determining module is used for determining tenant authentication user information according to the service address and the first mapping relation;
and the authentication module is used for carrying out security authentication based on the tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
18. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the secure authentication method of any one of claims 1 to 16 when executing the computer program.
19. A distributed storage system comprising a plurality of name nodes, each of said name nodes comprising an electronic device according to claim 18.
20. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the security authentication method according to any one of claims 1 to 16.
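Claims 1 to 16 describe, in claim language, a per-virtual-IP lookup (tenant, namespace, domain name, VIP list) that selects which tenant's Kerberos credential a name node uses for a given client connection, followed by a Negotiate/Initiate challenge-response exchange. The Python below is an added illustration of that flow and is not the patent's or the applicant's code. The KDC and Kerberos tokens are replaced by an HMAC stub keyed with a constructed per-tenant secret, the configuration dictionary is constructed, and the names `CONFIG`, `SASL_CALL_ID`, `kdc_token` and `run_handshake` are assumptions; the call-id value is likewise an assumption standing in for the "target value" of claim 12.

```python
"""Model of the per-VIP tenant lookup and SASL-style handshake in claims 1 to 16.
Added example, not the patent's code: the KDC is an HMAC stub keyed by a constructed
per-tenant secret, and CONFIG, SASL_CALL_ID and kdc_token are assumed names."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

NEGOTIATE, INITIATE = "Negotiate", "Initiate"  # claim 14: first and second message states
SASL_CALL_ID = -33  # assumed "target value" of claim 12 (Hadoop RPC reserves -33 for SASL)

CONFIG = {  # constructed stand-in for the configuration file of claim 3
    "tenants": {
        "tenantA": {"auth_mode": "kerberos", "namespaces": {"nsA": "a.example.internal"}},
        "tenantB": {"auth_mode": "simple", "namespaces": {"nsB": "b.example.internal"}},
    },
    "domain_vips": {"a.example.internal": ["10.0.0.11", "10.0.0.12"],
                    "b.example.internal": ["10.0.0.21"]},
    "kdc": {"tenantA": ("REALM.A", b"constructed-keytab-secret-A")},  # stub KDC per tenant
}

@dataclass
class TenantAuthUser:
    tenant: str
    auth_mode: str
    principal: str
    credential: Optional[bytes] = None  # claim 4: credential added after KDC authentication

def authenticate_tenants(cfg):
    """Claim 4: every tenant whose mode is Kerberos authenticates to its own KDC at startup."""
    users = {}
    for name, t in cfg["tenants"].items():
        principal = f"hdfs/{name}"
        if t["auth_mode"] == "kerberos":
            realm, key = cfg["kdc"][name]
            cred = hmac.new(key, principal.encode(), hashlib.sha256).digest()  # stub ticket
            users[name] = TenantAuthUser(name, "kerberos", f"{principal}@{realm}", cred)
        else:
            users[name] = TenantAuthUser(name, "simple", principal)
    return users

def build_vip_mappings(cfg, users):
    """Claims 2, 5, 6: tenant -> namespace -> domain -> VIP list, folded into the
    first mapping (VIP -> tenant auth user) and second mapping (VIP -> auth mode)."""
    first, second = {}, {}
    for name, t in cfg["tenants"].items():
        for domain in t["namespaces"].values():
            for vip in cfg["domain_vips"][domain]:
                if vip in first:  # a VIP must resolve to exactly one tenant
                    raise ValueError(f"{vip} already mapped to {first[vip].tenant}")
                first[vip] = users[name]
                second[vip] = users[name].auth_mode
    return first, second

def kdc_token(cfg, tenant, client_principal, challenge):
    """Stub for the client evaluating the challenge against the KDC (claim 13)."""
    _, key = cfg["kdc"][tenant]
    return hmac.new(key, challenge + client_principal.encode(), hashlib.sha256).digest()

class SaslServerConnection:
    """Server side of claims 1 and 11 to 16 for one client connection on one virtual IP."""

    def __init__(self, cfg, first, second, service_vip):
        self.cfg, self.challenge, self.state = cfg, None, NEGOTIATE
        self.user = first[service_vip]    # claim 1: service address -> tenant auth user
        self.mode = second[service_vip]   # claim 5: service address -> auth mode

    def handle(self, msg):
        if self.mode != "kerberos":       # tenant with Kerberos switched off: no SASL exchange
            return {"result": "success", "mechanism": "SIMPLE"}
        if self.state == NEGOTIATE:       # claims 12, 15: challenge only for the SASL call id
            if msg.get("call_id") != SASL_CALL_ID:
                return {"result": "failure", "reason": "unexpected call id"}
            self.challenge = secrets.token_bytes(16)
            self.state = INITIATE
            return {"challenge": self.challenge, "mechanism": "KERBEROS"}
        if self.state == INITIATE:        # claim 16: evaluate with this tenant's credential
            expected = kdc_token(self.cfg, self.user.tenant, msg["principal"], self.challenge)
            ok = hmac.compare_digest(expected, msg["token"])
            self.state = "Authenticated" if ok else "Failed"
            return {"result": "success" if ok else "failure"}
        return {"result": "failure", "reason": f"no further messages in state {self.state}"}

def run_handshake(cfg, vip, client_tenant, client_principal="alice"):
    """Drive one client through the exchange and return the final result string."""
    users = authenticate_tenants(cfg)
    first, second = build_vip_mappings(cfg, users)
    server = SaslServerConnection(cfg, first, second, vip)
    reply = server.handle({"call_id": SASL_CALL_ID})
    if "challenge" not in reply:
        return reply["result"]
    if client_tenant in cfg["kdc"]:
        token = kdc_token(cfg, client_tenant, client_principal, reply["challenge"])
    else:                                 # client holds no credential for this realm
        token = b"\x00" * 32
    return server.handle({"principal": client_principal, "token": token})["result"]
```

The point the model makes visible is tenant isolation at the service address: a client reaching `10.0.0.12` is evaluated only against tenantA's credential, so a token minted under another tenant's realm fails, while a tenant whose mode is `simple` never enters the SASL exchange, matching the claim that Kerberos can be switched on for only some tenants. The duplicate-VIP check in `build_vip_mappings` is the configuration-time control a defender would want, since two tenants sharing one VIP would make the first mapping ambiguous.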

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310220803.7A CN115913793B (en) 2023-03-09 2023-03-09 Security authentication method, system, electronic device, distributed storage system and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310220803.7A CN115913793B (en) 2023-03-09 2023-03-09 Security authentication method, system, electronic device, distributed storage system and medium

Publications (2)

Publication Number Publication Date
CN115913793A true CN115913793A (en) 2023-04-04
CN115913793B CN115913793B (en) 2023-05-30

Family

ID=85730211

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310220803.7A Active CN115913793B (en) 2023-03-09 2023-03-09 Security authentication method, system, electronic device, distributed storage system and medium

Country Status (1)

Country Link
CN (1) CN115913793B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106375323A (en) * 2016-09-09 2017-02-01 浪潮软件股份有限公司 Kerberos identity authentication method in multi-tenant mode
US20180337914A1 (en) * 2017-05-18 2018-11-22 Oracle International Corporation User authentication using kerberos with identity cloud service
CN110691089A (en) * 2019-09-29 2020-01-14 星环信息科技(上海)有限公司 Authentication method applied to cloud service, computer equipment and storage medium
CN113342617A (en) * 2021-06-30 2021-09-03 成都商汤科技有限公司 Equipment monitoring method, system, device, computer equipment and storage medium
CN115525880A (en) * 2021-10-19 2022-12-27 闽都创新实验室 Method, device, equipment and medium for providing SAAS service facing multi-tenant

Also Published As

Publication number Publication date
CN115913793B (en) 2023-05-30

Similar Documents

Publication Publication Date Title
US9473419B2 (en) Multi-tenant cloud storage system
US20220014517A1 (en) Self-federation in authentication systems
CN110944330B (en) MEC platform deployment method and device
US8220042B2 (en) Creating secure interactive connections with remote resources
US9584515B2 (en) Enterprise system authentication and authorization via gateway
JP4303130B2 (en) System, method and apparatus for single sign-on service
US8099768B2 (en) Method and system for multi-protocol single logout
US8171538B2 (en) Authentication and authorization of extranet clients to a secure intranet business application in a perimeter network topology
WO2017024791A1 (en) Authorization processing method and device
US9584615B2 (en) Redirecting access requests to an authorized server system for a cloud service
JP2010531516A (en) Device provisioning and domain join emulation over insecure networks
CN110138718A (en) Information processing system and its control method
JP2015005202A (en) Authority transfer system, approval server system, control method and program
CA2647997A1 (en) Identity and access management framework
US7540020B1 (en) Method and apparatus for facilitating single sign-on to applications
CN104168304A (en) System and method for single-sign-on in virtual desktop infrastructure environment
CN111049946B (en) Portal authentication method, portal authentication system, electronic equipment and storage medium
US20190028460A1 (en) Low-overhead single sign on
CN102420808B (en) Method for realizing single signon on telecom on-line business hall
US7784085B2 (en) Enabling identity information exchange between circles of trust
US9985947B1 (en) Method and system for communication of devices using dynamic routes encoded in security tokens and a dynamic optical label
CN114500082A (en) Access authentication method and device, equipment, server, storage medium and system
WO2023241331A1 (en) Internet of things system, authentication and communication method therefor, and related device
CN103118025A (en) Single sign-on method based on network access certification, single sign-on device and certificating server
CN115913793B (en) Security authentication method, system, electronic device, distributed storage system and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant