CN115913793B - Security authentication method, system, electronic device, distributed storage system and medium - Google Patents

Info

Publication number
CN115913793B
Authority
CN (China)
Prior art keywords
tenant
authentication
security authentication
user information
client
Legal status
Active
Application number
CN202310220803.7A
Other languages
Chinese (zh)
Other versions
CN115913793A (en)
Inventors
贾涛
李旭东
王帅阳
黄召军
Current assignee
Inspur Electronic Information Industry Co Ltd
Original assignee
Inspur Electronic Information Industry Co Ltd
Events
Application filed by Inspur Electronic Information Industry Co Ltd
Priority to CN202310220803.7A
Publication of CN115913793A
Application granted
Publication of CN115913793B
Legal status: active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a security authentication method, a security authentication system, an electronic device, a distributed storage system and a medium, and relates to the field of security authentication. The security authentication method comprises the following steps: acquiring the service address of a client request and a first mapping relation, the first mapping relation being the mapping between virtual IPs and tenant authentication users; determining tenant authentication user information according to the service address and the first mapping relation; and carrying out security authentication based on the tenant authentication user information, and establishing the connection between the client and the server after the security authentication succeeds. The method and system allow a single name node to interface with a plurality of Kerberos services at the same time, support enabling Kerberos security authentication independently for a subset of tenants, and can adapt to the different security authentication requirements of different big data platforms in a multi-tenant scenario.

Description

Security authentication method, system, electronic device, distributed storage system and medium
Technical Field
The present invention relates to the field of security authentication, and in particular, to a security authentication method, system, electronic device, distributed storage system, and medium.
Background
In distributed mass data storage systems, Kerberos (a computer network authentication protocol that lets parties prove their identity to each other over an insecure network in a secure manner) is typically used as the security authentication of the distributed storage system. The Kerberos protocol is mainly used for authentication in computer networks. Its characteristic is that a user enters authentication information only once and can then access a plurality of services by means of the ticket-granting ticket (TGT) obtained from that authentication, i.e. single sign-on (SSO); and because a shared secret key is established between each client and each service it accesses, the protocol offers high security.
In the prior art, each tenant of a distributed big data storage system can provide an independent big data service in a multi-tenant scenario, but the whole distributed big data storage system can only be connected to one Kerberos service at a time. When different tenants are connected to different big data platforms they have different security authentication requirements, so there are scenarios in which different Kerberos services need to be connected at the same time and different tenants use different security authentication modes (Simple or Kerberos). Some big data platforms also provide multi-tenant functionality through a big data component, but that implementation cannot meet the differing security authentication requirements of multiple tenants.
Therefore, how to solve the above technical problem is a problem that a person skilled in the art currently needs to address.
Disclosure of Invention
The invention aims to provide a security authentication method, a security authentication system, an electronic device, a distributed storage system and a medium, which allow a single name node to be connected to a plurality of Kerberos services at the same time, support enabling Kerberos security authentication independently for a subset of tenants, and can adapt to the different security authentication requirements of different big data platforms in a multi-tenant scenario.
In order to solve the technical problems, the invention provides a security authentication method, which comprises the following steps:
acquiring a service address and a first mapping relation of a client request; the first mapping relation is the mapping relation between the virtual IP and the tenant authentication user;
determining tenant authentication user information according to the service address and the first mapping relation;
and carrying out security authentication based on the tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
Optionally, before obtaining the service address and the first mapping relationship of the client request, the security authentication method further includes:
acquiring a tenant list, namespaces under tenants and domain names corresponding to each namespace in a file system;
acquiring a security authentication mode of each tenant, and determining tenant authentication user information based on the security authentication mode;
and obtaining the first mapping relation based on the tenant list, the name space, the virtual IP list under the domain name and the tenant authentication user information.
Optionally, the process of obtaining the tenant list, the namespaces under the tenants and the domain names corresponding to each namespace in the file system includes:
Acquiring a tenant list, a name space under a tenant and a domain name corresponding to each name space in a file system from a configuration file;
correspondingly, the process of obtaining the security authentication mode of each tenant includes:
and acquiring the security authentication mode of each tenant from the configuration file.
Optionally, the process of obtaining the security authentication mode of each tenant and determining the tenant authentication user information based on the security authentication mode includes:
acquiring a security authentication mode of each tenant;
determining the tenant with the security authentication mode being a Kerberos authentication mode as a target tenant;
authenticating all the target tenants to their corresponding KDC servers;
and adding the successfully authenticated credential information into the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
Optionally, after obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information, the security authentication method further includes:
determining a second mapping relation and a third mapping relation based on the first mapping relation;
The second mapping relationship is a mapping relationship between the virtual IP and a security authentication mode, and the third mapping relationship is a mapping relationship between the virtual IP and a negotiation response.
Optionally, the process of obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information includes:
determining a first corresponding relation between a tenant and a name space, a second corresponding relation between the name space and the domain name and a third corresponding relation between the domain name and a virtual IP list under the domain name based on the tenant list, the name space and the virtual IP list under the domain name;
and obtaining the first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
Optionally, the process of performing security authentication based on the tenant authentication user information includes:
and creating interaction between the corresponding saslServer and the KDC server based on the tenant authentication user information so as to perform security authentication.
Optionally, before the obtaining the service address and the first mapping relationship of the client request, the security authentication method further includes:
the client requests authentication parameters from the KDC server and authenticates itself to the Authentication Server (AS) to obtain an authentication ticket.
Optionally, before the obtaining the service address and the first mapping relationship of the client request, the security authentication method further includes:
and the client initiates a request to the server after acquiring the authentication ticket so as to create a network socket of the client and the server.
Optionally, before the obtaining the service address and the first mapping relationship of the client request, the security authentication method further includes:
and creating connection according to the network socket, wherein the service address is the address requested in the network socket.
Optionally, the process of performing security authentication based on the tenant authentication user information includes:
parsing the client message in the connection, and determining the current message state;
if the current message state is the first state, generating challenge information and sending the challenge information to the client;
and when receiving the token information returned by the client in response to the challenge information, obtaining an evaluation authentication result for the token information based on the tenant authentication user information, and judging that the security authentication has succeeded if the evaluation authentication result is success.
Optionally, the process of parsing the client message in the connection includes:
parsing the remote call Id of the client message;
correspondingly, if the current message state is the first state, the process of generating the challenge information and sending the challenge information to the client includes:
if the current message state is the first state and the remote call Id is the target value, generating challenge information and sending the challenge information to the client.
Optionally, after generating the challenge information and sending the challenge information to the client, the security authentication method further includes:
after the client parses the challenge information, the client evaluates the challenge information against the KDC server to generate token information, and modifies the current message state to a second state.
Optionally, the first state is a new state, and the second state is an initial state.
Optionally, the process of generating the challenge information includes:
creating a first saslServer whose authentication method is TOKEN according to the authentication user information of the current tenant;
and calling a method of the first saslServer to evaluate the response information sent by the client against the KDC server and generate the challenge information.
Optionally, the process of obtaining the evaluation authentication result for the token information based on the tenant authentication user information includes:
creating a second saslServer whose authentication method is KERBEROS according to the current tenant authentication user information;
invoking a method of the second saslServer to evaluate the token information against the KDC server;
and determining the evaluation authentication result according to the received feedback information.
In order to solve the technical problem, the present invention further provides a security authentication system, including:
the first acquisition module is used for acquiring a service address requested by the client and a first mapping relation; the first mapping relation is the mapping relation between the virtual IP and the tenant authentication user;
the first determining module is used for determining tenant authentication user information according to the service address and the first mapping relation;
and the authentication module is used for carrying out security authentication based on the tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
In order to solve the technical problem, the present invention further provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the security authentication method as claimed in any one of the preceding claims when executing the computer program.
In order to solve the technical problem, the invention also provides a distributed storage system which comprises a plurality of name nodes, wherein each name node comprises the electronic equipment.
To solve the above technical problem, the present invention also provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the security authentication method as described in any one of the above.
The invention provides a security authentication method in which an independent security authentication configuration is set for each tenant, tenant user authentication is performed for each tenant when the service starts, and, when a client request is processed, a different user authentication is performed according to the requested service address. In this way a single name node service interfaces with a plurality of Kerberos services at the same time, supports enabling Kerberos security authentication independently for a subset of tenants, and can adapt to the different security authentication requirements of different big data platforms in a multi-tenant scenario. The invention also provides a security authentication system, an electronic device, a distributed storage system and a computer readable storage medium, which have the same beneficial effects as the security authentication method.
Drawings
For a clearer description of the embodiments of the present invention, the drawings required by the embodiments are briefly described below. The drawings in the following description show only some embodiments of the present invention; a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a diagram of a distributed big data storage system multi-tenant architecture provided by the present invention;
fig. 2 is a schematic structural diagram of a name node service system according to the present invention;
FIG. 3 is a flowchart illustrating a security authentication method according to the present invention;
FIG. 4 is a diagram of a distributed big data storage security authentication architecture provided by the present invention;
fig. 5 is a schematic structural diagram of a security authentication system according to the present invention.
Detailed Description
The core of the invention is to provide a security authentication method, a system, an electronic device, a distributed storage system and a medium, which allow a single name node to be connected to a plurality of Kerberos services at the same time, support enabling Kerberos security authentication independently for a subset of tenants, and can adapt to the different security authentication requirements of different big data platforms in a multi-tenant scenario.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention is based on the multi-tenant scenario of a distributed big data storage system; see fig. 1, a diagram of the multi-tenant architecture of the distributed big data storage system provided by the invention. To aid understanding of the scheme, multi-tenancy is first described: a unified pool of shared resources is divided into a plurality of independent, mutually isolated resources; the multi-tenant feature provides unified resource management at tenant granularity, with resources allocated and managed per tenant. Multi-tenancy lets one storage system be shared by a plurality of tenants, reducing the operating cost of the system by sharing software and hardware resources and improving resource utilisation, while resource isolation between tenants ensures security and privacy.
Referring to fig. 2, the name node service system provided by the invention includes a tenant management module and a server module; the security authentication scheme of the invention can be implemented by the server module. The security authentication scheme provided by the invention is described below.
Referring to fig. 3, fig. 3 is a flowchart illustrating a security authentication method according to the present invention, where the security authentication method includes:
S101: acquiring a service address and a first mapping relation of a client request; the first mapping relation is the mapping relation between the virtual IP and the tenant authentication user;
s102: determining tenant authentication user information according to the service address and the first mapping relation;
Specifically, the first mapping relation is prestored in the storage space of the server module. After a request sent by the client is received, the first mapping relation is read from the storage space and the service address ServerIP is parsed from the request; in this embodiment the first mapping relation is the mapping between virtual IPs and tenant authentication users.
It can be understood that the ServerIP in the request sent by the client may be a virtual IP present in the first mapping relation or a virtual IP not present in it. If the ServerIP is a virtual IP in the first mapping relation, the tenant authentication user information corresponding to the ServerIP is determined from the first mapping relation; if the ServerIP is not in the first mapping relation, no tenant corresponds to it, and preset cluster authentication user information is used as the tenant authentication user information for that service address.
S103: and carrying out security authentication based on tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
Specifically, the interaction between the corresponding saslServer and the KDC server is created according to the tenant authentication user information in order to challenge and verify the client token; after authentication completes, the client and the server complete connection establishment.
In this embodiment, an independent security authentication configuration is set for each tenant, tenant user authentication is performed when the service starts, and a different user authentication is performed according to the requested service address when a client request is processed. A single name node service thus interfaces with multiple Kerberos services at the same time, supports enabling Kerberos security authentication independently for a subset of tenants, and can adapt to the different security authentication requirements of different big data platforms in a multi-tenant scenario.
Based on the above embodiments:
as an optional embodiment, before obtaining the service address and the first mapping relationship of the client request, the security authentication method further includes:
acquiring a tenant list, namespaces under tenants and domain names corresponding to each namespace in a file system;
acquiring a security authentication mode of each tenant, and determining tenant authentication user information based on the security authentication mode;
and obtaining the first mapping relation based on the tenant list, the namespaces, the virtual IP list under the domain names and the tenant authentication user information.
As an optional embodiment, the process of obtaining the tenant list, the namespaces under the tenants and the domain names corresponding to each namespace in the file system includes:
Acquiring a tenant list, namespaces under tenants and domain names corresponding to each namespace in a file system from a configuration file;
correspondingly, the process of obtaining the security authentication mode of each tenant comprises the following steps:
and acquiring the security authentication mode of each tenant from the configuration file.
As an optional embodiment, the process of obtaining the security authentication mode of each tenant and determining the tenant authentication user information based on the security authentication mode includes:
acquiring a security authentication mode of each tenant;
determining a tenant with a security authentication mode of Kerberos authentication mode as a target tenant;
authenticating all target tenants to their corresponding KDC servers;
and adding the successfully authenticated credential information into the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
As an optional embodiment, after obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information, the security authentication method further includes:
determining a second mapping relation and a third mapping relation based on the first mapping relation;
the second mapping relation is the mapping relation between the virtual IP and the security authentication mode, and the third mapping relation is the mapping relation between the virtual IP and the negotiation response.
As an optional embodiment, the process of obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information includes:
determining a first corresponding relation between a tenant and a name space, a second corresponding relation between the name space and a domain name and a third corresponding relation between the domain name and a virtual IP list under a domain name based on the tenant list, the name space and the virtual IP list under the domain name;
and obtaining a first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
Specifically, in this embodiment the first mapping relation between virtual IPs and tenant authentication users is established in advance by the tenant management module. When the name node service starts, the name node starts the tenant management module at the same time; the tenant management module reads from the configuration file the tenant list, the namespaces under each tenant and the domain name information corresponding to each namespace in the file system. The domain name information comprises a set of fixed virtual IPs and the load balancing policy of the domain name.
At the same time, the security authentication mode corresponding to each tenant is read from the configuration file. If the security authentication mode is Kerberos, the principal and keytab corresponding to the tenant are further obtained, and each tenant is authenticated to its corresponding KDC server using the Kerberos mode, principal and keytab. After authentication finishes, the start-up user information of the tenant is recorded in the tenant management module; the start-up user information comprises the successfully authenticated credentials. The tenant management module mainly holds several correspondences: after the user authentication of each tenant is completed, the first mapping relation between virtual IPs and tenant authentication users is finally obtained by converting those correspondences. After the server module has started and the tenant management module has finished initialising, the first mapping relation held in the tenant management module is passed to the server module.
The server module obtains the security authentication mode corresponding to each tenant from each tenant authentication user according to the first mapping relation, and generates the mapping relation between virtual IP and security authentication mode and the mapping relation between virtual IP and Negotiate Response (negotiation response); these two mapping relations are used when the client accesses the server.
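The start-up procedure above (tenant list, namespaces, domain names, VIP lists and per-tenant security mode in, first/second/third mapping relations out, then resolution of a requested ServerIP with fallback to the cluster user) as an added, runnable example. This is not the patent's or Inspur's code: the configuration layout, tenant names, principals, keytab paths and IP addresses are all constructed for illustration, the start-up KDC login is a stand-in that returns a placeholder credential, and the negotiate-response contents (KERBEROS/GSSAPI plus TOKEN/DIGEST-MD5 for Kerberos tenants) are an assumption modelled on Hadoop's SASL auth methods rather than anything the patent specifies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthUser:
    """Tenant authentication user as held by the tenant management module."""
    tenant: Optional[str]          # None for the cluster-wide default user
    auth_mode: str                 # "kerberos" or "simple"
    principal: Optional[str] = None
    keytab: Optional[str] = None
    credential: Optional[str] = None   # filled in after the start-up KDC login


# Constructed configuration file contents (assumed layout, not the patent's).
CONFIG = {
    "tenants": {
        "tenantA": {"auth_mode": "kerberos",
                    "principal": "nn/tenantA@REALM-A.EXAMPLE",
                    "keytab": "/etc/security/keytabs/tenantA.keytab",
                    "namespaces": {"nsA": "a.storage.example"}},
        "tenantB": {"auth_mode": "kerberos",
                    "principal": "nn/tenantB@REALM-B.EXAMPLE",
                    "keytab": "/etc/security/keytabs/tenantB.keytab",
                    "namespaces": {"nsB": "b.storage.example"}},
        "tenantC": {"auth_mode": "simple",
                    "namespaces": {"nsC": "c.storage.example"}},
    },
    # Third correspondence: domain name -> fixed virtual IP list.
    "domains": {"a.storage.example": ["10.0.1.10", "10.0.1.11"],
                "b.storage.example": ["10.0.2.10"],
                "c.storage.example": ["10.0.3.10"]},
}

# Preset cluster authentication user used when the ServerIP belongs to no tenant.
CLUSTER_USER = AuthUser(None, "kerberos", "nn/cluster@REALM.EXAMPLE",
                        "/etc/security/keytabs/cluster.keytab",
                        "tgt-for:nn/cluster@REALM.EXAMPLE")


def login_to_kdc(principal: str, keytab: str) -> str:
    """Stand-in for the start-up authentication against the tenant's KDC.
    A real name node would obtain a TGT here; this returns a placeholder."""
    return f"tgt-for:{principal}"


def negotiate_response(user: AuthUser) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Auth methods offered on a VIP (assumed, modelled on Hadoop's SASL methods)."""
    if user.auth_mode == "kerberos":
        return [("KERBEROS", "GSSAPI", user.principal), ("TOKEN", "DIGEST-MD5", None)]
    return [("SIMPLE", None, None)]


def build_mappings(config: dict):
    """Derive the first, second and third mapping relations from the config."""
    tenant_ns: Dict[str, List[str]] = {}   # first correspondence: tenant -> namespaces
    ns_domain: Dict[str, str] = {}         # second correspondence: namespace -> domain
    domain_vips: Dict[str, List[str]] = config["domains"]
    auth_users: Dict[str, AuthUser] = {}
    for name, t in config["tenants"].items():
        tenant_ns[name] = list(t["namespaces"])
        ns_domain.update(t["namespaces"])
        if t["auth_mode"] == "kerberos":   # only Kerberos tenants log in at start-up
            cred = login_to_kdc(t["principal"], t["keytab"])
            auth_users[name] = AuthUser(name, "kerberos", t["principal"], t["keytab"], cred)
        else:
            auth_users[name] = AuthUser(name, "simple")
    vip_user: Dict[str, AuthUser] = {}     # first mapping: VIP -> tenant auth user
    for tenant, namespaces in tenant_ns.items():
        for ns in namespaces:
            for vip in domain_vips[ns_domain[ns]]:
                if vip in vip_user and vip_user[vip].tenant != tenant:
                    # A VIP shared by two tenants would make the lookup ambiguous
                    # and let one tenant's client be authenticated as the other.
                    raise ValueError(f"VIP {vip} is claimed by more than one tenant")
                vip_user[vip] = auth_users[tenant]
    vip_mode = {vip: u.auth_mode for vip, u in vip_user.items()}           # second mapping
    vip_negotiate = {vip: negotiate_response(u) for vip, u in vip_user.items()}  # third mapping
    return vip_user, vip_mode, vip_negotiate


def resolve_auth_user(server_ip: str, vip_user: Dict[str, AuthUser],
                      cluster_user: AuthUser = CLUSTER_USER) -> AuthUser:
    """S101/S102: ServerIP present in the first mapping -> that tenant's user,
    otherwise the preset cluster authentication user."""
    return vip_user.get(server_ip, cluster_user)


if __name__ == "__main__":
    users, modes, negotiate = build_mappings(CONFIG)
    for ip in ("10.0.1.11", "10.0.3.10", "10.0.9.9"):
        u = resolve_auth_user(ip, users)
        print(ip, "->", u.tenant, u.auth_mode, negotiate.get(ip))
```

The overlap check in `build_mappings` is the one a practitioner would want here: the whole scheme keys authentication on the destination VIP, so a VIP that appears under two tenants' domain names must be rejected at start-up rather than resolved to whichever tenant was loaded last.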
Further, after the name node service starts, the data nodes register with the name node service and, once registered, periodically send heartbeat information to the name node. Referring to the distributed big data storage security authentication architecture shown in fig. 4, the data nodes register with the name node and send heartbeats through RPC, so Kerberos authentication is required; this part can follow the existing logic.
Referring to fig. 4, the authentication process in which a saslServer is created according to the tenant authentication user information to interact with the KDC server and challenge and verify the client token is as follows:
as an optional embodiment, before obtaining the service address and the first mapping relationship of the client request, the security authentication method further includes:
the client requests authentication parameters from the KDC server and authenticates itself to the authentication server to obtain an authentication ticket.
As an optional embodiment, before obtaining the service address and the first mapping relationship of the client request, the security authentication method further includes:
the client initiates a request to the server after acquiring the authentication ticket so as to create a network socket between the client and the server.
As an optional embodiment, before obtaining the service address and the first mapping relationship of the client request, the security authentication method further includes:
a connection is created from the network socket, and the service address is the address requested in the network socket.
Specifically, the client first needs to obtain its authentication parameters, a principal and a keytab, for the KDC server, and before access must authenticate itself to the Authentication Server (AS) to obtain a ticket-granting ticket (TGT). After obtaining the TGT the client initiates a request to the server, a socket is established between the client and the server, and a Connection is created from the socket. The Connection looks up the corresponding tenant authentication user information in the server module's first mapping relation between virtual IP and tenant authentication user, using the ServerIP requested in the socket as the virtual IP.
As an alternative embodiment, the process of performing security authentication based on tenant authentication user information includes:
parsing the client message in the connection, and determining the current message state;
if the current message state is the first state, generating challenge information and sending the challenge information to the client;
and when the token information returned by the client in response to the challenge information is received, obtaining an evaluation authentication result for the token information based on the tenant authentication user information, and judging that the security authentication has succeeded if the evaluation authentication result is success.
As an alternative embodiment, the process of parsing the client message in the connection includes:
parsing the remote call Id of the client message;
correspondingly, if the current message state is the first state, the process of generating the challenge information and sending the challenge information to the client includes:
if the current message state is the first state and the remote call Id is the target value, generating challenge information and sending the challenge information to the client.
As an alternative embodiment, after generating the challenge information and sending the challenge information to the client, the security authentication method further includes:
after the client parses the challenge information, the client evaluates the challenge information against the KDC server to generate token information, and modifies the current message state to a second state.
As an alternative embodiment, the first state is a new state and the second state is an initial state.
As an alternative embodiment, the process of generating the challenge information includes:
creating a first saslServer whose authentication method is TOKEN according to the authentication user information of the current tenant;
and calling a method of the first saslServer to evaluate the response information sent by the client against the KDC server and generate the challenge information.
As an alternative embodiment, the process of obtaining the evaluation authentication result for the token information based on the tenant authentication user information includes:
creating a second saslServer whose authentication method is KERBEROS according to the current tenant authentication user information;
invoking a method of the second saslServer to evaluate the token information against the KDC server;
and determining the evaluation authentication result according to the received feedback information.
Specifically, a client message (saslMessage) is processed in Connection, firstly, a call Id in the client message (saslMessage), namely a remote call Id, is analyzed, a fixed value is set for the remote call Id in the Connection establishment process, a specific remote call Id after Kerberos security authentication is opened to be-33, then, the current message state is analyzed from the client message (saslMessage), the message state is a new state when the Connection is established for the first time, and sasl negotiation response information is constructed at the moment. When constructing the sasl negotiation response information, firstly creating a saslsserver with an authentication method being TOKEN according to the authentication user information of the current tenant (when starting Kerberos security authentication, the implementation class is GssKrb5 Server), then calling the method in the saslsserver to evaluate the response data sent by the client to the KDC Server and generate inquiry information, and sending the inquiry information to the client by the Server.
After receiving the inquiry, the client analyzes the inquiry information to evaluate the inquiry information to the KDC Server and generate a Token, the client sends the Token to the name node and sets the saslMessage message state as the initial state, after receiving the message of the initial state, the Server analyzes the Token information, and re-creates an authentication method according to the current tenant authentication user information to be the SaslServer of KERBEROS (when Kerberos security authentication is started, the implementation class is GssKrb5 Server), and then invokes the method in the SaslServer to evaluate the Token information sent by the client to the KDC Server, and after the authentication is completed, the SUCCESS is returned, so that the client and the Server complete the connection.
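The two-phase exchange just described, modelled as an added Python example that is not part of the patent or of any name node implementation. The real Kerberos step (the saslServer evaluating the client's token against the tenant's KDC) is replaced by an HMAC over a per-tenant secret so that the example runs offline; the state names NEGOTIATE/INITIATE/CHALLENGE, the message layout, the virtual IPs and the tenant secrets are assumptions. The call id -33 and the ordering "negotiation state first, initial state second" come from the description above. The second handshake shows the isolation property the patent claims: a token minted under tenant B's credentials is rejected on tenant A's virtual IP because the server bound to that address only holds tenant A's authentication user information.

```python
"""Added example (not the patent's own code): server-side model of the per-tenant
SASL exchange. Kerberos/KDC evaluation is simulated with HMAC over a per-tenant
secret; state names, message layout, VIPs and secrets are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

SASL_CALL_ID = -33  # remote call id the description fixes for SASL messages
NEGOTIATE, INITIATE, CHALLENGE, SUCCESS, FAILURE = (
    "NEGOTIATE", "INITIATE", "CHALLENGE", "SUCCESS", "FAILURE")

# Constructed tenant authentication user info: virtual IP -> (tenant, secret shared
# with that tenant's KDC). A real deployment would hold a Kerberos login here.
TENANT_AUTH_USERS = {
    "10.0.1.10": ("tenantA", b"tenantA-keytab-secret"),
    "10.0.2.10": ("tenantB", b"tenantB-keytab-secret"),
}


@dataclass
class SaslMessage:
    call_id: int
    state: str
    token: Optional[bytes] = None


class TenantSaslServer:
    """One instance per connection, bound to the tenant that owns the service address."""

    def __init__(self, service_address: str):
        if service_address not in TENANT_AUTH_USERS:
            raise KeyError("no tenant authentication user for this virtual IP")
        self.tenant, self._secret = TENANT_AUTH_USERS[service_address]
        self.challenge: Optional[bytes] = None
        self.authenticated = False

    def handle(self, msg: SaslMessage) -> SaslMessage:
        # Only messages carrying the fixed SASL call id take part in the exchange.
        if msg.call_id != SASL_CALL_ID:
            return SaslMessage(SASL_CALL_ID, FAILURE, b"unexpected call id")
        if msg.state == NEGOTIATE and self.challenge is None:
            # First phase: the TOKEN-mechanism server produces the challenge.
            self.challenge = os.urandom(16)
            return SaslMessage(SASL_CALL_ID, CHALLENGE, self.challenge)
        if msg.state == INITIATE and self.challenge is not None:
            # Second phase: the KERBEROS-mechanism server evaluates the returned token
            # with this tenant's credentials only (simulated by HMAC).
            expected = hmac.new(self._secret, self.challenge, hashlib.sha256).digest()
            if msg.token is not None and hmac.compare_digest(expected, msg.token):
                self.authenticated = True
                return SaslMessage(SASL_CALL_ID, SUCCESS)
            return SaslMessage(SASL_CALL_ID, FAILURE, b"token rejected")
        return SaslMessage(SASL_CALL_ID, FAILURE, b"unexpected state")


def client_token(tenant_secret: bytes, challenge: bytes) -> bytes:
    """Stands in for the client presenting the challenge to its KDC and receiving a token."""
    return hmac.new(tenant_secret, challenge, hashlib.sha256).digest()


def run_handshake(service_address: str, client_secret: bytes) -> str:
    """Drives both sides of the exchange and returns the server's final state."""
    server = TenantSaslServer(service_address)
    reply = server.handle(SaslMessage(SASL_CALL_ID, NEGOTIATE))
    if reply.state != CHALLENGE:
        return reply.state
    token = client_token(client_secret, reply.token)
    return server.handle(SaslMessage(SASL_CALL_ID, INITIATE, token)).state


if __name__ == "__main__":
    print(run_handshake("10.0.1.10", b"tenantA-keytab-secret"))  # SUCCESS
    print(run_handshake("10.0.1.10", b"tenantB-keytab-secret"))  # FAILURE: tenant B credentials on tenant A's VIP
```

Design note: the server refuses an INITIATE message that arrives before any challenge was issued and refuses messages with the wrong call id, so a client cannot skip the first phase; a production name node should log such out-of-order messages per tenant, since they indicate a misconfigured or hostile client.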
In summary, the method has clear advantages for security authentication in the multi-tenant storage scenario of a distributed big data storage system. First, the distributed file system can serve several big data services at the same time and satisfy their different security authentication requirements. Second, because different tenants access their respective KDC services, users not under a tenant cannot access that tenant's resources, so security is high. Third, the security authentication configuration and security authentication user information of every tenant are maintained simultaneously in a single name node process, the several name node services are mutually fault-tolerant, and the overall system is relatively stable. Fourth, the invention is compatible with the existing security authentication mode and integrates into the existing distributed big data storage system, so compatibility is strong. Fifth, in the multi-tenant scenario the distributed big data storage system can serve several big data services at once, so cost is low.
In a second aspect, referring to fig. 5, fig. 5 is a schematic structural diagram of a security authentication system according to the present invention, where the security authentication system includes:
a first obtaining module 51, configured to obtain a service address requested by a client and a first mapping relationship; the first mapping relation is the mapping relation between the virtual IP and the tenant authentication user;
a first determining module 52, configured to determine tenant authentication user information according to the service address and the first mapping relationship;
the authentication module 53 is configured to perform security authentication based on tenant authentication user information, and establish a connection between the client and the server after the security authentication is successful.
In this embodiment, by configuring separate security authentication configuration for each tenant, tenant user authentication is performed when the service is started, and different user authentications are performed according to the requested service address when the client request is processed, so that a single-name node service is realized to simultaneously interface with multiple Kerberos services and support Kerberos security authentication of separately opening part of tenants, and different security authentication requirements of different big data platforms can be adapted under a multi-tenant scenario.
As an alternative embodiment, the security authentication system further comprises:
the preprocessing module is used for acquiring a tenant list, namespaces under tenants and domain names corresponding to each namespace in the file system;
Acquiring a security authentication mode of each tenant, and determining tenant authentication user information based on the security authentication mode;
and obtaining a first mapping relation based on the tenant list, the name space, the virtual IP list under the domain name and the tenant authentication user information.
As an optional embodiment, the process of obtaining a tenant list, namespaces under tenants, and domain names corresponding to each namespace in a file system includes:
acquiring a tenant list, namespaces under tenants and domain names corresponding to each namespace in a file system from a configuration file;
correspondingly, the process of obtaining the security authentication mode of each tenant comprises the following steps:
and acquiring the security authentication mode of each tenant from the configuration file.
As an optional embodiment, the process of obtaining the security authentication mode of each tenant and determining the tenant authentication user information based on the security authentication mode includes:
acquiring a security authentication mode of each tenant;
determining a tenant with a security authentication mode of Kerberos authentication mode as a target tenant;
authenticating all target tenants to their corresponding KDC servers;
and adding the successfully authenticated credential information into the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
As an alternative embodiment, the preprocessing module is specifically configured to:
determining a second mapping relation and a third mapping relation based on the first mapping relation;
the second mapping relation is the mapping relation between the virtual IP and the security authentication mode, and the third mapping relation is the mapping relation between the virtual IP and the negotiation response.
As an optional embodiment, the process of obtaining the first mapping relationship based on the tenant list, the namespace, the virtual IP list under the domain name, and the tenant authentication user information includes:
determining a first corresponding relation between a tenant and a name space, a second corresponding relation between the name space and a domain name and a third corresponding relation between the domain name and a virtual IP list under a domain name based on the tenant list, the name space and the virtual IP list under the domain name;
and obtaining a first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
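The preprocessing described above (tenant list, namespaces, domains and virtual IP lists composed into the first mapping relation, with the second and third mapping relations derived from it) and the look-up that resolves a requested service address to tenant authentication user information, as an added Python example that is not part of the patent or of any storage system. The configuration layout, field names, principals and addresses are constructed for the example; the Kerberos login each Kerberos-mode tenant performs at start-up is simulated. The look-up also implements the fallback stated in claim 1: a service address that is not any virtual IP in the first mapping relation resolves to the preset cluster authentication user.

```python
"""Added example (not the patent's own code): builds the first, second and third
mapping relations from a constructed tenant configuration and resolves a service
address to tenant authentication user info. Config layout, names and addresses
are assumptions; the KDC login is simulated."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthUser:
    principal: str                     # identity the name node uses for this tenant
    auth_mode: str                     # "KERBEROS" or "SIMPLE"
    credential: Optional[str] = None   # credential attached after the start-up login


# Constructed configuration file contents: tenant -> auth mode, principal,
# namespaces -> domain name -> virtual IP list.
TENANT_CONFIG = {
    "tenantA": {
        "auth_mode": "KERBEROS",
        "principal": "nn/tenantA@A.EXAMPLE",
        "namespaces": {"nsA": {"domain": "a.storage.example",
                               "vips": ["10.0.1.10", "10.0.1.11"]}},
    },
    "tenantB": {
        "auth_mode": "SIMPLE",
        "principal": "nn/tenantB",
        "namespaces": {"nsB": {"domain": "b.storage.example",
                               "vips": ["10.0.2.10"]}},
    },
}

# Preset cluster authentication user used when the address is not a tenant VIP.
CLUSTER_DEFAULT_USER = AuthUser("nn/cluster@CLUSTER.EXAMPLE", "KERBEROS",
                                "TGT(nn/cluster@CLUSTER.EXAMPLE)")


def login_tenants(config: dict) -> Dict[str, AuthUser]:
    """Start-up step: every tenant in Kerberos mode authenticates to its own KDC and
    the resulting credential is added to that tenant's start-up user info.
    The login itself is simulated here."""
    users = {}
    for tenant, cfg in config.items():
        credential = None
        if cfg["auth_mode"] == "KERBEROS":
            credential = f"TGT({cfg['principal']})"  # stands in for a keytab login
        users[tenant] = AuthUser(cfg["principal"], cfg["auth_mode"], credential)
    return users


def build_first_mapping(config: dict, users: Dict[str, AuthUser]) -> Dict[str, AuthUser]:
    """Compose tenant->namespace, namespace->domain and domain->VIP list into VIP->auth user."""
    vip_to_user: Dict[str, AuthUser] = {}
    for tenant, cfg in config.items():
        for ns in cfg["namespaces"].values():
            for vip in ns["vips"]:
                # A VIP owned by two tenants would let one tenant authenticate as the other.
                if vip in vip_to_user:
                    raise ValueError(f"virtual IP {vip} is claimed by more than one tenant")
                vip_to_user[vip] = users[tenant]
    return vip_to_user


def negotiation_response(auth_mode: str) -> List[str]:
    """Mechanisms offered in the SASL negotiation response for a given auth mode (assumed)."""
    return ["TOKEN", "KERBEROS"] if auth_mode == "KERBEROS" else ["SIMPLE"]


def derive_mappings(first: Dict[str, AuthUser]) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Second mapping: VIP -> auth mode. Third mapping: VIP -> negotiation response."""
    second = {vip: user.auth_mode for vip, user in first.items()}
    third = {vip: negotiation_response(user.auth_mode) for vip, user in first.items()}
    return second, third


def resolve_auth_user(service_address: str, first: Dict[str, AuthUser]) -> AuthUser:
    """Per-request step: tenant user for a tenant VIP, cluster user otherwise."""
    return first.get(service_address, CLUSTER_DEFAULT_USER)


def build_all(config: dict = TENANT_CONFIG):
    users = login_tenants(config)
    first = build_first_mapping(config, users)
    second, third = derive_mappings(first)
    return first, second, third


if __name__ == "__main__":
    first, second, third = build_all()
    print(resolve_auth_user("10.0.1.11", first))   # tenant A's authentication user
    print(resolve_auth_user("10.0.9.9", first))    # preset cluster authentication user
```

The duplicate-VIP check is the one addition a defender would insist on: the first mapping relation is what decides which tenant's Kerberos identity a connection is authenticated under, so a virtual IP that appears under two tenants must be rejected when the configuration is loaded rather than silently resolved to whichever tenant was read last.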
As an alternative embodiment, the process of performing security authentication based on tenant authentication user information includes:
and establishing a corresponding saslServer based on tenant authentication user information to interact with the KDC server so as to perform security authentication.
As an alternative embodiment, the security authentication system further comprises:
the authentication module is used for applying authentication parameters to the KDC server by the client and authenticating the client to the authentication server to acquire an authentication ticket.
As an alternative embodiment, the security authentication system further comprises:
and the connection establishment module is used for establishing a network socket of the client and the server after receiving a request initiated by the client to the server after acquiring the authentication ticket.
As an alternative embodiment, the establishing connection module is further configured to:
a connection is created from the socket and the service address is the address of the request in the socket.
As an alternative embodiment, the process of performing security authentication based on tenant authentication user information includes:
parsing the client message in the connection, and determining the current message state;
if the current message state is the first state, generating challenge information and sending it to the client;
and when the token information returned by the client based on the challenge information is received, acquiring an evaluation authentication result of the token information based on the tenant authentication user information, and judging that the security authentication is successful if the evaluation authentication result is success.
As an alternative embodiment, the process of parsing the client message in the connection includes:
parsing the remote call Id of the client message;
correspondingly, if the current message state is the first state, the process of generating the challenge information and sending it to the client includes:
if the current message state is the first state and the remote call Id is the target value, generating the challenge information and sending it to the client.
As an alternative embodiment, the security authentication system further comprises:
the adjustment module, used by the client, after parsing the challenge information, to evaluate the challenge information against the KDC server to generate the token information, and to modify the current message state to the second state.
As an alternative embodiment, the first state is a negotiation state and the second state is an initial state.
As an alternative embodiment, the process of generating the challenge information includes:
creating a first saslServer whose authentication method is TOKEN according to the authentication user information of the current tenant;
and calling the method of the first saslServer to evaluate the response information sent by the client against the KDC server and generate the challenge information.
As an alternative embodiment, the process of acquiring the evaluation authentication result of the token information based on the tenant authentication user information includes:
creating a second saslServer whose authentication method is Kerberos according to the current tenant authentication user information;
invoking the method in the second saslServer to evaluate the token information against the KDC server;
and determining the evaluation authentication result according to the received feedback information.
In a third aspect, the present invention also provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the security authentication method as described in any one of the embodiments above when executing a computer program.
Specifically, the memory includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and computer readable instructions, and the internal memory provides an environment for the operating system and the execution of the computer readable instructions in the non-volatile storage medium. The processor provides computing and control capabilities for the electronic device, and when executing the computer program stored in the memory, the following steps may be implemented: acquiring a service address and a first mapping relation of a client request; the first mapping relation is the mapping relation between the virtual IP and the tenant authentication user; determining tenant authentication user information according to the service address and the first mapping relation; and carrying out security authentication based on tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
In this embodiment, by configuring separate security authentication configuration for each tenant, tenant user authentication is performed when the service is started, and different user authentications are performed according to the requested service address when the client request is processed, so that a single-name node service is realized to simultaneously interface with multiple Kerberos services and support Kerberos security authentication of separately opening part of tenants, and different security authentication requirements of different big data platforms can be adapted under a multi-tenant scenario.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: acquiring a tenant list, namespaces under tenants and domain names corresponding to each namespace in a file system; acquiring a security authentication mode of each tenant, and determining tenant authentication user information based on the security authentication mode; and obtaining a first mapping relation based on the tenant list, the name space, the virtual IP list under the domain name and the tenant authentication user information.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: acquiring a tenant list, namespaces under tenants and domain names corresponding to each namespace in a file system from a configuration file; and acquiring the security authentication mode of each tenant from the configuration file.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: acquiring a security authentication mode of each tenant; determining a tenant with a security authentication mode of Kerberos authentication mode as a target tenant; authenticating all target tenants to their corresponding KDC servers; and adding the successfully authenticated credential information into the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: determining a second mapping relation and a third mapping relation based on the first mapping relation; the second mapping relation is the mapping relation between the virtual IP and the security authentication mode, and the third mapping relation is the mapping relation between the virtual IP and the negotiation response.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: determining a first corresponding relation between a tenant and a name space, a second corresponding relation between the name space and a domain name and a third corresponding relation between the domain name and a virtual IP list under a domain name based on the tenant list, the name space and the virtual IP list under the domain name; and obtaining a first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: and establishing a corresponding saslServer based on tenant authentication user information to interact with the KDC server so as to perform security authentication.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: the client applies authentication parameters to the KDC server and authenticates itself to the authentication server to obtain an authentication ticket.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: the client initiates a request to the server after acquiring the authentication ticket so as to create a network socket between the client and the server.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: a connection is created from the socket and the service address is the address of the request in the socket.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: parsing the client message in the connection, and determining the current message state; if the current message state is the first state, generating challenge information and sending it to the client; and when the token information returned by the client based on the challenge information is received, acquiring an evaluation authentication result of the token information based on the tenant authentication user information, and judging that the security authentication is successful if the evaluation authentication result is success.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: parsing the remote call Id of the client message; correspondingly, if the current message state is the first state, the process of generating the challenge information and sending it to the client includes: if the current message state is the first state and the remote call Id is the target value, generating the challenge information and sending it to the client.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: after the client parses the challenge information, the client evaluates the challenge information against the KDC server to generate the token information, and modifies the current message state to the second state.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: creating a first saslServer whose authentication method is TOKEN according to the authentication user information of the current tenant; and calling the method of the first saslServer to evaluate the response information sent by the client against the KDC server and generate the challenge information.
As an alternative embodiment, the processor may implement the following steps when executing the computer subroutine stored in the memory: creating a second saslServer whose authentication method is Kerberos according to the current tenant authentication user information; invoking the method in the second saslServer to evaluate the token information against the KDC server; and determining the evaluation authentication result according to the received feedback information.
On the basis of the above embodiment, as a preferred implementation manner, the electronic device further includes:
the input interface is connected with the processor and used for acquiring the externally imported computer programs, parameters and instructions, and the externally imported computer programs, parameters and instructions are controlled by the processor and stored in the memory. The input interface may be coupled to an input device for receiving parameters or instructions manually entered by a user. The input device can be a touch layer covered on a display screen, or can be a key, a track ball or a touch pad arranged on a terminal shell.
And the display unit is connected with the processor and used for displaying the data sent by the processor. The display unit may be a liquid crystal display or an electronic ink display, etc.
And the network port is connected with the processor and used for carrying out communication connection with external terminal equipment. The communication technology adopted by the communication connection can be a wired communication technology or a wireless communication technology, such as a mobile high definition link technology (MHL), a Universal Serial Bus (USB), a High Definition Multimedia Interface (HDMI), a wireless fidelity technology (WiFi), a Bluetooth communication technology with low power consumption, a communication technology based on IEEE802.11s, and the like.
In a fourth aspect, the present invention also provides a distributed storage system comprising a plurality of name nodes, each name node comprising an electronic device as above.
For an introduction to the distributed storage system provided in this embodiment, reference is made to the foregoing embodiment, and this embodiment is not repeated herein.
The distributed storage system provided by the invention has the same beneficial effects as the security authentication method.
In a fifth aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the security authentication method as described in any one of the embodiments above.
The storage medium may include: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes. The storage medium has stored thereon a computer program which, when executed by a processor, performs the steps of: acquiring a service address and a first mapping relation of a client request; the first mapping relation is the mapping relation between the virtual IP and the tenant authentication user; determining tenant authentication user information according to the service address and the first mapping relation; and carrying out security authentication based on tenant authentication user information, and establishing connection between the client and the server after the security authentication is successful.
In this embodiment, by configuring separate security authentication configuration for each tenant, tenant user authentication is performed when the service is started, and different user authentications are performed according to the requested service address when the client request is processed, so that a single-name node service is realized to simultaneously interface with multiple Kerberos services and support Kerberos security authentication of separately opening part of tenants, and different security authentication requirements of different big data platforms can be adapted under a multi-tenant scenario.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: acquiring a tenant list, namespaces under tenants and domain names corresponding to each namespace in a file system; acquiring a security authentication mode of each tenant, and determining tenant authentication user information based on the security authentication mode; and obtaining a first mapping relation based on the tenant list, the name space, the virtual IP list under the domain name and the tenant authentication user information.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: acquiring a tenant list, namespaces under tenants and domain names corresponding to each namespace in a file system from a configuration file; and acquiring the security authentication mode of each tenant from the configuration file.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: acquiring a security authentication mode of each tenant; determining a tenant with a security authentication mode of Kerberos authentication mode as a target tenant; authenticating all target tenants to their corresponding KDC servers; and adding the successfully authenticated credential information into the starting user information of the target tenant to determine tenant authentication user information of the target tenant.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: determining a second mapping relation and a third mapping relation based on the first mapping relation; the second mapping relation is the mapping relation between the virtual IP and the security authentication mode, and the third mapping relation is the mapping relation between the virtual IP and the negotiation response.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: determining a first corresponding relation between a tenant and a name space, a second corresponding relation between the name space and a domain name and a third corresponding relation between the domain name and a virtual IP list under a domain name based on the tenant list, the name space and the virtual IP list under the domain name; and obtaining a first mapping relation according to the first corresponding relation, the second corresponding relation, the third corresponding relation and the tenant authentication user information.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: and establishing a corresponding saslServer based on tenant authentication user information to interact with the KDC server so as to perform security authentication.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: the client applies authentication parameters to the KDC server and authenticates itself to the authentication server to obtain an authentication ticket.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: the client initiates a request to the server after acquiring the authentication ticket so as to create a network socket between the client and the server.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: a connection is created from the socket and the service address is the address of the request in the socket.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: parsing the client message in the connection, and determining the current message state; if the current message state is the first state, generating challenge information and sending it to the client; and when the token information returned by the client based on the challenge information is received, acquiring an evaluation authentication result of the token information based on the tenant authentication user information, and judging that the security authentication is successful if the evaluation authentication result is success.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: parsing the remote call Id of the client message; correspondingly, if the current message state is the first state, the process of generating the challenge information and sending it to the client includes: if the current message state is the first state and the remote call Id is the target value, generating the challenge information and sending it to the client.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: after the client parses the challenge information, the client evaluates the challenge information against the KDC server to generate the token information, and modifies the current message state to the second state.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: creating a first saslServer whose authentication method is TOKEN according to the authentication user information of the current tenant; and calling the method of the first saslServer to evaluate the response information sent by the client against the KDC server and generate the challenge information.
As an alternative embodiment, the following steps may be implemented in particular when a computer subroutine stored in a computer readable storage medium is executed by a processor: creating a second saslServer whose authentication method is Kerberos according to the current tenant authentication user information; invoking the method in the second saslServer to evaluate the token information against the KDC server; and determining the evaluation authentication result according to the received feedback information.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (20)

1. A security authentication method, characterized in that the security authentication method comprises:
acquiring a service address requested by a client and a first mapping relation, the first mapping relation being a mapping relation between virtual IPs and tenant authentication users;
determining tenant authentication user information according to the service address and the first mapping relation;
performing security authentication based on the tenant authentication user information, and establishing a connection between the client and the server after the security authentication succeeds;
wherein the process of determining the tenant authentication user information according to the service address and the first mapping relation comprises:
when the service address is any virtual IP in the first mapping relation, determining the tenant authentication user information corresponding to the service address based on the first mapping relation;
and when the service address is not any virtual IP in the first mapping relation, determining preset cluster authentication user information as the tenant authentication user information corresponding to the service address.
2. The security authentication method according to claim 1, wherein before acquiring the service address requested by the client and the first mapping relation, the security authentication method further comprises:
acquiring the tenant list of the file system, the namespaces under each tenant and the domain name corresponding to each namespace;
acquiring the security authentication mode of each tenant, and determining the tenant authentication user information based on the security authentication mode;
and obtaining the first mapping relation based on the tenant list, the namespaces, the virtual IP list under each domain name and the tenant authentication user information.
3. The security authentication method according to claim 2, wherein the process of acquiring the tenant list of the file system, the namespaces under each tenant and the domain name corresponding to each namespace comprises:
acquiring the tenant list, the namespaces under each tenant and the domain name corresponding to each namespace from a configuration file;
and correspondingly, the process of acquiring the security authentication mode of each tenant comprises:
acquiring the security authentication mode of each tenant from the configuration file.
4. The security authentication method according to claim 2, wherein the process of acquiring the security authentication mode of each tenant and determining the tenant authentication user information based on the security authentication mode comprises:
acquiring the security authentication mode of each tenant;
determining each tenant whose security authentication mode is the Kerberos authentication mode as a target tenant;
authenticating every target tenant to its corresponding KDC server;
and adding the credential information obtained on successful authentication to the start-up user information of the target tenant, so as to determine the tenant authentication user information of the target tenant.
5. The security authentication method according to claim 2, wherein after obtaining the first mapping relation based on the tenant list, the namespaces, the virtual IP list under each domain name and the tenant authentication user information, the security authentication method further comprises:
determining a second mapping relation and a third mapping relation based on the first mapping relation;
the second mapping relation being a mapping relation between virtual IPs and security authentication modes, and the third mapping relation being a mapping relation between virtual IPs and negotiation responses.
6. The security authentication method according to claim 2, wherein the process of obtaining the first mapping relation based on the tenant list, the namespaces, the virtual IP list under each domain name and the tenant authentication user information comprises:
determining, based on the tenant list, the namespaces and the virtual IP list under each domain name, a first correspondence between tenants and namespaces, a second correspondence between namespaces and domain names, and a third correspondence between domain names and the virtual IP lists under them;
and obtaining the first mapping relation from the first correspondence, the second correspondence, the third correspondence and the tenant authentication user information.
7. The security authentication method according to claim 1, wherein the process of performing security authentication based on the tenant authentication user information comprises:
creating, based on the tenant authentication user information, the corresponding saslServer, and having it interact with the KDC server in order to perform the security authentication.
8. The security authentication method according to any one of claims 1 to 7, wherein before acquiring the service address requested by the client and the first mapping relation, the security authentication method further comprises:
the client requesting authentication parameters from the KDC server and authenticating itself to the authentication server in order to obtain an authentication ticket.
9. The security authentication method according to claim 8, wherein before acquiring the service address requested by the client and the first mapping relation, the security authentication method further comprises:
the client initiating a request to the server after obtaining the authentication ticket, so as to create a network socket between the client and the server.
10. The security authentication method according to claim 9, wherein before acquiring the service address requested by the client and the first mapping relation, the security authentication method further comprises:
creating the connection according to the network socket, the service address being the address requested through the network socket.
11. The security authentication method according to claim 10, wherein the process of performing security authentication based on the tenant authentication user information comprises:
parsing the client message in the connection and determining the current message state;
if the current message state is a first state, generating challenge information and sending the challenge information to the client;
and when token information returned by the client in response to the challenge information is received, obtaining an evaluation authentication result for the token information based on the tenant authentication user information, and judging that the security authentication succeeds if the evaluation authentication result is success.
12. The security authentication method according to claim 11, wherein parsing the client message in the connection comprises:
parsing the remote call id of the client message;
and correspondingly, the process of generating the challenge information and sending the challenge information to the client if the current message state is the first state comprises:
if the current message state is the first state and the remote call id is a target value, generating the challenge information and sending the challenge information to the client.
13. The security authentication method according to claim 11, wherein after the challenge information is generated and sent to the client, the security authentication method further comprises:
after the client parses the challenge information, evaluating the challenge information against the KDC server to generate the token information, and changing the current message state to a second state.
14. The security authentication method according to claim 13, wherein the first state is a new state and the second state is an Initiate state.
15. The security authentication method according to claim 11, wherein generating the challenge information comprises:
creating a first saslServer whose authentication method is TOKEN according to the authentication user information of the current tenant;
and invoking a method of the first saslServer to evaluate the response information sent by the client against the KDC server and generate the challenge information.
16. The security authentication method according to claim 15, wherein the process of obtaining the evaluation authentication result for the token information based on the tenant authentication user information comprises:
creating a second saslServer whose authentication method is Kerberos according to the current tenant authentication user information;
invoking a method of the second saslServer to evaluate the token information against the KDC server;
and determining the evaluation authentication result according to the feedback information received.
17. A security authentication system, comprising:
a first acquisition module for acquiring a service address requested by a client and a first mapping relation, the first mapping relation being a mapping relation between virtual IPs and tenant authentication users;
a first determining module for determining tenant authentication user information according to the service address and the first mapping relation;
and an authentication module for performing security authentication based on the tenant authentication user information, the client and the server establishing a connection after the security authentication succeeds;
wherein the process of determining the tenant authentication user information according to the service address and the first mapping relation comprises:
when the service address is any virtual IP in the first mapping relation, determining the tenant authentication user information corresponding to the service address based on the first mapping relation;
and when the service address is not any virtual IP in the first mapping relation, determining preset cluster authentication user information as the tenant authentication user information corresponding to the service address.
18. An electronic device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the security authentication method according to any one of claims 1 to 16 when executing the computer program.
19. A distributed storage system comprising a plurality of name nodes, each of the name nodes comprising the electronic device of claim 18.
20. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium which, when executed by a processor, implements the steps of the security authentication method according to any one of claims 1 to 16.
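The following Python is an added worked example and is not the patent's or the applicant's code. It models the per-VIP dispatch of claims 1 to 6 (tenant -> namespace -> domain name -> virtual IP list joined with each tenant's authentication user, with the preset cluster user as the fallback) and the per-connection state machine of claims 11 to 16 (call-id gated negotiation, the new -> Initiate states, challenge, and evaluation of the client's token with the credential selected for that VIP). The real Kerberos/SASL exchange is replaced by a constructed toy: each tenant's KDC is a dict of service principal -> service key, and a "ticket" is an HMAC over the server's challenge under that key. The tenant names, addresses, realms, keys and the SASL call id value are all assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass
class Tenant:  # constructed in-memory form of what claim 3 reads from the configuration file
    name: str
    auth_mode: str    # "kerberos" or "simple"; only Kerberos tenants log in to a KDC (claim 4)
    namespaces: dict  # namespace -> domain name (claim 6)
    vips: dict        # domain name -> list of virtual IPs (claim 6)
    realm: str = ""
    principal: str = ""  # service principal of the tenant's start-up user

@dataclass
class AuthUser:  # "tenant authentication user information"
    tenant: str
    mode: str
    principal: str
    service_key: bytes = b""  # credential kept after a successful KDC login (claim 4)

# Preset cluster authentication user, used when the service address is not a tenant VIP (claim 1).
CLUSTER_AUTH_USER = AuthUser("<cluster>", "kerberos", "nn/cluster@CLUSTER.REALM", b"svc-key-cluster")
SASL_CALL_ID = -33  # call id that marks the SASL negotiation message (claim 12); assumed, as in Hadoop RPC
# Constructed stand-in for the per-tenant KDCs: realm -> service principal -> service key.
TOY_KDCS = {
    "TENANT-A.REALM": {"nn/a@TENANT-A.REALM": b"svc-key-a"},
    "TENANT-B.REALM": {"nn/b@TENANT-B.REALM": b"svc-key-b"},
    "CLUSTER.REALM": {"nn/cluster@CLUSTER.REALM": b"svc-key-cluster"},
}
# Constructed tenant configuration: two Kerberos tenants with their own realms, one tenant without Kerberos.
TENANTS = [
    Tenant("tenant-a", "kerberos", {"ns-a": "a.example"}, {"a.example": ["10.0.0.11", "10.0.0.12"]},
           "TENANT-A.REALM", "nn/a@TENANT-A.REALM"),
    Tenant("tenant-b", "kerberos", {"ns-b": "b.example"}, {"b.example": ["10.0.0.21"]},
           "TENANT-B.REALM", "nn/b@TENANT-B.REALM"),
    Tenant("tenant-c", "simple", {"ns-c": "c.example"}, {"c.example": ["10.0.0.31"]}),
]

def tenant_login(t, kdcs):
    """Claim 4: log the start-up user in to the tenant's own KDC; toy credential = that KDC's service key."""
    return AuthUser(t.name, "kerberos", t.principal, kdcs[t.realm][t.principal])

def build_mappings(tenants, kdcs):
    """Claims 2, 5, 6: join tenant -> namespace -> domain -> VIP list with the tenant's auth user.
    Returns the first mapping (VIP -> AuthUser) and the second mapping (VIP -> auth mode)."""
    first, second = {}, {}
    for t in tenants:
        user = tenant_login(t, kdcs) if t.auth_mode == "kerberos" else AuthUser(t.name, "simple", t.name)
        for domain in t.namespaces.values():
            for vip in t.vips.get(domain, []):
                if vip in first:  # one VIP for two tenants would answer one tenant with the other's credential
                    raise ValueError(f"virtual IP {vip} mapped to both {first[vip].tenant} and {t.name}")
                first[vip] = user
                second[vip] = t.auth_mode
    return first, second

def resolve_auth_user(service_address, first):
    """Claim 1: a tenant VIP selects that tenant's user; any other address falls back to the cluster user."""
    return first.get(service_address, CLUSTER_AUTH_USER)

def client_get_ticket(kdcs, client_realm, client_principal, server_principal, challenge):
    """Claim 13: the client takes the challenge to its own KDC, which can issue a ticket for the server
    only if it holds that server's key (toy: the ticket is an HMAC under that key)."""
    service_key = kdcs[client_realm].get(server_principal)
    if service_key is None:
        return None
    return hmac.new(service_key, challenge + client_principal.encode(), hashlib.sha256).digest()

def evaluate_ticket(user, challenge, client_principal, ticket):
    """Claim 16: evaluate the client's token with the credential selected for this VIP."""
    if ticket is None or not user.service_key:
        return False
    expected = hmac.new(user.service_key, challenge + client_principal.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket)

class Connection:
    """Server-side state of one socket (claims 10-14): 'new' -> 'Initiate' -> 'done' or 'failed'."""
    def __init__(self, service_address, first):
        self.user = resolve_auth_user(service_address, first)
        self.state, self.challenge, self.authenticated = "new", None, False

    def handle(self, message):
        if self.state == "new":
            if message.get("call_id") != SASL_CALL_ID:  # claim 12: only the negotiation call id starts auth
                return {"error": "expected SASL negotiation"}
            if self.user.mode == "simple":  # tenant with Kerberos switched off: no challenge
                self.state, self.authenticated = "done", True
                return {"mode": "simple"}
            self.challenge, self.state = secrets.token_bytes(16), "Initiate"
            return {"mode": "kerberos", "server_principal": self.user.principal, "challenge": self.challenge}
        if self.state == "Initiate":
            ok = evaluate_ticket(self.user, self.challenge, message.get("principal", ""), message.get("ticket"))
            self.state, self.authenticated = ("done", True) if ok else ("failed", False)
            return {"status": "ok" if ok else "fail"}
        return {"error": f"no message expected in state {self.state}"}

def run_handshake(first, kdcs, service_address, client_realm, client_principal):
    """Drive one client through the exchange against the VIP it connected to; True on success."""
    conn = Connection(service_address, first)
    resp = conn.handle({"call_id": SASL_CALL_ID})
    if resp.get("mode") == "kerberos":
        ticket = client_get_ticket(kdcs, client_realm, client_principal, resp["server_principal"], resp["challenge"])
        conn.handle({"principal": client_principal, "ticket": ticket})
    return conn.authenticated
```

Two points a practitioner should take from the model: the service address a client connects to is what selects the credential set, so a client holding tenant B's ticket cannot authenticate on tenant A's VIP even though both are served by the same name node, and the duplicate-VIP check in `build_mappings` exists because a VIP present under two tenants would silently serve one tenant's credentials to the other. In a real deployment the HMAC stands in for the GSSAPI exchange that the second saslServer of claim 16 performs against the KDC.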
CN202310220803.7A 2023-03-09 2023-03-09 Security authentication method, system, electronic device, distributed storage system and medium Active CN115913793B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310220803.7A CN115913793B (en) 2023-03-09 2023-03-09 Security authentication method, system, electronic device, distributed storage system and medium

Publications (2)

Publication Number Publication Date
CN115913793A CN115913793A (en) 2023-04-04
CN115913793B true CN115913793B (en) 2023-05-30

Family

ID=85730211

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310220803.7A Active CN115913793B (en) 2023-03-09 2023-03-09 Security authentication method, system, electronic device, distributed storage system and medium

Country Status (1)

Country Link
CN (1) CN115913793B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113342617A (en) * 2021-06-30 2021-09-03 成都商汤科技有限公司 Equipment monitoring method, system, device, computer equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106375323A (en) * 2016-09-09 2017-02-01 浪潮软件股份有限公司 Kerberos identity authentication method in multi-tenant mode
US10454915B2 (en) * 2017-05-18 2019-10-22 Oracle International Corporation User authentication using kerberos with identity cloud service
CN110691089B (en) * 2019-09-29 2020-08-11 星环信息科技(上海)有限公司 Authentication method applied to cloud service, computer equipment and storage medium
CN115525880A (en) * 2021-10-19 2022-12-27 闽都创新实验室 Method, device, equipment and medium for providing SAAS service facing multi-tenant

Also Published As

Publication number Publication date
CN115913793A (en) 2023-04-04

Similar Documents

Publication Publication Date Title
US10637661B2 (en) System for user-friendly access control setup using a protected setup
US11159517B2 (en) Self-federation in authentication systems
US9473419B2 (en) Multi-tenant cloud storage system
CN108650262B (en) Cloud platform expansion method and system based on micro-service architecture
US9584515B2 (en) Enterprise system authentication and authorization via gateway
US9197417B2 (en) Hosted application sandbox model
US9178868B1 (en) Persistent login support in a hybrid application with multilogin and push notifications
WO2017024791A1 (en) Authorization processing method and device
CN105024975B (en) The method, apparatus and system that account logs in
US9584615B2 (en) Redirecting access requests to an authorized server system for a cloud service
US20080028453A1 (en) Identity and access management framework
WO2017024842A1 (en) Internet access authentication method, client, computer storage medium
US20130212653A1 (en) Systems and methods for password-free authentication
CN115021991A (en) Single sign-on for unmanaged mobile devices
JP2010531516A (en) Device provisioning and domain join emulation over insecure networks
US20120240184A1 (en) System and method for on the fly protocol conversion in obtaining policy enforcement information
JP2005519501A (en) System, method and apparatus for single sign-on service
KR20080053298A (en) Creating secure interactive connections with remote resources
CN104022875A (en) Bidirectional authorization system, client and method
US7540020B1 (en) Method and apparatus for facilitating single sign-on to applications
WO2023241331A1 (en) Internet of things system, authentication and communication method therefor, and related device
CN111049946A (en) Portal authentication method, Portal authentication system, electronic equipment and storage medium
US7784085B2 (en) Enabling identity information exchange between circles of trust
Gonçalves et al. A federated authentication and authorization approach for IoT farming
CN103069741A (en) Credential authentication method and single sign-on server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant