CN116886286A - Big data authentication service self-adaption method, device and equipment - Google Patents

Big data authentication service self-adaption method, device and equipment

Info

Publication number
CN116886286A
Authority
CN
China
Prior art keywords
kerberos
server
kdc
module
addresses
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310864286.7A
Other languages
Chinese (zh)
Inventor
燕鹏举
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Big Data Technologies Co Ltd
Original Assignee
New H3C Big Data Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Big Data Technologies Co Ltd
Priority to CN202310864286.7A
Publication of CN116886286A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Abstract

The invention discloses a big data authentication service self-adaption method, device and equipment, applied to a client that stores a first address linked list in advance. The method comprises the following steps: receiving notification messages sent by at least one server, and determining from the server identifier carried in each notification message that the at least one notification message comes from N servers whose running Kerberos modules are abnormal; searching the first address linked list for the N KDC addresses corresponding to the N servers and reordering the N KDC addresses to generate a second address linked list, in which the N KDC addresses are ranked after the KDC addresses of all servers that are not abnormal; and establishing a communication connection with the servers ranked in front according to the ranking of the KDC addresses in the second address linked list, and performing data access.

Description

Big data authentication service self-adaption method, device and equipment
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a big data authentication service adaptive method, apparatus, and device.
Background
The big data management platform can realize unified management of big data service components, including installation and deployment of services, service operation, service monitoring and service configuration management. Because a Hadoop (an open-source distributed computing and storage framework) cluster supports Kerberos security authentication, Kerberos is used in the big data platform DataEngine to provide strong security for related services such as Hadoop: it ensures that user credentials cannot be used by attackers and eliminates impersonation threats. In secure mode (with the Kerberos service started), Hadoop services must be accessed securely, and when the Kerberos service hangs abnormally, Hadoop services must continue to be provided without the user noticing. This requires high availability of the Kerberos service, with switchover of the Kerberos service within seconds.
In the case of a Kerberos service with high availability (HA), when two Kerberos server addresses are configured in the Kerberos service configuration file (for example /etc/krb5.conf), a Kerberos client sequentially traverses the two KDC (Key Distribution Center) addresses. If the first Kerberos server fails, the Kerberos client first accesses the first address, KDC-1, and only after 30000 ms × 3 attempts have timed out does it access the second address, KDC-2, and authenticate against the second Kerberos server.
In this polling access mode, if the first Kerberos server is abnormal, the client tries to access it several times; it still cannot be reached after these attempts, and a long time is consumed. The accessing user therefore waits a long time, access speed is affected, and the user's requirements in multiple scenarios cannot be met.
Disclosure of Invention
In view of the above, the invention provides a big data authentication service self-adaptive method and device, which are used for saving access time, improving access efficiency and meeting the requirements of users in multiple scenes.
In a first aspect, the present invention provides a big data authentication service adaptive method, where the method is applied to a client, the client stores a first address linked list in advance, and the first address linked list records the KDC addresses of all servers connected to the client, and the method includes:
receiving at least one notification message, wherein each notification message comprises a server identifier for running a Kerberos module;
determining that at least one notification message comes from N servers according to the server identification carried in each notification message, wherein N is more than or equal to 1 and is a positive integer, and the Kerberos modules operated by the N servers are abnormal;
searching N KDC addresses corresponding to the N servers in the first address linked list, and reordering the N KDC addresses to generate a second address linked list, wherein the N KDC addresses in the second address linked list are ranked behind the KDC addresses of all servers which are not abnormal;
and establishing a communication connection with the server ranked in front according to the order of the KDC addresses in the second address linked list, and performing data access.
With reference to the first aspect, in a possible implementation manner of the first aspect, before receiving the at least one notification message, the method further includes: in agreement with each server, a notification message is sent to the client when an exception occurs in the Kerberos module running on the server.
With reference to the first aspect, in another possible implementation manner of the first aspect, reordering the N KDC addresses to generate a second address linked list includes: determining the comprehensive load value of each server in the first address linked list, wherein the comprehensive load values of N servers are preset maximum values; and sequencing the KDC addresses of all the servers according to the comprehensive load value from small to large, and generating a second address linked list, wherein the KDC addresses of all the servers comprise N KDC addresses with abnormality.
With reference to the first aspect, in a further possible implementation manner of the first aspect, determining a comprehensive load value of each server in the first address linked list includes: respectively acquiring one or more of CPU utilization rate, memory utilization rate and network IO bandwidth of each server and weight vectors configured to each server; calculating a performance vector of each server according to one or more of CPU utilization rate, memory utilization rate and bandwidth of network IO; and calculating the comprehensive load value of the server according to the performance vector and the weight vector.
With reference to the first aspect, in a further possible implementation manner of the first aspect, reordering the N KDC addresses to generate a second address linked list includes: obtaining access quantity of each server in a first address linked list, and determining a service weight value of each server; calculating a pressure value of each server according to each access amount and service weight value, wherein N servers corresponding to N KDC addresses are set to be inaccessible; and ordering the KDC addresses of all servers in the first address linked list according to the order of the pressure values from small to large, and generating a second address linked list.
With reference to the first aspect, in a further possible implementation manner of the first aspect, before receiving the at least one notification message, the method further includes: and sending a registration request to at least one server, wherein the registration request is used for starting a monitoring flow on the server so as to monitor whether the Kerberos module running on the server is abnormal.
In a second aspect, the present invention also provides a big data authentication service adaptation method, where the method is applied to a server, and the server includes a Kerberos module, and the method includes:
when the Kerberos module running on the server is monitored to be abnormal, pulling up the Kerberos module by using a script, and generating a notification message, wherein the notification message comprises a server identifier for running the Kerberos module;
and sending the notification message to the client.
With reference to the second aspect, in a possible implementation manner of the second aspect, the method further includes: the monitoring module records log information of abnormal states of the Kerberos module;
the script pulls up the Kerberos module, comprising: if the Kerberos module is detected to be in an operation state, the Kerberos module is pulled up to operate successfully, and first log information of an abnormal state of the Kerberos module is recorded;
if the operation of pulling up the Kerberos module fails, the Kerberos module is retried, and if the operation of pulling up the Kerberos module still fails, second log information of the Kerberos module abnormal state is recorded.
With reference to the second aspect, in another possible implementation manner of the second aspect, the monitoring module, when monitoring that the Kerberos module running on the server is abnormal, includes:
the monitoring module monitors whether abnormality occurs according to the acquired performance parameters of the Kerberos module during operation, wherein the performance parameters comprise one or more of the following: CPU usage, memory usage, network IO bandwidth and Kerberos module connection number.
In a third aspect, the present invention also provides a big data authentication service adaptation apparatus, the apparatus comprising:
a receiving module, configured to receive at least one notification message, where each notification message includes a server identifier of the server running the Kerberos module;
the determining module is used for determining that the at least one notification message is from N servers according to the server identification carried in each notification message, wherein the Kerberos modules operated by the N servers are abnormal, and N is more than or equal to 1 and is a positive integer;
a generation module, configured to search the first address linked list for the N key distribution center (KDC) addresses corresponding to the N servers, and to reorder the N KDC addresses to generate a second address linked list, where the N KDC addresses in the second address linked list are arranged behind the KDC addresses of all servers that are not abnormal;
and the connection module is used for establishing communication connection with the server with the front ordering according to the ordering of the KDC addresses in the second address linked list and performing data access.
In a fourth aspect, the present invention also provides another big data authentication service adaptation apparatus, the apparatus comprising:
the monitoring module is used for monitoring whether the Kerberos module running on the server is abnormal or not;
the processing module is used for pulling up the Kerberos module by using a script when the monitoring module detects that an abnormality occurs, and generating a notification message, wherein the notification message comprises a server identifier for running the Kerberos module;
and a sending module, configured to send the notification message to the client.
In a fifth aspect, the present invention provides an electronic device comprising a processor and a memory connected to the processor, where the memory stores computer instructions and the processor executes the computer instructions to perform the big data authentication service adaptation method according to the first aspect or any implementation manner corresponding to the second aspect.
In addition, the present invention provides a computer readable storage medium having stored thereon computer instructions for causing a computer to execute the big data authentication service adaptation method according to the first aspect, the second aspect or any one of the embodiments corresponding thereto.
According to the method, device and equipment provided by the embodiments of the invention, the client determines, from at least one notification message reported by the servers, which Kerberos servers have an abnormally running Kerberos module, sorts the KDC addresses of those servers to the end of the whole address list, and generates a new address list. During the client's authentication and access process, the KDC addresses ranked in front of the updated list are therefore normal and accessible; abnormal KDC addresses are no longer ranked in front, so repeated failed attempts and the resulting increase in time consumption are avoided. The method ensures that the servers ranked in front of the KDC address list are all working normally, and with the self-adaptive high-availability load algorithm the authentication success rate is improved, waiting time is reduced, and high availability and load balancing are realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an identity authentication system according to an embodiment of the present invention;
FIG. 2 is an architectural diagram of a Kerberos service scenario according to an embodiment of the present invention;
FIG. 3 is a flowchart of a big data authentication service adaptation method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of generating a second address linked list according to an embodiment of the present invention;
FIG. 5 is a block diagram of the structure of a Kerberos server according to an embodiment of the present invention;
FIG. 6 is a flow diagram of a big data authentication service adaptation method according to an embodiment of the present invention;
FIG. 7 is a flowchart of a method of generating a second address linked list according to an embodiment of the present invention;
FIG. 8 is a flowchart of another method of generating a second address linked list according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of generating a second address linked list ordered by pressure value according to an embodiment of the present invention;
FIG. 10 is a flowchart of another big data authentication service adaptation method according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of yet another generation of a second address linked list according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of yet another generation of a second address linked list according to an embodiment of the present invention;
FIG. 13 is a block diagram of a big data authentication service adaptation apparatus according to an embodiment of the present invention;
FIG. 14 is a block diagram of another big data authentication service adaptation apparatus according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention.
Firstly, an application scene and related data of the technical scheme of the embodiment of the invention are introduced.
The technical scheme of the invention can be applied to an authentication system, such as a Kerberos authentication system, or other authentication systems.
In the Kerberos authentication system, a client/server structure and encryption techniques such as DES and AES are adopted, and mutual authentication can be performed, that is, both the client and the server can perform identity authentication on each other. Specific implementations include MIT KDC, and the like.
Referring to FIG. 1, a schematic architecture diagram of the authentication system provided in this embodiment is shown. Kerberos is an authentication protocol based on encrypted tickets. Kerberos consists essentially of three parts: the Key Distribution Center (KDC), the client, and the server (service).
One or more Kerberos clients can form a big data cluster, and each Kerberos Client is connected with a Kerberos service by using an OpenJDK related method, so that the access and authentication of the Kerberos service are realized. In fig. 1, a Kerberos client connects with servers such as Kerberos KDC and OpenLDAP through account information.
LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information over IP; an LDAP system consists of a directory database and a set of access protocols. The KDC can be understood as a network service that issues tickets and temporary session keys.
OpenLDAP is a free, open-source implementation of the LDAP protocol. OpenLDAP is often simply called "LDAP" because it is a widely used, free product that anyone can use. It is not just a protocol implementation but also lightweight LDAP directory software, and it runs on any platform. Compared with other implementations that offer more powerful functions (such as GUIs) and often bundle suites of other protocols and functions (usually at higher cost), OpenLDAP is a focused LDAP option that supports customization and is available on all major computing platforms.
In fig. 1, a Kerberos client performs identity authentication with a Kerberos KDC through account information, and performs SSSD synchronization with OpenLDAP through account information. In particular, the authentication and SSSD synchronization process is not described in detail in this embodiment.
Keepalive: keepalive is a high availability realized based on the VRRP protocol. When a failure occurs in the host, automatic switching of the IP address can be achieved.
Currently, the Kerberos authentication procedure provides users with a polling method: the Kerberos client accesses the Kerberos servers recorded in the linked list in sequence. As shown in FIG. 2, it accesses server 1 (Kerberos-1) and server 2 (Kerberos-2) in turn, using the KDC address and two parameters recorded in the configuration file, the timeout parameter kdc_timeout and the maximum number of retries max_retries, to control the timeout and the retry count for accessing each KDC. In general these two parameters are configured, by default, to 30000 milliseconds and 3 times, so the default waiting period is 90 seconds.
When a Kerberos server hangs or fails, the big data components experience slow Kerberos responses: the default retry and waiting time is 90 seconds, the waiting time is long, and there are few built-in algorithms for the user to choose from, which cannot meet the requirements of complex scenarios.
According to the technical scheme provided by the embodiment of the invention, the algorithm module is added in the scheduler, and different algorithms are set, so that different requests are distributed to a specific server in the Kerberos cluster, thereby improving the access speed of accessing the Kerberos server and reducing the waiting time.
The present invention provides embodiments in which the steps shown in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and although a logical order is shown in the flowcharts, in some cases, the steps shown or described may be performed in an order other than that shown or described herein.
Example 1
In this embodiment, a big data authentication service adaptive method is provided, and the method can be applied to a client, such as a Kerberos client, where the client stores a first address linked list in advance, where the first address linked list records the key distribution center KDC addresses of all servers connected to the client. As shown in fig. 3, the method includes:
Step 101: at least one notification message is received, each notification message including a server identification running a Kerberos module.
Wherein at least one notification message may come from one or more servers, such as Kerberos servers, wherein each Kerberos server generates a notification message according to the situation of the Kerberos module running on its own and sends the notification message to the Kerberos client. Specifically, the process of generating the notification message will be described in detail below.
The server identification in each notification message may be an ID of the server, such as a server IP address, etc. The information of the occurrence of the abnormality of the Kerberos module may be a preset field or a character/symbol, etc., which is not limited in this embodiment.
Step 102: and determining that the at least one notification message is from N servers according to the server identification carried in each notification message, wherein Kerberos modules operated by the N servers are abnormal, and N is more than or equal to 1 and is a positive integer.
Wherein before the client receives the at least one notification message, the method further comprises: the client side agrees with each server, and when the Kerberos module runs on the server abnormally, a notification message is sent to the client side.
Specifically, when the client receives a notification message sent by a Kerberos server, it is determined that the Kerberos module in the Kerberos server is running abnormally, because the server running the Kerberos module normally does not report the notification message, and only the server with the abnormality reports the notification message to the client. The Kerberos client counts all notification messages received in a period of time, further determines N servers, and determines which server running Kerberos module is abnormal according to the identification of the server, such as the IP address, carried in each notification message.
The Kerberos module is a functional module, such as a process, running on a Kerberos server. Since each Kerberos module corresponds to one KDC address one by one, after the Kerberos module is determined, one KDC address corresponding to the Kerberos module can be determined, that is, N servers correspond to N KDC addresses.
Step 103: and searching N KDC addresses corresponding to the N servers in the first address linked list, and reordering the N KDC addresses to generate a second address linked list.
The first address linked list comprises KDC addresses of all servers connected with the client before, and the number of the KDC addresses in the first address linked list is greater than or equal to N. The N KDC addresses in the second address linked list are arranged after all the KDC addresses of the servers where no anomaly has occurred. The reordering of the N KDC addresses refers to ordering the N KDC addresses with abnormality from the original position to the last of the whole linked list, and ordering the KDC addresses of the normal operation Kerberos module to the front.
It should be understood that the first address linked list and the second address linked list include at least one KDC address, and the ordering of all KDC addresses, and the storage form is not limited to the form of the address linked list, but may be an address set, an address list, an address sequence, or the like, which is not limited in this embodiment.
Step 104: and establishing communication connection with the server with the front order according to the order of the KDC addresses in the second address linked list, and performing data access.
As shown in FIG. 4, in a specific example, a Kerberos client receives a notification message from a server 1 (Kerberos-1), and determines from the notification message that a Kerberos module running on Kerberos-1 is abnormal. Moreover, the Kerberos client does not receive notification messages sent from both Kerberos-2 and Kerberos-3, so it is determined that servers 2 and 3 are normal when the Kerberos module is running, and at this time, it is determined that the target KDC address is the KDC-1 address corresponding to Kerberos-1.
Before Kerberos-1 reported the notification message, the first address linked list included KDC addresses 1 to 3 in the following order: KDC-1, KDC-2, KDC-3. In this example, when step 102 determines that the Kerberos module on Kerberos server 1 is running abnormally, the target address KDC-1 is ordered after the normal addresses (KDC-2 and KDC-3) and a second address linked list is generated, where the order of the KDC addresses is: KDC-2, KDC-3, KDC-1.
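The following is an added illustration, not code from the patent, of steps 102 and 103 as described here and of the two reordering variants in the summary (comprehensive load value from a performance vector and weight vector; pressure value from access amount and service weight). Server identifiers, KDC address strings, metric values and the pressure formula (access amount divided by service weight) are assumptions, since the patent does not specify them.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence

# Preset maximum assigned to the comprehensive load value of a server whose
# Kerberos module is abnormal, so that it always sorts to the end of the list.
MAX_LOAD_VALUE = float("inf")


@dataclass(frozen=True)
class KdcEntry:
    server_id: str    # server identifier carried in notification messages (an IP here)
    kdc_address: str  # KDC address recorded in the address linked list


def abnormal_servers(notifications: Iterable[dict]) -> set:
    """Step 102: the N distinct server identifiers carried by the notification messages."""
    return {msg["server_id"] for msg in notifications}


def reorder_simple(first_list: Sequence[KdcEntry], abnormal: set) -> List[KdcEntry]:
    """Step 103 (FIG. 4): move the N abnormal KDC addresses behind all normal ones,
    keeping the original relative order within each group."""
    normal = [e for e in first_list if e.server_id not in abnormal]
    failed = [e for e in first_list if e.server_id in abnormal]
    return normal + failed


def load_value(performance: Sequence[float], weight: Sequence[float]) -> float:
    """Comprehensive load value = performance vector (CPU, memory, network IO
    utilisation) dotted with the per-server weight vector."""
    if len(performance) != len(weight):
        raise ValueError("performance and weight vectors must have the same length")
    return sum(p * w for p, w in zip(performance, weight))


def reorder_by_load(first_list: Sequence[KdcEntry], abnormal: set,
                    performance: Dict[str, Sequence[float]],
                    weight: Dict[str, Sequence[float]]) -> List[KdcEntry]:
    """FIG. 7 variant: sort all KDC addresses by comprehensive load value, ascending,
    with abnormal servers pinned at the preset maximum."""
    def key(e: KdcEntry) -> float:
        if e.server_id in abnormal:
            return MAX_LOAD_VALUE
        return load_value(performance[e.server_id], weight[e.server_id])
    return sorted(first_list, key=key)  # sorted() is stable: ties keep list order


def pressure_value(access_amount: float, service_weight: float) -> float:
    """FIG. 8/9 variant. The patent does not give the formula; this example assumes
    pressure = access amount / service weight (a higher weight means more capacity)."""
    if service_weight <= 0:
        raise ValueError("service weight must be positive")
    return access_amount / service_weight


def reorder_by_pressure(first_list: Sequence[KdcEntry], abnormal: set,
                        access: Dict[str, float],
                        service_weight: Dict[str, float]) -> List[KdcEntry]:
    """Sort by pressure value ascending; abnormal servers are treated as
    inaccessible (pinned to the end) rather than scored."""
    def key(e: KdcEntry) -> float:
        if e.server_id in abnormal:
            return MAX_LOAD_VALUE
        return pressure_value(access[e.server_id], service_weight[e.server_id])
    return sorted(first_list, key=key)


# Constructed sample matching FIG. 4: three servers, Kerberos-1 reports an anomaly.
FIRST_LIST = [
    KdcEntry("10.0.0.1", "KDC-1"),
    KdcEntry("10.0.0.2", "KDC-2"),
    KdcEntry("10.0.0.3", "KDC-3"),
]
NOTIFICATIONS = [{"server_id": "10.0.0.1", "kerberos_abnormal": True}]


def addresses(entries: Sequence[KdcEntry]) -> List[str]:
    """Convenience view of an address list as its KDC address strings."""
    return [e.kdc_address for e in entries]


if __name__ == "__main__":
    bad = abnormal_servers(NOTIFICATIONS)
    print(addresses(reorder_simple(FIRST_LIST, bad)))
    perf = {"10.0.0.2": (0.7, 0.6, 0.5), "10.0.0.3": (0.2, 0.3, 0.1)}
    w = {sid: (0.5, 0.3, 0.2) for sid in perf}
    print(addresses(reorder_by_load(FIRST_LIST, bad, perf, w)))
```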
According to the method provided by this embodiment, the client determines, from at least one notification message reported by the servers, which Kerberos servers have an abnormally running Kerberos module, sorts the KDC addresses of those servers to the end of the whole address list, and generates a new address list. During the client's authentication and access process, the KDC addresses ranked in front of the updated list are therefore normal and accessible; abnormal KDC addresses are no longer ranked in front, so the time consumed by trial and error is avoided. The method ensures that the servers ranked in front of the KDC address list are all working normally, and with the self-adaptive high-availability load algorithm the authentication success rate is improved, waiting time is reduced, and high availability and load balancing are realized.
Optionally, in step 101 of the present embodiment, receiving at least one notification message sent by at least one server includes: the server monitors whether the Kerberos module running per se is abnormal or not, and when an abnormal condition occurs, a notification message is reported to the client.
Specifically, the embodiment also provides a Kerberos module abnormality detection method, which can be used for the monitoring module in the Kerberos server, as shown in fig. 5, and the monitoring module is connected with the Kerberos module and is used for monitoring the operation condition of the Kerberos module in real time. As shown in fig. 6, the method includes the steps of:
Step 201: and monitoring the Kerberos module running on the server, and acquiring the performance parameters of the Kerberos module in running.
Specifically, the monitoring module detects performance parameters of the Kerberos module in real time, wherein the performance parameters include a CPU and a memory usage rate, and in addition, the performance parameters can also include network IO, the service connection number of the Kerberos module, and the like.
Step 202: and monitoring whether the Kerberos module is abnormal according to the performance parameters.
For example, it is judged whether the currently acquired CPU usage rate exceeds a threshold, and if so, the current Kerberos module is determined to be abnormal. Or, according to the network input/output (IO) condition, it is judged whether the maximum network bandwidth input/output amount is exceeded, and if so, the Kerberos module is determined to be abnormal. In addition, whether the memory usage rate exceeds a preset value, or whether the number of devices currently connected to the Kerberos module is abnormal, may also be judged; this embodiment is not limited in this respect.
It should be appreciated that one or more of the above performance parameters may be combined, i.e., whether two or more of the performance parameters of the Kerberos module meet the preset condition may be determined, and if one does not meet the preset condition, then an anomaly may be determined in the Kerberos module.
Step 203: if so, the Kerberos module is pulled up using the script and a notification message is generated.
The notification message includes a server identifier running a Kerberos module, which corresponds to the notification message in step 101. The pulling up of the Kerberos module may be understood as restarting the Kerberos module.
Alternatively, the information that the Kerberos module is running abnormally may be carried in a preset field or a character/symbol, etc., which is not limited in this embodiment.
In the judgment of step 202, if no, i.e., no abnormality is detected, the authentication and access flow is continued.
Step 204: send the notification message to the Kerberos client. Correspondingly, the Kerberos client receives the notification message in step 101.
Step 203 further includes recording log information of the abnormal state of the Kerberos module. Specifically, step 203, pulling up the Kerberos module using a script and recording log information of the abnormal state of the Kerberos module, comprises the following steps:
detecting whether the Kerberos module is in an operating state; if yes, the pull-up of the Kerberos module succeeded, and first log information of the abnormal state of the Kerberos module is recorded; if not, the pull-up of the Kerberos module failed, the pull-up is retried, and if it still fails, second log information of the abnormal state of the Kerberos module is recorded.
Further, in step 201, the performance parameters of the Kerberos module during operation are obtained as follows: one or more of the following items of the performance parameters are obtained via one or more configuration files: CPU usage, memory usage, network IO bandwidth and the Kerberos module connection number.
The Kerberos server obtains the performance parameters of the Kerberos module running on it; in one specific implementation, one or more of the following items of the performance parameters are obtained through one or more configuration files: CPU usage, memory usage, network IO bandwidth and the Kerberos module connection number. For example, CPU usage is obtained via a first configuration file (e.g., the /proc/stat file), bandwidth usage of network IO is obtained via a second configuration file (e.g., the /proc/meminfo file), etc.
Further, the CPU usage is obtained from the /proc/stat file of a Linux system; the CPU utilization is calculated by taking the values at two sampling points an interval apart. In addition, the client can obtain the memory usage by collecting the /proc/meminfo file, where memory utilization = (MemTotal - MemFree - Buffers - Cached) / MemTotal.
For another example, the Kerberos server obtains the bandwidth usage by collecting the /proc/net/dev file: it counts the change in the number of bytes sent and received over a period of time, obtains the transmission rate of the network port, and divides by the bandwidth of the network port to obtain the bandwidth usage:
Bandwidth usage = flow rate / bandwidth
where the flow rate is the sum of the input flow rate and the output flow rate, each obtained from the /proc/net/dev file as the difference in the number of input (or output) bytes between two readings. The bandwidth of the network port is then queried with the ethtool command.
The monitoring module typically collects every 10 s. When an abnormality of the Kerberos module running on the local Kerberos Server is detected, the notifyObserver method is called to notify the Kerberos client.
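The parameter collection of steps 201 and 202 above, as an added example (not the patent's code): CPU utilization from two /proc/stat sampling points, memory utilization with the page's formula over /proc/meminfo, and bandwidth usage from /proc/net/dev byte deltas divided by the port speed. The /proc samples, the connection count, the thresholds and the notification layout are constructed for illustration.

```python
"""Added example (not the patent's code): the performance parameters of steps
201-202 derived from /proc text with the formulas stated on this page.
All /proc samples below are constructed, not captured from a real host."""
import re

# Constructed /proc/stat aggregate 'cpu' lines from two sampling points.
# Fields: user nice system idle iowait irq softirq steal guest guest_nice
STAT_T0 = "cpu  4000 20 1000 20000 100 0 50 0 0 0\n"
STAT_T1 = "cpu  4900 20 1400 20600 100 0 150 0 0 0\n"

# Constructed /proc/meminfo excerpt (kB, as in the real file).
MEMINFO = """MemTotal:       16000000 kB
MemFree:         4000000 kB
Buffers:          500000 kB
Cached:          3500000 kB
"""

# Constructed /proc/net/dev lines for eth0 taken 10 s apart (the page's
# collection interval). Column 1 is rx_bytes, column 9 is tx_bytes.
NETDEV_T0 = "  eth0: 1000000000 5000 0 0 0 0 0 0 500000000 4000 0 0 0 0 0 0\n"
NETDEV_T1 = "  eth0: 1125000000 5100 0 0 0 0 0 0 625000000 4100 0 0 0 0 0 0\n"


def parse_cpu_times(stat_text):
    """Return (total_jiffies, idle_jiffies) from the aggregate 'cpu' line.
    Idle includes iowait, the usual convention for utilisation figures."""
    for line in stat_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "cpu":
            values = [int(v) for v in fields[1:]]
            return sum(values), values[3] + values[4]
    raise ValueError("no aggregate cpu line in /proc/stat sample")


def cpu_usage(stat_t0, stat_t1):
    """CPU utilisation between two sampling points, as the page describes."""
    total0, idle0 = parse_cpu_times(stat_t0)
    total1, idle1 = parse_cpu_times(stat_t1)
    delta_total = total1 - total0
    if delta_total <= 0:
        return 0.0
    return 1.0 - (idle1 - idle0) / delta_total


def memory_usage(meminfo_text):
    """(MemTotal - MemFree - Buffers - Cached) / MemTotal, per the page."""
    kb = {}
    for line in meminfo_text.splitlines():
        m = re.match(r"(\w+):\s+(\d+)", line)
        if m:
            kb[m.group(1)] = int(m.group(2))
    used = kb["MemTotal"] - kb["MemFree"] - kb["Buffers"] - kb["Cached"]
    return used / kb["MemTotal"]


def parse_netdev_bytes(netdev_text, iface):
    """Return (rx_bytes, tx_bytes) for one interface from /proc/net/dev."""
    for line in netdev_text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if name.strip() == iface:
            cols = rest.split()
            return int(cols[0]), int(cols[8])
    raise ValueError(f"interface {iface} not in /proc/net/dev sample")


def bandwidth_usage(netdev_t0, netdev_t1, iface, interval_s, link_bits_per_s):
    """Bandwidth usage = flow rate / bandwidth. The flow rate is the sum of the
    received and sent byte deltas over the interval, in bits per second;
    link_bits_per_s is the port speed the page reads with ethtool."""
    rx0, tx0 = parse_netdev_bytes(netdev_t0, iface)
    rx1, tx1 = parse_netdev_bytes(netdev_t1, iface)
    rate_bits = 8 * ((rx1 - rx0) + (tx1 - tx0)) / interval_s
    return rate_bits / link_bits_per_s


def check_kerberos_module(server_id, params, thresholds):
    """Step 202: any one parameter above its threshold marks the module
    abnormal. Returns the step-203 notification (layout assumed here) or None."""
    exceeded = {k: v for k, v in params.items() if v > thresholds[k]}
    if not exceeded:
        return None
    return {"server_id": server_id, "abnormal": True, "exceeded": exceeded}


def demo():
    """Collect the four parameters for one constructed server and check them."""
    params = {
        "cpu": cpu_usage(STAT_T0, STAT_T1),
        "mem": memory_usage(MEMINFO),
        "network": bandwidth_usage(NETDEV_T0, NETDEV_T1, "eth0", 10, 1_000_000_000),
        "connections": 1200,  # constructed Kerberos module connection count
    }
    thresholds = {"cpu": 0.8, "mem": 0.9, "network": 0.7, "connections": 1000}
    return params, check_kerberos_module("kerberos-1", params, thresholds)
```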
According to the method provided by this embodiment, each Kerberos server detects whether it is abnormal from its own performance parameters and sends the detected log information to the Kerberos clients, so that the Kerberos clients learn the running condition of each Kerberos server in time; this lays the groundwork for generating and updating the KDC address linked list of the Kerberos servers.
In addition, the foregoing step 103 specifically includes: determining, from the server identifiers and the abnormality information, that one or more servers are abnormal in running their Kerberos modules, i.e., that one or more target Kerberos modules are abnormal; and then determining the target address corresponding to each target Kerberos module from the one-to-one correspondence between target Kerberos modules and target addresses.
Further, in step 103, at least one address in the first address linked list is ordered according to all the target addresses, and a second address linked list is generated, as shown in fig. 7, which specifically includes:
Step 103-1: determine the comprehensive load value of each server in the first address linked list.
The KDC addresses in the first address linked list comprise the KDC addresses of the N servers whose Kerberos modules are abnormal and the KDC addresses of the servers without abnormality. The comprehensive load values of the N servers may default to a preset maximum value.
Step 103-2: sort the KDC addresses of all servers by comprehensive load value from small to large to generate the second address linked list, where the KDC addresses of all servers include the N KDC addresses with the abnormality.
In an example, assume that a normal Kerberos server includes a first server and a second server, where the address corresponding to the first server is KDC-1 and the address corresponding to the second server is KDC-2; each Kerberos server corresponds to a KDC address.
In the step 103-2, sorting the addresses of all the servers in order from small to large according to the integrated load value includes:
First step: acquire one or more of the CPU utilization, memory utilization and network IO bandwidth of each of the plurality of servers.
In a Linux system, the Kerberos client can obtain the CPU usage from files such as /proc/stat; the CPU utilization is calculated by taking the values at two sampling points an interval apart.
Second step: calculate the performance vector of each server from one or more of the CPU utilization, memory utilization and network IO bandwidth, and configure the weight vector of each server.
Third step: calculate the comprehensive load value of each server from its performance vector and the configured weight vector.
A performance vector $U_i$ and a weight vector $\alpha$ over the server's parameters are defined, where the server performance vector $U_i$ is:

$U_i = [U_{cpu}, U_{mem}, U_{network}, U_{num}]$

and the weight vector $\alpha$ is

$\alpha = [\alpha_1, \alpha_2, \alpha_3, \alpha_4], \quad \alpha_i \in (0, 1), \quad \alpha_1 + \alpha_2 + \alpha_3 + \alpha_4 = 1$

Generally, the weight vector $\alpha$ can be customized in a configuration file. The weights $\alpha_1, \alpha_2, \alpha_3, \alpha_4$ correspond respectively to the four performance components $U_{cpu}, U_{mem}, U_{network}, U_{num}$; each weight is greater than 0 and less than 1, and the four weights sum to 1, i.e. $\alpha_1 + \alpha_2 + \alpha_3 + \alpha_4 = 1$. $\alpha_i$ denotes any one of $\alpha_1, \alpha_2, \alpha_3, \alpha_4$.
More specifically, the weight vector $\alpha$ may be set according to the server's hardware configuration, for example 32 cores with 64 GB of memory and gigabit bandwidth, or 64 cores with 128 GB of memory and 10-gigabit bandwidth; typically the weight vector set for a highly configured server is higher than that of a lower-configured server. The same weight vector may be configured when two servers have the same or similar configuration.
Optionally, any of the weights $\alpha_1, \alpha_2, \alpha_3, \alpha_4$ may also be configured to be 0.
The comprehensive load value $Q_{load}$ is computed as follows:
where $Q_{load}$ is the comprehensive load value, $U_{cpu}$ is the performance vector component for CPU utilization, $U_{mem}$ the component for memory utilization, $U_{network}$ the component for network IO, and $U_{num}$ the component for the number of Kerberos module connections.
After calculating $Q_{load}$, the Kerberos client obtains the comprehensive load value of each Kerberos server; the smaller the comprehensive load value, the higher the probability that the Kerberos server is selected and accessed. If two or more comprehensive load values are the same, the server host with the higher CPU and memory configuration is selected for access.
Finally, the comprehensive load values of the servers are compared, and the KDC addresses are sorted in increasing order of comprehensive load value to generate the second address linked list.
For example, if the comprehensive load value calculated for server Kerberos-1 is less than that of server Kerberos-2, the second address linked list is generated as: address KDC-1 before address KDC-2. If the comprehensive load value of server Kerberos-1 is greater than that of server Kerberos-2, the ordered address list is: address KDC-2 before address KDC-1.
It should be noted that, for a server whose Kerberos module is abnormal, a heartbeat monitoring mechanism may be used to monitor the Kerberos service and detect the failure in time. For example, when the monitoring module finds that the server is abnormal, i.e. when obtaining the connection number or the server resources fails, the current server is determined to be abnormal; at this time the comprehensive load value of that server may default to -1, and a comprehensive load value of -1 indicates that the Kerberos server is unavailable.
In addition, other parameters, such as other negative numbers, may be set in addition to the integrated load value of "-1", which is not limited in this embodiment.
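The ordering of step 103 above, as an added example (not the patent's code). Because the page does not reproduce the $Q_{load}$ formula, a weighted sum $\sum_i \alpha_i U_i$ is assumed; the performance vectors, weights and hardware configurations used for tie-breaking are constructed.

```python
"""Added example (not the patent's code): the comprehensive load value
Q_load of step 103 and the ascending KDC ordering of step 103-2. The page
does not reproduce the Q_load formula; a weighted sum of the performance
vector U with the weight vector alpha is assumed here."""
from dataclasses import dataclass
from typing import List

PRESET_MAX = 1.0  # page: abnormal servers' load values default to a preset maximum


@dataclass
class KerberosServer:
    kdc_address: str
    perf: List[float]       # U = [U_cpu, U_mem, U_network, U_num], each in [0, 1]
    cores: int = 0          # hardware configuration, used only to break ties
    memory_gb: int = 0
    abnormal: bool = False  # set from the step-101 notification message


def check_weights(alpha):
    """alpha = [a1, a2, a3, a4]; each in [0, 1) (the page allows 0), sum 1."""
    if len(alpha) != 4 or any(not 0 <= a < 1 for a in alpha):
        raise ValueError("each weight must lie in [0, 1)")
    if abs(sum(alpha) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")


def load_value(server, alpha, preset_max=PRESET_MAX):
    """Step 103-1: Q_load for one server (assumed: sum of alpha_i * U_i)."""
    check_weights(alpha)
    if server.abnormal:
        return preset_max
    if len(server.perf) != 4 or any(not 0 <= u <= 1 for u in server.perf):
        raise ValueError("performance vector needs four values in [0, 1]")
    return sum(a * u for a, u in zip(alpha, server.perf))


def second_address_list(servers, alpha, preset_max=PRESET_MAX):
    """Step 103-2: KDC addresses by Q_load ascending; abnormal servers last.
    Equal load values: the higher CPU/memory configuration is preferred."""
    def sort_key(s):
        q = round(load_value(s, alpha, preset_max), 9)  # tame float noise
        return (s.abnormal, q, -s.cores, -s.memory_gb)
    return [s.kdc_address for s in sorted(servers, key=sort_key)]


def demo():
    """Two normal servers and one abnormal one, with a constructed alpha."""
    alpha = [0.4, 0.3, 0.2, 0.1]
    servers = [
        KerberosServer("KDC-1", [0.7, 0.5, 0.2, 0.6], cores=32, memory_gb=64),
        KerberosServer("KDC-2", [0.3, 0.4, 0.1, 0.2], cores=64, memory_gb=128),
        KerberosServer("KDC-3", [0.1, 0.1, 0.1, 0.1], abnormal=True),
    ]
    loads = {s.kdc_address: load_value(s, alpha) for s in servers}
    return loads, second_address_list(servers, alpha)
```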
In this embodiment, the client only needs to import one Jar package to access the Kerberos server transparently, and the access succeeds.
In a specific example, a set of attribute information of Kerberos1 is obtained and evaluated according to the server's performance (such as CPU and memory) and its specific load conditions (such as CPU utilization, memory usage, network IO and the number of Kerberos service connections); the Kerberos service is monitored through a heartbeat mechanism, and whether Kerberos1 has a fault/anomaly is detected in time.
If the Kerberos server on a certain host is abnormal, the Kerberos service is automatically pulled up using the script (the pull-up can be understood as restarting the Kerberos server), and whether the pull-up succeeded can be determined by detecting whether the KDC is in the RUNNING state.
If it is in the RUNNING state, the pull-up is determined to have succeeded, and log information of the abnormal service state is recorded for later analysis. If the RUNNING state is not detected, the automatic pull-up is stopped and log information of the service abnormality is stored. The method can thus determine that the Kerberos1 server is abnormal, for example due to a load anomaly.
In addition, at the Kerberos Client end: the Client is delivered as a Jar package, and a user can realize the adaptive high-availability load algorithm merely by importing the Jar package. The main functions of the Kerberos Client include: registering with each Kerberos Server, acquiring the resource condition of each Kerberos Server, determining the processing capacity of each host from its CPU utilization, memory utilization and network bandwidth utilization, using that processing capacity as a weight value, and calculating the load of each host from the weighted number of client connections requested of each Kerberos Server.
The method provided by this embodiment non-invasively integrates the Kerberos high-availability load function: the client only needs to import one Jar package to access Kerberos services under different scenario conditions. The Kerberos servers are managed adaptively, achieving high availability and load balancing, thereby greatly reducing the probability of Kerberos service failure and the risk of Kerberos failure caused by failures of other components.
According to the method, the number of connections of the Kerberos server is used as an influence factor to comprehensively analyze various performance parameters of the server, and finally, the Kerberos client makes a decision on strategy selection, so that the flexibility and diversity of Kerberos client selection are improved.
Example two
This embodiment also provides a big data authentication service adaptive method applied to a Kerberos client. It differs from the first embodiment in step 103: in the first embodiment the second address linked list is generated by sorting the calculated comprehensive load values of the servers from small to large, whereas in this embodiment it is generated by calculating a pressure value for each server.
As shown in fig. 8, the step 103 specifically includes:
Step 1031: obtain the access volume of each server in the first address linked list and determine the service weight value of each server.
The server is a Kerberos server, and each Kerberos server runs a Kerberos module and corresponds to a KDC address.
Step 1032: calculate the pressure value of each server from its access volume and service weight value.
The N servers corresponding to the N abnormal KDC addresses are set to be inaccessible.
Step 1033: sort the at least one address in the first address linked list together with the target addresses in increasing order of pressure value to generate the second address linked list.
Specifically, the method comprises the following steps: detecting whether the Kerberos module running in each Kerberos server is abnormal; if so, updating the first address linked list, and sequencing KDC addresses corresponding to the Kerberos server with the abnormality to the back of all normal KDC addresses to generate a second address list.
In a specific example, "weighted polling" is configured for each Kerberos server in a configuration file; because server configurations differ, access requests can be scheduled according to the processing capability of each server, so that a server with strong processing capability handles more access traffic. The higher the weight, the more requests are distributed to it; the weight ranges from 0 to 100.
The Kerberos Server counts the total access volume of its service, and the scheduler obtains the access volume of each Kerberos Server and calculates current access volume / current service weight. For example, with 3 Kerberos servers, Kerberos-1, Kerberos-2 and Kerberos-3, whose access volumes are 0, 300 and 500 respectively, and whose weights are set to 3, 10 and 20 respectively according to server configuration size, the pressure values are calculated as shown in fig. 9:
Kerberos-1 pressure value = current Kerberos-1 service access volume / 3 = 0 / 3 = 0
Kerberos-2 pressure value = current Kerberos-2 service access volume / 10 = 300 / 10 = 30
Kerberos-3 pressure value = current Kerberos-3 service access volume / 20 = 500 / 20 = 25
The smaller the pressure value calculated for a Kerberos server, the more new access requests it should receive, and the earlier it is placed in the KDC address linked list. If two calculated pressure values are similar, the server with the greater weight is dispatched requests preferentially and placed earlier. The addresses are thus sorted by pressure value from small to large; if the first-ranked Kerberos service is abnormal, access is polled in turn according to the sorted order. The specific implementation is shown in fig. 9.
For example, suppose the first address linked list includes 3 KDC addresses, KDC-1, KDC-2 and KDC-3, and the pressure values of the Kerberos servers corresponding to KDC-1, KDC-2 and KDC-3 are calculated; whether each of those Kerberos servers is abnormal is judged; if so, the first address linked list is updated to generate the second address linked list. As shown in fig. 9, assuming Kerberos server 1 is abnormal and address KDC-1 is inaccessible, the generated second address linked list sorts KDC-1 to the end and places addresses KDC-2 and KDC-3 in front of it, so that KDC-2 and KDC-3 are accessed preferentially.
In addition, since Kerberos server 3 has a smaller pressure value than Kerberos server 2 (and, comparing weight values, Kerberos server 2 is smaller than Kerberos server 3), address KDC-3 corresponding to Kerberos server 3 is placed in front of address KDC-2; the sorted result is shown in fig. 9.
The method provided in this embodiment is also called "weighted polling" because a weight value is calculated for each Kerberos server.
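The weighted polling of steps 1031 to 1033 above, as an added example (not the patent's code), run on the page's own figures: access volumes 0, 300 and 500 with weights 3, 10 and 20, then with Kerberos server 1 marked abnormal as in fig. 9. The treatment of weight 0 and the tolerance for "similar" pressure values are this example's assumptions.

```python
"""Added example (not the patent's code): the 'weighted polling' ordering of
Example two, steps 1031-1033, using the figures given on this page (access
volumes 0, 300, 500 and weights 3, 10, 20)."""
import math
from functools import cmp_to_key


def pressure_value(access_volume, weight):
    """Step 1032: pressure = access volume / service weight. The page limits
    weights to 0-100; weight 0 is treated here as 'take no new requests'."""
    if not 0 <= weight <= 100:
        raise ValueError("service weight must be in 0-100")
    if weight == 0:
        return math.inf
    return access_volume / weight


def weighted_polling_order(servers, abnormal=(), similar=1e-9):
    """Step 1033. servers: {kdc_address: (access_volume, weight)}.
    Order: normal before abnormal; then ascending pressure; pressures within
    'similar' of each other go to the larger weight, as the page states."""
    rows = [(addr, pressure_value(vol, w), w, addr in abnormal)
            for addr, (vol, w) in servers.items()]

    def compare(a, b):
        if a[3] != b[3]:                 # abnormal KDCs sink to the end
            return 1 if a[3] else -1
        if abs(a[1] - b[1]) > similar:   # NaN from inf-inf falls through
            return -1 if a[1] < b[1] else 1
        return b[2] - a[2]               # larger weight first

    return [addr for addr, _, _, _ in sorted(rows, key=cmp_to_key(compare))]


def next_kdc(servers, abnormal=()):
    """The KDC a new request is dispatched to: the first address in order."""
    return weighted_polling_order(servers, abnormal)[0]


def demo():
    """The page's fig. 9 example, before and after Kerberos server 1 fails."""
    servers = {"KDC-1": (0, 3), "KDC-2": (300, 10), "KDC-3": (500, 20)}
    return (weighted_polling_order(servers),
            weighted_polling_order(servers, abnormal={"KDC-1"}))
```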
Example three
This embodiment also provides a big data authentication service adaptation method applied to the Kerberos client of any of the foregoing embodiments. It differs from the first and second embodiments in using the "observer pattern", also called the "publish-subscribe pattern", which defines a one-to-many dependency: a plurality of Kerberos clients correspond to one Kerberos server, each Kerberos client acts as an observer, and the plurality of observer objects simultaneously monitor a certain subject object (the Kerberos server). When the status of a Kerberos module running in a Kerberos server changes, all observers (Kerberos clients) are notified, so that the Kerberos clients can automatically update the address linked list. The specific design is as follows:
As shown in fig. 10, before at least one notification message is received in the foregoing step 101, the method includes:
Step 100: the Kerberos client sends at least one registration request to at least one server.
The Kerberos client can send one or more registration requests to all Kerberos servers connected to it; each registration request starts a monitoring module on the server, which monitors whether the Kerberos module running on that server is abnormal. For the process of determining whether an abnormality occurs, refer to steps 201 and 202 of the first embodiment; the description is omitted here.
After detecting that the running Kerberos module is abnormal, the monitoring module generates a notification message and sends it to the Kerberos client.
Step 101: the Kerberos client receives at least one notification message fed back by the at least one server according to the at least one registration request.
The notification message includes a KDC address identifier of the Kerberos server.
Steps 102' and 103': for the specific process, refer to steps 102 and 103 of the first embodiment; not repeated here.
Optionally, in step 103', generating the second address linked list specifically includes: first calculating the pressure value of each Kerberos server from its weight value, and then sorting the KDC addresses by pressure value. The addresses are sorted in increasing order of pressure value: the smaller the pressure value of a Kerberos service, the more new access requests it should be allocated.
As shown in fig. 11, in a specific example, assume that a Kerberos client registers with Kerberos Server 1, and the monitoring module in Kerberos Server 1 (i.e., the Kerberos-1 server) listens in real time to the behavior of the Kerberos module in that server. Here the Kerberos client behaves as an observer and needs to register with each Kerberos Server to become one, e.g. registering with the Kerberos-1 server (abbreviated "Kerberos-1"), Kerberos-2 and Kerberos-3 respectively. Internally, each Kerberos server may implement this via a registration interface such as subscribeObserver, a removal interface unsubscribeObserver (for removing the client from the observer list), and a notifyObserver interface used to notify all observers of Kerberos Server status changes.
Each Kerberos Server has a resident process, such as the monitoring module, which constantly monitors whether the Kerberos Server is normal; if an abnormality is found, the notifyObserver method is called to inform the Kerberos client, and after the Kerberos client receives the notified address it places that address at the end of the sorted address linked list.
If the Kerberos Server is already abnormal when the Kerberos Client registers with it for the first time, the KDC address corresponding to that Kerberos Server is likewise placed at the end of the KDC address linked list, so that the Kerberos Client does not perceive whether a Kerberos Server is abnormal when accessing; this improves the speed of accessing the Kerberos Server and reduces user waiting time.
Example four
This embodiment also provides a redundancy algorithm for the design flow of the Kerberos HA error condition, as shown in fig. 12, where two Kerberos Server addresses are configured in the Kerberos service configuration file /etc/krb5.conf. The scheme is implemented as follows: the Kerberos client improves on the original polling access to the Kerberos addresses. The method is therefore also referred to as a "redundancy algorithm" or "polling algorithm".
Specifically, the Kerberos client first reads all KDC addresses (e.g. KDC addresses IP1 to IP3) from the /etc/krb5.conf configuration file, assigns them to a thread-safe linked list A, and loads linked list A into memory, so that linked list A contains the KDC addresses IP1 to IP3. Linked list A is the first address linked list.
When the Kerberos client accesses the KDC address linked list sequentially for the first time and reads KDC address IP1 first, if KDC-1 in the first position is inaccessible, the Kerberos client stores the KDC-1 address in another thread-safe linked list B. Linked list A (KDC-1, KDC-2, KDC-3) is thereby updated to linked list B, the difference being that the addresses in linked list B are ordered KDC-2, KDC-3, KDC-1.
For linked list B, also called the second address linked list, the second KDC address KDC-2 is accessed next; if it is accessible, this ensures that the KDC address accessed first is normally reachable the next time the Kerberos client accesses.
It should be noted that 3 KDC addresses are used as an example in this embodiment; it should be understood that two or more than 3 KDC addresses may actually be included, with the same logic as described above: the KDC addresses corresponding to abnormal Kerberos servers are ordered last, so that the KDC addresses accessed first for authentication are normal.
According to the method provided by this embodiment, with kdc_timeout and max_retries in the configuration file identical to the parameters of the prior art, when the Kerberos service address KDC-2 is accessed the second time, polling each KDC address is not needed to reach the Kerberos service, so the time of one failed access is saved and the speed of Kerberos authentication and access is improved.
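The client-side address list shared by Example three (a server's notifyObserver pushes an abnormal KDC to the end) and Example four (a KDC found inaccessible during polling is moved to the end), as an added example that is not the patent's code. The krb5.conf sample, its IP addresses, the method names and the simulated access outcomes are constructed; only the realm's `kdc =` lines are parsed.

```python
"""Added example (not the patent's code) for Example three (observer
notification) and Example four (redundancy polling): a thread-safe KDC
address list that moves any KDC reported or found unreachable to the end.
The krb5.conf sample is constructed; only its 'kdc =' lines are parsed."""
import re
import threading

SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = 10.0.0.1
        kdc = 10.0.0.2
        kdc = 10.0.0.3
    }
"""


def read_kdc_addresses(krb5_conf_text):
    """Linked list A of Example four: every 'kdc = ' value, in file order."""
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", krb5_conf_text, re.MULTILINE)


class KdcAddressList:
    """The client's address linked list. Every mutation holds a lock, matching
    the page's thread-safe linked list; snapshot() returns the current order."""

    def __init__(self, addresses):
        self._addrs = list(addresses)
        self._lock = threading.Lock()

    def snapshot(self):
        with self._lock:
            return list(self._addrs)

    def demote(self, address):
        """Move one KDC behind all others (unknown addresses are ignored)."""
        with self._lock:
            if address in self._addrs:
                self._addrs.remove(address)
                self._addrs.append(address)

    def on_notify(self, kdc_address):
        """Observer callback (Example three): notifyObserver reported an
        abnormal Kerberos module, so its KDC goes to the end of the list."""
        self.demote(kdc_address)

    def access(self, try_kdc):
        """Redundancy polling (Example four): try KDCs in list order and demote
        each one that fails, so the next access starts from a working KDC.
        try_kdc(address) -> bool; returns the address that served the request."""
        for address in self.snapshot():
            if try_kdc(address):
                return address
            self.demote(address)
        raise ConnectionError("no KDC in the address list is reachable")


class KerberosServerSubject:
    """Server-side subject with the subscribe/unsubscribe/notify interfaces the
    page names (the method names here are this example's own)."""

    def __init__(self, kdc_address):
        self.kdc_address = kdc_address
        self._observers = []

    def subscribe_observer(self, callback):
        self._observers.append(callback)

    def unsubscribe_observer(self, callback):
        self._observers.remove(callback)

    def notify_observer(self):
        """Called by the monitoring module when its Kerberos module is abnormal."""
        for callback in list(self._observers):
            callback(self.kdc_address)


def demo():
    """KDC 10.0.0.1 is reported abnormal by its server; 10.0.0.2 then fails
    during access (constructed outcomes), so 10.0.0.3 serves the request."""
    client = KdcAddressList(read_kdc_addresses(SAMPLE_KRB5_CONF))
    server1 = KerberosServerSubject("10.0.0.1")
    server1.subscribe_observer(client.on_notify)
    server1.notify_observer()
    after_notify = client.snapshot()
    served = client.access(lambda addr: addr != "10.0.0.2")
    return after_notify, served, client.snapshot()
```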
According to the method provided by this embodiment, a scheduler algorithm module is implemented without third-party software, making it lightweight; the redundancy algorithm, weighted polling, the observer pattern, the combination of the observer pattern with weighted polling, and the adaptive high-availability load algorithm are added, and a user can configure different algorithms in the configuration file to meet different scenario requirements (for example, according to the different processing capacities of the servers). This improves the speed at which big data components access the Kerberos service and achieves adaptive high availability of Kerberos access.
According to the method, through the non-invasively integrated Kerberos high-availability load function developed by the algorithm, a client only needs to import one Jar package to access the Kerberos service according to different scenario conditions. The Kerberos servers are managed adaptively, achieving high availability and load balancing. The probability of Kerberos service failure is minimized, and the risk of Kerberos failure due to other component failures is reduced. Meanwhile, the method takes the connection number of the Kerberos Server as an influence factor to comprehensively analyze the various performance parameters of the Server, and finally the policy selection is decided by the Kerberos client, so that the flexibility and diversity of Kerberos client selection are improved.
The embodiment also provides a big data authentication service adaptive device, which is used for implementing the foregoing embodiments and preferred embodiments, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Referring to fig. 13, a block diagram of a big data authentication service adaptive device according to the present embodiment is provided, where the device includes:
The receiving module 1301 is configured to receive notification messages sent by at least one server, where each notification message includes the identifier of the server running the Kerberos module.
The determining module 1302 is configured to determine, from the server identifier carried in each notification message, that the at least one notification message comes from N servers, N being a positive integer greater than or equal to 1, whose Kerberos modules are abnormal.
The generating module 1303 is configured to search the first address linked list for the N key distribution center (KDC) addresses corresponding to the N servers, reorder the N KDC addresses, and generate a second address linked list.
The N KDC addresses in the second address linked list are arranged behind the KDC addresses of all servers which are not abnormal.
The connection module 1304 is configured to establish a communication connection with a server ranked in front according to the ordering of KDC addresses in the second address linked list, and to perform data access.
Optionally, in a specific implementation of this embodiment, the determining module 1302 is further configured to agree with each server that a notification message is sent to the client when the Kerberos module on that server runs abnormally.
Optionally, in a specific implementation manner of this embodiment, the determining module 1302 is specifically configured to determine a comprehensive load value of each server in the first address linked list, where the comprehensive load values of the N servers are preset maximum values.
The generating module 1303 is specifically configured to sort KDC addresses of all the servers according to the comprehensive load value from small to large, and generate the second address linked list.
Optionally, in another specific implementation manner of this embodiment, the generating module 1303 is specifically further configured to obtain one or more of a CPU usage rate, a memory usage rate, and a bandwidth of a network IO of each server; calculating a performance vector of each server according to one or more of CPU utilization rate, memory utilization rate and bandwidth of network IO; and calculating the comprehensive load value of the server according to the performance vector and the weight vector.
Optionally, in another specific implementation of this embodiment, the generating module 1303 is further configured to obtain the access volume of each server in the first address linked list and determine the service weight value of each server; calculate the pressure value of each server from its access volume and service weight value; and order the KDC addresses of all servers in the first address linked list in increasing order of pressure value to generate the second address linked list. The N servers corresponding to the N KDC addresses are set to be inaccessible.
Optionally, in another specific implementation manner of this embodiment, the apparatus further includes a sending module, where the sending module is not shown in fig. 13.
The sending module is used for sending at least one registration request to at least one server, each registration request is used for starting a monitoring module on the server, and the monitoring module is used for monitoring whether the Kerberos module running on the server is abnormal or not.
The receiving module 1301 is further configured to receive at least one notification message fed back by at least one server according to at least one registration request.
In addition, the further functional description of each module and unit is the same as that of the corresponding embodiments one to four, and the description of this embodiment is omitted here.
In addition, the embodiment of the invention also provides another big data authentication service self-adapting device, as shown in fig. 14, which comprises:
a monitoring module 1401 for monitoring whether the Kerberos module running on the server is abnormal;
The processing module 1402 is configured to pull up the Kerberos module using a script when the monitoring module detects an abnormality, and to generate a notification message including the identifier of the server running the Kerberos module.
A sending module 1403 is configured to send the notification message to the client.
Optionally, in a specific implementation manner of this embodiment, the apparatus further includes a recording module, where the recording module is configured to record log information of an abnormal state of the Kerberos module.
The monitoring module 1401 is further configured to detect whether the Kerberos module is in an operating state; if yes, the operation of the Kerberos module is successfully pulled up, and the first log information of the abnormal state of the Kerberos module is recorded through the recording module;
if not, the operation of pulling up the Kerberos module fails, the Kerberos module is retried, and if still fails, the second log information of the Kerberos module abnormal state is recorded through the recording module.
Optionally, in another specific implementation manner of this embodiment, the apparatus further includes an obtaining module, specifically configured to obtain, via one or more configuration files, one or more of the following information in the performance parameters: CPU usage, memory usage, network IO bandwidth and Kerberos module connection number.
Optionally, in another specific implementation manner of this embodiment, the foregoing apparatus further includes a receiving module, which is not shown in fig. 14, and is configured to receive a registration request sent by the Kerberos client; the monitoring module 1401 is further configured to start and monitor the Kerberos module according to the registration request.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments one to four, and are not repeated here.
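The following is an added example, not code from the patent or its applicant, of the server-side device of fig. 14 (monitoring module, processing module with script pull-up and retry, recording module, notification with the server identifier). The process check `is_running`, the restart callable `pull_up`, the log structure and the parameter limits are assumptions made here so the logic runs offline.

```python
import time

# Parameters the monitor reads at runtime (performance parameters of the module);
# the limits are an assumption, the patent does not fix them.
DEFAULT_LIMITS = {"cpu_usage": 0.90, "memory_usage": 0.90,
                  "network_io_bandwidth": 0.95, "connection_count": 500}


def exceeded_parameters(params, limits=DEFAULT_LIMITS):
    """Return the performance parameters whose value crosses its limit;
    a non-empty result is treated as an abnormal Kerberos module."""
    return [k for k, v in params.items() if k in limits and v > limits[k]]


def watchdog_cycle(server_id, is_running, pull_up, log, max_retries=1, params=None):
    """One monitoring pass of the fig. 14 device.
    `is_running` reports whether the Kerberos module is in an operating state and
    `pull_up` runs the restart script; both are injected here (assumption) so the
    logic can be exercised offline. Returns the notification message when an
    abnormality was handled, or None when the module was healthy."""
    params = params or {}
    if is_running() and not exceeded_parameters(params):
        return None
    attempts = 0
    while True:
        attempts += 1
        pull_up()                      # the script that pulls the module up
        if is_running():
            # First log information: the pull-up succeeded.
            log.append({"level": "warning", "server_id": server_id,
                        "event": "kerberos_module_pulled_up", "attempts": attempts})
            break
        if attempts > max_retries:
            # Second log information: the retry failed as well.
            log.append({"level": "error", "server_id": server_id,
                        "event": "kerberos_module_pull_up_failed", "attempts": attempts})
            break
    # The notification carries the identifier of the server running the module.
    return {"type": "kerberos_module_abnormal", "server_id": server_id,
            "recovered": is_running(), "timestamp": int(time.time())}


if __name__ == "__main__":
    state = {"up": False}              # constructed: the module was found down
    log = []
    msg = watchdog_cycle("srv-1", lambda: state["up"],
                         lambda: state.update(up=True), log)
    print(msg["server_id"], msg["recovered"], [e["event"] for e in log])
```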
The embodiment of the invention also provides electronic equipment, which is provided with the abnormality detection device and/or the KDC address linked list generation device shown in the figure 15.
Referring to fig. 15, a schematic structural diagram of an electronic device according to an alternative embodiment of the present invention is shown, where the electronic device includes: one or more processors 10, memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the electronic device, including instructions stored in or on memory to display graphical information of the GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple electronic devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 15.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform the methods of the above embodiments.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the electronic device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device.
In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The electronic device also includes a communication interface 30 for the electronic device to communicate with other devices or communication networks.
Furthermore, the electronic device comprises input means and output means (not shown in fig. 15). The processor 10, memory 20, input devices, and output devices may be connected by a bus or other means, which is not limited in this embodiment.
The device and the equipment provided by this embodiment integrate the high-availability and load-balancing functions of Kerberos, so that the client can access Kerberos services under different scenario conditions by introducing only a single Jar package. The Kerberos servers are managed adaptively, achieving high availability and load balancing, minimizing the probability of Kerberos service failure, and reducing the risk of Kerberos failures caused by failures of other components.
The embodiments of the present invention also provide a computer-readable storage medium. The method according to the above embodiments may be implemented in hardware or firmware, or as computer code recorded on a storage medium, or as computer code originally stored on a remote storage medium or a non-transitory machine-readable storage medium, downloaded over a network and stored on a local storage medium, so that the method described herein can be carried out by software stored on such a storage medium using a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware.
The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of memories of the kind described above.
It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a memory component that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the big data authentication service adaptation method illustrated by the above embodiments.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (13)

1. A big data authentication service self-adaption method, characterized in that the method is applied to a client, the client prestores a first address linked list in which the key distribution center (KDC) addresses of all servers connected to the client are recorded, and the method comprises the following steps:
receiving at least one notification message, wherein each notification message comprises a server identifier of a Kerberos module;
determining, according to the server identifier carried in each notification message, that the at least one notification message comes from N servers whose Kerberos modules are abnormal, wherein N is a positive integer greater than or equal to 1;
searching the first address linked list for the N KDC addresses corresponding to the N servers, and reordering the N KDC addresses to generate a second address linked list, wherein the N KDC addresses in the second address linked list are ranked behind the KDC addresses of all servers that are not abnormal;
and establishing a communication connection with the server ranked first in the order of the KDC addresses in the second address linked list, and performing data access.
2. The method of claim 1, wherein prior to receiving the at least one notification message, further comprising:
agreeing with each server that a notification message is sent to the client when an abnormality occurs in the Kerberos module running on that server.
3. The method of claim 2, wherein the reordering the N KDC addresses to generate a second address linked list comprises:
determining the comprehensive load value of each server in the first address linked list, wherein the comprehensive load values of the N servers are a preset maximum value;
and sorting the KDC addresses of all servers by comprehensive load value from small to large to generate the second address linked list, wherein the KDC addresses of all servers include the N KDC addresses of the abnormal servers.
4. The method of claim 3, wherein said determining the aggregate load value for each server in the first address linked list comprises:
acquiring one or more of the CPU utilization rate, the memory utilization rate and the network IO bandwidth of each server, and the weight vector configured for each server;
calculating a performance vector of each server according to one or more of the CPU utilization rate, the memory utilization rate and the bandwidth of the network IO;
and calculating the comprehensive load value of the server according to the performance vector and the weight vector.
5. The method of claim 3, wherein the reordering the N KDC addresses to generate a second address linked list comprises:
acquiring the access amount of each server in the first address linked list, and determining a service weight value of each server;
calculating a pressure value of each server according to its access amount and service weight value, wherein the N servers corresponding to the N KDC addresses are set as inaccessible;
and sorting the KDC addresses of all servers in the first address linked list by pressure value from small to large to generate the second address linked list.
6. The method according to any of claims 1-5, wherein prior to said receiving at least one notification message, the method further comprises:
and sending a registration request to the at least one server, wherein the registration request is used for starting a monitoring flow on the server so as to monitor whether the Kerberos module running on the server is abnormal or not.
7. A big data authentication service adaptation method, wherein the method is applied to a server, and the server comprises a Kerberos module, and the method comprises:
when the Kerberos module running on the server is monitored to be abnormal, pulling up the Kerberos module by using a script, and generating a notification message, wherein the notification message comprises a server identifier for running the Kerberos module;
and sending the notification message to the client.
8. The method of claim 7, wherein the method further comprises:
recording log information of abnormal states of the Kerberos module;
wherein pulling up the Kerberos module using the script comprises:
if the Kerberos module is detected to be in an operating state, the pull-up of the Kerberos module succeeded, and first log information about the abnormal state of the Kerberos module is recorded;
if the pull-up of the Kerberos module fails, the pull-up is retried, and if it still fails, second log information about the abnormal state of the Kerberos module is recorded.
9. The method of claim 7 or 8, wherein monitoring whether the Kerberos module running on the server is abnormal comprises:
monitoring whether an abnormality occurs according to the acquired performance parameters of the Kerberos module during operation, wherein the performance parameters comprise one or more of the following: CPU usage, memory usage, network IO bandwidth and Kerberos module connection number.
10. A big data authentication service adaptation apparatus, the apparatus comprising:
a receiving module, configured to receive at least one notification message, each notification message comprising a server identifier of a Kerberos module;
a determining module, configured to determine, according to the server identifier carried in each notification message, that the at least one notification message comes from N servers whose Kerberos modules are abnormal, wherein N is a positive integer greater than or equal to 1;
a generating module, configured to search a first address linked list for the N key distribution center (KDC) addresses corresponding to the N servers and to reorder the N KDC addresses to generate a second address linked list, wherein the N KDC addresses in the second address linked list are ranked behind the KDC addresses of all servers that are not abnormal;
and a connection module, configured to establish a communication connection with the server ranked first in the order of the KDC addresses in the second address linked list and to perform data access.
11. A big data authentication service adaptation apparatus, the apparatus comprising:
the monitoring module is used for monitoring whether the Kerberos module running on the server is abnormal or not;
the processing module is used for pulling up the Kerberos module by using a script when the monitoring module detects that an abnormality occurs, and generating a notification message, wherein the notification message comprises a server identifier for running the Kerberos module;
and a sending module, configured to send the notification message to the client.
12. An electronic device, comprising a memory and a processor, the memory being connected to the processor,
the memory has stored therein computer instructions which, upon execution by the processor, perform the big data authentication service adaptation method of any of claims 1 to 6, or 7 to 9.
13. A computer-readable storage medium having stored thereon computer instructions;
the computer instructions for causing a computer to perform the big data authentication service adaptation method of any of claims 1 to 6, or 7 to 9.
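An added example, not code from the patent or its applicant, of the client-side procedure of claims 1, 3 and 4: the notification messages identify the N abnormal servers, each server's comprehensive load is the inner product of its performance vector and weight vector, abnormal servers receive the preset maximum value, and the second address linked list is the first list sorted by that value ascending. The `KdcEntry` type, the normalised performance values and the sample addresses are constructed here for illustration.

```python
from dataclasses import dataclass

# Comprehensive load assigned to servers reported abnormal, so they sort last (claim 3).
PRESET_MAX_LOAD = float("inf")


@dataclass
class KdcEntry:
    """One node of the client's first address linked list (constructed type)."""
    server_id: str
    kdc_address: str                       # e.g. "kdc1.example.internal:88" (constructed)
    perf: tuple = (0.0, 0.0, 0.0)          # (CPU usage, memory usage, network IO), 0..1
    weights: tuple = (1.0, 1.0, 1.0)       # weight vector configured for this server


def comprehensive_load(entry, abnormal):
    """Claim 4: inner product of the performance vector and the weight vector.
    Claim 3: servers in `abnormal` receive the preset maximum value."""
    if entry.server_id in abnormal:
        return PRESET_MAX_LOAD
    return sum(p * w for p, w in zip(entry.perf, entry.weights))


def abnormal_servers(messages, first_list):
    """Claim 1: the N server identifiers carried in the notification messages.
    Identifiers not present in the first list are ignored (assumption)."""
    known = {e.server_id for e in first_list}
    return {m["server_id"] for m in messages if m.get("server_id") in known}


def build_second_list(first_list, messages):
    """Claims 1 and 3: sort all KDC addresses by comprehensive load, ascending.
    The sort is stable, so servers with equal load keep the first list's order,
    and the abnormal ones end up behind every server that is not abnormal."""
    abnormal = abnormal_servers(messages, first_list)
    return sorted(first_list, key=lambda e: comprehensive_load(e, abnormal))


def choose_kdc(second_list):
    """Claim 1: the client connects to the server ranked first."""
    return second_list[0].kdc_address if second_list else None


if __name__ == "__main__":
    # Constructed sample: three servers, one reported abnormal by a notification.
    first = [
        KdcEntry("srv-1", "kdc1.example.internal:88", (0.10, 0.10, 0.10)),
        KdcEntry("srv-2", "kdc2.example.internal:88", (0.50, 0.40, 0.30)),
        KdcEntry("srv-3", "kdc3.example.internal:88", (0.20, 0.30, 0.10)),
    ]
    notes = [{"type": "kerberos_module_abnormal", "server_id": "srv-1"}]
    second = build_second_list(first, notes)
    print([e.server_id for e in second])   # ['srv-3', 'srv-2', 'srv-1']
    print("connect to", choose_kdc(second))
```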
CN202310864286.7A 2023-07-13 2023-07-13 Big data authentication service self-adaption method, device and equipment Pending CN116886286A (en)

Publications (1)

Publication Number Publication Date
CN116886286A true CN116886286A (en) 2023-10-13


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination