CN117609980A - Login verification method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN117609980A
Authority
CN (China)
Legal status
Pending
Application number
CN202311650487.3A
Other languages
Chinese (zh)
Inventor
邹德柱
Current Assignee
Zhongdian Cloud Computing Technology Co ltd
Original Assignee
Zhongdian Cloud Computing Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/44 Program or device authentication


Abstract

The embodiment of the application discloses a login verification method and device based on Openshift software, electronic equipment and storage medium, which are applied to the technical field of login verification of the Openshift software and can be used for solving the problems that the security performance of an Openshift user system is low and the use of a user is affected. The method comprises the following steps: acquiring a target security policy of a user component, and extracting target login information from a login information base; performing security verification on the target login information according to the target security policy to obtain a security verification result; under the condition that the security verification result indicates that verification is passed, a user identity component object is created, and a security verification result is output; the target security policy comprises: at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy.

Description

Login verification method and device, electronic equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of login verification of OpenShift software, in particular to a login verification method and device based on OpenShift software, electronic equipment and a storage medium.
Background
OpenShift is a free and open-source cloud computing platform that allows developers to create, test and run applications and deploy them to the cloud. The current OpenShift native user system verifies logins with the simplest password check, so its security is low; moreover, the default IDP (identity provider) mode cannot meet current requirements for password encryption, and the password modification process is cumbersome, which affects users.
Disclosure of Invention
In order to solve the technical problems or at least partially solve the technical problems, embodiments of the present application provide a login verification method, device, electronic device and storage medium based on OpenShift software, so as to solve the problem that the security performance of an OpenShift user system is low and the use of a user is affected.
In order to achieve the above object, the technical solution provided in the embodiments of the present application is as follows:
in a first aspect, an embodiment of the present application provides a login verification method based on openshift software, where the login verification method based on openshift software includes: acquiring a target security policy of a user component, and extracting target login information from a login information base;
according to the target security policy, performing security verification on the target login information to obtain a security verification result;
Under the condition that the security verification result indicates that verification is passed, a user identity component object is created, and the security verification result is output;
wherein the target security policy comprises: at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy.
As an optional implementation manner, in the first aspect of the embodiment of the present application, before the obtaining the target security policy of the user component and extracting the target login information from the login information base, the method further includes:
creating the login information base;
when the login information updating operation of the user is detected, acquiring login information input by the user through a preset interface;
and storing the login information into the login information base so as to update the login information base.
In a first aspect of the embodiments of the present application, the performing security verification on the target login information according to the target security policy, to obtain a security verification result, includes:
acquiring the session time of the user component;
and comparing the session duration with a preset session duration threshold to obtain a comparison result, and determining the comparison result as the security verification result.
In a first aspect of the embodiments of the present application, the performing security verification on the target login information according to the target security policy, to obtain a security verification result, includes:
acquiring an access address of the user component;
when the access address is in the address range allowing access, determining that the security verification result is verification passing;
and when the access address is in the address range of access prohibition, determining that the security verification result is verification failure.
In a first aspect of the embodiments of the present application, the performing security verification on the target login information according to the target security policy, to obtain a security verification result, includes:
determining target account information and target password information from the target login information;
and under the condition that the target account information is detected not to be in a locking state and the target password information accords with the pre-stored password information, determining that the security verification result is verification passing.
In a first aspect of the embodiments of the present application, the performing security verification on the target login information according to the target security policy, to obtain a security verification result, includes:
When the double-factor authentication is detected to be in an open state, sending target verification code information to a user component;
receiving a verification code to be authenticated input by a user;
and when the verification code to be authenticated accords with the target verification code information, determining that the security verification result is verification passing.
As an optional implementation manner, in the first aspect of the embodiment of the present application, the method further includes:
creating a user security policy setting module and a user-defined identity providing module in a user system architecture;
the user security policy setting module stores the target security policy, and the user defined identity providing module stores the login information base.
In a second aspect, an embodiment of the present application provides an openshift software-based login verification device, where the openshift software-based login verification device includes: the acquisition module is used for acquiring a target security policy of the user component and extracting target login information from the login information base;
the processing module is used for carrying out security verification on the target login information according to the target security policy to obtain a security verification result;
the processing module is further used for creating a user identity component object and outputting the security verification result when the security verification result indicates that verification is passed;
Wherein the target security policy comprises: at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy.
As an optional implementation manner, in a second aspect of the embodiment of the present application, the processing module is further configured to create the login information base;
the acquisition module is further used for acquiring login information input by a user through a preset interface when login information updating operation of the user is detected;
the processing module is further configured to store the login information into the login information base, so as to update the login information base.
As an optional implementation manner, in a second aspect of the embodiment of the present application, the obtaining module is specifically configured to obtain a session duration of a user component;
the processing module is specifically configured to compare the session duration with a preset session duration threshold to obtain a comparison result, and determine the comparison result as the security verification result.
As an optional implementation manner, in a second aspect of the embodiment of the present application, the obtaining module is specifically configured to obtain an access address of the user component;
The processing module is specifically configured to determine that the security verification result is verification passing when the access address is in an address range allowing access;
the processing module is specifically configured to determine that the security verification result is verification failure when the access address is in an address range where access is prohibited.
As an optional implementation manner, in a second aspect of the embodiment of the present application, the processing module is specifically configured to determine target account information and target password information from the target login information;
the processing module is specifically configured to determine that the security verification result is verification passing when it is detected that the target account information is not in a locked state and the target password information matches with pre-stored password information.
As an optional implementation manner, in a second aspect of the embodiment of the present application, the processing module is specifically configured to send, when it is detected that the two-factor authentication is in an on state, target verification code information to the user component;
the processing module is specifically used for receiving a verification code to be authenticated input by a user;
the processing module is specifically configured to determine that the security verification result is verification pass when the verification code to be authenticated matches the target verification code information.
As an optional implementation manner, in the second aspect of the embodiment of the present application, the processing module is further configured to create a user security policy setting module and a custom identity providing module in a user system architecture;
the user security policy setting module stores the target security policy, and the user defined identity providing module stores the login information base.
In a third aspect, an embodiment of the present application provides an electronic device, including:
a memory storing executable program code;
a processor coupled to the memory;
the processor calls the executable program code stored in the memory and executes the login verification method based on OpenShift software in the first aspect of the embodiment of the application.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing a computer program that causes a computer to execute the login verification method based on OpenShift software in the first aspect of embodiments of the present application. The computer-readable storage medium includes ROM/RAM, magnetic disk or optical disk, etc.
In a fifth aspect, embodiments of the present application provide a computer program product which, when run on a computer, causes the computer to perform part or all of the steps of any one of the methods of the first aspect.
In a sixth aspect, embodiments of the present application provide an application publishing platform for publishing a computer program product, wherein the computer program product, when run on a computer, causes the computer to perform some or all of the steps of any one of the methods of the first aspect.
Compared with the prior art, the embodiment of the application has the following beneficial effects:
the embodiment of the application provides a login verification method, a login verification device, electronic equipment and a storage medium based on OpenShift software, which are used for acquiring a target security policy of a user component and extracting target login information from a login information base; performing security verification on the target login information according to the target security policy to obtain a security verification result; under the condition that the security verification result indicates that verification is passed, a user identity component object is created, and the security verification result is output; the target security policy comprises: at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy. According to the scheme, at least five security verification strategies related to user login are introduced, and at least one layer of protection is added to the whole system through the newly added security authentication, so that the security of the OpenShift native user system can be effectively improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a user system architecture according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a login verification method based on openshift software according to an embodiment of the present application;
fig. 3 is a second flowchart of a login verification method based on openshift software according to an embodiment of the present application;
fig. 4 is a flowchart of a login verification method based on openshift software according to the third embodiment of the present application;
fig. 5 is a flowchart of a login verification method based on openshift software according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a second architecture of a user system according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a login verification device based on openshift software according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to more clearly understand the foregoing objects, features and advantages of the present application, a technical solution of an embodiment of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiment of the present application, and it should be noted that, without conflict, the embodiment of the present application and features in the embodiment may be combined with each other, and it is apparent that the described embodiment is a part of the embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The terms "first" and "second" and the like in the description and in the claims, are used for distinguishing between different objects and not for describing a particular sequential order of objects.
The terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
OpenShift is Red Hat's open-source cloud platform, a platform as a service (PaaS): a free and open-source cloud computing platform that allows developers to create, test and run their applications and deploy them to the cloud. It supports multiple programming languages and frameworks such as Java, Ruby and PHP, while providing a variety of integrated development tools such as Eclipse integration, JBoss Developer Studio and Jenkins.
OpenShift provides support for mobile applications, database services and so on, based on an open-source ecosystem. In the OpenShift Online service, Red Hat Enterprise Linux provides an integrated application, runtime and operating system configured as scalable multi-user single instances to meet the various requirements of enterprise applications. The system adds tooling on top of the K8S core, enabling faster application development, deployment and scaling, and OpenShift ships with a user system. The user overview framework of OpenShift, as shown in fig. 1, supports administrator user login and user login through a third-party identity provider.
Here K8S is an abbreviation for Kubernetes, in which the 8 replaces the eight characters "ubernete" in the middle of the name. Kubernetes is an open-source system for managing containerized applications across multiple hosts in a cloud platform; its goal is to make deploying containerized applications simple and powerful, and it provides mechanisms for application deployment, planning, updating and maintenance.
The OpenShift native user system performs only a simple login information check, as shown in FIG. 2: the web browser accesses the page on the con-server; the oauth-server then requests the identity provider to authenticate the user account and password; the identity provider checks the correctness of the account and password and obtains an authentication result; the oauth-server returns the authentication result to the con-server, which confirms the user information; and the con-server returns a corresponding prompt to the web browser. The whole login process verifies only the correctness of the account password, with no other authentication, and so its security is low.
In addition, OpenShift's default identity provider mode is htpasswd. htpasswd is a tool built into Apache, and the file it generates is called an htpasswd file. The htpasswd file itself may be understood as a codebook, or something like a database, used to store credential information. The format of the generated password data is fixed by the built-in encryption of the Apache htpasswd software, so requirements such as custom encryption or national cryptographic standard encryption cannot be met. Furthermore, in the default htpasswd identity provider mode the backend auth-server service is restarted after a password is modified; the restart takes a few minutes to complete, the system cannot be logged into during the restart, and the new password only takes effect after those few minutes. The above approach cannot meet further encryption requirements and lengthens the time needed to modify a password.
In order to solve some or all of the above technical problems, embodiments of the present application provide a login verification method, device, electronic device and storage medium based on OpenShift software, which acquire a target security policy of a user component and extract target login information from a login information base; perform security verification on the target login information according to the target security policy to obtain a security verification result; and, under the condition that the security verification result indicates that verification is passed, create a user identity component object and output the security verification result; the target security policy comprises: at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy. According to the scheme, at least five security verification strategies related to user login are introduced, and at least one layer of protection is added to the whole system through the newly added security authentication, so that the security of the OpenShift native user system can be effectively improved.
As shown in fig. 3, fig. 3 is a flowchart of a login verification method based on openshift software according to an embodiment of the present application, where the method may include the following steps:
301. and acquiring a target security policy of the user component, and extracting target login information from a login information base.
In an embodiment of the present application, the target security policy includes: at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy. The login information base is preset, a large amount of information such as login account passwords can be stored in the login information base, and a user can modify and update the information in the login information base. The target login information is the login information corresponding to the user component, and security verification needs to be performed on the target login information.
In some embodiments, the password authentication policy may be understood as common password authentication, that is, an account number and a password input by a user are compared with an account number and a password pre-stored in a system, if they are consistent, the password authentication is determined to be passed, and if they are inconsistent, the password authentication is determined to be failed.
In some embodiments, the session authentication policy detects a session duration, and if the session duration is timeout, it is determined that the session authentication is not passed.
In some embodiments, the account locking authentication policy detects whether an account is locked. Some accounts may be locked for various reasons (user authority settings, the account being banned, etc.), that is, the account is restricted from logging in; so if the account is detected to be in a locked state, it is determined that account locking authentication is not passed.
In some embodiments, the access address authentication policy is to detect an IP address, where some allowed access IP segments and forbidden access IP segments may be stored in advance in the system, where the IP segments may be set by a user, detect an IP address of the current device, and determine that the access address authentication passes if the IP address is in the allowed access IP segment; if the IP address is within the access-prohibited IP segment, it is determined that the access address is not authenticated.
In some embodiments, a two-factor authentication policy is a security verification process that requires a user to provide two different authentication factors to prove identity, which may generally include: a secret known to the user (e.g., a password, PIN code, or other type of shared key), and something the user has (e.g., an identification card, security token, smart phone, or other mobile device); in two-factor authentication these must be two independent, unrelated pieces of evidence. Thus, knowing the user's password alone is insufficient to pass the authentication check, and two-factor authentication adds a further layer of security to the authentication process by increasing the difficulty for an attacker of accessing the user's device and online account.
The existing common two-factor authentication application is logging in an online payment platform such as an online banking application program or a payment application program. In such applications, the user first needs to enter a user name and password, which is the first authentication factor (secret known to the user). The system will then send a verification code to the user's handset, which is the second authentication factor (what the user has, i.e., the handset). After the user inputs the correct verification code, the user can successfully log in and finish operations such as payment or transfer. This two-factor authentication approach can effectively prevent illegal user intrusion because it is necessary to have the user's handset in addition to knowing the user's username and password in order to receive the authentication code. If the mobile phone is not available, the account cannot be logged in even if the user name and password are known. Therefore, the two-factor authentication mode greatly enhances the security of the account.
In some embodiments, the login information base may also be created before the target security policy of the user component is obtained and the target login information is extracted from the login information base; when the login information updating operation of the user is detected, login information input by the user is acquired through a preset interface; and storing the login information into a login information base so as to update the login information base.
When the user needs to update the login information in the login information base, the login information input by the user can be obtained through the preset interface, and the login information originally stored in the login information base is updated according to the newly input login information.
In some embodiments, the login information base may be a database, as shown in fig. 4. The original default manner of password modification is shown in the upper right corner of fig. 4: the key is generated in the htpasswd manner by the open-source fixed encryption algorithm. This scheme optimizes the default mode, as shown in the lower right corner of fig. 4, by providing an interface for verifying the correctness of the user password, where the interface is an API that implements the Basic-Auth verification mode: when accessing an HTTP Basic Auth website, a user name and password must be provided, otherwise the process returns 401 (Unauthorized). HTTP Basic Authentication has two ways: 1. add the Base64-encoded "username:password" string to the request's Authorization header; 2. spell the user name and password into the URL. In this embodiment, an interface implementing the basic-auth checking mode is newly added, and a method for supporting access to OpenShift is needed.
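As an added example (not code from the patent or from OpenShift), the following Python sketches the Basic-Auth checking interface described above: it takes the credentials either from the Authorization header or from the URL userinfo, verifies them against a constructed login information base, and returns 401 with a WWW-Authenticate challenge when they are missing or wrong. The PBKDF2 hashing, the realm name and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import unquote, urlsplit

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; an assumption for this example


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str, salt: bytes = b"") -> tuple:
    """Create a (salt, hash) entry for the login information base."""
    salt = salt or os.urandom(16)
    return salt, _derive(password, salt)


# Constructed login information base: account name -> (salt, hash).
# Unlike the fixed htpasswd format, the hash scheme here is under the operator's control.
LOGIN_INFO_BASE = {"alice": make_record("correct horse battery staple")}


def basic_header(user: str, password: str) -> dict:
    """Build the request header a client sends for way 1 (Base64 of "user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def extract_credentials(headers: dict, url: str):
    """Return (user, password) from the Authorization header (way 1) or the URL userinfo (way 2), else None."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # a malformed token is treated as no credentials at all
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    parts = urlsplit(url)
    if parts.username is not None and parts.password is not None:
        return unquote(parts.username), unquote(parts.password)
    return None


def check_basic_auth(headers: dict, url: str) -> tuple:
    """Interface for checking the correctness of the user password.

    Returns (status, response_headers): 200 on success, 401 with a
    WWW-Authenticate challenge when credentials are missing or wrong."""
    challenge = {"WWW-Authenticate": 'Basic realm="openshift-login"'}
    creds = extract_credentials(headers, url)
    if creds is None:
        return 401, challenge
    user, password = creds
    record = LOGIN_INFO_BASE.get(user)
    if record is None:
        _derive(password, b"\x00" * 16)  # burn the same work for unknown users (timing)
        return 401, challenge
    salt, stored = record
    if hmac.compare_digest(_derive(password, salt), stored):
        return 200, {}
    return 401, challenge
```

Way 2 places the secret in the URL, where proxies, browser history and access logs record it, so a deployment should accept the header form over TLS and treat URL-embedded credentials as a compatibility path at most.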
302. And carrying out security verification on the target login information according to the target security policy to obtain a security verification result.
In the embodiment of the application, at least one policy of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy and an access address authentication policy is provided, so that security verification can be performed on target login information to be authenticated according to the policies to obtain a security verification result, and the security verification result can include verification passing or verification failing.
The following will describe each of the authentication policies described above.
In some embodiments, a session duration of a user component may be obtained; and comparing the session duration with a preset session duration threshold value to obtain a comparison result, and determining the comparison result as a security verification result.
It should be noted that this embodiment adopts a session authentication policy. Sessions between the user system, network devices, background services and so on are limited in duration: if there is no response within that duration, the session may be judged unresponsive and interrupted. The session duration is therefore compared with a preset session duration threshold. If the session duration is greater than the preset threshold, the session has timed out and session authentication fails, that is, the security verification result is that verification is not passed; if the session duration is less than or equal to the preset threshold, the session has not timed out and session authentication passes, that is, the security verification result is verification passing.
In some embodiments, an access address of a user component may be obtained; when the access address is in the address range allowing access, determining the security verification result as verification passing; and when the access address is in the address range of access prohibition, determining that the security verification result is verification failure.
It should be noted that this embodiment adopts an access address authentication policy. Each device presents its own IP address when it accesses the system, and because of environmental and network factors some IPs may be forbidden from logging in. After the access address is acquired, it is compared with the address range that is allowed to access and with the address range that is forbidden to access. If the access address is in the allowed range, access address authentication passes, that is, the security verification result is verification passing; if the access address is in the forbidden range, access address authentication fails, that is, the security verification result is that verification is not passed.
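The session authentication policy and the access address authentication policy of the two embodiments above, as an added Go example that is not part of the patent text or of the assignee's components. The threshold, the CIDR ranges and the sample addresses are constructed; the patent says nothing about an address that falls in neither range, so the example rejects it (default deny), and it evaluates the prohibited range before the allowed one so that a deny entry wins over an overlapping allow entry.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// CheckSession implements the session authentication policy: the session passes
// while its duration is at or below the preset threshold and fails once it exceeds it.
func CheckSession(sessionDuration, threshold time.Duration) error {
	if sessionDuration > threshold {
		return fmt.Errorf("session policy: %s exceeds the %s threshold, session timed out", sessionDuration, threshold)
	}
	return nil
}

// AddressPolicy holds the address ranges (CIDR notation) that are allowed and
// prohibited from logging in.
type AddressPolicy struct {
	allow, deny []*net.IPNet
}

// NewAddressPolicy parses the two range lists once; a malformed CIDR is reported
// rather than silently skipped, because a dropped deny entry would widen access.
func NewAddressPolicy(allow, deny []string) (*AddressPolicy, error) {
	parse := func(cidrs []string) ([]*net.IPNet, error) {
		nets := make([]*net.IPNet, 0, len(cidrs))
		for _, c := range cidrs {
			_, n, err := net.ParseCIDR(c)
			if err != nil {
				return nil, fmt.Errorf("address policy: bad range %q: %w", c, err)
			}
			nets = append(nets, n)
		}
		return nets, nil
	}
	a, err := parse(allow)
	if err != nil {
		return nil, err
	}
	d, err := parse(deny)
	if err != nil {
		return nil, err
	}
	return &AddressPolicy{allow: a, deny: d}, nil
}

func inRange(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Check implements the access address authentication policy. The prohibited range
// is consulted first; an address in neither range, or one that does not parse, is
// rejected as well (assumption: the text names only the two listed cases).
func (p *AddressPolicy) Check(accessAddress string) error {
	ip := net.ParseIP(accessAddress)
	switch {
	case ip == nil:
		return errors.New("address policy: access address does not parse")
	case inRange(p.deny, ip):
		return fmt.Errorf("address policy: %s is in the prohibited range", ip)
	case !inRange(p.allow, ip):
		return fmt.Errorf("address policy: %s is not in the allowed range", ip)
	}
	return nil
}

func main() {
	// Constructed sample values: a 30-minute threshold, one range allowed and one
	// subnet inside it prohibited.
	fmt.Println(CheckSession(5*time.Minute, 30*time.Minute))  // <nil>
	fmt.Println(CheckSession(45*time.Minute, 30*time.Minute)) // session timed out
	p, err := NewAddressPolicy([]string{"10.0.0.0/8"}, []string{"10.99.0.0/16"})
	if err != nil {
		panic(err)
	}
	fmt.Println(p.Check("10.0.0.5"), p.Check("10.99.1.1"), p.Check("192.168.1.1"))
}
```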
In some embodiments, the target account information and the target password information may be determined from the target login information; and under the condition that the target account information is detected not to be in a locked state and the target password information accords with the pre-stored password information, determining that the security verification result is verification passing.
In this embodiment, a password authentication policy and an account locking authentication policy are adopted; the two policies may be verified separately or simultaneously, which this embodiment does not limit.
When verified separately: if the target account information is detected not to be in a locked state, account locking authentication passes, that is, the security verification result is verification passing; if the target account information is detected to be in a locked state, account locking authentication fails, that is, the security verification result is that verification is not passed.
Likewise, if the target password information is detected to be consistent with the pre-stored password information, password authentication passes, that is, the security verification result is verification passing; if the target password information does not match the pre-stored password information, password authentication fails, that is, the security verification result is that verification is not passed.
When verified simultaneously, there are four cases. If the target account information is not in a locked state and the target password information matches the pre-stored password information, both account locking authentication and password authentication pass, that is, the security verification result is verification passing. If the target account information is in a locked state while the target password information matches the pre-stored password information, account locking authentication fails even though password authentication passes, that is, the security verification result is that verification is not passed. If the target account information is not in a locked state but the target password information does not match the pre-stored password information, account locking authentication passes but password authentication fails, that is, the security verification result is that verification is not passed. If the target account information is in a locked state and the target password information does not match the pre-stored password information, both account locking authentication and password authentication fail, that is, the security verification result is that verification is not passed.
In some embodiments, the target passcode information may be sent to the user component when the two-factor authentication is detected to be in an on state; receiving a verification code to be authenticated input by a user; and when the verification code to be authenticated accords with the target verification code information, determining that the security verification result is verification passing.
It should be noted that this embodiment adopts a two-factor authentication policy. Two-factor authentication is a function that is manually switched on or off, and it is performed only when it is in the on state: the target verification code information, which is randomly generated in real time, is sent to the user. When the verification code to be authenticated that the user inputs is received and is the same as the code the system sent, two-factor authentication passes, that is, the security verification result is verification passing; when the verification code the user inputs differs from the code the system sent, two-factor authentication fails, that is, the security verification result is that verification is not passed.
In some embodiments, the above-listed embodiments describe the verification process of each target security policy. The target security policies may all be applied simultaneously for security verification, only one of them may be selected, or any plurality of them may be selected; the embodiments of the present application are not limited in this respect.
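The account-locking, password and two-factor policies of the embodiments above, together with the selection of any subset of policies, as an added Go example (not code from the patent or from the assignee's components). Each policy is a function of the same signature, so the lock check and the password check can run alone or one after the other, and `Verify` creates the identity object only when every selected policy passes. Field names, the SHA-256 storage hash, the six-digit code format and the sample account are assumptions made for the example; the patent does not specify them.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// LoginInfo is the target login information determined from the login information
// base plus what the user typed (field names are assumptions made for this example).
type LoginInfo struct {
	Account  string
	Password string
	OTP      string // verification code typed by the user, "" when 2FA is off
}

// StoredAccount is one pre-stored record: the password hash and the lock flag.
type StoredAccount struct {
	PasswordHash [32]byte
	Locked       bool
}

// Policy is one target security policy; nil means "verification passed".
type Policy func(LoginInfo) error

// Identity stands in for the k8s user identity object created after success.
type Identity struct{ User string }

// HashPassword is the storage-side hash. SHA-256 keeps the example dependency-free;
// a deployment should use a password hash such as bcrypt or Argon2.
func HashPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// LockPolicy is the account-locking policy on its own: a locked account fails.
func LockPolicy(accounts map[string]StoredAccount) Policy {
	return func(li LoginInfo) error {
		if acct, ok := accounts[li.Account]; ok && acct.Locked {
			return errors.New("account-locking policy: account is locked")
		}
		return nil
	}
}

// PasswordPolicy compares the typed password with the pre-stored hash in constant
// time; an unknown account still runs the compare so timing does not reveal names.
func PasswordPolicy(accounts map[string]StoredAccount) Policy {
	return func(li LoginInfo) error {
		acct, known := accounts[li.Account]
		got := HashPassword(li.Password)
		if subtle.ConstantTimeCompare(got[:], acct.PasswordHash[:]) != 1 || !known {
			return errors.New("password policy: password does not match")
		}
		return nil
	}
}

// GenerateCode is the random target verification code the system sends to the
// user; crypto/rand makes it unpredictable, six digits keep it typable.
func GenerateCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// TwoFactorPolicy is a no-op while 2FA is switched off; when on, the typed code
// must equal the issued one.
func TwoFactorPolicy(enabled bool, issued string) Policy {
	return func(li LoginInfo) error {
		if enabled && subtle.ConstantTimeCompare([]byte(li.OTP), []byte(issued)) != 1 {
			return errors.New("two-factor policy: verification code does not match")
		}
		return nil
	}
}

// Verify runs the selected policies (one, several or all) in order and creates the
// identity object only when every one of them passes; the first failure is reported.
func Verify(li LoginInfo, policies ...Policy) (*Identity, error) {
	for _, p := range policies {
		if err := p(li); err != nil {
			return nil, err
		}
	}
	return &Identity{User: li.Account}, nil
}

func main() {
	// Constructed sample: one unlocked account, 2FA switched on.
	accounts := map[string]StoredAccount{"alice": {PasswordHash: HashPassword("correct horse")}}
	code, _ := GenerateCode() // in the real flow this is sent to the user's component
	li := LoginInfo{Account: "alice", Password: "correct horse", OTP: code}
	id, err := Verify(li, LockPolicy(accounts), PasswordPolicy(accounts), TwoFactorPolicy(true, code))
	fmt.Println(id, err) // &{alice} <nil>
}
```

Running the lock check before the password check means a locked account is refused without the password ever being compared, which is the "locked, password correct, verification not passed" case of the text; a different selection of policies simply passes a different list to `Verify`.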
303. Under the condition that the security verification result indicates that verification is passed, a user identity component object is created and the security verification result is output.
In the embodiment of the application, if the security verification result obtained from the above security verification indicates that verification is passed, a k8s user identity object may be created on the system and the security verification result may be output.
In some embodiments, all of the above security verification processes may be implemented through the flowchart shown in fig. 5. As shown in fig. 5: the user component updates the session time in a CM (K8S configMap, a way of storing data on K8S) for the session-server, and the session-server checks whether the session duration has timed out by reading the local CM (that is, the session authentication policy); a client component requests the security policy, the security policy is returned to the client component, and the client component checks the access IP setting policy (that is, the access address authentication policy); the oauth-server requests the user component to authenticate the user password, and the user component itself verifies the account locking policy and the password verification policy (that is, the password authentication policy and the account locking authentication policy); the user component returns the authentication result to the oauth-server, the oauth-server checks whether the returned result allows user information to be returned to the front end and passes it to the con-server, and the con-server judges whether the current identity provider has two-factor authentication enabled and informs the web browser; the web browser sends a verification code to the oauth-server; the oauth-server sends a verification code to the user component; the front end of the web browser inputs the verification code to the back-end oauth-server for verification; the oauth-server verifies the verification code against the user component; when the oauth-server verification succeeds, a k8s user identity object is created; and the oauth-server sends the verification result to the web browser.
In some embodiments, in the OpenShift user system, the user component is further extended to support implementation of security policies, storage of password information, and the like. As shown in fig. 6, compared with the original OpenShift user frame diagram shown in fig. 1, the gray components are added: the user frame diagram now includes a user group role component, a user security policy setting module and a custom identity providing module, where the user security policy setting module stores the target security policy and the custom identity providing module stores the login information base.
According to the login verification method based on OpenShift software, a target security policy of a user component is obtained, and target login information is extracted from a login information base; security verification is performed on the target login information according to the target security policy to obtain a security verification result; under the condition that the security verification result indicates that verification is passed, a user identity component object is created and the security verification result is output; the target security policy comprises at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy. According to the scheme, at least five security verification strategies related to user login are introduced, and the newly added security authentication adds at least one layer of protection to the whole system, so that the security of the OpenShift native user system can be effectively improved.
As shown in fig. 7, an embodiment of the present application provides a login verification device based on OpenShift software, which may include:
the obtaining module 701 is configured to obtain a target security policy of the user component, and extract target login information from the login information base;
the processing module 702 is configured to perform security verification on the target login information according to the target security policy, so as to obtain a security verification result;
the processing module 702 is further configured to create a user identity component object and output a security verification result if the security verification result indicates that verification is passed;
the target security policy comprises: at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy.
In some embodiments, the processing module 702 is further configured to create a login information base;
the obtaining module 701 is further configured to obtain login information input by the user through a preset interface when a login information update operation of the user is detected;
the processing module 702 is further configured to store login information in the login information base to update the login information base.
In some embodiments, the obtaining module 701 is specifically configured to obtain a session duration of the user component;
the processing module 702 is specifically configured to compare the session duration with a preset session duration threshold to obtain a comparison result, and determine the comparison result as a security verification result.
In some embodiments, the obtaining module 701 is specifically configured to obtain an access address of the user component;
the processing module 702 is specifically configured to determine that the security verification result is verification pass when the access address is in an address range where access is allowed;
the processing module 702 is specifically configured to determine that the security verification result is verification failed when the access address is in the address range where access is prohibited.
In some embodiments, the processing module 702 is specifically configured to determine target account information and target password information from the target login information;
the processing module 702 is specifically configured to determine that the security verification result is verification pass when it is detected that the target account information is not in a locked state and the target password information matches the pre-stored password information.
In some embodiments, the processing module 702 is specifically configured to send the target verification code information to the user component when the two-factor authentication is detected to be in the on state;
the processing module 702 is specifically configured to receive a verification code to be authenticated input by a user;
the processing module 702 is specifically configured to determine that the security verification result is verification pass when the verification code to be authenticated matches the target verification code information.
In some embodiments, the processing module 702 is further configured to create a user security policy setting module in the user system architecture, and a custom identity providing module;
the user security policy setting module stores a target security policy, and the user defined identity providing module stores a login information base.
In this embodiment of the present application, each module may implement the login verification method based on OpenShift software provided in the foregoing method embodiment and may achieve the same technical effect; to avoid repetition, details are not repeated here.
As shown in fig. 8, an embodiment of the present application further provides an electronic device, where the electronic device may include:
a memory 801 storing executable program code;
a processor 802 coupled to the memory 801;
the processor 802 invokes the executable program code stored in the memory 801 to execute the login verification method based on OpenShift software executed by the electronic device in the above method embodiments.
The embodiment of the application provides a computer readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements each process of the login verification method based on OpenShift software in the above method embodiment and can achieve the same technical effect; to avoid repetition, details are not repeated here.
The embodiment of the application further provides a computer program product storing a computer program; when executed by a processor, the computer program realizes each process of the login verification method based on OpenShift software in the method embodiment and can achieve the same technical effect; to avoid repetition, no redundant description is provided herein.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In this application, the processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSPs), application specific integrated circuits (Application Specific Integrated Circuit, ASICs), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
In the present application, the memory may include volatile memory, random Access Memory (RAM), and/or nonvolatile memory in a computer readable medium, such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
In this application, it will be understood by those skilled in the art that all or part of the steps in the various methods of the above embodiments may be implemented by a program to instruct related hardware, and the program may be stored in a computer readable storage medium, including permanent and non-permanent, removable and non-removable storage media. Storage media may embody any method or technology for storage of information, which may be computer readable instructions, data structures, program modules, or other data. Examples of storage media for a computer include, but are not limited to, phase change Memory (Parallel Random Access Memory, PRAM), static random access Memory (Static Random Access Memory, SRAM), dynamic random access Memory (Dynamic Random Access Memory, DRAM), programmable Read Only Memory (Programmable Read-Only Memory, PROM), erasable programmable Read Only Memory (Erasable Programmable Read Only Memory, EPROM), other types of random access Memory (Random Access Memory, RAM), read-Only Memory (ROM), one-time programmable Read Only Memory (OTPROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash Memory or other Memory technology, read Only Memory (Compact Disc Read-Only Memory, CD-ROM), digital Versatile Disk (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission media, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. Those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments and that the acts and modules referred to are not necessarily required in the present application. The above embodiments are not necessarily independent embodiments, and the separation into the embodiments is merely used to highlight different technical features in different embodiments, and those skilled in the art should appreciate that the above embodiments may be combined arbitrarily.
In various embodiments of the present application, it should be understood that the size of the sequence numbers of the above processes does not mean that the execution sequence of the processes is necessarily sequential, and the execution sequence of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units described above, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-accessible memory. Based on such understanding, the technical solution of the present application, or a part contributing to the prior art or all or part of the technical solution, may be embodied in the form of a software product stored in a memory, including several requests for a computer device (which may be a personal computer, a server or a network device, etc., in particular may be a processor in the computer device) to perform part or all of the steps of the above-mentioned method of the various embodiments of the present application.
The foregoing is merely a specific embodiment of the application to enable one skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A login verification method based on openshift software, the method comprising:
acquiring a target security policy of a user component, and extracting target login information from a login information base;
according to the target security policy, performing security verification on the target login information to obtain a security verification result;
under the condition that the security verification result indicates that verification is passed, a user identity component object is created, and the security verification result is output;
wherein the target security policy comprises: at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy.
2. The method of claim 1, wherein prior to obtaining the target security policy for the user component and extracting the target login information from the login information repository, the method further comprises:
creating the login information base;
when the login information updating operation of the user is detected, acquiring login information input by the user through a preset interface;
and storing the login information into the login information base so as to update the login information base.
3. The method according to claim 1, wherein the performing security verification on the target login information according to the target security policy, to obtain a security verification result, includes:
acquiring the session time of the user component;
and comparing the session duration with a preset session duration threshold to obtain a comparison result, and determining the comparison result as the security verification result.
4. The method according to claim 1, wherein the performing security verification on the target login information according to the target security policy, to obtain a security verification result, includes:
acquiring an access address of the user component;
when the access address is in the address range allowing access, determining that the security verification result is verification passing;
and when the access address is in the address range of access prohibition, determining that the security verification result is verification failure.
5. The method according to claim 1, wherein the performing security verification on the target login information according to the target security policy, to obtain a security verification result, includes:
determining target account information and target password information from the target login information;
and under the condition that the target account information is detected not to be in a locking state and the target password information accords with the pre-stored password information, determining that the security verification result is verification passing.
6. The method according to claim 1, wherein the performing security verification on the target login information according to the target security policy, to obtain a security verification result, includes:
when the double-factor authentication is detected to be in an open state, sending target verification code information to a user component;
receiving a verification code to be authenticated input by a user;
and when the verification code to be authenticated accords with the target verification code information, determining that the security verification result is verification passing.
7. The method according to any one of claims 1 to 6, further comprising:
creating a user security policy setting module and a user-defined identity providing module in a user system architecture;
the user security policy setting module stores the target security policy, and the user defined identity providing module stores the login information base.
8. A login verification device based on openshift software, comprising:
the acquisition module is used for acquiring a target security policy of the user component and extracting target login information from the login information base;
the processing module is used for carrying out security verification on the target login information according to the target security policy to obtain a security verification result;
the processing module is further used for creating a user identity component object and outputting the security verification result when the security verification result indicates that verification is passed;
wherein the target security policy comprises: at least one of a password authentication policy, a session authentication policy, an account locking authentication policy, a two-factor authentication policy, and an access address authentication policy.
9. An electronic device, comprising:
a memory storing executable program code;
and a processor coupled to the memory;
the processor invokes the executable program code stored in the memory for performing the openshift software-based login authentication method according to any one of claims 1 to 7.
10. A computer-readable storage medium, comprising: computer instructions stored on the computer readable storage medium, which when executed by a processor, implement the openshift software-based login authentication method according to any one of claims 1 to 7.
CN202311650487.3A 2023-12-01 2023-12-01 Login verification method and device, electronic equipment and storage medium Pending CN117609980A (en)

Publications (1)

Publication Number Publication Date
CN117609980A true CN117609980A (en) 2024-02-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination