JP7423826B1 - Settings management system and settings management method - Google Patents

Abstract

The present invention provides a settings management system and a settings management method for efficiently and accurately managing usage settings of multiple tenants in a cloud service. [Solution] A cloud 20 includes a common function unit that includes individual update units ST2 and ST3 provided in individual function units 23 of a plurality of tenants, and a common update unit ST1 associated with the individual update units ST2 and ST3 of each tenant. 22. Furthermore, the cloud 20 acquires new master authority information, specifies generalization points in the master authority information, creates an update template for defining authority information, and supplies it to the common function unit 22 for provisioning. A section C1 is provided. Then, the common function unit 22 distributes the update template to the individual update units ST2 and ST3 of each individual function unit 23, and the individual update unit of each tenant uses the update template to provide authority information according to each tenant. Update. [Selection diagram] Figure 3

Description

The present disclosure relates to a configuration management system and a configuration management method for managing configuration information when using a cloud service.

Services using cloud computing are provided (for example, see Non-Patent Document 1). This service is known as "AWS (registered trademark)" and "Amazon Web Services (registered trademark)." With the cloud computing described in this document, services such as servers, storage, databases, and software can be used via the Internet. Then, SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) can be realized. For example, by constructing a virtual server (virtual computing environment) using IaaS, applications executed on the cloud are provided to users as a service.

CloudFormation can be used to manage static resources on AWS. With this CloudFormation, the state of AWS resources can be defined using a text file (CloudFormation template) that follows a predetermined grammar. The CloudFormation template is written in a data format such as JSON format or YAML format, for example. By using CloudFormation templates, it is possible to describe resource requirements, including access privileges and the hardware configuration realized in the virtual environment. In this way, "IaC (Infrastructure as Code)" is realized in which hardware (resources) is managed by being described by a program.

Further, with AWS, it is possible to use CDK (AWS Cloud Development Kit: registered trademark). The CDK can efficiently create descriptions of cloud resources by using programming languages such as TypeScript (JavaScript: registered trademark), Python (registered trademark), and Java (registered trademark). CDK functions internally through CloudFormation.

Furthermore, AWS uses AWS Identity and Access Management (IAM). This IAM manages users and groups who can access cloud services and resources. In this IAM, privileges are managed using roles and policies.

CloudFormation templates are managed in a stack, which is a collection of AWS resources. By modifying the template, specifying the stack, and reapplying it, you can change the configuration of your AWS resources. For example, by using CloudFormation templates, IAM can also be managed.

Furthermore, a multi-tenant configuration in which one system is used by multiple user groups may be realized (for example, see Patent Document 1). In the cloud described in this document, the authorization unit grants each user belonging to each tenant the authority to use the system in the tenant.

JP2020-77225A

Amazon Web Services Inc., “Overview of Amazon Web Services”, [online], April 2017, [Retrieved January 10, 2020], Internet <URL: https://d1.awsstatic.com/whitepapers /ja_JP/aws-overview.pdf＞

Among multiple accounts that make up a group, the account may be used by a user department (tenant) that has a parent-child relationship with the supervising department. When multiple child accounts (tenants) use cloud services, it is desirable to manage common usage settings. For example, when applying unified usage settings to tenants, if there are many tenants, it is a heavy burden to perform the task accurately. Furthermore, some usage settings may differ depending on the individual circumstances of the tenant. Furthermore, management of usage settings is updated as appropriate depending on the security environment and service status. Further, the usage setting information for managing each tenant includes resources that include an account ID for identifying an account, a tenant name for uniquely identifying a tenant, and the like. For example, when creating usage setting information for each tenant, if the master file is written in a general expression, the general expression part needs to be replaced with information indicating the tenant. In this way, it takes time and effort to perform individual tasks when updating usage settings for each tenant.

A configuration management system that solves the above problems has an individual update section provided in the individual function sections of multiple tenants, a common function section that has a common update section associated with the individual update section of each tenant, and master setting information. a provisioning unit that newly acquires, specifies generalized locations in the master setting information, creates an update template for defining usage setting information, and supplies the same to the common function unit; The functional unit distributes the update template to the individual update unit of each tenant, and the individual update unit of each individual function unit uses the update template to update usage setting information according to each tenant. .

According to the present invention, usage settings of multiple tenants can be managed efficiently and accurately in a cloud service.

It is a system schematic diagram of an embodiment. FIG. 2 is an explanatory diagram of a hardware configuration example of the embodiment. It is an explanatory diagram of a processing procedure of an embodiment. It is an explanatory diagram of a processing procedure of an embodiment. It is an explanatory diagram of a processing procedure of an embodiment.

An embodiment of a configuration management system and a configuration management method will be described below with reference to FIGS. 1 to 5. In this embodiment, it is assumed that when AWS is used in a parent-child relationship (supervisory department, user department), a parent account centrally manages the usage settings of multiple child accounts (tenants). In this embodiment, authority management is set as the usage setting.

As shown in FIG. 1, this embodiment uses a management terminal 10, a user terminal 15, and a cloud 20 that are connected via a network.
(Hardware configuration example)
FIG. 2 is an example of the hardware configuration of the information processing device H10 that functions as the management terminal 10, the user terminal 15, the cloud 20, etc.

The information processing device H10 includes a communication device H11, an input device H12, a display device H13, a storage device H14, and a processor H15. Note that this hardware configuration is just an example, and other hardware may be included.

The communication device H11 is an interface that establishes a communication path with other devices and sends and receives data, and is, for example, a network interface or a wireless interface.

The input device H12 is a device that receives user input, and is, for example, a mouse, a keyboard, or the like.
The display device H13 is a display, touch panel, or the like that displays various information.

The storage device H14 stores data and various programs for executing various functions of the management terminal 10, the user terminal 15, and the cloud 20. Examples of the storage device H14 include ROM, RAM, hard disk, and the like.

The processor H15 controls each process in the management terminal 10, user terminal 15, and cloud 20 using programs and data stored in the storage device H14. Examples of the processor H15 include a CPU and an MPU. This processor H15 expands a program stored in a ROM or the like into a RAM and executes various processes corresponding to various processing. For example, when the application programs of the management terminal 10, the user terminal 15, and the cloud 20 are started, the processor H15 operates a process that executes each process described below.

The processor H15 is not limited to performing software processing for all processes that it executes. For example, the processor H15 may include a dedicated hardware circuit (for example, an application-specific integrated circuit: ASIC) that performs hardware processing for at least part of the processing that it executes. That is, the processor H15 may be configured as follows.

(1) one or more processors that operate according to a computer program (software); (2) one or more dedicated hardware circuits that execute at least some of the various processes; and (3) a circuit that includes a combination thereof. (circuitry)
The processor H15 includes a CPU and memory such as RAM and ROM, and the memory stores program codes or instructions configured to cause the CPU to execute processing. Memory or computer-readable media includes any available media that can be accessed by a general purpose or special purpose computer.

(Configuration of management terminal 10, user terminal 15, and cloud 20)
The configurations of the management terminal 10, user terminal 15, and cloud 20 will be explained using FIG.
The management terminal 10 is a computer terminal used by an administrator who manages usage settings for multiple tenants. The management terminal 10 accesses the cloud 20 using the authority management account in accordance with instructions from the administrator.

Further, the user terminal 15 is a computer terminal used by each tenant using the cloud 20. This user terminal 15 accesses the cloud 20 using a tenant account in accordance with instructions from the tenant.

The cloud 20 is a computer system (setting management system) that performs authority management (identity management) for each user and provides services such as network management, authority management, log collection, and auditing to each account. This embodiment is implemented using AWS.

The cloud 20 includes an access management section 211, a resource construction section 212, and the like. Furthermore, the cloud 20 includes a common function section 22, an individual function section 23, etc. constructed by an administrator.
The access management unit 211 is a web interface for accessing the cloud 20 from the management terminal 10 and the user terminal 15 to centrally manage it. The access management unit 211 authenticates access from the administrator or each tenant. This access management unit 211 is realized by a management console. Then, the access management unit 211 uses IAM to manage the use of the cloud 20 according to the authority of the accesser.

The resource construction unit 212 is a functional unit that constructs resources of the cloud 20 in JSON format or YAML format. By creating a template of a desired cloud environment using the resource construction unit 212, the time required to create the same environment can be reduced. The resource construction unit 212 is realized by CloudFormation.

The common function unit 22 is a common function for using cloud services, and implements functions such as network management including virtual networks (VPN etc.), authority management, log collection, and auditing.

The common function section 22 includes a provisioning section C1.
The provisioning unit C1 is an open source software development framework for defining cloud application resources using a predetermined programming language (Python in this embodiment). In this embodiment, the provisioning unit C1 is realized by a CDK, which is a development kit, as an IaC tool (configuration management tool). The provisioning unit C1 supplies a template to the common function unit 22. As will be described later, the template generated by the provisioning unit C1 also includes information regarding authority management.

In the authority management process described later, the provisioning unit C1 acquires master authority information recorded in the database within the common function unit 22. The master authority information records basic information regarding generationally managed authority for roles and policies. Then, when acquiring authority change information in which the role or policy has been changed, the provisioning unit C1 updates the master authority information to the next generation master authority information based on the authority change information.

Furthermore, the provisioning unit C1 acquires individual definition information recorded for each tenant in the database within the common function unit 22. In the individual definition information, tenant-specific authority setting information is recorded in each tenant's role.

The individual function unit 23 is a function that realizes the services of each tenant that uses the cloud service. In this case, the individual function unit 23 allows the use of the cloud service within the authority range according to the authority management information (usage setting information) of the authenticated accesser.

Furthermore, in the authority management process to be described later, the individual function unit 23 acquires the account management list recorded in the database within the common function unit 22. Unique information for each tenant (eg, account ID, tenant name), etc. is recorded in the account management book.

(Overview of authority management)
An overview of the authority management process will be explained using FIG. 3.
In this embodiment, usage authority for the cloud 20 is set for each tenant. Therefore, using the provisioning unit C1, the common function unit 22 creates a template TP1 to be used by the resource construction unit 212. Then, authority management is performed using the stack set ST1 (common update section) defined by the template TP1. Note that the stack set ST1 is a collection of stacks used by each tenant.

The stack set ST1 of the common function unit 22 is associated with the stacks ST2 and ST3 (individual update units) of each tenant of the individual function unit 23 in a parent-child relationship. Then, the stack set ST1 distributes the template to the stacks ST2 and ST3 of each tenant. The stacks ST2 and ST3 realize the authority management function of each tenant. This authority management is realized using AWS IAM.

Permission management for each tenant is managed by roles and policies. A role is a user's role in each tenant. In this embodiment, roles to be set for each tenant are determined in advance. Here, for example, three types of roles (service manager, business manager, and developer) are set.

The policy defines the authority to access resources, the authority to use resources, etc.
Then, associate the necessary policies with each role. Thereby, it is possible to specify the role of each tenant accessor, and to specify the usage authority of the cloud 20 based on the policy associated with this role.

(Authority management processing)
Next, policy management processing (FIG. 4) and role management processing (FIG. 5) will be explained. These processes are executed when authority change information is recorded in the database.

(Policy management process)
Policy management processing will be explained using FIG. 4. Here, the provisioning unit C1 implements the policy template generation unit P1.

First, the policy template generation unit P1 executes generalization location identification processing (step S11). Specifically, the policy template generation unit P1 uses the authority change information of the policy to set a part that is set individually for each tenant (a part that differs depending on the tenant) as a generalized part in the master authority information (master setting information). Identify. Here, as the generalization location, for example, a location where an identifier indicating an account ID, tenant name, etc. is written is specified. This generalization location can be specified using a predetermined dictionary or the like.

Next, the policy template generation unit P1 executes a process of changing the expression to one that is rewritten with information for each tenant (step S12). Specifically, the policy template generation unit P1 sets changeable parameters at the generalization location, such as "ACCOUNT_ID" and "TENANT_NAME". This setting can also be performed using a predetermined dictionary or the like. As a result, a common policy template TP10 (update template) is generated.

Next, the common function unit 22 executes a stack set update process common to all tenants (step S13). Specifically, the common function unit 22 updates the common update unit (stack set) using the policy common template TP10.

Next, execute the following process for each tenant.
The individual function unit 23 of tenant [i] executes stack update processing (step S14). Specifically, the individual function unit 23 updates the individual update unit (stack) using the policy common template TP10 distributed in response to the update of the common update unit (stack set). Next, the individual function unit 23 uses the account management book to set unique information for each tenant in the generalized location of the individual update unit.

Next, the individual function unit 23 of tenant [i] updates the authority management policy (step S15). Specifically, the individual function unit 23 uses the individual update unit to update the policy of the authority management information by the resource construction unit 212.

(Manage roles)
An overview of role management processing will be explained using FIG. 5. Here, the provisioning unit C1 implements a role template generation unit P2.

First, the role template generation unit P2 executes generalization location identification processing (step S21). Specifically, the role template generation unit P2 uses the role authority change information to identify a location to be set individually for each tenant (a location that differs for each tenant) in the master authority information as a generalization location. Examples of generalized locations include identifiers such as account IDs and tenant names.

Next, the role template generation unit P2 executes a process of changing the representation to be rewritten with information for each tenant (step S22). Specifically, the role template generation unit P2 sets changeable parameters (for example, "ACCOUNT_ID" and "TENANT_NAME") at the generalization location. As a result, role common definition information TP20 for creating a template is generated.

Next, the provisioning unit C1 executes an individual definition reflection process for each tenant (step S23). Specifically, the provisioning unit C1 acquires individual definition information TP21 for each tenant. Then, the provisioning unit C1 adds individual definition information TP21 to the role common definition information TP20.
For example, when the individual definition information TP21 of tenant [i] is acquired, role template TP22 for tenant [i] is generated.

Next, the common function unit 22 executes stack set update processing (step S24). Specifically, the common function unit 22 distributes the role template TP22 for tenant [i] and updates the common update unit (stack set [i]).

Next, the individual function unit 23 of each tenant [i] executes the stack update process of tenant [i] (step S25). Specifically, the individual function unit 23 updates the individual update unit (stack [i]) using the role template TP22 distributed in response to the update of the common function unit 22 (stack set [i]). . Next, the individual function unit 23 uses the account management book to set unique information for each tenant in the generalized location of the individual update unit.

Next, the individual function unit 23 of each tenant [i] updates the authority management role of tenant [i] (step S26). Specifically, the role of the authority management information is updated by the resource construction unit 212 using the individual update unit.

According to this embodiment, the following effects can be obtained.
(1) In this embodiment, a generalization location identification process (steps S11, S21) and a change process to an expression that can be rewritten with information for each tenant (steps S12, S22) are executed. This makes it possible to set templates for controlling authority management for multiple tenants. As a privilege structure, common control privileges can be granted to each tenant.

(2) In this embodiment, stack set update processing is executed in common to all tenants (step S13). Thereby, templates can be distributed efficiently. Even when applying unified authority to a large number of accounts, the workload can be reduced and work errors can be suppressed.

(3) In this embodiment, stack update processing (step S14) and authority management policy update (step S15) are executed. This makes it possible to set a common policy for related tenants. As a result, in a multi-account environment, each account can be controlled using the same policy.

(4) In this embodiment, an individual definition reflection process is executed for each tenant (step S23). This allows you to define individual permissions in the template even if a tenant requires specific permissions.

(5) In this embodiment, update processing of the stack of tenant [i] (step S25) and update of role of authority management of tenant [i] (step S26) are executed. This allows tenant-specific roles to be set in addition to common roles. In a multi-account environment, each account can, in principle, be controlled by a common role, while allowing the uniqueness of each tenant.

This embodiment can be modified and implemented as follows. This embodiment and the following modified examples can be implemented in combination with each other within a technically consistent range.
- In the above embodiment, the configuration management system was constructed using AWS, but the cloud platform is not limited to AWS.

- In the above embodiment, the provisioning unit C1 executes an individual definition reflection process for each tenant (step S23). Here, a role template is generated, but it may also be applied to a policy template. This allows you to define each tenant's own policy in the template if it is required.

- The above embodiment assumes a case where authority is managed. The scope of application is not limited to authority management, and various functions such as network management, log collection, and auditing provided by the common function unit 22 may be set uniformly for each tenant.

- In the above embodiment, Python is used as the predetermined programming language in the provisioning unit C1. The language is not limited to any language as long as it is easy for the administrator to use.

- In the above embodiment, three types of roles (service manager, business manager, and developer) are set. The types of rolls are not limited to these.
- In the above embodiment, it is assumed that when used in a parent-child relationship (supervising department, user department), a parent account centrally manages the authority of multiple child accounts (tenants). There is no need for an actual parent-child relationship between accounts, and it can be applied when creating a pseudo parent-child relationship between accounts in the form of a common function section and an individual function section. In this case, for example, it is possible to prepare a new account such as a resource management account and make it the parent.
Furthermore, it can also be applied to other IAM resources (users and groups).

- In the above embodiment, the provisioning unit C1 is realized by CDK, but other IaC tools (configuration management tools) may be used. For example, terraform (registered trademark) may be used.

- In the above embodiment, it is possible not only to newly construct the provisioning unit C1, the common function unit 22, and the individual function unit 23, but also to newly convert an already constructed system to IaC. In this case, it can be added later using the import function provided by AWS CloudFormation, for example.

DESCRIPTION OF SYMBOLS 10... Management terminal, 15... User terminal, 20... Cloud, 211... Access management section, 212... Resource construction section, 22... Common function section, 23... Individual function section, C1... Provisioning section, TP21... Individual definition information.

Claims (5)

An individual update department established in the individual functional departments of multiple tenants,
a common function section having a common update section associated with the individual update section of each tenant;
a provisioning unit that newly acquires master setting information, identifies generalized locations in the master setting information, creates an update template for defining usage setting information, and supplies the template to the common function unit; Prepare,
The common function unit distributes the update template to the individual update units of each of the individual function units,
A settings management system characterized in that the individual update unit of each tenant updates usage setting information according to each tenant using the update template. The provisioning unit,
Obtain the individual definition information of each tenant,
2. The settings management system according to claim 1, wherein the update template is created for each tenant using the individual definition information. The usage setting information includes authority information of each tenant,
The authority information includes a policy and a role to which the policy is applied,
3. The settings management system according to claim 2, wherein the provisioning unit uses the individual definition information to create the update template for updating at least one of the role and policy for each tenant. 4. The settings management system according to claim 3, wherein the provisioning unit creates the update template for updating the policy common to all tenants. An individual update department established in the individual functional departments of multiple tenants,
a common function section having a common update section associated with the individual update section of each tenant;
a provisioning unit that newly acquires master setting information, identifies generalized locations in the master setting information, creates an update template for defining usage setting information, and supplies the template to the common function unit; A method of performing authority management using a settings management system equipped with
The common function unit distributes the update template to the individual update units of each of the individual function units,
A settings management method characterized in that the individual update unit of each tenant updates usage setting information according to each tenant using the update template.

Images