WO2011070676A1 - Information processing apparatus, control method for information processing apparatus, control program for information processing apparatus and control program for system control device - Google Patents

Information processing apparatus, control method for information processing apparatus, control program for information processing apparatus and control program for system control device

Info

Publication number
WO2011070676A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
information
processing device
user information
processing apparatus
Prior art date
Application number
PCT/JP2009/070761
Other languages
English (en)
Japanese (ja)
Inventor
浩二 成廣
Original Assignee
富士通株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 富士通株式会社
Priority to PCT/JP2009/070761
Publication of WO2011070676A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the technology disclosed in this specification relates to an information processing apparatus, a control method for the information processing apparatus, a control program for the information processing apparatus, and a control program for the system control apparatus.
  • Hardware resources including computing resources such as a CPU (Central Processing Unit) as an arithmetic processing unit possessed by a server as an information processing device or a system board (System Board) as a processing device are logically divided into a plurality of partitions.
  • a partitioning technique for constructing an independent OS (Operating System) environment in each partition is known.
  • the server divided into a plurality of partitions has a system control device such as a service processor (SVP) that monitors and controls hardware resources.
  • SVP: service processor
  • Each partition is provided with a monitoring agent that assists the function of the system control device.
  • the monitoring agent acquires the usage status of hardware resources by the partition in which the monitoring agent is installed, and notifies the usage status to the system control device via a control line connected to the system control device.
  • the system control device monitors and controls hardware resources.
  • the partition and the system control apparatus have independent user authentication functions, and manage users based on independent user information.
  • the user needs to log into the system control device and the OS on the partition separately.
  • the above-described technique has a problem that the workload of an administrator who manages user information in the server increases according to the number of partitions on the server and the number of users. For example, when a user is added or deleted, the administrator must change user information in the partition and the system control device.
  • the present invention has been made to solve the above-described problems, and its purpose is to provide an information processing apparatus that can easily change user information, a control method for the information processing apparatus, a control program for the information processing apparatus, and a control program for the system control apparatus.
  • An information processing device includes a plurality of first processing devices each having an arithmetic processing device, and a second processing device that controls the arithmetic processing devices included in each of the plurality of first processing devices.
  • the first processing device of any one of the plurality of first processing devices includes first user information indicating a first user who has an access right to the first processing device.
  • the one first processing device includes a first storage unit that stores the first user information; a first determination unit that, when second user information indicating a second user is input, determines, based on the second user information and the first user information, whether or not to permit access to the one first processing device by the second user; a detection unit that detects a change in the first user information in the first storage unit; and a first transmission unit that, when the detection unit detects a change in the first user information, transmits change information indicating the content of the change to the second processing device.
  • the second processing device includes a second storage unit that stores third user information indicating a third user who has authority to access the second processing device; a second determination unit that, when fourth user information indicating a fourth user is input, determines whether or not to permit access to the second processing device by the fourth user based on the fourth user information and the third user information; a first receiving unit that receives the change information transmitted from the first transmission unit; and a first updating unit that updates the third user information in the second storage unit based on the change information received by the first receiving unit.
  • the control program for the information processing device is a control program for an information processing device having an arithmetic processing device, and causes the information processing device to execute: when first user information indicating a first user is input, determining whether or not to permit access to the information processing device by the first user based on the first user information and second user information, stored in a first storage unit, indicating a second user who has authority to access the information processing device; detecting a change of the second user information in the first storage unit; and, when a change of the second user information is detected, transmitting change information indicating the content of the change to the system control device that controls the arithmetic processing device included in the information processing device.
  • the control program of the system control device is a control program of a system control device that controls the arithmetic processing devices included in each of a plurality of information processing devices, and causes the system control device to execute: when first user information indicating a first user is input, determining whether or not to permit access to the system control device by the first user based on the first user information and second user information, stored in a first storage unit, indicating a second user having access authority to the system control device; and the first ... stored in the second storage unit of any one of the plurality of information processing devices.
  • the user information can be easily changed.
  • FIG. 1 is a block diagram illustrating a hardware configuration of a server as an information processing apparatus according to an embodiment.
  • the server 1 includes an SVP 11, SBs (System Boards) 12A to 12N, IOBs (I/O Boards) 13A to 13B, and an HDD (Hard Disk Drive) 14.
  • the SVP 11 is connected to the SBs 12A to 12N and the HDD 14 through control lines.
  • the SVP 11 exchanges user information, which will be described later, with the SBs 12A to 12N via the control line.
  • the SVP 11 is connected to a console 2 as a terminal device outside the server 1 and a network.
  • the SBs 12A to 12N and the IOBs 13A to 13N are connected via a bus, and the IOBs 13A to 13N are connected to a network.
  • the server 1 logically divides the SBs 12A to 12N, the IOBs 13A to 13N, and the HDD 14 into a plurality of partitions according to a user definition, and constructs an independent OS environment for each. For example, the server 1 combines the SBs 12A to 12B, the IOBs 13A to 13C, and the HDD 14 to construct a partition that is operated using one OS. Note that the user sets the number of partitions, and how many SBs and IOBs are used to construct each partition, as appropriate.
  • the SVP 11 realizes a system control device that controls and monitors hardware resources such as the SBs 12A to 12N.
  • the SVP 11 has a CPU 111 and a memory 112.
  • the SVP 11 acquires input information such as a user account and a password input by the user to the console 2. Further, the SVP 11 acquires input information input by a user to an external terminal device via a network.
  • the SBs 12A to 12N have a CPU 121 and a memory 122. Input information and the like are input to the IOBs 13A to 13N from the network.
  • the SBs 12A to 12N obtain input information and the like from the IOBs 13A to 13N via the bus.
  • the HDD 14 stores a plurality of OSs operated on the partition, user information, and the like.
  • FIG. 2 is a diagram for explaining the partitions in the server 1 and the system control apparatus according to the embodiment.
  • the partition 41A includes an OS 411A, a user authentication unit 412A and a monitoring agent unit 413 operating on the OS 411A, user information 414A used for user authentication, and a user information save file 415A.
  • the OS 411A preferably has a user information change notification function for sending a user information change notification indicating the change of the user information 414A to the monitoring agent unit 413 when the user information 414A is changed.
  • the OS 411A is, for example, Linux (registered trademark), which has an inotify function for monitoring events in the file system.
  • the partitions 41B to 41N have the same configuration as that of the partition 41A, but the SBs 12A to 12N and IOBs 13A to 13N constituting the partitions are different.
  • the SB and IOB for constructing each partition are different, but one partition may be constructed by a plurality of SBs and IOBs. A plurality of partitions may be constructed by the same SB and IOB.
  • the OSs 411A to 411N, the user authentication units 412A to 412N, the user information save files 415A to 415N, and the user information 414A to 414N are different from each other. Note that these may be the same or only part of the partitions may be the same.
  • the user authentication units 412A to 412N are realized by the cooperation of the CPU 121 and the memory 122, and have user authentication functions that the OSs 411A to 411N support as standard.
  • User authentication units 412A to 412N accept user operations such as login (access) to a partition from a terminal device connected to the network or from the hardware that builds the partition, and determine whether or not the user can log in. For example, assume that a user logs in to (accesses) the partition 41A. In this case, the user authentication unit 412A performs user authentication based on the input information input by the user and the user information 414A, using the user authentication function.
  • the user may access the user authentication units 412A to 412N by any method. If the user can select and configure it in advance, communication other than via the network may be chosen for accessing the user authentication units 412A to 412N.
  • the monitoring agent unit 413 is realized by the cooperation of the CPU 121 and the program stored in the memory 122, acquires the usage status of the hardware resources that construct the partitions 41A to 41N, and notifies the usage status to the system control device 5 via the control line connected to it. In addition, the monitoring agent unit 413 transmits data such as the user information 414A to the system control device 5 via the control line. The monitoring agent unit 413 also generates and updates the user information save file 415A.
  • the system control device 5 is realized by the SVP 11 and includes a user authentication unit 51 and user information 52 used for user authentication.
  • the user authentication unit 51 is realized by the cooperation of the CPU 111 and a program stored in the memory 112.
  • the user authentication unit 51 performs user authentication processing for determining whether or not the user can be authenticated based on the input information input by the user and the user information 52.
  • the user authentication unit 51 makes an authentication request, which will be described later, to the user authentication units 412A to 412N using the user account and password of the user who logs in to the system control device 5.
  • the user authentication unit 51 accesses the user authentication units 412A to 412N via the network.
  • FIG. 3 is a diagram for explaining the user information 414A in the partition 41A.
  • the user information 414A is information indicating a plurality of users having access authority to the partition 41A.
  • the user information 414A has individual information used for user authentication of the plurality of users.
  • the individual information includes valid / invalid information indicating whether or not the individual information is valid, a user account for logging in to the partition 41A, and user detailed information.
  • the user detailed information includes authority information indicating a user authority capable of logging in to the system control device 5, a password for logging in to the partition 41A, and attached information.
  • Examples of the attached information include a user name, a telephone number, and an expiration date when the user can log in to the partition. Note that the format of the user information 414A to 414N differs depending on the type of OS, user authentication unit, etc. of the partitions 41A to 41N.
  • FIG. 4 is a diagram for explaining the user information save file 415A.
  • the user information save file 415A has the user accounts of a plurality of users having access authority to the partition 41A. Specifically, it holds only those user accounts that are associated with authority information in the user information 414A.
  • the user information save files 415B to 415N have user accounts associated with authority information among users who can log in to the partition.
  • the user information save files 415A to 415N are preferably set so that they cannot be changed by the user.
  • the user information 414A to 414N and the user information saving files 415A to 415N are stored in the storage area of the HDD 14 that constructs each partition.
  • the individual information of the user information 414A to 414N and the contents of the user information save files 415A to 415N are different from each other.
  • the user information 414A to 414N and the user information save files 415A to 415N may be stored in the memory 122.
  • FIG. 5 is a diagram for explaining the user information 52 in the system control device 5.
  • the user information 52 is information indicating a plurality of users having access authority to the system control device 5.
  • the user information 52 includes individual information used for user authentication of the plurality of users.
  • the individual information is information indicating a user account, valid / invalid information, a partition number that is an identifier indicating a partition to which the user of the individual information belongs, a user account for logging in to the system control device 5, and a user Detailed information.
  • the user detailed information includes authority information, a password for logging in to the system control device 5, and attached information.
  • the attached information includes, for example, a user name, a telephone number, and an expiration date when the user can log in to the system control device 5.
  • when the user does not belong to any of the partitions 41A to 41N, “0”, indicating that the user does not belong to a partition, is set as the partition number. Alternatively, if the user does not belong to any of the partitions 41A to 41N, the partition number may be omitted from the individual information.
  • the user account and password when logging in to the partition 41A of the user associated with the authority information are the same as the user account and password when logging in to the system control device 5.
  • the user information 52 is assumed to be stored in the HDD 14. Note that the user information 52 may be stored in the memory 112.
  • FIG. 6 is a diagram for explaining the operation of the partition 41A and the system control device 5.
  • the administrator 81 has authority to install the OS 411 and the monitoring agent unit 413, and to add and delete user information to the partition 41A.
  • the user 82 has an access right to log in to the partition 41A or the system control device 5.
  • the user authentication processing performed by the user authentication unit 51 differs depending on the state of the partition 41A to which the user 82 belongs.
  • the stopped state is a state in which the SBs 12A to 12N and IOBs 13A to 13N that construct the partition are stopped.
  • the state (1) will be described. In the state (1), the user 82 does not yet have a user account in the partition 41A and the system control device 5.
  • the monitoring agent unit 413 reads the user information 414A.
  • the user information 414A is generated by the administrator 81 at the time of installation. Further, the user information 414A may be stored in advance in the storage area of the HDD 14 that constructs the partition 41A.
  • After reading, the monitoring agent unit 413 generates the user information save file 415A based on the read user information 414A.
  • the monitoring agent unit 413 transmits a part of the user information 414A, such as the user account and authority information, to the user authentication unit 51, and the user authentication unit 51 updates the user information 52 based on the received part of the user information 414A and the partition number of the partition 41A to which the transmitting monitoring agent unit 413 belongs.
  • the user authentication unit 51 searches the user information 52 when access from the user 82, that is, input information, is received. After the search, it checks whether or not the partition 41A having the partition number corresponding to the user account of the input information is in operation. When that partition 41A is in operation, the user authentication unit 51 sends an authentication request to the user authentication unit 412A via the network or control line using the user account and password of the input information. The authentication request carries the user account and password of the input information. The user authentication unit 412A searches the user information 414A in response to the authentication request from the user authentication unit 51, and authenticates the user account and password when the user account and password indicated in the authentication request are in the user information 414A. After the authentication, the user authentication unit 51 permits the user 82 to log in to the system control device 5 and writes the password input by the user 82 into the user information 52.
  • the administrator 81 may additionally register user information such as the user account, authority information, and password of the user 82 in the system control device 5.
  • the user authentication unit 51 searches the user information 52 based on the input information from the user 82 and determines whether or not to log in.
  • the user authentication unit 51 searches the user information 52 when input information is input from the user 82. After the search, it checks whether or not the partition 41A having the partition number corresponding to the user account of the input information is in operation. When that partition 41A is not in operation, the user authentication unit 51 acquires the password from the user information 52 and compares it with the password of the input information. When the password input by the user 82 matches the password in the user information 52, the user authentication unit 51 authenticates the user 82 and permits the user 82 to log in.
  • the user authentication unit 51 searches the user information 52 when input information is input from the user 82. After the search, it determines whether or not the partition 41A having the partition number corresponding to the user account of the input information is in operation. When that partition 41A is in operation, the user authentication unit 51 sends an authentication request to the user authentication unit 412A via the network using the user account and password of the input information.
  • the user authentication unit 412A searches the user information 414A in response to the authentication request from the user authentication unit 51, and authenticates the user account and password when the user account and password indicated in the authentication request are in the user information 414A. After the authentication, the user authentication unit 51 permits the user 82 to log in to the system control device 5 and writes the password input by the user 82 into the user information 52.
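The partition-state cases above (delegate to the partition's authentication unit while it is in operation, compare against the locally held password while it is stopped, write the password back after a delegated success) fit together as one decision routine. The following Python is an added example, not code from the patent or from Fujitsu: the class names PartitionAuthUnit and SystemControlDevice, the record layout, and the sample accounts are assumptions, and the authentication request is modelled as a direct method call rather than a message over the network or control line.

```python
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass
class PartitionAuthUnit:
    """Hypothetical model of a partition's user authentication unit (412A)
    together with its user information (414A): account -> record."""
    users: Dict[str, dict]

    def authenticate(self, account: str, password: str) -> bool:
        # The authentication request succeeds only when the account/password
        # pair is present (and valid) in the partition's own user information.
        rec = self.users.get(account)
        if rec is None or not rec["valid"]:
            return False
        return hmac.compare_digest(rec["password"], password)


@dataclass
class SystemControlDevice:
    """Hypothetical model of the SVP side: user authentication unit 51 plus
    user information 52 (account -> record carrying a partition number)."""
    partitions: Dict[int, PartitionAuthUnit]   # partition number -> its auth unit
    running: Dict[int, bool]                   # partition number -> in operation?
    user_info: Dict[str, dict]                 # user information 52

    def login(self, account: str, password: str) -> bool:
        rec = self.user_info.get(account)
        if rec is None or not rec["valid"]:
            return False                       # unknown or invalidated account
        pn = rec["partition"]
        if pn != 0 and self.running.get(pn, False):
            # Partition in operation: delegate the decision to the partition
            # by sending it an authentication request (a method call here).
            if not self.partitions[pn].authenticate(account, password):
                return False
            # After a successful delegated login the SVP records the password
            # so the user can still log in while the partition is stopped.
            rec["password"] = password
            return True
        # Partition stopped, or account belongs to no partition (number 0):
        # compare against the password held in user information 52.
        stored = rec.get("password")
        return stored is not None and hmac.compare_digest(stored, password)


def build_demo() -> SystemControlDevice:
    """Constructed sample data: one running partition, one SVP-only account."""
    partition_1 = PartitionAuthUnit(users={
        "alice": {"valid": True, "password": "pw-alice", "authority": True},
    })
    return SystemControlDevice(
        partitions={1: partition_1},
        running={1: True},
        user_info={
            # synchronised from partition 1: account and authority only, no password yet
            "alice": {"valid": True, "partition": 1, "password": None, "authority": True},
            # registered directly on the SVP by the administrator
            "bob": {"valid": True, "partition": 0, "password": "pw-bob", "authority": True},
        },
    )


def run_scenarios() -> Dict[str, bool]:
    """Login outcomes across the partition states; returned for checking."""
    svp = build_demo()
    out = {}
    out["alice_running_ok"] = svp.login("alice", "pw-alice")   # delegated -> permit
    out["alice_running_bad"] = svp.login("alice", "wrong")     # delegated -> deny
    svp.running[1] = False                                      # partition stopped
    out["alice_stopped_ok"] = svp.login("alice", "pw-alice")   # local copy -> permit
    out["alice_stopped_bad"] = svp.login("alice", "wrong")     # local copy -> deny
    out["bob_local"] = svp.login("bob", "pw-bob")              # partition 0 -> permit
    out["unknown"] = svp.login("carol", "anything")            # not in 52 -> deny
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'permit' if ok else 'deny'}")
```

An account that has only been synchronised from a partition (password still None) is denied while that partition is stopped, because the SVP writes the password into the user information 52 only after a successful delegated login; that is the ordering the description gives. The description keeps passwords in clear; a deployment would store a password hash in the user information 52 and verify against it in the stopped-partition branch, and the constant-time comparison above stands in for that check.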
  • the change of the user information 414A performed by the administrator 81 or the user 82 includes the following three types: (1) addition of individual information, (2) deletion of individual information, and (3) change of user detailed information. First, (1) addition of individual information will be described.
  • the monitoring agent unit 413 monitors whether the user information 414A has been changed.
  • the monitoring agent unit 413 determines that the user information 414A has been changed.
  • the change content of the user information is addition of individual information of the user 82.
  • the authority of an administrator who can add and delete individual information is set in the partition 41A, and the administrator 81 performs setting with this administrator authority.
  • when the monitoring agent unit 413 determines that individual information has been added, the monitoring agent unit 413 transmits additional information including the user account of the user 82 and the authority information to the user authentication unit 51 via the control line, and updates the user information save file 415A.
  • the user authentication unit 51 that has received the additional information adds the user account and authority information indicated in the additional information to the user information 52.
  • the user 82 can log in to the system control device 5.
  • the user 82 can log in to the partition 41A.
  • the login to the system control device 5 is the same processing as that in the above-described partition state (3) when the partition is in operation, and the description thereof will be omitted.
  • the monitoring agent unit 413 or the user authentication unit 51 may notify the administrator 81 that the addition of the individual information has ended after the addition of the individual information has been completed.
  • the administrator 81 logs into the partition 41A and deletes the individual information of the user 82.
  • the monitoring agent unit 413 determines that the user information 414A has been changed.
  • the user authentication unit 51 receives the deletion information including the user account and authority information of the individual information of the deleted user 82 via the control line.
  • the user information save file 415A is updated.
  • the user authentication unit 51 that has received the deletion information deletes the individual information from the user information 52.
  • the change of the user detailed information includes a change of authority information and a password.
  • the change of authority information is addition or deletion of authority information.
  • the administrator 81 logs in to the partition 41A and changes the authority information of the user 82.
  • the monitoring agent unit 413 determines that the user information 414A has been changed.
  • the monitoring agent unit 413 transmits additional information including the user account of the user 82 and the authority information to the user authentication unit 51 via the control line, and updates the user information save file 415A.
  • the process of the user authentication unit 51 that has received the additional information is the same process as (1) addition of individual information in the change of the user information 414A described above, and thus the description thereof is omitted.
  • when the monitoring agent unit 413 determines that the change content is deletion of authority information, the monitoring agent unit 413 sends authority deletion information including the user account of the user 82 and the authority information to be deleted to the user authentication unit 51 via the control line.
  • the user information save file 415A is updated.
  • the user authentication unit 51 that has received the authority deletion information deletes the authority information of the user account in the user information 52.
  • the changed authority information in the user information 52 becomes valid from the next login to the system control device 5.
  • the user 82 logs in to the partition 41A and changes the password. After changing the password, the user 82 logs in to the system control device 5 with the changed new password.
  • the user authentication unit 51 searches the user information 52. After the search, it is checked whether or not the partition 41A having the partition number corresponding to the user account of the input information is in operation. If it is in operation, the user authentication unit 51 transmits an authentication request to the user authentication unit 412A via the network using the user account and password of the input information.
  • the user authentication unit 412A searches the user information 414A in response to the authentication request from the user authentication unit 51, and authenticates the user account and password when the user account and password indicated in the authentication request are in the user information 414A.
  • the user authentication unit 51 permits the user 82 to log in to the system control device 5 and writes the new password of the input information to the user information 52.
  • FIG. 7 is a diagram illustrating functional blocks of the monitoring agent unit 413.
  • the monitoring agent unit 413 includes a determination unit 61, a reading unit 62, an execution unit 63, a change detection unit 64, and a transmission unit 65.
  • the determination unit 61 determines whether or not the user information save files 415A to 415N exist, determines the change contents of the user information 414A to 414N, and determines whether or not the user information change notification function exists.
  • the reading unit 62 reads the user information 414A.
  • the execution unit 63 updates the user information save files 415A to 415N, generates the user information save files 415A to 415N, and the like.
  • the change detection unit 64 detects changes in the user information 414A to 414N.
  • the transmission unit 65 transmits change information, additional information, and the like to the user authentication unit 51.
  • FIG. 8 is a diagram showing functional blocks of the user authentication unit 51 of the system control device 5.
  • the user authentication unit 51 includes a determination unit 71, a transmission / reception unit 72, and an execution unit 73.
  • the determination unit 71 determines whether or not the transmission / reception unit 72 has received input information, change information, or the like.
  • the transmission / reception unit 72 receives input information from the user 82, change information from the monitoring agent unit 413, and the like. In addition, the transmission / reception unit 72 transmits an authentication request or the like.
  • the execution unit 73 compares the input information with the user information 52, updates the user information 52, and the like.
  • FIG. 9 is a flowchart illustrating an operation of information synchronization processing in the monitoring agent unit 413 according to the embodiment.
  • the monitoring agent unit 413 of the partition 41A will be described as an example. The same operation is performed in the monitoring agent unit 413 in other partitions.
  • the determination unit 61 determines whether there is a user information save file 415A (S102). When it is determined that the user information save file 415A exists (S102, YES), the reading unit 62 reads the user information 414A (S103). After reading, the determination unit 61 determines whether there is an increase or decrease in the number of users who can log in to the system control device 5, or an addition of authority information, based on a comparison between the user information save file 415A and the user information 414A (S104).
  • the determination unit 61 compares, among the individual information of the user information 414A, the user accounts associated with authority information (hereinafter referred to as user account A) with the user accounts of the user information save file 415A (hereinafter referred to as user account B).
  • user account A: a user account associated with authority information in the user information 414A
  • user account B: a user account of the user information save file 415A
  • the determination unit 61 determines whether there is a user account in the user account A that is not in the user account B and whether there is a user account in the user account B that is not in the user account A. If there is a user account in user account A that is not in user account B, determination unit 61 determines that individual information has been added to user information 414A or that authority information has been added to the individual information in user information 414A.
  • the transmission unit 65 transmits the change information indicating the change contents of the user information 414A to the user authentication unit 51 via the control line ( S105).
  • the user authentication unit 52 receives the change information and updates the user information 52 based on the change information.
  • The changed content is additional information when the determination unit 61 determines that individual information or authority information has been added, and deletion information when it determines that individual information has been deleted.
  • After the transmission, the determination unit 61 determines whether authority information has been deleted, based on the user information save file 415A and the user information 414A (S106).
  • Specifically, the determination unit 61 compares the user accounts of all individual information of the user information 414A (hereinafter referred to as user account C) with user account B. Based on this comparison, the determination unit 61 determines whether user account B contains a user account that, in user account C, is no longer associated with authority information. If so, the determination unit 61 determines that the authority information of that user account has been deleted; otherwise, it determines that no authority information has been deleted.
  • When it is determined that authority information has been deleted (S106, YES), the transmission unit 65 transmits change information indicating the changed content of the user information 414A to the user authentication unit 51 via the control line (S107).
  • The user authentication unit 51 receives the change information and updates the user information 52 based on it.
  • In this case, the changed content is authority deletion information.
  • the execution unit 63 updates the user information save file 415A based on the change information (S108).
  • the determination unit 61 determines whether or not the OS 411A has a user information change notification function (S109).
  • When the OS 411A has a user information change notification function (S109, YES), the change detection unit 64 waits for a user information change notification from the OS 411A (S110).
  • As the function for waiting for a user information change notification, it is desirable to use inotify, which monitors events in the file system, when the OS is Linux (registered trademark).
  • If it is determined in step S102 that there is no user information save file 415A (S102, NO), the reading unit 62 reads the user information 414A (S111). After reading, the execution unit 63 generates the user information save file 415A based on the user information 414A (S112). After the generation, the transmission unit 65 transmits, based on the user information 414A, additional information including the user accounts associated with authority information in the user information 414A and their authority information to the user authentication unit 51 (S113). The user authentication unit 51 receives the additional information and updates the user information 52 based on it. After the transmission, the process of determining whether or not there is a user information change notification function in step S109 is performed.
  • When it is determined in step S104 that there is no increase or decrease of users who can log in to the system control device 5 and no authority information has been added (S104, NO), the process of determining whether or not authority information has been deleted in step S106 is performed. If it is determined in step S106 that no authority information has been deleted (S106, NO), the process of updating the user information save file 415A based on the change information is performed in step S108. If there is no change information in step S108, the execution unit 63 does not update the user information save file 415A.
  • When the OS 411A does not have a user information change notification function (S109, NO), the change detection unit 64 monitors the user information 414A and polls until there is a change (S114).
  • the change detection unit 64 periodically reads the user information 414A and detects a change.
  • the change detection unit 64 stores the user information 414A in the memory 122 when read, and compares the user information 414A with the user information 414A read after a certain time. After the comparison, the change detection unit 64 stores the current user information 414A in the memory 122 and repeats this. Further, the change detection unit 64 may detect a command for changing the user information 414A.
  • When a change in the user information 414A is detected in step S110 or step S114, the process returns to step S102 to determine whether or not the user information save file 415A exists.
  • FIG. 10 is a flowchart showing the operation of the user authentication unit 51 of the system control apparatus 5 according to the embodiment.
  • the determination unit 71 determines whether or not the transmission / reception unit 72 has received input information from the user 82 (S201).
  • When it is determined that input information has been received (S201, YES), the user authentication process described later is executed (S202).
  • After the user authentication process, the process returns to step S201, and the process of determining whether or not input information from the user 82 has been received is performed again.
  • When it is determined that input information has not been received (S201, NO), the determination unit 71 determines whether the transmission / reception unit 72 has received change information from the monitoring agent unit 413 (S203). When it is determined that change information has been received (S203, YES), the execution unit 73 updates the user information 52 based on the received change information. For example, if the change information is additional information, the execution unit 73 writes the user account and authority information indicated in the additional information to the user information 52. If the change information is deletion information, the execution unit 73 deletes from the user information 52 the individual information corresponding to the user account indicated in the deletion information. Alternatively, the validity / invalidity information of that user account may be set to invalid.
  • If the change information is authority deletion information, the execution unit 73 deletes the authority information of the user account in the user information 52 that corresponds to the user account indicated in the authority deletion information.
  • If the user account indicated in additional information is already in the user information 52, the execution unit 73 determines that the additional information is an addition of authority information, and writes the authority information indicated in the additional information to the user information 52. In this case, the authority information is written without changing the user account.
  • After the update, the process returns to step S201, and the process of determining whether or not input information from the user 82 has been received is performed again. If it is determined that change information has not been received (S203, NO), the process likewise returns to step S201.
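The following Python is an added example, not code from the patent or from Fujitsu, of the FIG. 9 comparison (S102 to S108) on the monitoring agent side and the FIG. 10 update (S203) on the system control device side. The account-to-authority dictionary layout, the ChangeInfo and ControllerUser records, the function names and the sample accounts are all assumptions. The example also reports a changed authority set on an account that is present in both the current user information and the save file, a case the flowchart's set comparison does not spell out.

```python
"""Added example (not code from the patent): the diff that the monitoring agent
unit 413 computes in FIG. 9 (S102-S108) and the update that the user
authentication unit 51 applies to user information 52 in FIG. 10 (S203).
Record layout, function names and the sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# User information 414A reduced to what the agent compares: account name -> set of
# authority strings. An empty set means the account exists in the partition but has
# no authority to access the system control device 5 (assumed encoding).
UserInfo = Dict[str, FrozenSet[str]]


@dataclass
class ChangeInfo:
    """Change information sent one way over the control line (S105, S107, S113)."""
    additional: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    deleted: Set[str] = field(default_factory=set)
    authority_deleted: Set[str] = field(default_factory=set)

    def is_empty(self) -> bool:
        return not (self.additional or self.deleted or self.authority_deleted)


def compute_change_info(current: UserInfo, saved: Optional[UserInfo]) -> ChangeInfo:
    """Compare user information 414A (current) with save file 415A (saved)."""
    # User account A: accounts of 414A that are associated with authority information.
    account_a = {acct for acct, auth in current.items() if auth}
    if saved is None:
        # S102 NO -> S111-S113: no save file yet; every account with authority is additional.
        return ChangeInfo(additional={a: current[a] for a in account_a})
    account_b = set(saved)  # user account B: accounts recorded in the save file
    change = ChangeInfo()
    for acct in account_a - account_b:  # S104: in A but not in B -> added
        change.additional[acct] = current[acct]
    for acct in account_b - account_a:  # in B but not in A
        if acct in current:             # S106: account still exists, authority removed
            change.authority_deleted.add(acct)
        else:                           # S104: individual information deleted
            change.deleted.add(acct)
    # Beyond the flowchart's set comparison: an account in both A and B whose authority
    # set changed is reported as additional information; the receiver writes it without
    # changing the account (FIG. 10).
    for acct in account_a & account_b:
        if current[acct] != saved[acct]:
            change.additional[acct] = current[acct]
    return change


def next_save_file(current: UserInfo) -> UserInfo:
    """S108 / S112: the save file records the accounts that currently hold authority."""
    return {acct: auth for acct, auth in current.items() if auth}


@dataclass
class ControllerUser:
    """One entry of user information 52 on the system control device (assumed layout)."""
    authority: FrozenSet[str]
    partition: Optional[str] = None      # partition number; None for a controller-only user
    password_hash: Optional[str] = None  # filled in only after a successful S305 (FIG. 11)
    valid: bool = True


def apply_change_info(user_info_52: Dict[str, ControllerUser], change: ChangeInfo,
                      partition: str) -> Dict[str, ControllerUser]:
    """FIG. 10, S203: update user information 52 from received change information."""
    for acct, auth in change.additional.items():
        if acct in user_info_52:
            user_info_52[acct].authority = auth   # authority added; account left unchanged
            user_info_52[acct].valid = True
        else:
            user_info_52[acct] = ControllerUser(authority=auth, partition=partition)
    for acct in change.deleted:
        if acct in user_info_52:
            user_info_52[acct].valid = False      # invalidate rather than delete (both allowed)
    for acct in change.authority_deleted:
        if acct in user_info_52:
            user_info_52[acct].authority = frozenset()
    return user_info_52


def sync_once(current: UserInfo, saved: Optional[UserInfo],
              user_info_52: Dict[str, ControllerUser], partition: str):
    """One pass of FIG. 9 on the agent side followed by the FIG. 10 update on the receiver."""
    change = compute_change_info(current, saved)
    if not change.is_empty():           # nothing is sent when nothing changed
        apply_change_info(user_info_52, change, partition)
    return change, next_save_file(current)


if __name__ == "__main__":
    # Constructed sample data for partition 41A.
    saved_415a: UserInfo = {"alice": frozenset({"sc_admin"}), "bob": frozenset({"sc_power"})}
    current_414a: UserInfo = {
        "alice": frozenset({"sc_admin"}),  # unchanged
        "bob": frozenset(),                # authority removed -> S106
        "carol": frozenset({"sc_power"}),  # new account with authority -> S104
        "dave": frozenset(),               # no authority, never synchronized
    }
    info_52 = {"alice": ControllerUser(frozenset({"sc_admin"}), "41A", "cached-hash"),
               "bob": ControllerUser(frozenset({"sc_power"}), "41A")}
    change, new_save = sync_once(current_414a, saved_415a, info_52, "41A")
    print(change)
    print(new_save)
    print(info_52)
```

Run it directly to see one synchronization pass. Note that the password field of user information 52 is never touched by the change information, which matches the one-way design in which passwords are not transmitted from the partition.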
  • FIG. 11 is a flowchart showing an operation of user authentication processing in the user authentication unit 51 of the system control apparatus 5 according to the embodiment.
  • First, the determination unit 71 determines whether or not the user account indicated in the input information is in the user information 52 (S301).
  • When it is determined that the user account is in the user information 52 (S301, YES), the determination unit 71 determines whether or not the user 82 is a user belonging to a partition (S302). Specifically, the determination unit 71 decides this based on whether or not the individual information in the user information 52 whose user account corresponds to the user account of the input information has a partition number.
  • When it is determined that the user 82 belongs to a partition (S302, YES), the determination unit 71 determines whether or not the OS of the partition to which the user 82 belongs is operating (S303).
  • Here, the partition to which the user 82 belongs is taken to be the partition 41A. This determination is made by the determination unit 71 using a function of the system control device 5 for monitoring the hardware resources that construct each partition. Note that the state of the hardware resources constructing each partition and the operating state of the OS of each partition may be stored in the memory 112 in advance, and the determination unit 71 may read them to make the determination.
  • When it is determined that the OS is operating (S303, YES), the transmission / reception unit 72 transmits an authentication request containing the user account and password of the received input information to the user authentication unit 412A of the partition 41A (S304).
  • After the transmission, the determination unit 71 determines whether or not the user account and password indicated in the authentication request have been authenticated (S305). This determination is based on the determination by the user authentication unit 412A of whether or not the user account and password indicated in the authentication request are in the user information 414A. Specifically, the user authentication unit 412A determines whether or not the user information 414A contains an entry matching the user account and password indicated in the received authentication request, and transmits the determination result to the user authentication unit 51. When the user account and password match, the determination result indicates that the user account and password indicated in the authentication request are authenticated; when they do not match, it indicates that they cannot be authenticated. The transmission / reception unit 72 receives the determination result transmitted from the user authentication unit 412A.
  • When it is determined that the user account and password have been authenticated (S305, YES), the execution unit 73 writes the password of the input information to the HDD 14 in association with the user account of the user information 52 that matches the user account of the input information (S306), thereby updating the user information 52. After the writing, the transmission / reception unit 72 notifies the user 82 of login permission (S307). After the notification, the process returns to step S201, and the process of determining whether or not input information from the user 82 has been received is performed again.
  • When it is determined in step S302 that the user 82 is not a user belonging to a partition (S302, NO), the determination unit 71 determines whether or not a password has already been set for that user account in the user information 52 (S308). When it is determined that a password is already set in the user information 52 (S308, YES), the determination unit 71 compares the password of the input information with the password of the user account in the user information 52 corresponding to the user account of the input information, and determines whether or not they match (S309). If it is determined that the passwords match (S309, YES), the process of notifying the user 82 of login permission is performed in step S307.
  • When it is determined in step S308 that no password is set in the user information 52 (S308, NO), the transmission / reception unit 72 notifies the user 82 of login rejection (S310). After the notification, the process returns to step S201, and the process of determining whether or not input information from the user 82 has been received is performed again.
  • When it is determined in step S301 that the user account indicated in the input information is not in the user information 52 (S301, NO), the process of notifying the user 82 of login rejection in step S310 is performed.
  • If it is determined in step S305 that the determination result indicates that the user account and password indicated in the authentication request cannot be authenticated (S305, NO), the process of notifying the user 82 of login rejection in step S310 is performed. Likewise, if it is determined in step S309 that the passwords do not match (S309, NO), the process of notifying the user 82 of login rejection in step S310 is performed.
  • Note that, after the process of determining in step S301 whether or not the user account indicated in the input information is in the user information 52, the execution unit 73 may prompt the user 82 to input the password. After the prompt, the determination unit 71 determines whether or not a password has been input within a specified time. When the password is input, the process of determining in step S302 whether or not the user 82 is a user belonging to a partition is executed.
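The login decision of FIG. 11 (S301 to S310), as an added Python example that is not code from the patent or from Fujitsu. The ControllerUser layout, the two callbacks standing in for the partition state check and the authentication request to the user authentication unit 412A, and the sample accounts are assumptions. Two deliberate choices go beyond the text: when the partition OS is not operating (S303, NO) the example falls back to the password cached in S306, which the flowchart description does not state explicitly, and the cached password is stored as a salted PBKDF2 hash rather than written verbatim, because a credential cache on the system control device needs the same protection as the partition's own password store.

```python
"""Added example (not code from the patent): the login decision of the user
authentication unit 51 in FIG. 11 (S301-S310), written in Python. The record layout,
the partition-side callbacks and the sample data are assumptions, and the password
cached in S306 is stored as a salted hash here (the text only says the password is
written to user information 52)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ControllerUser:
    """One entry of user information 52 (assumed layout)."""
    partition: Optional[str] = None      # partition number; None -> not a partition user (S302 NO)
    salt: Optional[bytes] = None         # None -> no password set yet (S308 NO)
    password_hash: Optional[bytes] = None
    valid: bool = True


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserAuthenticationUnit51:
    def __init__(self, user_info_52: Dict[str, ControllerUser],
                 os_running: Callable[[str], bool],
                 partition_auth: Callable[[str, str, str], bool]):
        self.user_info_52 = user_info_52
        self.os_running = os_running          # S303: is the partition's OS operating?
        self.partition_auth = partition_auth  # S304/S305: asks user authentication unit 412x

    def login(self, account: str, password: str) -> str:
        user = self.user_info_52.get(account)
        if user is None or not user.valid:                      # S301 NO -> S310
            return "rejected"
        if user.partition is not None:                          # S302 YES
            if self.os_running(user.partition):                 # S303 YES
                if self.partition_auth(user.partition, account, password):  # S305 YES
                    user.salt = os.urandom(16)                  # S306: cache the credential
                    user.password_hash = _hash(password, user.salt)
                    return "permitted"                          # S307
                return "rejected"                               # S305 NO -> S310
            # S303 NO: assumed here to fall through to the cached password; the
            # flowchart text does not state this branch explicitly.
        if user.salt is None or user.password_hash is None:     # S308 NO -> S310
            return "rejected"
        if hmac.compare_digest(_hash(password, user.salt), user.password_hash):  # S309
            return "permitted"                                  # S307
        return "rejected"                                       # S309 NO -> S310


def build_demo():
    """Constructed sample: one partition user of 41A and one controller-only user."""
    partition_users = {"41A": {"alice": "correct horse"}}  # stands in for user information 414A
    state = {"41A": True}                                  # OS 411A operating?

    def os_running(partition: str) -> bool:
        return state.get(partition, False)

    def partition_auth(partition: str, account: str, password: str) -> bool:
        # Stands in for user authentication unit 412A answering the authentication request.
        return partition_users.get(partition, {}).get(account) == password

    salt = b"\x00" * 16  # fixed salt only so the sample is reproducible
    info_52 = {
        "alice": ControllerUser(partition="41A"),   # synchronized by FIG. 9 / FIG. 10, no password yet
        "sc_oper": ControllerUser(partition=None, salt=salt, password_hash=_hash("local pw", salt)),
    }
    return UserAuthenticationUnit51(info_52, os_running, partition_auth), state


if __name__ == "__main__":
    unit, state = build_demo()
    print(unit.login("alice", "correct horse"))  # partition answers -> permitted, password cached
    state["41A"] = False                          # partition 41A powered off
    print(unit.login("alice", "correct horse"))  # cached password -> permitted
    print(unit.login("alice", "wrong"))          # rejected
    print(unit.login("sc_oper", "local pw"))     # controller-only user -> permitted
```

build_demo() constructs the sample state; flipping state["41A"] to False exercises the situation the comparison with an external authentication server later on this page is concerned with: a user who has already authenticated once can still log in to the system control device while the partition is down, whereas a user who never authenticated while the partition was up is rejected at S308.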
  • The user information save files 415A to 415N have been described as containing the user accounts of the plurality of users who have authority to access their own partitions, but they may contain all of the information of the user information 414A to 414N.
  • The user information 52 has been described as information indicating the plurality of users who have access authority to the system control device 5, but it may also include information on users who do not have access authority to the system control device 5.
  • For comparison, consider a configuration in which an authentication server is built outside the server 1 or in one partition of the server 1, and a user authentication function that accesses the authentication server using LDAP (Lightweight Directory Access Protocol), and that the system control device 5 can support for the partitions 41A to 41N, is additionally constructed (hereinafter referred to as the extended user authentication function). By constructing the extended user authentication function and the authentication server, the user information 414A to 414N of the partitions 41A to 41N and the user information 52 of the system control device 5 are synchronized.
  • FIG. 12 is a diagram for explaining a server to which the technology disclosed in this specification is not applied.
  • the server 8 has monitoring agent units 82A to 82N instead of the monitoring agent unit 413 in the partitions 41A to 41N, respectively.
  • the server 8 includes extended user authentication units 83A to 83N having an extended user authentication function in each of the partitions 41A to 41N.
  • the system control device 84 includes a user authentication unit 85 instead of the user authentication unit 51 and an extended user authentication unit 86 having an extended user authentication function that can be selected by setting.
  • the authentication server 87 is constructed on the network.
  • the authentication server 87 is connected to hardware resources and the system control device 84 that construct the partitions 41A to 41N via the network.
  • the authentication server 87 has user information 871 in which user information 414A to 414N and user information 52 are associated with each other.
  • the monitoring agents 82A to 82N acquire the usage status of the hardware resources that construct the partitions 41A to 41N, and notify the usage status to the system control device 84 via the control line connected to the system control device 84.
  • the user authentication unit 85 performs a user authentication process for determining whether or not the user can be authenticated based on a user account and a password input by the user.
  • The extended user authentication units 83A to 83N each access the user information of the partition to which they belong.
  • the extended user authentication unit 86 accesses the user information 52 of the system control device 84.
  • the authentication server 87 synchronizes the user information 414A to 414N and the user information 52 via the extended user authentication units 83A to 83N and the extended user authentication unit 86.
  • the user information 414A to 414N and the user information 52 can be easily changed.
  • According to the embodiment, the user information 414A to 414N and the user information 52 can be synchronized using the user authentication units 412A to 412N that have the standard user authentication function of each OS, without additionally constructing the authentication server 87 and the extended user authentication units 83A to 83N and 86.
  • information on users who can log in to the partition 41A and the system control apparatus 5 can be shared by the partition 41A and the system control apparatus 5.
  • the administrator 81 can add or delete a user to or from the system control apparatus 5 only with the effort of adding or deleting a user to or from the partition 41A.
  • When synchronizing the user information 414A to 414N with the user information 52, the monitoring agent unit 413 synchronizes by data transmission only the user accounts and authority information, which are rarely updated, and does not synchronize passwords by data transmission.
  • Instead, the user authentication units 412A to 412N determine authentication using the input information from the user 82, and if the password is authenticated, the password of the input information is written to the user information 52, which is thereby updated. This reduces the number of data transmissions from the partitions 41A to 41N to the system control device 5 and the amount of information transmitted. Furthermore, since the system control device 5 does not access the partitions 41A to 41N except for the partition status check and the authentication request, the impact on the security of the partitions 41A to 41N can be reduced.
  • In the server 8, the user 82 and the like need a large amount of setting work to additionally construct the extended user authentication units 83A to 83N, and the setting work may become complicated when the number of partitions increases.
  • In the embodiment, since it is not necessary for the user 82 or the like to additionally construct the extended user authentication units 83A to 83N, the setting work does not require great effort, and it remains simple even when the number of partitions increases.
  • In the server 8, the extended user authentication function of the extended user authentication units 83A to 83N is limited to extended user authentication functions that the system control device 84 can support. Therefore, if the extended user authentication functions of the extended user authentication units 83A to 83N requested by the user 82 or the like differ from partition to partition, the authentication server may not be unifiable into a single server, or may not be usable at all. In the embodiment, since the extended user authentication units 83A to 83N and the authentication server 87 are not used, this possibility does not arise.
  • In the server 8, the user information of the SE may not be synchronizable between the partitions 41A to 41N and the system control device 84 because of the construction requirements of the partitions 41A to 41N. Further, for security reasons such as prohibiting updates to information in the partitions 41A to 41N from devices outside the partitions 41A to 41N, there is a possibility that the user information of the SE cannot be synchronized between the partitions 41A to 41N and the system control device 84.
  • According to the embodiment, since only one-way data transmission from the monitoring agent unit 413 to the user authentication unit 51 is performed, the user information 414A to 414N is never manipulated from outside the partition. Therefore, the user information can be synchronized between the partitions 41A to 41N and the system control device 5 without being affected by the security restrictions of the partitions 41A to 41N.
  • Alternatively, a configuration is conceivable in which the user information 414A to 414N and the user information 52 are not synchronized, but an authentication server is constructed on a partition, and only the user authentication function of that authentication server is used to log in to the partitions and the system control device.
  • In that configuration, when the authentication server is stopped (for example because the partition on which it is constructed is powered off), the user 82 cannot operate the system control device and therefore cannot power on the partition. A special user who can operate the system control device must therefore always be registered in the system control device.
  • information on users who can log in to the partition 41A and the system control apparatus 5 is shared by the partition 41A and the system control apparatus 5 without using an authentication server.
  • FIG. 13 is a diagram illustrating an example of a server to which the present invention is applied.
  • a server 901 illustrated in FIG. 13 includes a main body 902 that includes a CPU, a disk drive, and the like, and a communication device 903 that accesses an external database and downloads programs and the like stored in another computer system.
  • the communication device 903 may be a network communication card, a modem, or the like.
  • a program for executing the above steps in the server 901 constituting the server 1 can be provided as a control program.
  • the server 901 constituting the server 1 can execute the program.
  • Each program for executing the above steps is stored in a portable recording medium such as a disk 910 or downloaded from a recording medium 920 of another server or computer system by the communication device 903.
  • a control program (control software) that causes the server 901 to have at least a control function is input to the server 901 and compiled.
  • This program causes the server 901 to operate as the server 1 having a control function.
  • these programs may be stored in a computer-readable recording medium such as a disk 910, for example.
  • The recording media that can be read by the server 901 include internal storage devices such as a ROM and a RAM; portable storage media such as the disk 910, a flexible disk, a DVD, a magneto-optical disk, and an IC card; a database holding a computer program; another server or computer system and its databases; and various recording media accessible by a server or computer system connected via communication means such as the communication device 903.
  • The first processing device and the third processing device are, for example, the partitions 41A to 41N, and the second processing device and the system control device are, for example, the system control device 5.
  • the information processing apparatus is, for example, the server 1 or the partitions 41A to 41N.
  • the first storage unit and the second storage unit are, for example, the HDD 14.
  • the first user information and the second user information are, for example, user information 414A to 414N, and the third user information is, for example, the user information 52.
  • the fourth user information is, for example, input information.
  • the fifth user information is, for example, authority information.
  • the sixth user information is, for example, user information save files 415A to 415N, and the determination information is, for example, a determination result.
  • the first determination unit, the fourth determination unit, the second reception unit, and the third transmission unit are, for example, user authentication units 412A to 412N.
  • the second update unit is, for example, the execution unit 63.
  • the first transmission unit is, for example, the transmission unit 65.
  • the detection unit is, for example, the change detection unit 64.
  • the second determination unit, the third determination unit, and the permission unit are, for example, the determination unit 71, and the first reception unit, the third reception unit, and the second transmission unit are, for example, the transmission / reception unit 72.
  • the first updating unit and writing unit are, for example, the execution unit 73.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

According to the invention, a first processing device among a plurality of first processing devices includes a first storage section for storing first user information indicating a first user who has access authority to the first processing device, a first determination section for determining whether or not to permit access to the first processing device by a second user when second user information indicating the second user is input, a detection section for detecting a change in the first user information in the first storage section, and a first transmission section for transmitting change information indicating the content of the change in the first user information to a second processing device; and the second processing device includes a second storage section for storing third user information indicating a third user who has access authority to the second processing device, a second determination section for determining whether or not to permit access to the second processing device by a fourth user when fourth user information indicating the fourth user is input, a first reception section for receiving the change information transmitted by the first transmission section, and a first updating section for updating the third user information in the second storage section.
PCT/JP2009/070761 2009-12-11 2009-12-11 Processeur d'information, procédé de commande pour processeur d'information, programme de commande pour processeur d'information et programme de commande pour contrôleur de système WO2011070676A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2009/070761 WO2011070676A1 (fr) 2009-12-11 2009-12-11 Processeur d'information, procédé de commande pour processeur d'information, programme de commande pour processeur d'information et programme de commande pour contrôleur de système

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2009/070761 WO2011070676A1 (fr) 2009-12-11 2009-12-11 Processeur d'information, procédé de commande pour processeur d'information, programme de commande pour processeur d'information et programme de commande pour contrôleur de système

Publications (1)

Publication Number Publication Date
WO2011070676A1 true WO2011070676A1 (fr) 2011-06-16

Family

ID=44145245

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/070761 WO2011070676A1 (fr) 2009-12-11 2009-12-11 Processeur d'information, procédé de commande pour processeur d'information, programme de commande pour processeur d'information et programme de commande pour contrôleur de système

Country Status (1)

Country Link
WO (1) WO2011070676A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016134104A (ja) * 2015-01-21 2016-07-25 日立電線ネットワークス株式会社 認証システムおよび認証サーバ

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000194630A (ja) * 1998-12-28 2000-07-14 Fujitsu Ltd 複数システムの情報管理装置および記録媒体
JP2001067318A (ja) * 1999-08-30 2001-03-16 Nec Corp ユーザ/パスワード一括管理方式
JP2003044442A (ja) * 2001-07-30 2003-02-14 Fujitsu Support & Service Kk データ認証方法及びデータ認証装置
JP2004070935A (ja) * 2002-06-27 2004-03-04 Internatl Business Mach Corp <Ibm> 論理パーティションのリソースを動的に再構成するための方法、プログラム、システム
JP2007537520A (ja) * 2004-05-13 2007-12-20 インターナショナル・ビジネス・マシーンズ・コーポレーション 論理パーティション化データ処理システムにおける未割り振りメモリの動的メモリ管理

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PETER PAWLAK: "Windows Server 2003 R2 de Kyoka suru Saishin ID Kanri (Windows Server 2003 R2 ID Management)", DIRECTIONS ON MICROSOFT JAPANESE VERSION, vol. 1, no. 20, 16 November 2005 (2005-11-16), pages 14 - 20 *

Similar Documents

Publication Publication Date Title
US10244001B2 (en) System, apparatus and method for access control list processing in a constrained environment
US8254579B1 (en) Cryptographic key distribution using a trusted computing platform
US8935560B2 (en) System and method of file locking in a network file system federated namespace
US20160205541A1 (en) Apparatus For End-User Transparent Utilization of Computational, Storage, and Network Capacity of Mobile Devices, and Associated Methods
US10484383B2 (en) Pre-authorizing a client application to access a user account on a content management system
JP2018537740A (ja) デジタルコンテンツアイテムのマルチプレミスホスティングのための同期プロトコル
JP2018536207A (ja) デジタルコンテンツアイテムのマルチプレミスホスティングのための同期プロトコル
JP5340610B2 (ja) 複数の構成要素を管理するためのコンピュータ・システム、並びにその方法及びコンピュータ・プログラム
CA2910249C (fr) Synchronisation de donnees d&#39;association de dispositifs parmi des dispositifs informatiques
KR20110128846A (ko) 장치와 웹 서비스 간에 브라우저 캐시를 동기화하는 프로그래밍 모델
CN102763095A (zh) 便携式存储接口
US11356531B2 (en) Data caching for cloud services
US9001364B2 (en) Management system, image forming apparatus, management system control method, and image forming apparatus control method for migration of setting values of an application that operates in the image forimng apparatus
CN1964262A (zh) 信息处理系统以及信息处理装置的分配方法
WO2015074512A1 (fr) Procédé et appareil d&#39;accès à des ressources physiques
US8930532B2 (en) Session management in a thin client system for effective use of the client environment
CN113010498B (zh) 一种数据同步方法、装置、计算机设备及存储介质
JP2011215688A (ja) データベースアクセスシステム及び方法
KR102665749B1 (ko) 클라우드 저하 모드에서 지속적인 디바이스 동작 안정성을 보장하기 위한 방법 및 장치
WO2011070676A1 (fr) Processeur d&#39;information, procédé de commande pour processeur d&#39;information, programme de commande pour processeur d&#39;information et programme de commande pour contrôleur de système
KR101182464B1 (ko) 서비스 제공자에 의한 사용자용 가상머신 관리 시스템 및 방법
KR101593899B1 (ko) 클라우드 컴퓨팅 방법, 이를 수행하는 클라우드 컴퓨팅 서버 및 이를 저장하는 기록매체

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09852072

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09852072

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP