WO2013071890A1 - Resource access system and method based on identity and session - Google Patents

Resource access system and method based on identity and session

Info

Publication number
WO2013071890A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
identity
manager
resource
service
Prior art date
Application number
PCT/CN2012/084810
Other languages
French (fr)
Chinese (zh)
Inventor
汤传斌
熊丽
Original Assignee
运软网络科技(上海)有限公司
Priority date
Filing date
Publication date
Application filed by 运软网络科技(上海)有限公司
Publication of WO2013071890A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/1066 Session management
    • H04L 65/1069 Session establishment or de-establishment
    • H04L 65/60 Network streaming of media packets
    • H04L 65/61 Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
    • H04L 65/613 Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio, for the control of the source by the destination
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions

Definitions

  • The present invention relates to the field of computer system applications, and more particularly to a system scenario including multiple servers, networks, and storage, and proposes an identity-based and session-based resource access system.
  • Background technique
  • Patent No. 7,953,918, entitled "Service bus linking method and service bus for linking multiple service buses together", proposes a method of linking a large number of service buses together. The method marks each service bus with a node identifier, adds the identity and the service bus location to a bus node table, and updates the table. This method is designed to address the identity management of the service bus itself; it does not cover resources (the various hardware and software resources) or application identity management.
  • There are also some telecommunications companies that separate control sessions from streaming sessions, but their protocol stacks cover only communication resources, not computing resources, let alone virtual computing resources.
  • Summary of invention
  • The present invention addresses these problems, especially in the network instance environment of a data center, by introducing the idea from traditional telecommunications of separating service providers from resource providers into the access of enterprise data center resources, thereby realizing the separation of load and control sessions, and by using identity management methods to manage the identities of these resources.
  • the technical solution of the present invention is as follows:
  • The present invention discloses an identity and session based resource access system, including:
  • a client, which sends a service request and defines the resource information required to execute the service request;
  • a session management center, which receives the service request sent by the client, creates a stream session according to the service request, creates a control session according to the stream session, negotiates the resources required by the stream session and the service providers required by the control session, and routes the request to the resource center;
  • a resource center, including physical servers, a network, and storage, where each physical server runs one or more virtual machines; the resource center receives the service request and manages the running of the request, and a virtual machine runs the service request and feeds the result back to the client;
  • an identity manager, which communicates with the session management center and the resource center and manages the identity information of the resources, service providers, sessions, and application objects involved; the identity manager also manages the lifecycle of that identity information.
  • The session management center includes:
  • a stream session manager, which receives the service request sent by the client, creates a stream session according to the service request, negotiates the resources required by the stream session, and forwards the service request;
  • a proxy server in communication with the stream session manager, which receives the service request forwarded by the stream session manager, maintains the connection, obtains the stream session information created by the stream session manager, and schedules concurrent service requests;
  • a control session manager in communication with the proxy server, which obtains the stream session information from the proxy server, creates a control session according to that information, negotiates the service providers required by the control session, and forwards the service request;
  • a service bus connected to the control session manager and to a plurality of service providers, over which requests and control session identity information are transferred between service providers;
  • a session database, which saves the stream session, control session and user session information generated while the service request travels from the client to the virtual machine in the resource center and while the result is fed back from the resource center to the client.
  • The stream session manager includes:
  • a stream session generator, which creates a stream session for the received service request, manages the life cycle of the stream session, and negotiates the resources required by the stream session;
  • a stream signaling plane in communication with the stream session generator, formed by the communication protocol stack between the resources involved in the stream session, which separates the physical resources from the dynamic resource requirements.
  • the flow signaling plane includes:
  • the protocol stack formed by the I/O link resource, the local network port resource and the computing resource, wherein the computing resource protocol stack includes a local physical computing working stack, a virtual machine manager, and a local logical computing working stack.
  • the proxy server comprises:
  • the application container saves request information related to the service request, including an IP address, a port number, and a protocol.
  • control session manager comprises:
  • a session controller creating a control session according to the flow session and managing a life cycle of the control session, the session controller also negotiating a service provider required to execute the control session;
  • the control signaling plane is formed by a communication protocol stack between service providers involved in the control session, and the control signaling plane separates the service provider from the resource provider.
  • The physical server includes a server resource manager, a hardware architecture, a virtual machine manager, and a plurality of virtual machines; the server resource manager manages the running of service requests on the virtual machines, and the virtual machine manager manages the virtual machines;
  • the network includes a network resource manager, which manages network resources and networks the virtual machines in the physical server;
  • the storage includes a storage resource manager, which manages storage resources.
  • the identity manager comprises:
  • a handle resolution system, which determines the location of a resource and the relationships between the objects involved in a service request by resolving a tree structure and a graph structure;
  • a generator, which generates unique identity information for each defined resource and service provider, and generates identity information for each session and application;
  • the registrar registers each object with an identity manager, and the registrar invokes the generator to generate an identity for the object;
  • An identity store that stores identity information for various objects, including sessions, service providers, resources, and applications.
  • The invention also discloses an identity and session based resource access method, comprising: a stream session manager receiving a resource request from a client;
  • the stream session manager creating a stream session for the request, negotiating the resources required to run the client load, and sending the request and the stream session information to the upstream proxy server;
  • the proxy server acting as a relay agent for multiple requests, and sending the request and the stream session information to the upstream control session manager;
  • the control session manager generating, for the request, a control session of the service provider associated with the stream session, for negotiating the control of the service request;
  • the control session manager interacting with the upstream service bus, to which a plurality of service providers are connected; the request and the control session identity information are passed between the service providers over the service bus, and the service providers route the request to the physical server of the downstream resource center;
  • the resource manager managing the running of the request on a virtual machine;
  • the virtual machine running the request and feeding the result back to the client.
  • the method further comprises:
  • the stream session manager creates a stream session and accesses the identity manager to obtain the stream session identity;
  • the proxy server creates the virtual application, accesses the identity manager, and obtains the virtual application identity associated with the stream session identity through the relationship resolution service;
  • the control session manager creates a control session associated with the stream session, accesses the identity manager, and obtains the control session identity associated with the stream session identity through the relationship resolution service;
  • the resource manager accesses the identity manager, obtains the unique identity of the resource, and can find the location of the resource through the address resolution service according to that unique identity.
  • the method further comprises:
  • after receiving the request and the stream session information sent by the stream session manager, the proxy server continues to maintain the TCP/UDP connection with the stream session manager;
  • the method further comprises:
  • the stream session manager creates a stream session and generates a stream signaling plane, which separates the physical resources from the dynamic resource requirements and controls the logical core network generated on demand.
  • the method further includes: the control session manager creates a control session and generates a control signaling plane, which dynamically combines service providers as required by the request, generating multiple service provider planes.
  • the method further comprises:
  • bridging is used to establish the identity correspondence between a virtual machine and the various virtual resources on it.
  • The identity and session based resource access system of the present invention introduces the idea from traditional telecommunications of separating the service provider from the resource provider into the access of enterprise data center resources in the network instance environment of the data center, realizes the separation of load and control sessions, and uses identity management methods to manage the identities of these resources.
  • FIG. 2 is a general flow diagram of the operation of an identity-based and session-based resource access system, describing the entire process from an application request by a user to an application instance returning to the client, in accordance with one embodiment of the present invention.
  • FIG. 3 is a flow plan diagram of an identity and session based resource access system in accordance with an embodiment of the present invention, embodying communication resources and computing resource protocol stacks through which client loads are required.
  • FIG. 4 is a block diagram of interaction of a proxy server with control session management and control session manager in an identity and session based resource access system, in accordance with one embodiment of the present invention.
  • FIG. 5 is a flow diagram of the interaction of a proxy server with control session management in an identity and session based resource access system, in accordance with one embodiment of the present invention.
  • FIG. 6 is a partial storage structure of a session database storing session relationships in an identity-based and session-based resource access system, in accordance with one embodiment of the present invention.
  • Figure 7 is a block diagram showing the structure of an identity manager in an identity and session based resource access system in accordance with one embodiment of the present invention.
  • Figure 8 shows the implementation of the relationship resolution service (Relationship Resolution) in the identity manager of Figure 7.
  • Figure 9 is a relational diagram of address resolution in the identity manager of Figure 7.
  • Figure 10 is a flow diagram of the use of an identity manager in an identity and session based resource access system in accordance with one embodiment of the present invention.
  • Figure 1 is a block diagram showing the structure of an identity and session based resource access system in accordance with one embodiment of the present invention. Referring to FIG. 1, the present invention discloses an identity and session based resource access system, including: a client 11, a session management center 12, a resource center 14, and an identity manager 13.
  • The client 11 issues a service request and defines the resource information needed to execute the service request.
  • the session management center 12 receives the service request issued by the client 11, and in the present invention, the service request may also be referred to as an application request.
  • the session management center 12 creates a streaming session according to the service request and creates a control session according to the streaming session.
  • the session management center 12 negotiates the resources required for the streaming session and the service providers required to control the session, and routes the request to the resource center.
  • Resource Center 14 includes physical servers, networks, and storage, and one or more virtual machines are running on the physical servers.
  • The resource center 14 receives the service request and manages the running of the request, and the virtual machine runs the service request and feeds the result of the run back to the client 11.
  • the identity manager 13 is in communication with the session management center and the resource center.
  • the identity manager 13 manages the identity information of objects such as resources, service providers, sessions, applications, etc.
  • the identity manager 13 also manages the lifecycle of the identity information.
  • the session management center 12 includes: a stream session manager 121, a proxy server 122, a control session manager 123, and a session database 125.
  • The stream session manager 121 manages real-time network sessions: it receives the service request sent by the client 11, creates a stream session according to the service request, negotiates the resources required by the stream session, and forwards the service request.
  • The stream session manager 121 includes a stream session generator 1211 and a stream signaling plane 1212.
  • The stream session generator 1211 creates a stream session for the received service request and manages the life cycle of the stream session; it also negotiates the resources required by the stream session, that is, the resources required to run the user load.
  • The stream signaling plane 1212 is in communication with the stream session generator 1211; it separates the physical resources from the dynamic resources through the communication protocol stack between the resources involved in the stream session.
  • The proxy server 122 is in communication with the stream session manager 121 and acts as an intermediary, or broker, between the user and the resources. The proxy server can identify the user's request; it receives the service request forwarded by the stream session manager 121 and maintains the connection, obtains the stream session information created by the stream session manager, and schedules concurrent service requests.
  • the proxy server 122 includes an application container 1221 that stores request information related to the service request, including an IP address, a port number, and a protocol.
  • The control session manager 123 is in communication with the proxy server 122; it obtains the stream session information from the proxy server 122, creates a corresponding control session, and negotiates the service providers required by the control session, that is, the service providers that control the user request.
  • The control session manager 123 forwards the service request.
  • The control session manager 123 includes a session controller 1231 and a control signaling plane 1232.
  • The session controller 1231 creates a control session according to the stream session and manages the life cycle of the control session; the session controller 1231 also negotiates the service providers required by the control session.
  • the control signaling plane 1232 is formed by a communication protocol stack between service providers participating in the control session, and the control signaling plane 1232 separates the service provider from the resource provider.
  • The service bus 124 is coupled to the control session manager 123; it is implemented by a middleware infrastructure that includes an event-driven and messaging engine, and is coupled to a plurality of service providers.
  • The session database 125 stores the stream session, control session, and user session information generated while the service request is transmitted from the client 11 to a virtual machine of the resource center 14 and while the result of the run is fed back from the resource center 14 to the client 11. The session database 125 can run on one or more servers.
  • The physical server 141 in the resource center 14 includes a server resource manager 1411, a hardware architecture 1412, a virtual machine manager 1413, and several virtual machines 1414.
  • The server resource manager 1411 manages the running of the service request on the virtual machines, and the virtual machine manager 1413 manages the virtual machines 1414.
  • The network 142 includes a network resource manager 1421, which manages network resources and networks the virtual machines 1414 in the physical server 141.
  • The storage 143 includes a storage resource manager 1431.
  • The storage resource manager 1431 manages storage resources and provides storage services for information such as virtual machine images.
  • The identity manager 13 includes a handle resolution system 131, a generator 132, a registrar 133, and an identity store 134.
  • The handle resolution system 131 resolves the location of a resource and the relationships between the objects involved in a service request by resolving a tree structure and a graph structure.
  • the generator 132 generates unique identity information for each defined resource and service provider, and the generator 132 also generates identity information for each real-time session.
  • the Registrar 133 registers the object with the Identity Manager, which invokes the generator to generate an identity for the object.
  • the identity store 134 stores identity information for various objects, including sessions, service providers, resources, applications, and the like.
  • The client 11 can be a user. The client 11 issues a service request, for example a request to create a LAMP stack, and defines the resource information needed to create it.
  • The service request first arrives at the stream session manager 121 in the session management center 12; the stream session generator 1211 in the stream session manager 121 creates a stream session for the service request, negotiates the resources required to run the user load, and manages the life cycle of the session.
  • The communication protocol stack between the resources involved in the stream session forms the stream signaling plane 1212, which separates the physical resources from the dynamic resource requirements and controls the logical core network generated on demand.
  • The stream session manager 121 here may be a layer 4 to layer 7 switch or an application delivery controller, specifically a device such as an F5 LTM or a Cisco ACE.
  • The stream session manager 121 passes the request to the proxy server 122 over TCP/UDP and maintains the TCP/UDP connection.
  • The proxy server 122 is an intermediary, or broker, between the user and the resources; it receives the application request from the client, stores the user's request information (IP, port, protocol, etc.) in the application container 1221, and schedules concurrent requests.
  • The proxy server 122 then sends the request to the control session manager 123, which consists of the session controller 1231 and the control signaling plane 1232.
  • The session controller 1231 creates an associated control session according to the stream session, negotiates the service providers required by the control session (that is, the service providers that control the user's request), and manages the life cycle of the session. The communication protocol stack between the service providers involved in the control session forms the control signaling plane 1232, which separates the service providers from the resource providers and allows any dynamic combination of service providers as needed. The control session manager 123 is coupled to the service bus 124, which is implemented with middleware infrastructure technology, a software architecture provided for service-oriented architecture through event-driven and messaging engines. In the present invention, each service provider is connected to the service bus 124, and user requests and session identities are propagated between service providers over the service bus.
  • The request is finally routed to the physical server 141 in the resource center 14; in contrast to the intermediary role of the proxy server 122 before it, the physical server 141 is the hardware device that finally runs the request.
  • Each physical server 141 has a hardware architecture 1412, a virtual machine manager 1413, a plurality of virtual machines 1414, and a server resource manager 1411.
  • The network resource manager 1421 in the network 142 manages network resources and the networking of the virtual machines, and the storage resource manager 1431 in the storage 143 manages the storage resources.
  • The service request is finally run by the server resource manager 1411 on one or more virtual machines 1414 on the physical server 141.
  • The operation of a virtual machine instance requires both network resources and storage resources.
  • Once the service request has run, the result is returned directly to the client 11.
  • This is the transfer process of the payload; the TCP/UDP connection between the stream session manager 121 and the proxy server 122 is then torn down, and the control signaling process ends.
  • Information such as streaming sessions, control sessions, user sessions, and the like are stored in the session database 125, and the data in the session database 125 can be stored in memory or on disk.
  • the session manager interacts with the identity manager to obtain the identity of the session and store session related information in the session database.
  • The identity manager 13 manages the life cycle of identity information (IDs), that is, the generation, maintenance, and deletion of identity information. The identity manager 13 is composed of the handle resolution system 131, the generator 132, the registrar (Registry) 133, and the identity store (Store) 134. The handle resolution system 131 is the core of the identity manager 13; it resolves the location of resources and the application relationships mainly through a tree structure and a graph structure.
  • The registrar 133 handles the registration of resources with the identity manager 13, and the generator 132 generates identifiers for each defined object according to certain rules.
  • The identity store 134 is the data storage center of the identity manager 13; it stores the identity information of objects such as resources, service providers, sessions, and applications, as well as resolution information, service configuration, and the like.
  • When the request arriving at the server resource manager 1411 is start VM (start a virtual machine), the server resource manager 1411 needs to obtain the URL of the virtual machine from the identity manager 13; the virtual machine image is stored in the shared storage 143. When the request is create VM (create a virtual machine), the URL of the virtual machine template needs to be obtained from the storage 143, using the storage resource manager 1431 on the storage 143.
  • FIG. 2 is a general flow diagram of the operation of an identity-based and session-based resource access system, describing the entire process from an application request by a user to an application instance being returned to the client, in accordance with an embodiment of the present invention. The specific steps are as follows:
  • Step 201: The user sends an application request (the user requests an application, giving IP, port, protocol, etc.); the application request is a service request, for example creating a LAMP stack or requesting a resource;
  • Step 202: Determine whether the user passes authentication and authorization. If yes, proceed to step 203; otherwise return to step 201;
  • Step 203: The request arrives at the stream session manager. The stream session manager generates a session for the request, accesses the identity manager, obtains a stream session ID, and stores the stream session identity in a record of the stream session table of the stream session manager;
  • Step 204: The stream session manager transfers the request and the stream session ID to the proxy server, which acts as a fake server, and maintains the TCP/UDP connection. The purpose of the connection is to transfer the request; the proxy server can identify the user's request and transfer it onward;
  • Step 205: The proxy server accesses the identity manager, obtains the virtual application identity associated with the stream session identity through the relationship resolution service, and sends the request and the stream session ID to the control session manager. Here the entire system is regarded as an application that executes the request, and the request is regarded as an application request (APP) issued by the user to that application. The request is sent by the user; when it reaches the proxy server it is a user-oriented application request as described by the user, also known as a virtual application request;
  • Step 206: The control session manager creates an associated control session for the request according to the stream session, and accesses the identity manager to obtain a control session ID related to the stream session identity through the relationship resolution service;
  • Step 207: The control session manager invokes the service bus; the service bus converts the virtual application into an application through the plurality of service providers connected to it, controls the direction of the request, passes the control session between the service providers over the service bus, and routes the request to the physical server of the resource center;
  • Step 208: The resource manager on the server manages the execution of the application request, obtaining the resources required to execute it by accessing the identity manager;
  • Step 209: Determine whether the resources are ready; if so, proceed to step 211, otherwise proceed to step 210;
  • Step 210: Wait until the resources are ready;
  • Step 211: Execute the request to generate an application instance (APP INSTANCE);
  • Step 212: The stream session manager manages the running data load, and disconnects the TCP/UDP connection established with the proxy server for the request;
  • Step 213: The result of the request execution is returned directly to the client by redirection, and after the session ends the resource information related to it is released.
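The flow of steps 201 to 213, together with the identity manager components described earlier (generator, registrar, identity store, relationship resolution and address resolution), can be modelled end to end. The Python below is an added illustration written for this page; it is not code from the patent or from the applicant. The identity manager is reduced to an in-memory tree of identities (the patent's tree and graph resolution becomes a parent/child walk), the session database to a dictionary, the generator's identifier rule to a random UUID (the patent only says identifiers follow "certain rules"), and the resource readiness check of step 209 to a boolean; the class and function names, the image URL and the sample request are all constructed for the example. Two properties a practitioner would want to see are visible in it: no session identity is minted before authentication and authorization succeed (step 202), and everything registered under a stream session is released when the session ends (step 213).

```python
"""Model of the identity manager and the FIG. 2 request flow (example code,
not the patent's own implementation). All names here are assumptions."""
import uuid
from typing import Dict, List, Optional, Set


class IdentityManager:
    """Generator + registrar + identity store + relationship/address resolution."""

    def __init__(self) -> None:
        self.store: Dict[str, dict] = {}          # identity store: id -> object record
        self.children: Dict[str, Set[str]] = {}   # relationship tree: id -> child ids
        self.address: Dict[str, str] = {}         # address resolution: resource id -> location

    def generate(self, kind: str) -> str:
        # Generator. The patent says only "certain rules"; a random UUID is assumed,
        # so one session id cannot be derived from another.
        return f"{kind}:{uuid.uuid4()}"

    def register(self, kind: str, attrs: dict, parent: Optional[str] = None,
                 location: Optional[str] = None) -> str:
        # Registrar: invokes the generator, stores the record, links it to its parent.
        if parent is not None and parent not in self.store:
            raise KeyError(f"unknown parent identity {parent}")
        ident = self.generate(kind)
        self.store[ident] = {"kind": kind, **attrs}
        self.children[ident] = set()
        if parent is not None:
            self.children[parent].add(ident)
        if location is not None:
            self.address[ident] = location
        return ident

    def related(self, ident: str, kind: str) -> List[str]:
        # Relationship resolution: depth-first walk of the tree below `ident`,
        # returning every registered object of the requested kind.
        found, stack = [], [ident]
        while stack:
            for child in sorted(self.children[stack.pop()]):
                if self.store[child]["kind"] == kind:
                    found.append(child)
                stack.append(child)
        return found

    def locate(self, ident: str) -> str:
        # Address resolution: unique identity -> location, e.g. a VM image URL.
        return self.address[ident]

    def release(self, ident: str) -> int:
        # Lifecycle end: delete an identity and everything registered below it.
        count = sum(self.release(child) for child in list(self.children[ident]))
        del self.store[ident], self.children[ident]
        self.address.pop(ident, None)
        return count + 1


def serve_request(idm: IdentityManager, session_db: Dict[str, dict], user: dict,
                  request: dict, resources_ready: bool) -> Optional[str]:
    """Steps 202-211 of FIG. 2; returns the application instance id, or None."""
    # Step 202: nothing is registered until authentication and authorization pass.
    if not (user.get("authenticated") and user.get("authorized")):
        return None
    # Step 203: stream session id, recorded in the stream session table.
    stream = idm.register("stream_session", {"user": user["name"]})
    session_db.setdefault("stream", {})[stream] = request
    # Step 205: the proxy keeps IP/port/protocol as a virtual application tied to the stream session.
    vapp = idm.register("virtual_application",
                        {k: request[k] for k in ("ip", "port", "protocol")}, parent=stream)
    session_db.setdefault("virtual_app", {})[vapp] = stream
    # Step 206: control session associated with the stream session.
    ctrl = idm.register("control_session", {"service_providers": []}, parent=stream)
    session_db.setdefault("control", {})[ctrl] = stream
    # Steps 208-210: the resource manager resolves the resource through the identity manager.
    image_url = idm.locate(request["image_id"])
    if not resources_ready:
        return None  # step 210 would wait; the example simply reports no instance yet
    # Step 211: the application instance is registered under the control session.
    return idm.register("app_instance", {"image": image_url}, parent=ctrl)


def end_session(idm: IdentityManager, session_db: Dict[str, dict], stream: str) -> int:
    """Step 213: drop the session records and release every identity under the stream session."""
    for table in session_db.values():
        for key in [k for k, v in table.items() if k == stream or v == stream]:
            del table[key]
    return idm.release(stream)


if __name__ == "__main__":
    idm, db = IdentityManager(), {}
    # Constructed sample data: one VM image registered as a resource with its location.
    image = idm.register("resource", {"type": "vm_image"}, location="nfs://storage/lamp.qcow2")
    req = {"ip": "10.0.0.5", "port": 443, "protocol": "tcp", "image_id": image}
    alice = {"name": "alice", "authenticated": True, "authorized": True}
    instance = serve_request(idm, db, alice, req, resources_ready=True)
    stream = next(iter(db["stream"]))
    print(instance, idm.related(stream, "control_session"))
    print("released", end_session(idm, db, stream))
```

The walk in `related` is what answers the "which control session belongs to this stream session" question of steps 205 and 206; `release` returning the count of deleted identities makes the step 213 cleanup checkable, which is where a real deployment would otherwise leak stale session and instance identities.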
  • FIG. 3 is a flow plan diagram of an identity and session based resource access system in accordance with an embodiment of the present invention, embodying communication resources and computing resource protocol stacks through which client loads are required.
  • the execution of a client load 38 first requires computing resources.
  • computing resources can be divided into virtual computing resources and physical computing resources.
  • Virtual computing resources are what we usually call virtual machines, which are provided in the form of virtual machine files. They sit in the local logical computing work stack 37 of the protocol stack. Below the local logical computing work stack 37 is the virtual machine manager (VMM) 36, which manages and controls the virtual machines.
  • The VMM 36 provides the exchange and arbitration of computing resources and maps the local logical computing work stack 37 to the local physical computing work stack 35.
  • The local physical computing work stack 35 consists of the physical resources on the server, specifically the CPU, memory, disk, I/O, etc. of the server.
  • The local physical computing work stack 35 can also be mapped to the local logical computing work stack 37.
  • Once the client load 38 obtains the physical resources it can actually run. The load then needs to be exchanged and transmitted.
  • For this, network resources for communication are required, including local network port resources and I/O link resources.
  • Communication between loads first goes through the local port resources and the TCP/UDP port layer 34, and is then mapped, layer by layer according to the hierarchy of the communication protocol stack, to network communication at the IP layer 33 of the I/O link, to data link communication at the data link layer 32, and finally to transmission over the lowest physical medium 31, which completes the entire communication process.
  • This flow session plane (signaling network) can separate physical resources and dynamic resource requirements to achieve on-demand provisioning of resources.
  • The stream session manager 41 (or application delivery controller) generates a streaming session; the address and server pool in the stream session manager 41 can dynamically configure the resources required for the streaming session. Because the user's request (a user-oriented application request) carries only the application information the user is concerned with, such as IP, port and protocol, it does not accurately provide a resource-oriented description of the application.
  • The stream session manager 41 therefore cannot route the request to a specific server for execution based on this information, so it first redirects the request to a pseudo server, namely the proxy server 42.
  • The proxy server 42 is equivalent to a broker between the user and the resources, and includes an application container 421, which stores the application information requested by the user, that is, the virtual applications, from virtual application 1 to virtual application n.
  • The whole system is regarded as an application that executes the request, and the request is regarded as an application request (APP) issued by the user to that application.
  • The application request at this point is a user-oriented description of the user's needs, also called a virtual application; when the request reaches a resource after the service providers' processing, the application request becomes a resource-oriented application that describes the resource requirement, also known simply as an application.
  • The proxy server 42 forwards the request to the control session manager 43 (which controls the direction of the request), and the session controller 431 in the control session manager 43 creates a control session associated with the streaming session for the request, negotiating the execution of the service requested by the user.
  • The communication protocol stack between the service providers involved in the control session forms a control signaling plane 432, which separates the service providers from the resource providers and allows any dynamic combination of service providers as needed, that is, multiple service provider planes are generated dynamically, from service provider plane 4321 and service provider plane 4322 to service provider plane 432n.
  • The control session manager 43 is coupled to the service bus 44, which is implemented with middleware infrastructure technology: a software architecture provided for service oriented architecture through event-driven and messaging engines.
  • Each service provider in the service provider set 441 is connected to the service bus 44 and registered under it.
  • The service bus 44 controls and manages the interaction between these service providers, service routing, protocol conversion, etc. User requests and session identities are propagated between service providers through the service bus.
  • The service providers here are a plurality of functional modules that provide application services to support and optimize resource access, such as a service enabler and a service factory; functional modules for virtual resource management, such as the virtual machine manager 4411, the storage manager 4412 and the network manager 4413; and some functional modules that improve performance, such as a monitor and an NMS.
  • The control session manager 43 runs on a central server.
  • Access to the service providers is implemented by agents 45; each service provider has an agent 45.
  • The agent 45 monitors requests, dispatches them, and sends each to the corresponding service provider; through the agents 45, concurrent requests can be processed. Through the service providers' processing and certain policies, the request is finally routed to a physical server in the resource center, a real server as opposed to the earlier proxy server.
  • FIG. 5 is a flow diagram of the interaction of the proxy server with the control session manager in the identity and session based resource access system, in accordance with one embodiment of the present invention.
  • The specific process is as follows:
  • Step 501 The stream session manager sends the request to the proxy server;
  • Step 502 Determine whether authentication and authorization pass; if they pass, proceed to step 503, otherwise return to step 502 to determine again;
  • Step 503 Determine whether it is a concurrent request; if so, proceed to step 504, otherwise proceed to step 505;
  • Step 504 The application container in the proxy server schedules the request;
  • Step 505 The proxy server sends the request to the control session manager;
  • Step 506 The session controller creates a control session related to the streaming session for the request;
  • Step 507 The control session ID is transmitted between the multiple service providers through the service bus, thereby forming the control signaling plane of service provider planes;
  • Step 508 Determine whether multiple requests simultaneously request to use a service; if so, proceed to step 510, otherwise proceed to step 509;
  • Step 509 The service bus allocates a service provider for the request;
  • Step 510 An agent on a service provider registered under the service bus allocates a service for the request.
  • FIG. 6 shows a partial storage structure of the session database 6, which stores the session relationships in the identity and session based resource access system, in accordance with one embodiment of the present invention.
  • Stored in the session database 6 are a plurality of session relationship tables, consisting of a stream session table 61, a control session table 62, a user session table 63, and a session relationship table 64.
  • The user sends an application request, and the application requested by the user is a resource. In order to let one user correspond to multiple requests and to multiplex resources and services, the session for a user request is separated into a streaming session, a control session, and a user session.
  • The stream session table 61 mainly stores the stream session together with the network address and network addressing identity information bound to it: specifically the streaming session ID, the network ID, and the I/O ID, where each ID is obtained by accessing the identity manager.
  • The network ID includes the identities of network devices such as switches and routers.
  • The I/O ID refers to the identity of a port; the addresses of these resources can be found by identity.
  • The stream session table corresponds to the I/O link resource and local network port resource portions of the flow session plane.
  • The control session is a session about the control plane, and the control session table 62 mainly stores the control session and the identity information of the service providers bound to it.
  • The control session table corresponds to the control signaling plane.
  • A user session is a session in which a user requests an application (app); it indicates the relationship between the user and the application and the component relationships of the application.
  • The user session table 63 mainly stores the identity information of these objects, including User Session ID, User ID, App ID, vApp ID, Domain ID, Component ID, VM ID, Server ID, and Storage ID. The relationships between them are dynamic. These IDs are obtained through the identity manager and are represented by the handle system in the identity manager, as detailed in the following figures.
  • The streaming session, control session and user session are three aspects of one request, and there is a close relationship between them.
  • A session relationship table 64 is therefore needed to represent the relationship between them. Since the application (app) requested by the user can be regarded as the service request, the service session ID is used as the primary key of the relationship table. The other attribute fields are the user session ID, streaming session ID and control session ID; each of these is the primary key of one of the previous tables, which associates these separate sessions within one request.
  • Session-related data is stored in the session store.
  • When a session ends, the corresponding resources need to be released; the session ID is created temporarily.
  • Other resource identities (IDs), including the identities of data center resources and service providers, are unchanged.
  • The core of the identity manager 7 is a handle resolution system 71 and an ID store 72 that stores identity information and various management configuration information, all marked by identifiers: invariant objects such as resources and service providers have unique invariant identifiers, while dynamic objects such as sessions have temporary identifiers. The invariance is guaranteed by the handle resolution system 71. The handle resolution system 71 is composed of four parts, the reference implementation 711, the protocol 712, the namespace 713 and the administrative service 714, of which the reference implementation 711 is the core of the handle resolution system 71, providing resolution services and a distributed classification service.
  • The distributed classification service 7113 receives different types of concurrent requests and, according to the type of each request, dispatches it to the address resolution service 7111 or the relationship resolution service 7112.
  • The address resolution service 7111 has a tree structure of address relationships, through which the location of a resource is found based on the resource identity.
  • The relationship resolution service 7112 uses a relational resolution service that stores users
  • The namespace 713 is the type name for a large number of different types of identifiers; it also includes grammar rules for the names of specific objects. Different namespaces can be divided according to type, and each namespace 713 has multiple different specific names. The administrative service
  • The ID store 72 is a storage device in the identity manager 7 for storing various pieces of information such as identity information and management configuration information; the various assets, processes, applications, services, etc. are stored in the ID store 72.
  • The identity manager provides an identity service, a relationship resolution service and an address resolution service for the session manager and the resource manager, providing support for locating resources and for resolving the relationships between objects.
  • The identity manager runs on an ID server.
  • The relationship resolution embodiment 81 of the present invention is composed of three parts: an object identifier 811, an object description 812, and a resolution service 813.
  • The object identifier 811 represents the identity of an object; the object here may be a resource of the data center, such as a virtual machine or a server, or a user request such as an application (app), a domain or a component, or application relationships and the like, or various sessions, or a management program in the system (also known as a service provider).
  • The object description 812 represents a description of the attributes, characteristics, and the like of each object.
  • The resolution service 813 is composed of a data type 8131, structural metadata 8132, and meta-objects 8133.
  • The structural metadata 8132 describes the structural relationships between objects. Because these relationships are complicated and include many-to-many cases (for example, one user can use multiple applications (app) at the same time, and one application (app) can be used by multiple users at the same time), they are represented by a graph structure, which guarantees references both from an upper object to a lower object and from a lower object back to an upper object in a many-to-many reference relationship.
  • Meta-objects are objects about objects, and data types are the categories of data.
  • The main objects that need to be resolved are listed in 82, including user 821, application (app) 822, domain 823, component 824, virtual resource 825, physical resource 826, and so on.
  • The relationships between these objects are also the user session relationships.
  • One user 821 can use multiple applications (app) 822 at the same time, and one application (app) 822 can be used simultaneously by multiple users 821; one application (app) 822 corresponds to a domain 823, and a domain 823 is composed of a plurality of components 824.
  • Since a component 824 is a special domain containing only one virtual machine instance (VM instance), such a component corresponds to one virtual machine (VM), and one virtual machine can be referenced by multiple domains 823.
  • One VM corresponds to multiple physical resources, such as CPU, memory, NIC and the like.
  • A VM has two IDs: one is the VM's own ID, and the other is a reference ID that points to the component 824 above, establishing an identity correspondence with the component 824.
  • 83 shows the main resources required to run a user request, including VM 831, LUN 832, RAID 833, vSwitch 834, NIC 835 and the like, related to one another by ID.
  • FIG. 9 is a diagram showing the address resolution relationships in the identity manager of FIG. 7.
  • Each resource is uniquely tagged: every resource has a unique identity tag together with a variable logical ID used to establish logical relationships between resources.
  • Just as the domain name system corresponds to IP addresses, each ID is unique and constant, so no matter where a resource is moved, it can be found by its ID.
  • Address resolution is implemented by a tree structure, which is an inheritance relationship in identity from root to leaf. Taking a data center as an example, one data center 91 can be divided into multiple groups 92, one group 92 has multiple hosts 93, one host 93 has multiple virtual machines 94, and one virtual machine 94 uses virtual hardware resources such as vCPU 951, vMemory 952, vNIC 953 and vHBA 954.
  • These virtual hardware resources are mapped through the virtual machine manager (VMM) to the corresponding physical hardware resources CPU 971, Memory 972, NIC 973 and HBA 974; one physical hardware device can correspond to multiple virtual hardware devices. The vNIC 953 connects to a vSwitch 96 in the VMM.
  • There may be one or more vSwitches 96 in the VMM; one vSwitch 96 connects to multiple vNICs 953, the vSwitch 96 connects to the physical NIC 973, and the NIC 973 connects to the switch 98.
  • One switch 98 can be connected to multiple NICs 973, that is, to multiple hosts 93, and shared storage 99 can also be reached via the switch 98.
  • A virtual machine can have multiple vSwitches 96, which manage different VLANs and are connected to different vSwitches.
  • The virtual machines are divided into different VLANs, and one vSwitch can connect different virtual machines on different hosts.
  • The address of a resource is requested by the ID of the resource: the request arrives at the address resolution service, which resolves the location of the resource by the resource's identity.
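As an added illustration of the session database of FIG. 6 and of the identity manager's address and relationship resolution (FIG. 7 to FIG. 9), the following Python model is not part of the patent; its class names, method names and all identifiers are constructed assumptions. It shows invariant resource handles surviving a move while temporary session IDs are released at session end.

```python
# Added example, not the patent's own code: a toy model of the identity manager
# and session database. Every class, method and identifier name is a constructed assumption.
import itertools
from collections import namedtuple

# One row of session relationship table 64, keyed by service session ID.
SessionRelation = namedtuple(
    "SessionRelation", "service_session_id user_session_id stream_session_id control_session_id")


class HandleResolver:
    """Handle resolution system 71: handles never change once registered."""

    def __init__(self):
        self._kind = {}    # handle -> object type (user, app, vm, host, ...)
        self._parent = {}  # tree edge used by the address resolution service 7111
        self._edges = {}   # undirected graph used by the relationship resolution service 7112

    def register(self, handle, kind, parent=None):
        """Registrar (step 1008): a handle is issued once and never reissued."""
        if handle in self._kind:
            raise ValueError(f"handle {handle!r} already registered")
        if parent is not None and parent not in self._kind:
            raise KeyError(f"unknown parent {parent!r}")
        self._kind[handle], self._parent[handle], self._edges[handle] = kind, parent, set()

    def is_registered(self, handle):
        return handle in self._kind

    def move(self, handle, new_parent):
        """Relocate a resource (e.g. VM migration): its address changes, its ID does not."""
        if handle not in self._kind or new_parent not in self._kind:
            raise KeyError("both handles must be registered")
        self._parent[handle] = new_parent

    def resolve_address(self, handle):
        """Walk the tree up from the resource; return the root-to-leaf path (step 1006)."""
        path, node = [], handle
        while node is not None:
            path.append(node)
            node = self._parent[node]  # KeyError for an unregistered handle
        return path[::-1]

    def relate(self, a, b):
        """Record a many-to-many relationship (user <-> app, app <-> VM, ...)."""
        self._edges[a].add(b)
        self._edges[b].add(a)

    def resolve_relations(self, handle, kind):
        """Related objects of the given type (step 1010)."""
        return {h for h in self._edges[handle] if self._kind[h] == kind}


class SessionStore:
    """Session database 6: temporary session IDs bound to invariant resource IDs."""

    def __init__(self, resolver):
        self.resolver = resolver
        self._seq = itertools.count(1)
        self.stream_sessions = {}   # table 61: stream session -> network ID, I/O ID
        self.control_sessions = {}  # table 62: control session -> service providers
        self.user_sessions = {}     # table 63: user session -> user, app, VM, server
        self.relations = {}         # table 64: service session -> SessionRelation

    def open_request(self, user_id, app_id, vm_id, net_id, io_id, providers):
        """Bind one request to its three sessions; every object must hold a handle (step 1003)."""
        for h in (user_id, app_id, vm_id, net_id, io_id, *providers):
            if not self.resolver.is_registered(h):
                raise KeyError(f"{h!r} is not registered in the identity manager")
        # Session IDs are temporary and minted per request.
        ss, cs, us, svc = (f"{p}-{next(self._seq)}" for p in ("stream", "ctrl", "user", "svc"))
        address = self.resolver.resolve_address(vm_id)  # [..., host, vm]
        self.stream_sessions[ss] = {"network_id": net_id, "io_id": io_id}
        self.control_sessions[cs] = {"providers": tuple(providers)}
        self.user_sessions[us] = {"user_id": user_id, "app_id": app_id, "vm_id": vm_id,
                                  "server_id": address[-2] if len(address) > 1 else None}
        self.relations[svc] = SessionRelation(svc, us, ss, cs)
        return self.relations[svc]

    def release(self, service_session_id):
        """Session end (step 213): drop temporary rows; referenced handles stay registered."""
        rel = self.relations.pop(service_session_id)
        del self.user_sessions[rel.user_session_id]
        del self.stream_sessions[rel.stream_session_id]
        del self.control_sessions[rel.control_session_id]
        return list(rel)


def build_sample():
    """Constructed sample topology in the shape of FIG. 8 and FIG. 9 (not real data)."""
    r = HandleResolver()
    for h, k, p in (("dc1", "datacenter", None), ("group1", "group", "dc1"),
                    ("host1", "host", "group1"), ("host2", "host", "group1"),
                    ("vm1", "vm", "host1")):
        r.register(h, k, p)
    for h, k in (("u1", "user"), ("u2", "user"), ("app1", "app"), ("app2", "app"),
                 ("sw1", "switch"), ("port1", "port"), ("vmm", "provider"), ("stor", "provider")):
        r.register(h, k)
    r.relate("u1", "app1"); r.relate("u2", "app1"); r.relate("u1", "app2")
    r.relate("app1", "vm1")
    return r, SessionStore(r)
```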
  • FIG. 10 is a flow diagram of the use of the identity manager in the identity and session based resource access system, in accordance with one embodiment of the present invention. Specifically, the following steps are included:
  • Step 1001 The client sends a request, and proceeds to step 1002;
  • Step 1002 The request arrives at the identity manager, and proceeds to step 1003;
  • Step 1003 Determine whether the requested object is registered in the identity manager; if registered, proceed to step 1004, otherwise proceed to step 1008;
  • Step 1004 Query the handle resolution system in the identity manager according to the ID, and proceed to step 1005;
  • Step 1005 Determine whether the resource address is being queried; if so, proceed to step 1006, otherwise proceed to step 1010;
  • Step 1006 Find the location of the resource using the address resolution service, and proceed to step 1007;
  • Step 1007 Return the location information to the requesting party, and end;
  • Step 1008 Register the object using the registrar, and proceed to step 1009;
  • Step 1009 The generator creates an identifier for the object according to the object type and the string rules;
  • Step 1010 The relationship resolution service finds the related objects, and proceeds to step 1011;
  • Step 1011 Return the relationship object information to the requesting party, and end.
  • The identity and session based resource access system of the present invention can, in the network instance environment of a data center, introduce the idea of separating service providers and resource providers from traditional telecommunications into the access of enterprise data center resources, realizing the separation of load and control sessions and using identity management methods to manage the identities of these resources.

Abstract

Disclosed are a resource access system and method based on identity and session, the system comprising a client-side, a session management center, a resource center and an identity manager; the client-side sends a service request and defines the resource information required for executing the service request; the session management center receives the service request, creates a streaming session according to the service request, creates a control session according to the streaming session, negotiates the resources required for the streaming session and the service provider required for the control session, and routes the request to the resource center; the resource center comprises an entity server, a network and storage; the resource center receives the service request and manages the running of the request; a virtual machine on the entity server runs the service request and feeds the running result back to the client-side; and the identity manager manages the identity information of objects such as resources, service providers, sessions and applications, and also manages the life cycle of the identity information.

Description

Field of invention
The present invention relates to the field of computer system applications, and more specifically to system scenarios including multiple servers, networks and storage, and proposes an identity and session based resource access system.
Background technique
How to use data center resources to support the business operations of an enterprise is the primary question in data center management. Especially as technology develops rapidly and application models emerge one after another, enterprises buy more and more data center equipment, including servers, storage and network devices, in an explosive trend; yet the planning approach of one set of equipment per business has created numerous equipment islands, so that these devices are rarely fully utilized, causing serious waste of resources. On the other hand, resource planning and business operation are separated: resource planning is done off-line while business operation is on-line, so resources cannot be shared between businesses, and the traditional manual approach lengthens the deployment cycle of a business and affects the efficiency of the enterprise. How to provide resource supply services effectively, that is, to realize resource sharing, dynamic provisioning and the automation of business processes, therefore becomes particularly important. A powerful management method and system that keeps pace with the times is needed to better cope with these "new problems" and to manage the data center effectively and comprehensively.
At present, virtualization has become an almost indispensable application in data centers, and more and more users are starting to move their data centers into virtualized environments. According to a recent study by an authoritative organization, 90% of enterprises have implemented virtualization technology to some extent. This also poses new questions for data center management tools: how to design an effective resource supply method and system in the era when virtualization prevails, so as to maintain and improve the efficiency of data center management?
When data center resources are supplied dynamically on demand, quality of service guarantee is the primary problem to be solved; the handling of concurrent requests, the multiplexing of resources and the multiplexing of services are the keys to improving efficiency, and this requires identity and session management. Many solutions to these problems have been proposed. US Patent No. 7,860,975, entitled "System and method for secure sticky routing of requests within a server farm", proposes a method in which an upstream device in a server farm, such as a load balancer or router, routes requests to servers; the servers use a secure and unique ID, or a network address derived from the request that determines how the request is routed through the server farm, to handle the sessions of those requests. This method can solve the problem of routing requests to servers in a data center, but it does not solve the problem of routing requests at the control session level, nor does it involve access to virtual resources. US Patent No. 7,930,734, entitled "Method and system for creating and tracking network session", proposes a method of creating and tracking a network session by collecting authenticated identity information, network address information and network addressing information and binding this information in the central database of a session manager, forming a session record that reflects the user's access to the network, which is used to detect anomalies such as intrusions in real time. This method is also at the communication level of the network session and does not involve the control plane. US Patent No. 7,953,918, entitled "Service Bus linking method and service bus for linking plurality of service buses together", proposes a service bus linking method and a method of linking a large number of service buses together. The method uses node identifiers to mark service buses, adds the identifier and the location of the service bus to a bus node table, and updates the table. This method aims to solve the identity management of the service bus itself and does not address the identity management of resources (various hardware and software resources) and applications. Some telecommunications companies also separate control sessions from streaming sessions, but their protocol stacks include only communication resources and do not involve computing resources, let alone virtual computing resources.
Summary of invention
The present invention addresses these problems, especially in the network instance environment of a data center, by introducing the idea of separating service providers and resource providers from traditional telecommunications into the access of enterprise data center resources, realizing the separation of load and control sessions, and using identity management methods to manage the identities of these resources.
The technical solution of the present invention is as follows. The present invention discloses an identity and session based resource access system, comprising:
a client, which sends a service request and defines the resource information required to execute the service request;
a session management center, which receives the service request sent by the client, creates a streaming session according to the service request and a control session according to the streaming session, negotiates the resources required by the streaming session and the service providers required by the control session, and routes the request to a resource center;
a resource center, comprising an entity server, a network and storage, where one or more virtual machines run on the entity server; the resource center receives the service request and manages the running of the request, and the virtual machine runs the service request and feeds the running result back to the client;
an identity manager, communicatively connected with the session management center and the resource center, which manages the identity information of objects such as resources, service providers, sessions and applications, and also manages the life cycle of the identity information.
According to an embodiment of the identity and session based resource access system of the present invention, the session management center comprises:
a stream session manager, which receives the service request sent by the client, creates a streaming session according to the service request, negotiates the resources required by the streaming session, and forwards the service request;
a proxy server, communicatively connected with the stream session manager, which receives the service request forwarded by the stream session manager and keeps the connection, obtains the streaming session information created by the stream session manager, and schedules concurrent service requests;
a control session manager, communicatively connected with the proxy server, which obtains the streaming session information from the proxy server, creates a control session according to the streaming session information, negotiates the service providers required by the control session, and forwards the service request;
a service bus, connected to the control session manager and to a plurality of service providers, which transfers requests and control session identity information between the service providers;
a session database, which saves the streaming session, control session and user session information generated while the service request is transmitted from the client to run on a virtual machine in the resource center and while the running result is fed back from the resource center to the client.
According to an embodiment of the identity and session based resource access system of the present invention, the stream session manager comprises:
a stream session generator, which creates a streaming session for a received service request and manages the life cycle of the streaming session, and also negotiates the resources required by the streaming session;
a flow signaling plane, communicatively connected with the stream session generator, formed by the communication protocol stack between the resources participating in the streaming session, which separates the physical resources from the dynamic resources.
According to an embodiment of the identity and session based resource access system of the present invention, the flow signaling plane comprises:
a protocol stack formed by I/O link resources, local network port resources and computing resources, where the computing resource protocol stack includes a local physical computing work stack, a virtual machine manager and a local logical computing work stack.
According to an embodiment of the identity and session based resource access system of the present invention, the proxy server comprises: an application container, which saves the request information related to the service request, including IP address, port number and protocol.
According to an embodiment of the identity- and session-based resource access system of the invention, the control session manager comprises:
a session controller, which creates a control session from the stream session, manages the life cycle of the control session, and negotiates the service providers needed to execute the control session;
a control signaling plane, formed by the communication protocol stack between the service providers that take part in the control session, which separates the service providers from the resource providers.
According to an embodiment of the identity- and session-based resource access system of the invention, the physical server comprises a server resource manager, a hardware architecture, a virtual machine manager and a number of virtual machines; the server resource manager manages the running of service requests on the virtual machines, and the virtual machine manager manages the virtual machines;
the network comprises a network resource manager, which manages network resources and networks the virtual machines on the physical servers;
the storage comprises a storage resource manager, which manages storage resources.
According to an embodiment of the identity- and session-based resource access system of the invention, the identity manager comprises:
a handle resolution system, which determines the location of resources and the relationships between the objects involved in a service request by resolving tree and graph structures;
a generator, which generates unique identity information for each defined resource and service provider, and generates identity information for each session and application;
a registrar, which registers each object with the identity manager and calls the generator to produce the object's identity;
an identity store, which stores the identity information of objects of all kinds, including sessions, service providers, resources and applications.
The invention also discloses an identity- and session-based resource access method, comprising:
an upstream stream session manager receives a resource request from a client;
the stream session manager creates, for the request, a stream session used to negotiate the resources needed to execute the client payload, and sends the request and the stream session information to an upstream proxy server;
the proxy server acts as a relay for multiple requests and sends the request and the stream session information to an upstream control session manager;
the control session manager creates, for the request, a control session associated with the stream session and used to negotiate the service providers that control the service request;
the control session manager interacts with an upstream service bus; the service bus is connected to multiple service providers, the request and the control session identity are passed between the service providers over the service bus, and the service providers route the request to a physical server in the downstream resource center;
the physical server runs one or more virtual machines, a resource manager manages the running of the request on a virtual machine, and the virtual machine runs the request and returns the result to the client.
According to an embodiment of the identity- and session-based resource access method of the invention, the method further comprises:
the stream session manager creates the stream session and accesses the identity manager to obtain a stream session identity; the proxy server creates a virtual application and accesses the identity manager, obtaining, through the relationship resolution service, a virtual application identity associated with the stream session identity;
the control session manager creates the control session associated with the stream session and accesses the identity manager, obtaining, through the relationship resolution service, a control session identity associated with the stream session identity;
the resource manager accesses the identity manager to obtain the unique identity of a resource and, from that unique identity, can find the location of the resource through the address resolution service.
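The identity lookups just described (stream session identity, the virtual application and control session identities associated with it, and address resolution of a resource from its unique identity) can be modelled with a small graph. The block below is an added example written for this page, not code from the patent or its assignee: it implements the four identity manager components the specification names (generator, registrar, identity store, handle resolution system) and also the virtual machine's second, reference identity that points at the components on it. All handle prefixes, object names and the host URL are assumptions made for the example.

```python
"""Added example, not the patent's own code: a minimal identity manager with a
generator, a registrar, an identity store and a handle resolution system that
answers relationship and address queries over a graph of registered objects.
Every handle prefix, object name and URL below is constructed for the example."""
import uuid
from collections import defaultdict
from typing import Dict, List, Optional, Set


class IdentityManager:
    def __init__(self) -> None:
        # identity store: handle -> record of the registered object
        self._store: Dict[str, dict] = {}
        # relationship graph: subject handle -> relation -> set of object handles
        self._edges: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))

    # generator: one unique identity per defined object, prefixed with its kind
    @staticmethod
    def _generate(kind: str) -> str:
        return f"{kind}:{uuid.uuid4().hex}"

    # registrar: register an object and call the generator for its identity
    def register(self, kind: str, name: str, location: Optional[str] = None) -> str:
        handle = self._generate(kind)
        self._store[handle] = {"kind": kind, "name": name, "location": location}
        return handle

    def relate(self, subject: str, relation: str, obj: str) -> None:
        # only registered handles may take part in a relationship
        for h in (subject, obj):
            if h not in self._store:
                raise KeyError(f"unregistered handle: {h}")
        self._edges[subject][relation].add(obj)

    # handle resolution, relationship service: objects reachable over one relation
    def resolve_related(self, handle: str, relation: str) -> List[str]:
        return sorted(self._edges[handle][relation])

    # handle resolution, address service: follow "hosted_on" edges until an
    # object that carries a location is found (a walk down the resource tree)
    def resolve_address(self, handle: str) -> Optional[str]:
        seen: Set[str] = set()
        frontier = [handle]
        while frontier:
            h = frontier.pop(0)
            if h in seen or h not in self._store:
                continue
            seen.add(h)
            if self._store[h]["location"]:
                return self._store[h]["location"]
            frontier.extend(self._edges[h]["hosted_on"])
        return None

    def kind_of(self, handle: str) -> str:
        return self._store[handle]["kind"]

    def name_of(self, handle: str) -> str:
        return self._store[handle]["name"]

    # end of an identity's life cycle: drop the record and every edge touching it
    def release(self, handle: str) -> None:
        self._store.pop(handle, None)
        self._edges.pop(handle, None)
        for relations in self._edges.values():
            for targets in relations.values():
                targets.discard(handle)


def demo_request_flow(im: IdentityManager) -> dict:
    """One request: stream session -> virtual application -> control session,
    plus address resolution of the VM chosen for it and the VM's reference
    identity (the second identity that points at the components on the VM)."""
    host = im.register("host", "server-141", location="https://resource-center.example/hosts/141")
    vm = im.register("vm", "vm-1414")
    im.relate(vm, "hosted_on", host)
    # the VM's second identity: a reference identity pointing at its components
    vm_ref = im.register("vm_ref", "vm-1414-ref")
    apache = im.register("component", "apache")
    im.relate(vm, "reference_identity", vm_ref)
    im.relate(vm_ref, "refers_to", apache)
    # stream session identity, then the identities the method associates with it
    ss = im.register("stream_session", "request-1")
    va = im.register("virtual_app", "lamp")
    im.relate(ss, "has_virtual_app", va)
    cs = im.register("control_session", "request-1")
    im.relate(ss, "has_control_session", cs)
    im.relate(cs, "targets", vm)
    ref = im.resolve_related(vm, "reference_identity")[0]
    return {
        "stream_session": ss,
        "virtual_app": im.resolve_related(ss, "has_virtual_app"),
        "control_session": im.resolve_related(ss, "has_control_session"),
        "vm": vm,
        "vm_location": im.resolve_address(vm),
        "vm_components": [im.name_of(c) for c in im.resolve_related(ref, "refers_to")],
    }
```

Two points a practitioner would check in such a component: `relate` refuses handles that were never registered, so a session identity cannot be linked to a resource the registrar has not seen, and `release` removes every edge that touches a released identity, so a finished session leaves no dangling association that a later lookup could follow.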
According to an embodiment of the identity- and session-based resource access method of the invention, the method further comprises:
after the proxy server receives the request and the stream session information sent by the stream session manager, it keeps the TCP/UDP connection to the stream session manager open;
once the request is running on a virtual machine on a physical server in the resource center, the TCP/UDP connection between the proxy server and the stream session manager is closed, and the result of the run is returned directly to the client by redirection.
According to an embodiment of the identity- and session-based resource access method of the invention, the method further comprises:
the stream session manager creates the stream session, generates the stream signaling plane, separates the physical resource demand from the dynamic resource demand, and controls the logical core network generated on demand.
According to an embodiment of the identity- and session-based resource access method of the invention, the method further comprises:
the control session manager creates the control session, generates the control session plane, and dynamically combines service providers in whatever arrangement the request requires, generating multiple service provider planes.
According to an embodiment of the identity- and session-based resource access method of the invention, the method further comprises:
using bridging to establish the identity correspondence between a virtual machine and the various virtual resources on it.
According to an embodiment of the identity- and session-based resource access method of the invention, the method further comprises:
assigning two identities to a virtual machine: one is the virtual machine's own identity, the other is a reference identity pointing to the components on the virtual machine, which establishes the identity correspondence between the virtual machine and those components.
The identity- and session-based resource access system of the invention brings the idea from traditional telecommunications of separating service providers from resource providers into the access of enterprise data center resources, in the network-instance environment of a data center; it separates the payload from the control session and uses identity management methods to manage the identities of these resources.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and other features, properties and advantages of the invention will become more apparent from the following description taken together with the drawings and embodiments, in which like reference numerals denote like features throughout:
Fig. 1 is a block diagram of the structure of an identity- and session-based resource access system according to an embodiment of the invention.
Fig. 2 is a general flowchart of the operation of the identity- and session-based resource access system according to an embodiment of the invention, describing the whole process from a user issuing an application request to an application instance running and being returned to the client.
Fig. 3 is a diagram of the stream session plane in the identity- and session-based resource access system according to an embodiment of the invention, showing the communication-resource and computing-resource protocol stacks a client payload has to pass through.
Fig. 4 is a block diagram of the interaction between the proxy server and control session management, and of the control session manager, in the identity- and session-based resource access system according to an embodiment of the invention.
Fig. 5 is a flowchart of the interaction between the proxy server and control session management in the identity- and session-based resource access system according to an embodiment of the invention.
Fig. 6 is a partial storage structure of the session database that stores session relationships in the identity- and session-based resource access system according to an embodiment of the invention.
Fig. 7 is a block diagram of the structure of the identity manager in the identity- and session-based resource access system according to an embodiment of the invention.
Fig. 8 is a block diagram describing the Relationship Resolution Service Implementation in the identity manager of Fig. 7.
Fig. 9 is a relation diagram of Address Resolution in the identity manager of Fig. 7.
Fig. 10 is a flowchart of the use of the identity manager in the identity- and session-based resource access system according to an embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION
Fig. 1 is a block diagram of the structure of an identity- and session-based resource access system according to an embodiment of the invention. Referring to Fig. 1, the invention discloses an identity- and session-based resource access system comprising a client 11, a session management center 12, a resource center 14 and an identity manager 13.
The client 11 issues a service request and defines the resource information needed to execute that service request.
The session management center 12 receives the service request issued by the client 11; in the invention a service request may also be called an application request. The session management center 12 creates a stream session from the service request and a control session from the stream session, negotiates the resources the stream session needs and the service providers the control session needs, and routes the request to the resource center.
The resource center 14 comprises physical servers, a network and storage; one or more virtual machines run on each physical server. The resource center 14 receives the service request and manages its running; a virtual machine runs the service request and returns the result to the client 11.
The identity manager 13 is communicatively connected to the session management center and the resource center. It manages the identity information of objects such as resources, service providers, sessions and applications, and also manages the life cycle of that identity information.
Referring to Fig. 1, the session management center 12 comprises a stream session manager 121, a proxy server 122, a control session manager 123, a service bus 124 and a session database 125. The stream session manager 121 manages real-time network sessions: it receives the service request sent by the client 11, creates a stream session from it, negotiates the resources the stream session needs, and forwards the service request. In the embodiment of Fig. 1 the stream session manager 121 comprises a stream session creator 1211 and a stream signaling plane 1212. The stream session creator 1211 creates a stream session for the received service request and manages its life cycle; it also negotiates the resources the stream session needs, that is, the resources needed to run the user payload. The stream signaling plane 1212 is communicatively connected to the stream session creator 1211 and is formed by the communication protocol stack between the resources that take part in the stream session; it separates the physical resources from the dynamic resources. The proxy server 122 is communicatively connected to the stream session manager 121. The proxy server 122 is the intermediary, or broker, between users and resources: it can identify a user's request, receives the service request forwarded by the stream session manager 121 and keeps the connection open, obtains the stream session information created by the stream session manager, and schedules concurrent service requests. In the embodiment of Fig. 1 the proxy server 122 comprises an application container 1221, which stores the request information related to the service request, including IP address, port number and protocol. The control session manager 123 is communicatively connected to the proxy server 122; it obtains the stream session information from the proxy server 122, creates the corresponding control session, negotiates the service providers the control session needs (that is, the service providers that control the user request), and forwards the service request. In the embodiment of Fig. 1 the control session manager 123 comprises a session controller 1231 and a control signaling plane 1232. The session controller 1231 creates a control session from the stream session and manages its life cycle; it also negotiates the service providers the control session needs. The control signaling plane 1232 is formed by the communication protocol stack between the service providers that take part in the control session and separates the service providers from the resource providers. The service bus 124 is connected to the control session manager 123; it is implemented by a middleware infrastructure, contains an event-driven and messaging engine, and is connected to multiple service providers. The session database 125 stores the stream session, control session and user session information produced while a service request travels from the client 11 to run on a virtual machine in the resource center 14 and while the result is returned from the resource center 14 to the client 11. The session database 125 may run on one or more servers.
With continued reference to Fig. 1, the physical server 141 in the resource center 14 comprises a server resource manager 1411, a hardware architecture 1412, a virtual machine manager 1413 and a number of virtual machines 1414. The server resource manager 1411 manages the running of service requests on the virtual machines, and the virtual machine manager 1413 manages the virtual machines 1414. The network 142 comprises a network resource manager 1421, which manages network resources and networks the virtual machines 1414 on the physical server 141. The storage 143 comprises a storage resource manager 1431, which manages storage resources and provides storage services for virtual machine images and other information.
Referring to Fig. 1, the identity manager 13 comprises a handle resolution system 131, a generator 132, a registrar 133 and an identity store 134. The handle resolution system 131 determines the location of resources and the relationships between the objects involved in a service request by resolving tree and graph structures. The generator 132 generates unique identity information for each defined resource and service provider, and also generates identity information for each real-time session and application. The registrar 133 registers objects with the identity manager and calls the generator to produce each object's identity. The identity store 134 stores the identity information of objects of all kinds, including sessions, service providers, resources and applications.
With continued reference to Fig. 1, the identity- and session-based resource access system operates as follows. The client 11 may be a user; the client 11 issues a service request, for example a request to create a LAMP stack, and defines the resource information needed to create it. The service request first reaches the streaming session manager 121 in the session management center 12, where the session creator 1211 creates a stream session for the service request, negotiates the resources needed to execute the user payload, and manages the life cycle of the session. The communication protocol stack between the resources that take part in the stream session forms the stream signaling plane 1212, which can separate the physical resource demand from the dynamic resource demand and control the logical core network generated on demand. The stream session manager 121 may be a layer 4 to layer 7 switch or an application delivery controller, for example an F5 LTM or Cisco ACE device. The stream session manager 121 passes the request to the proxy server (broker) 122 over TCP/UDP and keeps that TCP/UDP connection open. The proxy server 122 is the intermediary, or broker, between users and resources: it receives client-facing application requests, stores the user's request information (IP, port, protocol and so on) in the application container 1221, and schedules concurrent requests. The proxy server 122 then sends the request to the controlling session manager 123, which consists of the session controller 1231 and the control signaling plane 1232. The session controller 1231 creates the associated control session from the stream session, negotiates the service providers the control session needs (that is, the service providers that control the user request), and manages the life cycle of the session. The communication protocol stack between the service providers that take part in the control session forms the control signaling plane 1232, which separates the service providers from the resource providers and provides any dynamic combination of service providers as required. The control session manager 123 is connected to the service bus 124, a software architecture construct for service-oriented architectures that is implemented with middleware infrastructure technology and driven by an event and messaging engine. In the invention every service provider is connected to the service bus 124, and user requests and session identities propagate between service providers over the bus. Through the service providers' processing and certain policies, the request is finally routed to a server 141 in the resource center 14; in contrast to the intermediary role of the proxy server 122, the physical server 141 is the hardware device that finally runs the request. Each physical server 141 has a hardware architecture 1412, a virtual machine manager 1413, a number of virtual machines 1414 and a server resource manager 1411. The network resource manager 1421 in the network 142 manages network resources and the networking of the virtual machines, and the storage resource manager 1431 in the storage 143 manages storage resources. The service request is finally run by the server resource manager 1411 on one or more virtual machines 1414 on the physical server 141; running a virtual machine instance needs both network resources and storage resources. Once the service request is running, the result is returned directly to the client 11 (this is the payload transfer); at the same time the TCP/UDP connection between the stream session manager 121 and the proxy server (broker) 122 is closed, which ends the control signaling process. Stream session, control session, user session and similar information is stored in the session database 125, whose data may reside in memory or on disk. The session managers interact with the identity manager to obtain session identities and store the session-related information in the session database. The identity manager 13 manages the life cycle of identity information (IDs), that is, their generation, maintenance and deletion. It consists of the handle resolution system 131, the generator 132, the registrar (Registry) 133 and the identity store (Store) 134. The handle resolution system 131 is the core of the identity manager 13; it resolves the location of resources and the application relationships mainly through tree and graph structures. The registrar 133 manages the registration of resources with the identity manager 13, and the generator 132 generates an identifier for each defined object according to certain rules. The identity store 134 is the data storage center of the identity manager 13; it stores the identity information of resources, service providers, sessions, applications and other objects, together with resolution information, configuration services and similar information. In one or more preferred embodiments of the invention, when the request reaching the host resource manager 1411 is start VM, the host resource manager 1411 needs to obtain the URL of the virtual machine from the identity manager 13. Virtual machine images are kept in shared storage 143; when the request is create VM, the URL of the virtual machine template has to be obtained from the storage 143, which involves the storage resource manager 1431 on the storage 143.
Fig. 2 is a general flowchart of the operation of the identity- and session-based resource access system according to an embodiment of the invention, describing the whole process from a user issuing an application request to an application instance running and being returned to the client. The specific steps are as follows:
步骤 201, 用户发出应用请求(用户请求应用, 包含 IP, port, protocol等), 这里的应用请求即服务请求, , 比如创建一个 lamp, 请求资源;  Step 201: The user sends an application request (the user requests the application, including IP, port, protocol, etc.), where the application request is a service request, for example, creating a lamp, requesting a resource;
步骤 202, 判断用户是否通过认证授权, 若通过, 请求转移到 203, 否则 请求转移到 201 ;  Step 202: Determine whether the user passes the authentication and authorization. If yes, the request is transferred to 203, otherwise the request is transferred to 201;
步骤 203, 请求到达流会话管理器, 流会话管理器为请求生成一个会话 ( session) , 访问身份管理器, 获得一个流会话身份 ( streaming session ID ) , 将流会话身份存入到流会话表格的一条记录中;  Step 203, the request arrives at the stream session manager, the stream session manager generates a session for the request, accesses the identity manager, obtains a streaming session ID, and stores the stream session identity into the stream session table. In a record;
步骤 204, 流会话管理器将请求和流会话身份 (streaming session ID ) 转入 到作为虚拟服务器 (fake server) 的代理服务器, 并保持 TCP/UDP连接, 保持 该连接的目的是为了将请求转入到控制信令过程,实现请求的有效控制,路由, 以及服务质量保证等, 关于代理服务器, 可以看做用户和资源间的中间人或经 纪人, 代理服务器可以识别用户的请求, 并将请求转入到后面的处理系统, 将 会在图 4中详细说明;  Step 204, the streaming session manager transfers the request and the streaming session ID to the proxy server as a fake server, and maintains the TCP/UDP connection. The purpose of the connection is to transfer the request. To the control signaling process, to achieve effective control of the request, routing, and quality of service assurance, regarding the proxy server, can be seen as a middleman or broker between the user and the resource, the proxy server can identify the user's request, and transfer the request The processing system to the back will be described in detail in Figure 4;
步骤 205, 代理服务器访问身份管理器, 通过关系求解服务, 获得与上述 流会话身份相关联的虚拟应用身份, 同时将请求和流会话身份 (streaming session ID )发送到控制会话管理器, 这里把整个系统看成执行请求的一个应用 程序, 把请求看作用户向应用程序发出的应用请求 (APP) , 请求由用户发出, 到达代理服务器时, 此时的应用请求是用户描述的面向用户的应用, 也称之为 虚拟应用请求;  Step 205: The proxy server accesses the identity manager, obtains the virtual application identity associated with the flow session identity by using the relationship solving service, and sends the request and the streaming session ID to the control session manager, where the entire The system is regarded as an application that executes the request, and the request is regarded as an application request (APP) issued by the user to the application, and the request is sent by the user, and when the proxy server is reached, the application request at this time is a user-oriented application described by the user. Also known as a virtual application request;
步骤 206, 控制会话管理器根据流会话为请求创建一个相关的控制会话 ( controlling session) , 并访问身份管理器, 通过关系求解服务, 获得与流会 话身份相关的控制会话身份 (Controlling session ID ) ;  Step 206: The control session manager creates an associated controlling session for the request according to the streaming session, and accesses the identity manager to obtain a Controlling Session ID related to the streaming session identity through the relationship solving service.
步骤 207, 控制会话管理器调用服务总线, 服务总线通过与之相连的多个 服务提供者将虚拟应用程序转化为应用程序, 控制请求走向, 控制会话通过服 务总线在服务提供者间传递, 同时将请求路由到资源中心的实体服务器上; 步骤 208, 服务器上的资源管理器管理应用请求的执行, 通过访问身份管 理器获取执行应用请求所需的资源; Step 207: The control session manager invokes a service bus, and the service bus converts the virtual application into an application through a plurality of service providers connected thereto, controls the request direction, and controls the session to be transmitted between the service providers through the service bus, and The request is routed to the physical server of the resource center; Step 208, the resource manager on the server manages the execution of the application request, by accessing the identity tube The processor obtains the resources required to execute the application request;
Step 209: determine whether the resources are ready; if all resources are ready, proceed to step 211, otherwise proceed to step 210;
Step 210: wait until all resources are ready;
Step 211: execute the request, generating an application instance (APP INSTANT);
Step 212: the streaming session manager manages the running data payload and disconnects the TCP/UDP connection that was established with the proxy server for this request;
Step 213: the result of executing the request is returned directly to the client via a redirect; after the session ends, the resource information associated with it is released.
Figure 3 is a diagram of the streaming session plane in the identity and session based resource access system according to one embodiment of the invention, showing the protocol stacks of the communication resources and computing resources that a client payload must pass through. In the streaming session plane, executing a client payload 38 first requires computing resources; in a virtualized environment these divide into virtual computing resources and physical computing resources. Virtual computing resources are what are commonly called virtual machines, provided concretely as virtual machine files, and they occupy the local logical computing work stack 37 in the protocol stack. Below the local logical computing work stack 37 is the virtual machine manager VMM 36, which manages and controls the virtual machines; VMM 36 provides switching and arbitration of computing resources and maps the local logical work stack 37 onto the local physical computing work stack 35, i.e. the physical resources on the server, specifically devices such as the server's CPU, memory, disk and I/O. Naturally the local physical computing work stack 35 can also be mapped onto the local logical work stack 37. Once the client payload 38 has obtained physical resources it can actually run. Payloads need to interact and transfer data between themselves, which requires network resources for communication, comprising local network port resources and IO link resources. Communication between payloads first goes through the local port resources and the TCP/UDP ports 34 and is then mapped, layer by layer according to the communication protocol stack, to network communication at the IP layer 33 of the IO link and data-link communication at the data link layer 32, down to transmission over the lowest-level physical medium 31, at which point the whole communication process is complete and the result of execution is returned to the client. The communication process is managed by the streaming session manager, which guarantees the running of the client payload's network instance and its quality of service. This streaming session plane (signalling network) can separate physical resources from dynamic resource demand and achieve on-demand supply of resources.
Figure 4 is a block diagram of the interaction between the proxy server and control session management, and of the control session manager, in the identity and session based resource access system according to one embodiment of the invention. The streaming session manager 41 (or application delivery controller) generates the streaming session; the addresses and server pool in the streaming session manager 41 can dynamically configure the resources the streaming session needs. Because the request issued by the user (the user-oriented application request) carries only the application information the user cares about, such as IP, port and protocol, which does not accurately provide a resource-oriented application description, the streaming session manager 41 cannot route the request to a specific server for execution from that information alone, so it first diverts the request to a virtual server (fake server), namely the proxy server 42. The proxy server 42 acts as a broker between the user and the resources and contains an application container 421 which holds the application information requested by users, i.e. the virtual applications, from virtual application 1 to virtual application n. Here the whole system is regarded as one application program that executes requests, and a request is regarded as an application request (APP) issued by the user to that program. The request is issued by the user; when it reaches the proxy server, the application request at that point is the user-oriented application described by the user, also called a virtual application; when the request has been processed by the service providers and reaches the resources, the application request has become a resource-oriented application describing the resource requirements, also simply called an application. The proxy server 42 forwards the request to the control session manager 43 (to control the direction the request takes); the session controller 431 in the control session manager 43 creates a control session associated with the streaming session for the request, negotiates the communication between the service providers that execute the user's request, and manages the lifecycle of the session. The communication protocol stack between the service providers taking part in the control session forms the control signalling plane 432, which can separate service providers from resource providers and provide any dynamic combination of service providers as needed, i.e. dynamically generate multiple service provider planes, from service provider plane 4321 and service provider plane 4322 through to service provider plane 432n. The control session manager 43 is connected to the service bus 44; the service bus 44 is implemented with middleware infrastructure technology and is a software architecture construct provided for service-oriented architectures through an event-driven and message engine. In the invention, each service provider in the service provider set 441 is connected to the service bus 44 and registered under it, and the service bus 44 controls and manages the interaction between these service providers, service routing, protocol conversion and so on. User requests and session identities are propagated between service providers over the service bus. The service providers here are the several functional modules that provide application services supporting and optimising resource access, such as a service enabler and a service factory; the functional modules of virtual resource management, such as the virtual machine manager 4411, the storage manager 4412 and the network manager 4413; and some performance-enhancing functional modules such as a monitor and an NMS. The control session manager 43 runs on a central server. Access to the service providers is implemented through agents 45: every service provider has an agent 45, and when an agent 45 observes a request it schedules the request and then sends it to the corresponding service provider; the agents 45 make it possible to handle concurrent requests. Through the processing of the service providers and certain policies, the request is finally routed to a physical server in the resource center, "physical server" being in contrast to the proxy server above.
Figure 5 is a flow diagram of the interaction between the proxy server and the control session manager in the identity and session based resource access system according to one embodiment of the invention. The specific process is as follows:
Step 501: the streaming session manager sends the request to the proxy server;
Step 502: determine whether the request passes authentication and authorization; if so, proceed to step 503, otherwise return to step 502 and determine again;
Step 503: determine whether the request is a concurrent request; if so, proceed to step 504, otherwise proceed to step 505;
Step 504: the application container in the proxy server schedules the request;
Step 505: the proxy server sends the request to the control session manager;
Step 506: the session controller creates a control session associated with the streaming session for the request;
Step 507: the controlling session ID is passed between the several service providers over the service bus, thereby forming the control signalling plane (service provider plane);
Step 508: determine whether several requests are simultaneously requesting the use of one service; if so, proceed to step 510, otherwise proceed to step 509;
Step 509: the service bus allocates a service provider for the request;
Step 510: the agent on a service provider registered under the service bus allocates a service for the request. Through this process the request can be routed to a physical server for execution, so that the request accesses real physical resources.
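The interaction of Figure 5 (and the tail of Figure 2, steps 205 to 208) as a small runnable model. This is an added example, not code from the patent: the class names (ProxyServer, ControlSessionManager, ServiceBus, Agent), the credential and authorization tables, and the sample users, tokens and providers are all constructed. Two details are design choices of the example rather than the figure: where step 502 loops back on a failed authentication, the example rejects the request outright, and the control session manager refuses to derive a control session from a streaming session ID that the streaming session manager never issued, which is the binding check a reviewer would expect between the two session kinds.

```python
"""Proxy server / control session manager / service bus flow of Figure 5 (constructed model)."""
from collections import deque
from dataclasses import dataclass, field
import itertools

@dataclass
class Request:
    streaming_session_id: str
    user: str
    token: str
    service: str                                  # service the user-oriented request asks for
    route: list = field(default_factory=list)     # IDs visited: the control signalling plane

# Constructed credential and authorization tables standing in for a real AAA backend.
VALID_TOKENS = {"user-alice": "tok-alice", "user-bob": "tok-bob"}
AUTHORIZED = {("user-alice", "vm.create"), ("user-bob", "vm.create"),
              ("user-alice", "storage.attach")}

class Agent:
    """Per-provider agent (45): queues requests so one provider serves them in order."""
    def __init__(self, provider_id):
        self.provider_id = provider_id
        self.queue = deque()
    def allocate(self, req):
        self.queue.append(req)
        req.route.append(self.provider_id)
        return len(self.queue)                    # position in this provider's queue

class ServiceBus:
    def __init__(self):
        self.providers = {}                       # service name -> [Agent, ...]
        self.inflight = {}                        # service name -> requests competing for it
    def register(self, provider_id, service):
        self.providers.setdefault(service, []).append(Agent(provider_id))
    def dispatch(self, req, controlling_session_id):
        agents = self.providers.get(req.service)
        if not agents:
            raise LookupError(f"no provider registered for {req.service}")
        req.route.append(controlling_session_id)  # step 507: the session ID travels on the bus
        competing = self.inflight.get(req.service, 0)
        self.inflight[req.service] = competing + 1
        if competing == 0:                        # step 509: the bus picks a provider itself
            agent = agents[0]
        else:                                     # step 510: contention, agents arbitrate
            agent = agents[competing % len(agents)]
        return agent.allocate(req)
    def release(self, service):
        self.inflight[service] = max(0, self.inflight.get(service, 0) - 1)

class ControlSessionManager:
    def __init__(self, bus, known_streaming_sessions):
        self.bus = bus
        self.known = known_streaming_sessions     # IDs issued by the streaming session manager
        self._ids = itertools.count(1)
        self.sessions = {}                        # controlling session id -> streaming session id
    def handle(self, req):
        # Binding check (example's addition): a control session is only derived from an
        # existing streaming session, so an unknown streaming session ID is refused.
        if req.streaming_session_id not in self.known:
            raise PermissionError("unknown streaming session")
        cs_id = f"cs-{next(self._ids)}"           # step 506
        self.sessions[cs_id] = req.streaming_session_id
        return cs_id, self.bus.dispatch(req, cs_id)

class ProxyServer:
    def __init__(self, csm):
        self.csm = csm
        self.container = deque()                  # application container (421)
    def authenticated(self, req):                 # step 502
        return (VALID_TOKENS.get(req.user) == req.token
                and (req.user, req.service) in AUTHORIZED)
    def submit(self, *reqs):
        """Accept a batch; concurrent requests are scheduled through the container (503/504)
        and forwarded in that order to the control session manager (505)."""
        results = {}
        for r in reqs:
            if not self.authenticated(r):
                results[r.user, r.service] = "rejected"
                continue
            self.container.append(r)
        while self.container:
            r = self.container.popleft()
            results[r.user, r.service] = self.csm.handle(r)
        return results
```

After `submit`, each accepted request's `route` lists the controlling session ID followed by the provider that served it, i.e. the path the control session took across the service provider plane; the return value pairs that session ID with the request's position in the provider agent's queue.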
Figure 6 shows part of the storage structure of the session database that stores session relationships in the identity and session based resource access system according to one embodiment of the invention. The session database 6 stores several session relationship tables, consisting of a streaming session table 61, a controlling session table 62, a user session table 63 and a session relationship table 64. The user issues an application request; in the invention the application requested by the user is itself a resource, and in order to let one user correspond to several requests and to allow reuse of resources and reuse of services, the session for a user request is separated into a streaming session, a controlling session and a user session. The streaming session table 61 mainly stores the streaming session together with the network address and network addressing identity information bound to it, specifically the streaming session ID, the Network ID and the input/output port identity (I/O ID), where the IDs are obtained by accessing the identity manager. The Network ID comprises the identities of network devices such as switches and routers; the I/O ID refers to the identity of a port; through the identity the address of these resources can be found. The streaming session table corresponds to the I/O link resource and local network port resource parts of the streaming session plane. The controlling session is the session on the control plane; the controlling session table 62 mainly stores the controlling session together with the identity information of the service providers bound to it, specifically the controlling session ID and several service provider IDs, with the IDs supplied by the identity manager. The controlling session table corresponds to the control signalling plane. The user session is the session in which the user requests an application (app); it expresses the relationship between the user and the app and the component relationships of the app. The user session table 63 mainly stores the identity information of these objects, specifically User session ID, User ID, App ID, vApp ID, Domain ID, Component ID, VM ID, Server ID and Storage ID. The relationships between them are dynamic. All these IDs are obtained through the identity manager, and the relationships among them are expressed through the handle system in the identity manager, described in detail in the later figures. The streaming session, controlling session and user session are three aspects of one request and are closely linked, so a session relationship table 64 is needed to express the relationship between them. Since the application (app) requested by the user can be considered a service request, the service session ID is used as the primary key of the relationship table; the other attribute fields are User session ID, streaming session ID and controlling session ID, which are the primary keys of the preceding tables, so that these separated sessions are associated in one request. When a session is created, the session-related data is stored in the session database (Session Store); when a session is terminated, the corresponding resources must be released. Session IDs are created temporarily, while the other resource identities (IDs), including data center resource and service provider IDs, are invariant; when a session ends, the session must be deleted from the temporary tables and the corresponding resources released. This process is equivalent to a subscription: when the subscription ends, the resources are released.
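The four tables of Figure 6 and the create/terminate lifecycle described above, as an added example in Python with SQLite (not the patent's own schema or code). Table and column names follow the figure; the resource, provider and user IDs in the sample data are constructed placeholders. The example makes the two points above concrete: the session relationship row is keyed by a service session ID and references the three per-request sessions by their primary keys, and terminating a session deletes only the temporary session rows while reporting the invariant resource IDs that are thereby released.

```python
"""Session store modelled on the four tables of Figure 6 (constructed example)."""
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE streaming_session (
    streaming_session_id TEXT PRIMARY KEY,
    network_id TEXT NOT NULL,                 -- switch/router identity from the identity manager
    io_id TEXT NOT NULL                       -- port identity
);
CREATE TABLE controlling_session (
    controlling_session_id TEXT PRIMARY KEY,
    service_provider_ids TEXT NOT NULL        -- comma-separated service provider IDs
);
CREATE TABLE user_session (
    user_session_id TEXT PRIMARY KEY,
    user_id TEXT NOT NULL, app_id TEXT NOT NULL, vapp_id TEXT, domain_id TEXT,
    component_id TEXT, vm_id TEXT, server_id TEXT, storage_id TEXT
);
CREATE TABLE session_relationship (
    service_session_id TEXT PRIMARY KEY,
    user_session_id TEXT NOT NULL REFERENCES user_session,
    streaming_session_id TEXT NOT NULL REFERENCES streaming_session,
    controlling_session_id TEXT NOT NULL REFERENCES controlling_session
);
"""

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # relationship rows must point at real sessions
    conn.executescript(SCHEMA)
    return conn

def create_request_session(conn, user_id, app_id, network_id, io_id, providers, vm_id):
    """Create the three per-request sessions and bind them in the relationship table.
    The four session IDs are temporary (minted here); the resource and provider IDs
    passed in are the invariant identities issued by the identity manager."""
    ss, cs, us, svc = (str(uuid.uuid4()) for _ in range(4))
    with conn:
        conn.execute("INSERT INTO streaming_session VALUES (?,?,?)", (ss, network_id, io_id))
        conn.execute("INSERT INTO controlling_session VALUES (?,?)", (cs, ",".join(providers)))
        conn.execute("INSERT INTO user_session VALUES (?,?,?,?,?,?,?,?,?)",
                     (us, user_id, app_id, None, None, None, vm_id, None, None))
        conn.execute("INSERT INTO session_relationship VALUES (?,?,?,?)", (svc, us, ss, cs))
    return svc

def lookup(conn, service_session_id):
    """Resolve one request's three sessions through the relationship table."""
    return conn.execute(
        """SELECT r.service_session_id, s.network_id, s.io_id, c.service_provider_ids,
                  u.user_id, u.app_id, u.vm_id
           FROM session_relationship r
           JOIN streaming_session  s USING (streaming_session_id)
           JOIN controlling_session c USING (controlling_session_id)
           JOIN user_session       u USING (user_session_id)
           WHERE r.service_session_id = ?""", (service_session_id,)).fetchone()

def end_session(conn, service_session_id):
    """Terminate a request: delete the temporary session rows (relationship row first,
    then the three rows it references) and return the invariant resource IDs released."""
    row = lookup(conn, service_session_id)
    if row is None:
        return None
    us, ss, cs = conn.execute(
        "SELECT user_session_id, streaming_session_id, controlling_session_id "
        "FROM session_relationship WHERE service_session_id = ?", (service_session_id,)).fetchone()
    with conn:
        conn.execute("DELETE FROM session_relationship WHERE service_session_id = ?", (service_session_id,))
        conn.execute("DELETE FROM user_session WHERE user_session_id = ?", (us,))
        conn.execute("DELETE FROM streaming_session WHERE streaming_session_id = ?", (ss,))
        conn.execute("DELETE FROM controlling_session WHERE controlling_session_id = ?", (cs,))
    released = {row[1], row[2], row[6]} | set(row[3].split(","))
    return sorted(released)

def row_counts(conn):
    tables = ("streaming_session", "controlling_session", "user_session", "session_relationship")
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in tables}
```

The released IDs are returned rather than deleted because, as the text says, they are not session data: they remain registered in the identity manager's ID store and only the subscription on them ends.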
Figure 7 is a structural block diagram of the identity manager in the identity and session based resource access system according to one embodiment of the invention. The core of the identity manager 7 is the handle resolution system 71 and the ID store 72, which holds identity information and all kinds of management configuration information. Objects are marked with identifiers: invariant objects such as resources and service providers each have a unique, unchanging identifier, while dynamic objects such as sessions have a temporary identifier. Persistence is guaranteed by the handle resolution system 71. The handle resolution system 71 consists of four parts: a reference implementation 711, a protocol 712, a namespace 713 and an administrative service 714. The reference implementation 711 is the core of the handle resolution system 71 and provides the resolution services and a distributed category service. The distributed category service 7113 receives concurrent requests of different types and, according to the type of request, schedules them and forwards them to the address resolution service 7111 or the relationship resolution service 7112. The address resolution service 7111 holds a tree structure of address relationships, through which the location of a resource is found from the resource identity. The relationship resolution service 7112 holds the structure of the relationships between users, applications (apps), resources, sessions and so on, and connects these objects effectively; because the relationships between them are fairly complex and many-to-many mappings are common, structures such as trees and graphs can be used to describe them. When a user accesses a resolution or administrative process in the system, the protocol 712 is used to authenticate the client. The namespace 713 holds the type names of the many different kinds of identifiers and also the syntax rules for the names of concrete objects; different namespaces can be divided by type, and under each namespace 713 domain there are many different concrete names. The administrative service 714 provides the various configuration management services in the system. The ID store 72 is the storage in the identity manager 7 for identity information, management configuration information and other information; the identities of all resources, processes, applications, services and so on are stored in the ID store 72. In one or more preferred embodiments of the invention, the identity manager provides identity services, the relationship resolution service and the address resolution service for the session managers and the resource manager, supporting the resolution of relationships between objects and the lookup of resource locations. The identity manager runs on an ID server.
Figure 8 is a block diagram describing the implementation of the relationship resolution service in the identity manager of Figure 7. The relationship resolution implementation 81 of the invention consists of three parts: object identifiers 811, object descriptions 812 and the resolution service 813. The object identifier 811 denotes the identity of an object; an object here may be a data center resource such as a virtual machine or a server, an element of the application relationships requested by the user such as an application (app), a domain or a component, any of the sessions, or a management program in the system (which may also be called a service provider). The object description 812 describes the attributes, characteristics and so on of each object. The resolution service 813 consists of data types 8131, structural metadata 8132 and meta-objects 8133. The structural metadata 8132 describes the structural relationships between objects; because the relationships are complex and many-to-many cases exist, for instance one user may use several apps at the same time and one app may be used by several users at the same time, a graph structure is used to represent them, which guarantees many-to-many references both from an upper object to the objects below it and from a lower object to the objects above it. Metadata means objects about objects; data types are the classification of data. Block 82 lists the main objects that need to be resolved, including user 821, app 822, domain 823, component 824, virtual resource 825 and physical resource 826. The relationships between these objects also form a user session relationship: within one user session, one user 821 can use several apps 822 at the same time and one app can be used by several users 821 at the same time; one app 822 corresponds to one domain 823; one domain 823 is composed of several components 824; since a component 824 is a special domain containing only one virtual machine instance (VM instance), one such component corresponds to one virtual machine VM, and one VM can be referenced by several such components; and one VM corresponds to several physical resources such as cpu, memory and nic. A VM has two IDs, one its own and the other a Reference ID pointing to the component 824 above it, establishing the identity correspondence with component 824. Block 83 shows the main resources a user request needs in order to run, including VM 831, LUN 832, Raid 833, vswitch 834 and Nic 835; the relationships between these resources are identified by IDs.
Figure 9 is a diagram of the relationships used for address resolution in the identity manager of Figure 7. In the identity manager every resource is given a unique identity mark: each resource has a unique identifier and at the same time a variable logical ID used to establish logical relationships between resources. This differs from the domain name system, where a domain name corresponds to an IP address; here every ID is unique and invariant, so wherever a resource is moved it can be found through its ID. Address resolution is implemented through a tree structure, in which identity is inherited from root to leaf. Taking a data center as an example: one data center 91 can be divided into several groups 92; one group 92 has several hosts 93; one host 93 runs several virtual machines 94; one virtual machine 94 uses virtual hardware resources such as vCPU 951, vMemory 952, vNic 953 and vHBA 954; the virtual hardware resources are mapped by the virtual machine manager VMM onto the corresponding physical hardware resources CPU 971, Memory 972, Nic 973 and HBA 974, and one physical hardware device can correspond to several virtual hardware devices. The vNic 953 connects to a vSwitch 96 in the virtual machine manager VMM; the VMM can have one or more vSwitches 96, and one vSwitch 96 connects several vNics 953; the vSwitch 96 connects to the physical Nic 973, which in turn connects to the switch 98; one switch 98 can connect several Nics 973, i.e. several hosts 93, and shared storage 99 can also be reached through the switch 98. For the underlying resources on the host, a Tap Bridge is used to establish the identity correspondence between a virtual machine 94 and the various virtual resources on it; a virtual machine 94 can have several vSwitches 96, each managing a different vlan, and virtual machines connected to different vSwitches are placed in different vlans, while one vSwitch can connect different virtual machines on different hosts. When the address of a resource is requested by the resource's ID, the request reaches the address resolution service, which resolves the location of the resource from its identity.
Figure 10 is a flow diagram of using the identity manager in the identity and session based resource access system according to one embodiment of the invention. It specifically includes the following steps:
Step 1001: the client issues a request, and proceed to step 1002;
Step 1002: the request reaches the identity manager, and proceed to step 1003;
Step 1003: determine whether the requested object is registered in the identity manager; if it is registered, proceed to step 1004, otherwise proceed to step 1008;
Step 1004: query the handle resolution system in the identity manager by the ID, and proceed to step 1005;
Step 1005: determine whether a resource address is being queried; if so, proceed to step 1006, otherwise proceed to step 1010;
Step 1006: find the location of the resource through the address resolution service, and proceed to step 1007;
Step 1007: return the location information to the requester, and end;
Step 1008: register the object using the registrar, and proceed to step 1009;
Step 1009: the generator creates an identifier ID for the object according to the object type and the string rules, and proceed to step 1004;
Step 1010: find the related objects through the relationship resolution service, and proceed to step 1011;
Step 1011: return the relationship object information to the requester, and end.
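The identity manager of Figures 7 to 10 as one added Python example (not the patent's own code): an ID store with per-type identifier generation (steps 1008 and 1009), address resolution over the root-to-leaf tree of Figure 9, relationship resolution over the many-to-many graph of Figure 8, and a `handle_request` method that follows the Figure 10 flow. The class name, the identifier string rule (`<type>-<counter>`), the `move` operation and the sample data center objects are constructed; the patent specifies none of them. The `move` method is there to show the property the Figure 9 text stresses: relocating a resource changes the address path that resolution returns, but never its ID.

```python
"""Identity manager with handle resolution (Figures 7-10), constructed example."""
from collections import defaultdict
import itertools

class IdentityManager:
    def __init__(self):
        self.store = {}                       # ID store (72): object id -> (type, name)
        self.parent = {}                      # address tree (Fig. 9): child id -> parent id
        self.links = defaultdict(set)         # relationship graph (Fig. 8), kept symmetric
        self._counters = defaultdict(lambda: itertools.count(1))
        self.registered = {}                  # namespace (713): (type, name) -> id

    # --- registrar and generator (steps 1003, 1008, 1009) ---
    def register(self, obj_type, name, parent=None):
        key = (obj_type, name)
        if key in self.registered:            # step 1003: already registered, reuse its ID
            return self.registered[key]
        # Constructed string rule: <type>-<zero-padded counter>, e.g. "vm-0003".
        oid = f"{obj_type}-{next(self._counters[obj_type]):04d}"
        self.store[oid] = (obj_type, name)
        self.registered[key] = oid
        if parent is not None:
            if parent not in self.store:
                raise KeyError(f"parent {parent} not registered")
            self.parent[oid] = parent
        return oid

    def relate(self, a, b):
        """Record one many-to-many edge (user<->app, app->domain, component<->vm, ...)."""
        for x in (a, b):
            if x not in self.store:
                raise KeyError(x)
        self.links[a].add(b)
        self.links[b].add(a)

    def move(self, oid, new_parent):
        """Relocate a resource: its ID is unchanged, only its address path changes."""
        if oid not in self.store or new_parent not in self.store:
            raise KeyError(oid if oid not in self.store else new_parent)
        self.parent[oid] = new_parent

    # --- address resolution service (7111): root-to-leaf path ---
    def resolve_address(self, oid):
        if oid not in self.store:
            raise KeyError(oid)
        path = [oid]
        while path[-1] in self.parent:
            path.append(self.parent[path[-1]])
        return list(reversed(path))           # e.g. [datacenter, group, host, vm]

    # --- relationship resolution service (7112): neighbours, optionally by type ---
    def resolve_relationships(self, oid, want_type=None):
        if oid not in self.store:
            raise KeyError(oid)
        found = sorted(self.links[oid])
        if want_type:
            found = [x for x in found if self.store[x][0] == want_type]
        return found

    # --- Figure 10 flow ---
    def handle_request(self, obj_type, name, query, parent=None, want_type=None):
        oid = self.register(obj_type, name, parent)          # 1003 -> 1004, or 1008/1009 -> 1004
        if query == "address":                               # 1005 -> 1006 -> 1007
            return self.resolve_address(oid)
        return self.resolve_relationships(oid, want_type)    # 1005 -> 1010 -> 1011

def build_sample():
    """Constructed data center in the shape of Figure 9 (datacenter > group > host > vm >
    virtual hardware) plus Figure 8's user/app/domain/component/VM relationships."""
    im = IdentityManager()
    dc = im.register("dc", "dc-east")
    grp = im.register("group", "g1", dc)
    host = im.register("host", "h1", grp)
    vm = im.register("vm", "web-01", host)
    im.register("vnic", "eth0", vm)
    im.register("vcpu", "cpu0", vm)
    alice = im.register("user", "alice")
    bob = im.register("user", "bob")
    crm = im.register("app", "crm")
    mail = im.register("app", "mail")
    dom = im.register("domain", "crm-prod")
    comp = im.register("component", "crm-web")
    for u, a in ((alice, crm), (alice, mail), (bob, crm)):
        im.relate(u, a)                       # many-to-many: users <-> apps
    im.relate(crm, dom)
    im.relate(dom, comp)
    im.relate(comp, vm)                       # component holds exactly one VM instance
    return im
```

A request for an object that is not yet registered takes the 1008/1009 branch inside `handle_request`: it is registered, receives a fresh ID from the generator, and is then resolved like any other object (with no relationships yet).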
The identity and session based resource access system of the invention brings the idea of separating service providers from resource providers, as in traditional telecommunications, into access to enterprise data center resources in the network instance environment of a data center, achieving the separation of payload and control sessions and managing the identities of these resources with identity management methods.
The above embodiments are provided so that those skilled in the art can implement or use the invention; those skilled in the art may make various modifications or changes to the above embodiments without departing from the inventive idea, so the scope of protection of the invention is not limited by the above embodiments but should be the widest scope consistent with the innovative features mentioned in the claims.

Claims

1. An identity and session based resource access system, characterised in that it comprises:
a client, which issues a service request and defines the resource information needed to execute that service request;
a session management center, which receives the service request issued by the client, creates a streaming session according to the service request and a control session according to the streaming session, negotiates the resources needed by the streaming session and the service providers needed by the control session, and routes the request to a resource center;
a resource center, comprising physical servers, a network and storage, with one or more virtual machines running on the physical servers; the resource center receives the service request and manages the running of the request, and the virtual machines run the service request and feed the result of running it back to the client;
身份管理器,与会话管理中心及资源中心通信连接,身份管理器管理资源、 服务提供者、 会话、 应用的对象的身份信息, 身份管理器还管理所述身份信息 的生命周期。  The identity manager is in communication with the session management center and the resource center. The identity manager manages the identity information of the resource, the service provider, the session, and the object of the application, and the identity manager also manages the life cycle of the identity information.
2. The identity- and session-based resource access system of claim 1, characterized in that the session management center comprises:
a flow session manager, which receives the service request sent by the client, creates a flow session according to the service request and negotiates the resources required by the flow session, and forwards the service request;
a proxy server, communicatively connected with the flow session manager, which receives the service request forwarded by the flow session manager and keeps the connection open, obtains the flow session information created by the flow session manager, and schedules concurrent service requests;
a control session manager, communicatively connected with the proxy server, which obtains the flow session information from the proxy server, creates a control session according to the flow session information and negotiates the service providers required by the control session, and forwards the service request;
a service bus, connected to the control session manager and to a plurality of service providers, which passes requests and control session identity information between the service providers;
a session database, which stores the flow session, control session and user session information generated while the service request is delivered from the client to run on a virtual machine in the resource center and while the result of the run is returned from the resource center to the client.
3. The identity- and session-based resource access system of claim 2, characterized in that the flow session manager comprises:
a flow session generator, which creates a flow session for the received service request and manages the life cycle of the flow session, and also negotiates the resources required by the flow session;
a flow signaling plane, communicatively connected with the flow session generator and formed by the communication protocol stacks of the resources participating in the flow session, which separates the physical resources from the dynamic resources among those resources.
4. The identity- and session-based resource access system of claim 3, characterized in that the flow signaling plane comprises:
the protocol stacks formed by I/O link resources, local network port resources and computing resources, wherein the computing resource protocol stack comprises a local physical computing work stack, a virtual machine manager and a local logical computing work stack.
5. The identity- and session-based resource access system of claim 2, characterized in that the proxy server comprises:
an application container, which stores the request information related to the service request, including IP address, port number and protocol.
6. The identity- and session-based resource access system of claim 2, characterized in that the control session manager comprises:
a session controller, which creates a control session according to the flow session and manages the life cycle of the control session, and also negotiates the service providers required to execute the control session;
a control signaling plane, formed by the communication protocol stacks of the service providers participating in the control session, which separates the service providers from the resource providers.
7. The identity- and session-based resource access system of claim 1, characterized in that: the physical server comprises a server resource manager, a hardware architecture, a virtual machine manager and several virtual machines, the server resource manager manages the running of service requests on the virtual machines, and the virtual machine manager manages the virtual machines; the network comprises a network resource manager, which manages network resources and networks the virtual machines in the physical servers together;
the storage comprises a storage resource manager, which manages storage resources.
8. The identity- and session-based resource access system of claim 1, characterized in that the identity manager comprises:
a handle resolution system, which determines the location of a resource and the relationships between the objects involved in a service request by resolving a tree structure and a graph structure;
a generator, which generates unique identity information for each defined resource and service provider, and generates identity information for each session and application;
a registrar, which registers each object with the identity manager and calls the generator to generate the identity for the object;
an identity store, which stores the identity information of the various objects, including sessions, service providers, resources and applications.
9. An identity- and session-based resource access method, characterized in that the method comprises: an upstream flow session manager receiving a resource request from a client;
the flow session manager creating for the request a flow session used to negotiate the resources required to execute the client payload, and sending the request and the flow session information to an upstream proxy server;
the proxy server acting as a relay that proxies multiple requests, and sending the request and the flow session information to an upstream control session manager;
the control session manager generating for the request a control session, associated with the above flow session, used to negotiate the service providers that control the service request;
the control session manager interacting with an upstream service bus, the service bus being connected to a plurality of service providers, the request and the control session identity information being passed between the plurality of service providers over the service bus, and the request being routed through the service providers to a physical server in a downstream resource center;
one or more virtual machines being present on the physical server, a resource manager managing the running of the request on a virtual machine, and the virtual machine running the request and returning the result of the run to the client.
10. The identity- and session-based resource access method of claim 9, characterized in that the method further comprises:
the flow session manager creating the flow session and accessing the identity manager to obtain a flow session identity; the proxy server creating a virtual application and accessing the identity manager to obtain, through the relationship resolution service, a virtual application identity associated with the above flow session identity;
the control session manager creating the control session associated with the flow session and accessing the identity manager to obtain, through the relationship resolution service, a control session identity associated with the above flow session identity;
the resource manager accessing the identity manager to obtain the unique identity of a resource, and being able to find the location of the resource through the address resolution service according to the unique identity of the resource.
11. The identity- and session-based resource access method of claim 9, characterized in that the method further comprises:
after receiving the request and the flow session information sent by the flow session controller, the proxy server keeping the TCP/UDP connection with the flow session controller open;
after the request has started running on a virtual machine on a physical server in the resource center, disconnecting the TCP/UDP connection between the proxy server and the flow session controller, and returning the result of the run directly to the client by redirection.
12. The identity- and session-based resource access method of claim 9, characterized in that the method further comprises:
the flow session manager creating the flow session, generating the flow signaling plane, separating physical resource requirements from dynamic resource requirements, and controlling the logical core network generated on demand.
13. The identity- and session-based resource access method of claim 9, characterized in that the method further comprises:
the control session manager creating the control session, generating the control session plane, and dynamically combining the service providers in any way required by the request so as to generate a plurality of service provider planes.
14. The identity- and session-based resource access method of claim 9, characterized in that the method further comprises:
using bridging to establish the identity correspondence between a virtual machine and the various virtual resources on it.
15. The identity- and session-based resource access method of claim 9, characterized in that the method further comprises:
setting two identities for a virtual machine, one being the virtual machine's own identity and the other a reference identity pointing to the components on it, so as to establish the identity correspondence between the virtual machine and those components.
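As an added example (not the patent's own code, and not code from 运软网络科技(上海)有限公司), the following Python models the identity manager of claim 8, the two-identity virtual machine of claim 15 and the flow session / virtual application / control session chain of claims 9 and 10 as one in-memory service. Every class, method and field name (IdentityManager, register, related, locate, handle_request and so on) and the sample topology are assumptions chosen for illustration; the patent names the components but specifies no API.

```python
import itertools
from dataclasses import dataclass, field


@dataclass
class Identity:
    """One registered object; all names here are illustrative, not the patent's."""
    kind: str                              # "resource", "service_provider", "flow_session", ...
    obj_id: str                            # unique identity produced by the generator
    attrs: dict = field(default_factory=dict)
    alive: bool = True                     # lifecycle flag: retired identities stop resolving


class IdentityManager:
    """Generator, registrar, identity store and handle resolver (claim 8) in one object."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.store = {}      # identity store: obj_id -> Identity
        self.tree = {}       # location tree: child obj_id -> parent obj_id
        self.graph = {}      # relationship graph: obj_id -> set of associated obj_ids
        self.addresses = {}  # resource obj_id -> network address

    def generate(self, kind):
        # generator: one unique identity per object (a counter here, a UUID in practice)
        return f"{kind}-{next(self._seq):04d}"

    def register(self, kind, parent=None, address=None, **attrs):
        # registrar: obtain an identity from the generator, then store the object
        ident = Identity(kind, self.generate(kind), attrs)
        self.store[ident.obj_id] = ident
        self.graph[ident.obj_id] = set()
        if parent is not None:
            self.tree[ident.obj_id] = parent
        if address is not None:
            self.addresses[ident.obj_id] = address
        return ident.obj_id

    def associate(self, a, b):
        # relationship edge between two registered identities; unknown ids are rejected
        if a not in self.store or b not in self.store:
            raise KeyError(f"unregistered identity in ({a}, {b})")
        self.graph[a].add(b)
        self.graph[b].add(a)

    def related(self, obj_id, kind):
        # relationship resolution: live neighbours of the requested kind
        return sorted(n for n in self.graph.get(obj_id, ())
                      if self.store[n].kind == kind and self.store[n].alive)

    def locate(self, resource_id):
        # address resolution: the resource's address plus its path up the location tree
        path = [resource_id]
        while path[-1] in self.tree:
            path.append(self.tree[path[-1]])
        return self.addresses.get(resource_id), path

    def retire(self, obj_id):
        # lifecycle end: keep the record for audit, but stop resolving it
        self.store[obj_id].alive = False


def register_vm(im, server_id, address, parts):
    # claim 15: the VM's own identity plus a reference identity that points at its components
    vm_id = im.register("vm", parent=server_id, address=address)
    ref_id = im.register("vm_reference", target=vm_id)
    im.associate(vm_id, ref_id)
    for kind, name in parts:
        im.associate(ref_id, im.register(kind, parent=vm_id, name=name))
    return vm_id, ref_id


def handle_request(im, request, vm_id):
    # claims 9-10: flow session, then the proxy's virtual application, then the control
    # session, each obtaining an identity linked back to the flow session identity
    flow = im.register("flow_session", client=request["client"])
    app = im.register("application", ip=request["ip"], port=request["port"],
                      protocol=request["protocol"])
    im.associate(flow, app)
    ctrl = im.register("control_session", providers=list(request["providers"]))
    im.associate(flow, ctrl)
    address, path = im.locate(vm_id)          # resource manager resolves the VM's location
    return {"flow": flow, "application": app, "control": ctrl,
            "vm_address": address, "location": path}


def demo():
    # constructed sample topology: datacenter -> physical server -> VM with two components
    im = IdentityManager()
    dc = im.register("datacenter", name="dc-east")
    srv = im.register("server", parent=dc, name="srv-01")
    vm_id, ref_id = register_vm(im, srv, "10.0.0.12", [("vnic", "eth0"), ("vdisk", "disk0")])
    request = {"client": "client-A", "ip": "10.0.0.12", "port": 8080,
               "protocol": "tcp", "providers": ["auth", "lb"]}
    result = handle_request(im, request, vm_id)
    result["vm_parts"] = im.related(ref_id, "vnic") + im.related(ref_id, "vdisk")
    result["control_from_flow"] = im.related(result["flow"], "control_session")
    im.retire(result["control"])              # control session ends: it must stop resolving
    result["control_after_retire"] = im.related(result["flow"], "control_session")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point worth checking in such a design is the life-cycle handling that claim 1 assigns to the identity manager: once the control session is retired, `related` no longer returns it from the flow session, so a stale control session identity cannot be resolved back to live resources, while its record stays in the store for audit.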
PCT/CN2012/084810 2011-11-18 2012-11-19 Resource access system and method based on identity and session WO2013071890A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110369727.3A CN102347959B (en) 2011-11-18 2011-11-18 Resource access system and method based on identity and session
CN201110369727.3 2011-11-18

Publications (1)

Publication Number Publication Date
WO2013071890A1 true WO2013071890A1 (en) 2013-05-23

Family

ID=45546247

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/084810 WO2013071890A1 (en) 2011-11-18 2012-11-19 Resource access system and method based on identity and session

Country Status (2)

Country Link
CN (1) CN102347959B (en)
WO (1) WO2013071890A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948313A (en) * 2021-03-01 2021-06-11 杭州迪普科技股份有限公司 Session data management method and device
CN116055497A (en) * 2023-01-18 2023-05-02 紫光云技术有限公司 Method for realizing load balancing LB multi-activity oversized cluster

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102347959B (en) * 2011-11-18 2014-07-23 运软网络科技(上海)有限公司 Resource access system and method based on identity and session
US9038083B2 (en) * 2012-02-09 2015-05-19 Citrix Systems, Inc. Virtual machine provisioning based on tagged physical resources in a cloud computing environment
WO2014036715A1 (en) * 2012-09-07 2014-03-13 运软网络科技(上海)有限公司 System and method for controlling real-time resource supply process based on delivery point
CN102917254B (en) * 2012-10-08 2016-06-29 青岛海信传媒网络技术有限公司 Program broadcasting method and system based on NGOD
CN105610827B (en) * 2015-12-25 2019-01-29 广东威创视讯科技股份有限公司 Spell wall control system signal interaction control method and system
CN106921721A (en) * 2015-12-28 2017-07-04 华为软件技术有限公司 A kind of server, conversation managing method and system
WO2021028052A1 (en) * 2019-08-14 2021-02-18 Huawei Technologies Co., Ltd. Method and apparatus for cloud-based console service in a cloud network
US11546335B2 (en) * 2019-09-27 2023-01-03 Amazon Technologies, Inc. Managing permissions to cloud-based resources with session-specific attributes
CN113872933B (en) * 2021-08-20 2023-05-26 上海云盾信息技术有限公司 Method, system, device, equipment and storage medium for hiding source station
CN114844672B (en) * 2022-03-22 2023-08-22 华为技术有限公司 Method, management unit and equipment for confirming application trusted identity

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090300152A1 (en) * 2008-05-27 2009-12-03 James Michael Ferris Methods and systems for user identity management in cloud-based networks
CN101969475A (en) * 2010-11-15 2011-02-09 张军 Business data controllable distribution and fusion application system based on cloud computing
CN102103518A (en) * 2011-02-23 2011-06-22 运软网络科技(上海)有限公司 System for managing resources in virtual environment and implementation method thereof
CN102347959A (en) * 2011-11-18 2012-02-08 运软网络科技(上海)有限公司 Resource access system and method based on identity and session

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7415704B2 (en) * 2004-05-20 2008-08-19 Sap Ag Sharing objects in runtime systems
CN101102265B (en) * 2006-07-06 2010-05-12 华为技术有限公司 Control and carrier separation system and implementation method for multi-service access
US8984621B2 (en) * 2010-02-27 2015-03-17 Novell, Inc. Techniques for secure access management in virtual environments
CN101969391B (en) * 2010-10-27 2012-08-01 北京邮电大学 Cloud platform supporting fusion network service and operating method thereof


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948313A (en) * 2021-03-01 2021-06-11 杭州迪普科技股份有限公司 Session data management method and device
CN112948313B (en) * 2021-03-01 2023-11-21 杭州迪普科技股份有限公司 Session data management method and device
CN116055497A (en) * 2023-01-18 2023-05-02 紫光云技术有限公司 Method for realizing load balancing LB multi-activity oversized cluster

Also Published As

Publication number Publication date
CN102347959A (en) 2012-02-08
CN102347959B (en) 2014-07-23

Similar Documents

Publication Publication Date Title
WO2013071890A1 (en) Resource access system and method based on identity and session
US11588886B2 (en) Managing replication of computing nodes for provided computer networks
CN107947961B (en) SDN-based Kubernetes network management system and method
US9614748B1 (en) Multitenant data center providing virtual computing services
US9961143B2 (en) Providing enhanced data retrieval from remote locations
US10057189B2 (en) Virtual computing services deployment network
US8286232B2 (en) System and method for transparent cloud access
Gong JXTA: A network programming environment
US10187458B2 (en) Providing enhanced access to remote services
US8565118B2 (en) Methods and apparatus for distributed dynamic network provisioning
US20120239825A1 (en) Intercloud Application Virtualization
US10931559B2 (en) Distribution of network-policy configuration, management, and control using model-driven and information-centric networking
US10771309B1 (en) Border gateway protocol routing configuration
US7934218B2 (en) Interprocess communication management using a socket layer
WO2021098819A1 (en) Route updating method and user cluster
US9166947B1 (en) Maintaining private connections during network interface reconfiguration
Kohler et al. ZeroSDN: A highly flexible and modular architecture for full-range distribution of event-based network control
CN116668191B (en) Internet of things application virtual gateway with data encryption convergence function
Hamid et al. Web Services Architecture Model to Support Distributed Systems
US8312154B1 (en) Providing enhanced access to remote services
CN115242882A (en) Method and device for accessing k8s container environment based on transport layer route
Li et al. Integrate software agents and CORBA in computational grid
Shim et al. A study on communication optimization in multi-SDN controller
US20240241874A1 (en) Disseminating configuration across distributed systems using database nodes
Chaves et al. A proposal for application-to-application network addressing in clean-slate architectures

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12850637

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12850637

Country of ref document: EP

Kind code of ref document: A1