WO2018177013A1 - Method for providing PaaS service, management system, and cloud computing service architecture - Google Patents

Method for providing PaaS service, management system, and cloud computing service architecture

Info

Publication number
WO2018177013A1
Authority
WO
WIPO (PCT)
Prior art keywords
paas
tenant
management system
iaas
real
Prior art date
Application number
PCT/CN2018/074278
Inventor
王非
何雄辉
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to EP18774532.8A (patent EP3591939B1)
Publication of WO2018177013A1
Priority to US16/589,918 (patent US11438242B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5061 Partitioning or combining of resources
    • G06F9/5077 Logical partitioning of resources; Management or configuration of virtualized resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Definitions

  • the present application relates to the field of cloud computing services, and more particularly, to a method, a management system, and a cloud computing service architecture for providing a Platform as a Service (PaaS) service.
  • PaaS Platform as a Service
  • the services provided by the cloud computing service architecture for the user usually include the Infrastructure as a Service (IaaS) service, the Platform as a Service (PaaS) service, and the Software as a Service (SaaS) service.
  • IaaS Infrastructure as a Service
  • SaaS Software as a Service
  • the existing management system may cause conflicts between the IaaS service and the resource management of the PaaS service.
  • the IaaS service manages the user's infrastructure resources, for example at least one of a central processing unit (CPU), memory, storage media, networks, and routers, including the infrastructure resources that run the software services provided by the PaaS service.
  • the PaaS service is based on the IaaS service
  • the PaaS service deploys common software services on the infrastructure resources provided by the IaaS service. As a result, the PaaS service and the IaaS service jointly manage the same infrastructure resources, which causes conflicts between the management of the two.
  • for example, the service page of the IaaS service can delete the infrastructure resources of the software service provided by the PaaS service; as another example, the network policy of the IaaS service will affect the internal communication of the PaaS service, and the like.
  • the present application provides a method, a management system, and a cloud computing service architecture for providing a PaaS service, which can solve the problem of management conflicts between the IaaS service and the PaaS service over infrastructure resources while still meeting the multi-tenant requirement.
  • a method for providing a Platform as a Service (PaaS) service, comprising: a PaaS management system receiving a PaaS operation request sent by a first real tenant, the PaaS operation request indicating a PaaS operation for a PaaS resource;
  • the PaaS management system determines the information of the first virtual tenant corresponding to the first real tenant, where real tenants and virtual tenants have a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in that one-to-one correspondence; the PaaS management system, according to the PaaS operation request and the information of the first virtual tenant, controls the Infrastructure as a Service (IaaS) management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation.
  • in the method for providing a PaaS service of the first aspect, a one-to-one virtual tenant is introduced for each real tenant in the PaaS management system, so that the PaaS management system manages the infrastructure resources through the virtual tenant. Because the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence, the management of the PaaS service for the first real tenant is isolated from the management of other tenants, which ensures management isolation among multiple tenants and further resolves the management conflict between the IaaS service and the PaaS service over infrastructure resources.
  • the IaaS management system is a management system for processing IaaS operations in a cloud computing service architecture, where the cloud computing service architecture provides an IaaS service for the first real tenant based on a first infrastructure resource group, and only the first real tenant has management rights to the infrastructure resources in the first infrastructure resource group
  • the PaaS management system is a management system for processing PaaS operations in the cloud computing service architecture.
  • the cloud computing service architecture provides a PaaS service for the first real tenant based on a second infrastructure resource group, and only the first virtual tenant has management rights to the infrastructure resources in the second infrastructure resource group.
  • the infrastructure resources corresponding to the IaaS operation request initiated by the real tenant through the IaaS management system and the infrastructure resources corresponding to the PaaS operation request initiated by the real tenant through the PaaS management system are isolated from each other. This not only resolves the management conflict between the IaaS service and the PaaS service, but also improves the security of the cloud computing service.
  • the PaaS instance that the cloud computing service architecture provides for the first real tenant includes a management network card, and the method further includes: the PaaS management system uses the management network card for management communication between the infrastructure resources in the second infrastructure resource group.
  • the PaaS management system performs internal communication of the PaaS service and control communication of the background of the PaaS management system through the management network card.
  • the PaaS instance that the cloud computing service architecture provides for the first real tenant includes a data network card, and the method further includes: the PaaS management system uses the data network card for data communication between the PaaS instance and the first infrastructure resource group.
  • the PaaS management system performs external communication of the PaaS service through the data network card.
  • the PaaS management system receiving a PaaS operation request sent by the first real tenant includes: the PaaS management system receives a PaaS operation request, sent by the first real tenant, that indicates an application for a PaaS instance; the PaaS management system controlling, according to the PaaS operation request and the information of the first virtual tenant, the IaaS management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation includes: the PaaS management system determines, according to the PaaS operation request, that the IaaS operations corresponding to the PaaS operation are creating a PaaS instance and creating a data network card; and the PaaS management system controls the IaaS management system through the first virtual tenant to create the PaaS instance and create the data network card.
  • This possible implementation is applicable to the case where a real tenant first applies for a PaaS instance.
  • the PaaS management system receiving a PaaS operation request sent by the first real tenant includes: the PaaS management system receives a PaaS operation request, sent by the first real tenant, that indicates a change to a PaaS instance; the PaaS management system controlling, according to the PaaS operation request and the information of the first virtual tenant, the IaaS management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation
  • includes: the PaaS management system determines, according to the PaaS operation request, that the IaaS operation corresponding to the PaaS operation is changing the parameters of a PaaS instance; and the PaaS management system controls the IaaS management system through the first virtual tenant to change the parameters of the PaaS instance.
  • This possible implementation is applicable to real tenants changing the PaaS instance.
  • a Platform as a Service (PaaS) management system includes: a receiving module, configured to receive a PaaS operation request sent by a first real tenant, where the PaaS operation request is used to indicate a PaaS operation for a PaaS resource; and a processing module, configured to determine information of the first virtual tenant corresponding to the first real tenant, where real tenants and virtual tenants have a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in that one-to-one correspondence; the processing module is further configured to control, according to the PaaS operation request and the information of the first virtual tenant, the Infrastructure as a Service (IaaS) management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation.
  • the IaaS management system is a management system for processing IaaS operations in a cloud computing service architecture, where the cloud computing service architecture provides an IaaS service for the first real tenant based on a first infrastructure resource group, and only the first real tenant has management rights to the infrastructure resources in the first infrastructure resource group
  • the PaaS management system is a management system for processing PaaS operations in the cloud computing service architecture.
  • the cloud computing service architecture provides a PaaS service for the first real tenant based on a second infrastructure resource group, and only the first virtual tenant has management rights to the infrastructure resources in the second infrastructure resource group.
  • the PaaS instance that the cloud computing service architecture provides for the first real tenant includes a management network card, where the management network card is used for management communication between the infrastructure resources in the second infrastructure resource group.
  • the PaaS instance that the cloud computing service architecture provides for the first real tenant includes a data network card, where the data network card is used for data communication between the PaaS instance and the first infrastructure resource group.
  • the receiving module is specifically configured to: receive a PaaS operation request, sent by the first real tenant, that indicates an application for a PaaS instance; the processing module is specifically configured to: determine, according to the PaaS operation request, that the IaaS operations corresponding to the PaaS operation are creating a PaaS instance and creating a data network card; and control the IaaS management system through the first virtual tenant to create the PaaS instance and create the data network card.
  • the receiving module is specifically configured to: receive a PaaS operation request, sent by the first real tenant, that indicates a change to a PaaS instance; the processing module is specifically configured to: determine, according to the PaaS operation request, that the IaaS operation corresponding to the PaaS operation is changing the parameters of a PaaS instance; and control the IaaS management system through the first virtual tenant to change the parameters of the PaaS instance.
  • a cloud computing service architecture providing an Infrastructure as a Service (IaaS) service and a Platform as a Service (PaaS) service for a first real tenant, the cloud computing service architecture including a first infrastructure resource group and a second infrastructure resource group, wherein the cloud computing service architecture provides an IaaS service for the first real tenant based on the first infrastructure resource group, and only the first real tenant has management rights to the infrastructure resources in the first infrastructure resource group; the cloud computing service architecture provides a PaaS service for the first real tenant based on the second infrastructure resource group, and only the first virtual tenant has management rights to the infrastructure resources in the second infrastructure resource group; real tenants and virtual tenants have a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in that one-to-one correspondence.
  • the second infrastructure resource group includes a PaaS instance, where the PaaS instance includes a data network card, and the data network card is used for data communication between the PaaS instance and the first infrastructure resource group.
  • a Platform as a Service (PaaS) management system comprising a network interface, a processor, and a memory, where the memory is used to store instructions, and the processor and the network interface are used to execute the instructions stored in the memory; when the processor and the network interface execute the instructions stored in the memory, the PaaS management system performs the method for providing a PaaS service of the first aspect or any implementation of the first aspect.
  • a computer storage medium is provided, where the computer storage medium is used to store a computer program, and the computer program includes instructions for performing the method for providing a PaaS service of the first aspect or any implementation of the first aspect.
  • the computer storage medium includes, but is not limited to, a read only memory, a random access memory, a flash memory, a hard disk drive (HDD), or a solid state drive (SSD).
  • a computer program product comprising program instructions is provided; when the computer program product is executed by a computing device, the computing device performs the method for providing a PaaS service of the first aspect or any implementation of the first aspect.
  • the computer program product can be a software installation package; when the method for providing a PaaS service of the first aspect or any implementation of the first aspect needs to be used, the computer program product can be downloaded and executed on the computing device.
  • the real tenant in the present application refers to a tenant who rents a PaaS service and can initiate a PaaS operation request through the PaaS management system.
  • the real tenant has no management rights to the infrastructure resources that ultimately correspond to the PaaS operation request; in other words, the real tenant has no authority to manage the infrastructure resources corresponding to the PaaS operation request through the IaaS management system.
  • the real tenant can also be a tenant who rents the IaaS service and can initiate an IaaS operation request through the IaaS management system; the real tenant has the authority to manage the infrastructure resources corresponding to the IaaS operation requests that it initiates through the IaaS management system.
  • the virtual tenant is not a real tenant; it refers to a tenant that the PaaS management system allocates to the real tenant to represent the real tenant, and that has the right to manage the infrastructure resources corresponding to the PaaS operation request; in other words,
  • the virtual tenant has the authority to manage the infrastructure resources corresponding to the PaaS operation request through the IaaS management system.
  • the virtual tenant has no management rights to the infrastructure resources corresponding to the IaaS operations initiated by the real tenant through the IaaS management system.
  • FIG. 1 is a schematic block diagram of a PaaS management system according to an embodiment of the present application.
  • FIG. 2 is a schematic block diagram of an application PaaS management system according to an embodiment of the present application.
  • FIG. 3 is a schematic block diagram of a cloud computing service architecture of an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of a method for providing a PaaS service according to an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of a method for providing a PaaS service according to another embodiment of the present application.
  • FIG. 6 is a schematic flowchart of a method for providing a PaaS service according to another embodiment of the present application.
  • FIG. 7 is a schematic block diagram of a PaaS management system according to another embodiment of the present application.
  • the IaaS service provides the user with the right to use at least one of infrastructure resources such as CPU, memory, storage medium, network, and router in the form of a service.
  • IaaS services enable users to pay on demand, out-of-the-box, greatly improving users.
  • IT Information Technology
  • the PaaS service provides users with a software platform based on IaaS services, in the form of a service. It invokes hardware resources through the Application Programming Interface (API) provided by the IaaS service, integrates them with common software business capabilities, and provides users with complete application infrastructure resources such as database services, message services, and cache services. PaaS services allow users to focus on the software services on the application software platform rather than on applying for, expanding, and maintaining infrastructure resources.
  • API Application Programming Interface
  • the SaaS service is a mode of providing software services through the Internet.
  • the vendors deploy the software on their own servers. Users can order the required software services through the internet according to their actual needs.
  • Multi-tenancy technology is a software architecture technology that explores and implements how to share the same system or program components in a multi-tenant environment while still ensuring the isolation of data between tenants.
  • Multi-tenant technology is commonly used in SaaS services and IaaS services and is a key technology for SaaS services.
  • multi-tenant technology is generally divided into categories by how isolation is achieved: multi-tenant technology for virtualized hardware, multi-tenant technology for isolated databases, and multi-tenant technology for shared databases.
  • the classification of multi-tenant technology can be more detailed, for example subdivided into multi-tenant technology that shares hardware, multi-tenant technology that shares the operating system (OS), multi-tenant technology that shares databases, multi-tenant technology that shares everything, and other categories.
  • OS operating systems
  • IaaS services choose to share hardware to implement multi-tenancy technology.
  • the technology of virtualized hardware is mature, the difficulty is moderate;
  • the virtualization hardware is in line with the concept of IaaS service.
  • SaaS services are highly consistent in their business, that is, the services provided are oriented to a specific field and the needs of users are largely common. Companies with deep data sharing capabilities, such as Google, mostly choose multi-tenant technology that shares everything.
  • the existing management system may cause conflicts between the IaaS service and the resource management of the PaaS service.
  • the IaaS service manages the user's infrastructure resources, for example at least one of CPU, memory, storage media, network, and router, including the infrastructure resources that run the software services provided by the PaaS service.
  • the PaaS service is based on the IaaS service
  • the PaaS service deploys common software services on the infrastructure resources provided by the IaaS service. As a result, the PaaS service and the IaaS service jointly manage the same infrastructure resources, which causes conflicts between the management of the two.
  • for example, the service page of the IaaS service can delete the infrastructure resources of the software service provided by the PaaS service; as another example, the network policy of the IaaS service will affect the internal communication of the PaaS service.
  • the PaaS service only provides the user service address and port.
  • the infrastructure resources corresponding to the PaaS service are exposed to the user, and the user needs to care about various issues, such as port security and firewall access rules. This resulting work is not something the user needs, and it also poses a security risk to the user.
  • the PaaS management system 100 can include:
  • the receiving module 110 is configured to receive a PaaS operation request sent by the first real tenant, where the PaaS operation request is used to indicate a PaaS operation for the PaaS resource;
  • the processing module 120 is configured to determine information of the first virtual tenant corresponding to the first real tenant, where real tenants and virtual tenants have a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in that one-to-one correspondence;
  • the processing module 120 is further configured to control, according to the PaaS operation request and the information of the first virtual tenant, the IaaS management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation.
  • the cloud computing service architecture can provide the first real tenant with the PaaS service through the PaaS management system 100 of the embodiment of the present application.
  • the cloud computing service architecture provides IaaS services to the first real tenant through the IaaS management system.
  • the receiving module 110 in the PaaS management system 100 may specifically include a PaaS tenant service component for interacting with a real tenant; the processing module 120 may specifically include a part of the functions of the PaaS tenant service component, the virtual tenant resource pool component that manages the one-to-one correspondence between real tenants and virtual tenants, and the PaaS tenant agent component that performs the real IaaS operations for the real tenant.
  • FIG. 2 is a schematic block diagram of an application PaaS management system 200 according to an embodiment of the present application.
  • the PaaS management system 200 is a management system of a cloud computing service architecture at the platform (Platform, P) level; in other words, the PaaS management system is a management system for processing PaaS operations in a cloud computing service architecture.
  • the IaaS management system 300 is a management system of the cloud computing service architecture at the infrastructure (I) layer; in other words, the IaaS management system is a management system for processing IaaS operations in the cloud computing service architecture.
  • for a tenant, for example the first real tenant, the cloud computing service architecture provides PaaS services to the first real tenant through the PaaS management system 200.
  • the cloud computing service architecture can also provide the IaaS service to the first real tenant through the IaaS management system 300, but the embodiment of the present application does not limit this.
  • the PaaS management system 200 shown in FIG. 2 includes a PaaS tenant service component 210, a virtual tenant resource pool component 220, and a PaaS tenant agent component 230.
  • the PaaS tenant service component 210 is configured to receive a PaaS operation request sent by the first real tenant to the PaaS management system 100, and the PaaS operation request is used to indicate PaaS operation for the PaaS resource.
  • PaaS resources refer to infrastructure resources and software resources thereon.
  • the PaaS tenant service component 210 is configured to interact with a real tenant in response to a real tenant's PaaS operation request.
  • the PaaS tenant service component 210 can be an application deployed in a web resource of an infrastructure resource, providing an interface to the cloud computing service page in the form of HTTP.
  • the real tenant can send a PaaS operation request to the PaaS tenant service component 210 through the cloud computing service page.
  • the PaaS tenant service component 210 responds to PaaS operation requests and processes related PaaS operations, such as applying for a PaaS instance, restarting a PaaS instance, changing or deleting a PaaS instance, and the like.
  • the PaaS tenant service component 210 is also used to interact with the virtual tenant resource pool component 220 and the PaaS tenant agent component 230 to complete the PaaS operation of the real tenant.
  • the PaaS tenant service component 210 requests the virtual tenant resource pool component 220 for the first virtual tenant corresponding to the first real tenant.
  • the PaaS tenant service component 210 also performs corresponding processing to separate the IaaS operations corresponding to the PaaS operations indicated by the PaaS operation request, so that the subsequent PaaS tenant agent component 230 performs IaaS operations.
  • the PaaS tenant service component 210 can perform necessary authentication and security checks and the like through identity and access management (IAM) components.
  • the virtual tenant resource pool component 220 is configured to manage the one-to-one correspondence between real tenants and virtual tenants, in which the first real tenant and the first virtual tenant are one pair; the virtual tenant resource pool component 220 is further configured to send the information of the first virtual tenant to the PaaS tenant service component 210.
  • the virtual tenant resource pool component 220 can also be a built-in component that interacts with the PaaS tenant service component 210 in the form of a program interface, which are simultaneously deployed in the same application of the same web container.
  • the cloud computing service architecture may preset a plurality of virtual tenants, and form a resource pool to be stored in the virtual tenant resource pool component 220 for use.
  • the PaaS tenant service component 210 initiates a call to the virtual tenant resource pool component 220 to select the virtual tenant; the virtual tenant resource pool component 220 then allocates an unoccupied virtual tenant from its internal resource pool to the real tenant, records the correspondence between the real tenant and the virtual tenant, and returns the information of the virtual tenant to the PaaS tenant service component 210.
  • After the virtual tenant resource pool component 220 allocates a virtual tenant to each real tenant, it records the one-to-one correspondence between the real tenant and the virtual tenant. During subsequent PaaS operation requests (for example, when the real tenant again applies for, changes, or deletes a PaaS instance), the virtual tenant resource pool component 220 directly returns the information of the corresponding virtual tenant to the PaaS tenant service component 210.
  • the real tenant in the embodiments of the present application refers to a tenant who rents a PaaS service and can initiate a PaaS operation request through the PaaS management system.
  • the real tenant has no management right over the infrastructure resources that ultimately correspond to the PaaS operation request; in other words, the real tenant does not have the authority to manage, through the IaaS management system, the infrastructure resources corresponding to the PaaS operation request.
  • the real tenant may also be a tenant who rents the IaaS service and can initiate IaaS operation requests through the IaaS management system; the real tenant has the authority to manage, through the IaaS management system, the infrastructure resources corresponding to the IaaS operation requests it initiates.
  • the real tenant is registered by the user in the PaaS management system; the user can set a username and password, which the PaaS management system authenticates when the user logs in to use the PaaS service.
  • the virtual tenant is not a real tenant. It is a tenant assigned by the PaaS management system to the real tenant; it acts on behalf of the real tenant and has the right to manage the infrastructure resources corresponding to the PaaS operation request. In other words, the virtual tenant has the authority to manage, through the IaaS management system, the infrastructure resources corresponding to the PaaS operation request.
  • a virtual tenant is an ID or number assigned by the PaaS system to a registered real user.
  • the virtual tenant has no management rights to the infrastructure resources corresponding to the IaaS operations initiated by the real tenant through the IaaS management system.
  • the real tenant and the virtual tenant are two different tenants, and the IaaS management system isolates the management rights of the two.
  • the PaaS tenant agent component 230 is configured to receive the information about the first virtual tenant sent by the PaaS tenant service component 310 and the related information of the IaaS operation corresponding to the PaaS operation, and to control the IaaS management system 300, through the first virtual tenant acting as a proxy for the first real tenant, to process the IaaS operation corresponding to the PaaS operation.
  • the PaaS tenant agent component 230 mainly performs the identity proxy work for the real tenant, and controls the IaaS management system 300 to manage the corresponding infrastructure resources under the proxy identity of the real tenant.
  • the information of the first virtual tenant is sent to the PaaS tenant service component 210.
  • the PaaS tenant service component 210 transmits information of the first virtual tenant and related information of the IaaS operation corresponding to the PaaS operation to the PaaS tenant agent component 230.
  • the PaaS tenant agent component 230 controls the IaaS management system 300, through the first virtual tenant acting as a proxy for the first real tenant, to process the IaaS operations corresponding to the PaaS operation, such as creating a virtual machine (VM) (i.e., creating a PaaS instance), or changing or deleting VM resources.
  • the PaaS tenant agent component 230 can complete the authentication of the first virtual tenant through the IAM component, and obtain the identity authentication token of the first virtual tenant.
  • the PaaS tenant agent component 230 uses the identity authentication token of the first virtual tenant to initiate, on behalf of the first real tenant, the corresponding IaaS operation instruction to the IaaS management system 300.
  • the cloud computing service architecture provides an IaaS service for the first real tenant based on the first infrastructure resource group, and only the first real tenant has the right to manage the infrastructure resources in the first infrastructure resource group.
  • the cloud computing service architecture provides the first real tenant with the PaaS service based on the second infrastructure resource group, and only the first virtual tenant has the management right to the infrastructure resource in the second infrastructure resource group.
  • the PaaS management system in the embodiment of the present application introduces a one-to-one corresponding virtual tenant for each real tenant, so that the PaaS management system manages the infrastructure resources through the virtual tenant. The first real tenant and the first virtual tenant are one pair among the multiple one-to-one correspondences, so the management of the PaaS service for the first real tenant is isolated from the management of other tenants, which ensures that management is isolated among the multiple tenants and further solves the conflict between the IaaS service and the PaaS service in managing infrastructure resources.
  • the real tenant and the virtual tenant are two different tenants: the real tenant has management authority only over the infrastructure resources corresponding to the IaaS operation requests it initiates through the IaaS management system, and the virtual tenant has management authority only over the infrastructure resources corresponding to the PaaS operation requests that the real tenant initiates through the PaaS management system.
  • the IaaS management system isolates the management rights of the two, which not only solves the management conflict problem but also enhances the security of the cloud computing service.
  • the PaaS management system introduces one-to-one virtual tenants for each real tenant, which ensures the isolation of resources among multi-tenants.
  • the PaaS management system in the embodiment of the present application can isolate the infrastructure resources corresponding to the IaaS service from those corresponding to the PaaS service while still meeting multi-tenant requirements, which solves the conflict between the IaaS service and the PaaS service in managing infrastructure resources and also improves the security of the entire cloud computing service.
  • FIG. 3 is a schematic block diagram of a cloud computing service architecture 400 in accordance with an embodiment of the present application.
  • the cloud computing service architecture 400 provides an Infrastructure as a Service (IaaS) service and a Platform as a Service (PaaS) service for a first real tenant. The cloud computing service architecture 400 includes a first infrastructure resource group 410 and a second infrastructure resource group 420. The cloud computing service architecture 400 provides IaaS services for the first real tenant based on the first infrastructure resource group 410, and only the first real tenant has management rights to the infrastructure resources in the first infrastructure resource group 410. The cloud computing service architecture 400 provides the first real tenant with the PaaS service based on the second infrastructure resource group 420, and only the first virtual tenant has management rights to the infrastructure resources in the second infrastructure resource group 420. The real tenant and the virtual tenant have a one-to-one correspondence.
  • the PaaS management system of the cloud computing service architecture 400 generates a corresponding virtual tenant for each real tenant accepting the PaaS.
  • the PaaS management system uses the identity of the first virtual tenant to manage the second infrastructure resource group 420 corresponding to the PaaS instance; for example, infrastructure resources such as the VM, the storage medium, the network, or the router corresponding to the PaaS instance are within the management scope of the first virtual tenant.
  • All operations on the infrastructure resources of the first real tenant's PaaS instance, i.e. on the second infrastructure resource group 420 managed by the first virtual tenant (e.g., releasing the PaaS instance, changing the PaaS, restarting the PaaS, or adding disks), can only be carried out under the identity of the first virtual tenant corresponding to the first real tenant, and this correspondence is stored only in the background of the PaaS management system. That is, the cloud computing service architecture 400 provides PaaS services to the first real tenant based on the second infrastructure resource group 420, and only the first virtual tenant has management rights to the infrastructure resources in the second infrastructure resource group 420.
  • the infrastructure resources created by the PaaS instance are subordinate to the virtual tenant, and only the virtual tenant has the right to manage it. The real tenant cannot manage it through the IaaS management system.
  • the cloud computing service architecture 400 provides IaaS services for the first real tenant based on the first infrastructure resource group 410, and only the first real tenant has administrative rights to the infrastructure resources in the first infrastructure resource group 410.
  • the infrastructure resources that provide IaaS services for real tenants are subordinate to real tenants, and only real tenants have management rights to them, and virtual tenants cannot manage them through the PaaS management system.
  • the first infrastructure resource group 410 and the second infrastructure resource group 420 do not have the same infrastructure resources.
  • the second infrastructure resource group 420 may include a PaaS instance, and the PaaS instance includes a data network card, and the data network card is used for data communication between the PaaS instance and the first infrastructure resource group 410.
  • the infrastructure resources corresponding to the two services are divided into two parts: at least one of the infrastructure resources of the second infrastructure resource group 420 corresponding to the PaaS service, such as VM, network, CPU, memory, storage medium, and router, is managed by the real tenant through the PaaS management system, which controls the virtual tenant to manage it through the IaaS management system, such as the PaaS management domain shown in FIG.; at least one of the infrastructure resources of the first infrastructure resource group 410 corresponding to the IaaS service, such as VM, network, CPU, memory, storage medium, and router, is managed by the real tenant through the IaaS management system, as shown in FIG.
  • the real tenant can control the application and destruction of the resources of the PaaS instance through the PaaS management system. Only the network address and port of the PaaS instance can be seen in the real tenant's network, and the infrastructure resources corresponding to the PaaS instance cannot be seen.
  • the infrastructure resources corresponding to the PaaS instance can only be managed by virtual tenants.
  • the PaaS instance can be designed with multiple network cards so that the management network and the data network are independent of each other. Specifically, in the process of creating a PaaS instance, multiple network cards can be created on the VM; the management network card and the data network card are independent of each other and belong to the management network and the data network respectively.
  • the communication in the management network is management communication, which refers to the internal communication of the PaaS service and the control communication in the background of the PaaS management system.
  • the communication in the data network is data communication, which refers to the external communication of the PaaS service, which is used to transmit data generated or required by the user during use.
  • the PaaS instance (i.e., virtual machine) that the cloud computing service architecture provides for the first real tenant includes a management network card, which is used for management communication between the infrastructure resources in the second infrastructure resource group 420.
  • the management network card is responsible for the internal communication of the PaaS service and the control communication function of the background of the PaaS management system, which is independent of the data communication of the real tenant.
  • the management network is connected to the virtual tenant's virtual network, without external interference.
  • the PaaS instance (i.e., virtual machine) that the cloud computing service architecture provides for the first real tenant includes a data network card, which is used for data communication between the PaaS instance and the first infrastructure resource group 410.
  • the data network is connected to the real tenant's virtual network, which only accepts the management of real tenants.
  • the cloud computing service architecture of the embodiment of the present application is used to provide hardware or software services for tenants.
  • the cloud computing service architecture includes infrastructure resources and software deployed on infrastructure resources.
  • the hardware of the cloud computing service architecture may include one or more of infrastructure resources such as CPU, memory, storage media, network, and router.
  • the hardware of the cloud computing service architecture is based on physical device connectivity.
  • the software of the cloud computing service architecture may include a PaaS management system deployed on the above hardware, an IaaS management system, and application software corresponding to the PaaS service rented by the tenant.
  • deploying the software of the cloud computing service architecture on the hardware can be implemented through virtualization technology.
  • the specific form of the cloud computing service architecture is not limited in this embodiment.
  • the real tenant has the right to manage the data network card of the PaaS instance, and the real tenant's security group policy and other capabilities can be effective for the data network card.
  • different real tenants correspond to different virtual tenants, and networks between different virtual tenants are independent and isolated networks. This makes the resources between the tenants separate from each other for multiple tenants of the PaaS service.
  • FIG. 4 is a schematic flowchart of a method 500 for providing a PaaS according to an embodiment of the present application.
  • the method 500 is based on a cloud computing service architecture.
  • the cloud computing service architecture provides PaaS to a first real tenant through a PaaS management system.
  • the method 500 can include:
  • the PaaS management system receives a PaaS operation request sent by the first real tenant, where the PaaS operation request is used to indicate a PaaS operation for the PaaS resource.
  • the PaaS management system determines the information of the first virtual tenant corresponding to the first real tenant, wherein real tenants and virtual tenants have a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in that correspondence;
  • the PaaS management system, according to the PaaS operation request and the information of the first virtual tenant, controls the IaaS management system of the cloud computing service architecture through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation.
  • the method for providing PaaS in the embodiment of the present application introduces a one-to-one corresponding virtual tenant for each real tenant in the PaaS management system, so that the PaaS management system manages the infrastructure resources through the virtual tenant. The first real tenant and the first virtual tenant are one pair among the multiple one-to-one correspondences, so the management of the PaaS service for the first real tenant is isolated from the management of other tenants, which ensures that management is isolated among the multiple tenants and further solves the conflict between the IaaS service and the PaaS service in managing infrastructure resources.
  • FIG. 5 shows a schematic flow chart of a method 600 for providing PaaS according to an embodiment of the present application.
  • S510, in which the PaaS management system receives the PaaS operation request sent by the first real tenant, may include: the PaaS management system receives a PaaS operation request sent by the first real tenant to apply for a PaaS instance. S530, in which the PaaS management system, according to the PaaS operation request and the information of the first virtual tenant, controls the Infrastructure as a Service (IaaS) management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation, may include: the PaaS management system determines, according to the PaaS operation request, that the IaaS operation corresponding to the PaaS operation is to create a PaaS instance and create a data network card; the PaaS management system then controls the IaaS management system through the first virtual tenant to create the PaaS instance and create the data network card.
  • FIG. 5 is a schematic flowchart of a method for providing PaaS according to an embodiment of the present application.
  • the scenario shown in FIG. 5 is a scenario in which a real tenant first applies for a PaaS instance.
  • the first time a real tenant applies for a PaaS instance may include the following process.
  • the real tenant clicks the button for applying for the PaaS instance through the cloud computing service page, which may also be called the console of the PaaS.
  • the cloud computing service page will send an http message to the PaaS management system, specifically a PaaS tenant service component 210.
  • the PaaS tenant service component 210 initiates a call to the virtual tenant resource pool component 220 to select a virtual tenant, that is, select a virtual tenant ().
  • the virtual tenant resource pool component 220 allocates an unoccupied virtual tenant to the real tenant in the internal resource pool, and records the correspondence between the real tenant and the virtual tenant.
  • the virtual tenant resource pool component 220 returns the information of the virtual tenant to the PaaS tenant service component 210.
  • After receiving the information of the virtual tenant, the PaaS tenant service component 210 transmits the information of the virtual tenant to the PaaS tenant agent component 230, and simultaneously initiates a call to create a VM, that is, creates a VM ().
  • After receiving the call to create the virtual machine, the PaaS tenant agent component 230 sends an http message to the IAM component to obtain the identity token of the virtual tenant.
  • the IAM component returns the virtual tenant's identity authentication token to the PaaS tenant agent component 230.
  • After obtaining the identity authentication token, the PaaS tenant proxy component 230 initiates an http message for creating a VM (i.e., creating a PaaS instance) to the IaaS management system 300.
  • the IaaS management system 300 returns an acknowledgement message to the PaaS tenant agent component 230 after the VM is successfully created.
  • the PaaS tenant service component 210 initiates an http message for creating a data network card to the IaaS management system 300, instructing the IaaS management system 300 to create a data network card for communicating with the first infrastructure resource group.
  • After completing the creation of the data network card, the IaaS management system 300 returns an acknowledgement message to the PaaS tenant agent component 230.
  • the PaaS tenant service component 210 initiates a message to the PaaS tenant agent component 230 to mount the data network card.
  • After receiving the message to mount the data network card, the PaaS tenant agent component 230 initiates an http message to the IaaS management system 300 to mount the data network card to the VM.
  • the IaaS management system 300 queries the IAM whether the virtual tenant has been authorized for the operation of mounting the data network card to the VM. After the authorization is passed, the operation of mounting the data network card to the VM can be performed.
  • the PaaS management system can enable the real tenant's data network card to be mounted to the virtual tenant, and the PaaS VM resource is connected to the real tenant's network through the real tenant's data network card.
  • FIG. 6 is a schematic flowchart of a method 700 for providing a PaaS according to an embodiment of the present application.
  • the scenario shown in Figure 6 is a scenario in which a real tenant changes a PaaS instance.
  • S510, in which the PaaS management system receives the PaaS operation request sent by the first real tenant, may include: the PaaS management system receives a PaaS operation request sent by the first real tenant to change the PaaS instance. S530, in which the PaaS management system, according to the PaaS operation request and the information of the first virtual tenant, controls the Infrastructure as a Service (IaaS) management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation, may include: the PaaS management system determines, according to the PaaS operation request, that the IaaS operation corresponding to the PaaS operation is to change the parameters of the PaaS instance; the PaaS management system then controls the IaaS management system through the first virtual tenant to change the parameters of the PaaS instance.
  • the real tenant changing the PaaS instance may include the following process.
  • the cloud computing service page will send an http message to the PaaS management system, specifically a PaaS tenant service component 210.
  • the PaaS tenant service component 210 initiates a call to the virtual tenant resource pool component 220 to determine the virtual tenant, ie, determine the virtual tenant ().
  • the virtual tenant resource pool component 220 determines the virtual tenant corresponding to the real tenant according to the corresponding relationship between the real tenant and the virtual tenant.
  • the virtual tenant resource pool component 220 returns the information of the virtual tenant to the PaaS tenant service component 210.
  • After receiving the information of the virtual tenant, the PaaS tenant service component 210 transmits the information of the virtual tenant to the PaaS tenant agent component 130, and simultaneously initiates a call to change the VM, that is, changes the VM ().
  • After receiving the call to change the VM, the PaaS tenant agent component 230 sends an http message to the IAM component to obtain the identity token of the virtual tenant.
  • the PaaS tenant agent component 230 obtains an identity authentication token.
  • After obtaining the identity authentication token, the PaaS tenant proxy component 230 initiates an http message for changing the VM to the IaaS management system 300.
  • After receiving the http message for changing the VM, the IaaS management system 300 changes the parameters of the virtual machine.
  • PaaS management system 800 can include a processor 810, a network interface 820, and a memory 830.
  • the memory 830 can be used to store instructions and the like executed by the processor 810.
  • the processor 810 and the network interface 820 are configured to execute the instructions stored in the memory 830; when the processor 810 and the network interface 820 execute the instructions stored in the memory 830, the PaaS management system 800 performs the method of providing a PaaS service of the various embodiments of the present application.
  • the various components in the PaaS management system 800 can communicate with one another via internal connection paths to communicate control and/or data signals.
  • the processor may be an integrated circuit chip with signal processing capabilities.
  • each step of the foregoing method embodiment may be completed by an integrated logic circuit of hardware in a processor or an instruction in a form of software.
  • the processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • the methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed.
  • the general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application may be directly implemented by the hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory, and the processor reads the information in the memory and combines the hardware to complete the steps of the above method.
  • the memory in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (EEPROM), or flash memory.
  • the volatile memory can be a Random Access Memory (RAM) that acts as an external cache.
  • many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous connection dynamic random access memory (SLDRAM), and direct memory bus random access memory (DR RAM).
  • the network interface is configured to receive a PaaS operation request sent by the first real tenant.
  • the network interface 820 can be a network interface or multiple network interfaces.
  • the network interface may be a wired interface, such as a Fiber Distributed Data Interface (FDDI) or a Gigabit Ethernet (GE) interface; the network interface may also be a wireless interface.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present application, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application.
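The proxy flow of FIG. 5 and FIG. 6 described above, modelled in Python as an added example (not code from the patent or from any product). Class and method names, the `vt-001` style ids and the 200/403 status codes are assumptions, and the data network card is left out. It shows that a VM created through the PaaS is owned by the virtual tenant, so the real tenant's own IaaS token cannot manage it, and the virtual tenant cannot manage the real tenant's IaaS resources.

```python
import itertools
import secrets

OK, FORBIDDEN = 200, 403  # status codes of the modelled http interfaces (assumed)


class VirtualTenantPool:
    """Virtual tenant resource pool: preset virtual tenants, one per real tenant."""
    def __init__(self, preset):
        self._free = list(preset)
        self._by_real = {}  # real -> virtual, stored only in the PaaS backend

    def get(self, real_tenant):
        if real_tenant not in self._by_real:  # first request: allocate an unoccupied one
            if not self._free:
                raise RuntimeError("no unoccupied virtual tenant left")
            self._by_real[real_tenant] = self._free.pop(0)
        return self._by_real[real_tenant]


class Iam:
    """IAM component: issues identity authentication tokens and resolves them."""
    def __init__(self):
        self._tokens = {}

    def issue_token(self, tenant):
        token = secrets.token_hex(16)
        self._tokens[token] = tenant
        return token

    def tenant_for(self, token):
        return self._tokens.get(token)  # None for an unknown token


class IaasManager:
    """IaaS management system: a VM is managed only by the tenant that owns it."""
    def __init__(self, iam):
        self._iam, self._ids, self._vms = iam, itertools.count(1), {}

    def create_vm(self, token, **params):
        owner = self._iam.tenant_for(token)
        if owner is None:
            return None
        vm_id = f"vm-{next(self._ids)}"
        self._vms[vm_id] = {"owner": owner, "params": params}
        return vm_id

    def manage(self, token, vm_id, action, **params):
        vm = self._vms.get(vm_id)
        # Unknown token, missing VM and another tenant's VM are refused identically.
        if vm is None or vm["owner"] != self._iam.tenant_for(token):
            return FORBIDDEN
        if action == "delete":
            del self._vms[vm_id]
        else:
            vm["params"].update(params)
        return OK

    def list_vms(self, token):
        caller = self._iam.tenant_for(token)
        return sorted(v for v, vm in self._vms.items() if vm["owner"] == caller)


class PaasManager:
    """PaaS tenant service plus tenant agent: calls the IaaS as the virtual tenant."""
    def __init__(self, pool, iam, iaas):
        self._pool, self._iam, self._iaas = pool, iam, iaas
        self._instances = {}  # real tenant -> ids of its PaaS instances

    def _proxy_token(self, real_tenant):
        # Agent step: authenticate as the virtual tenant, never as the real one.
        return self._iam.issue_token(self._pool.get(real_tenant))

    def apply_instance(self, real_tenant, **params):
        vm_id = self._iaas.create_vm(self._proxy_token(real_tenant), **params)
        self._instances.setdefault(real_tenant, set()).add(vm_id)
        return vm_id

    def operate(self, real_tenant, vm_id, action, **params):
        # Check instance ownership before lending out the virtual tenant's identity.
        if vm_id not in self._instances.get(real_tenant, ()):
            return FORBIDDEN
        return self._iaas.manage(self._proxy_token(real_tenant), vm_id, action, **params)


def demo():
    iam = Iam()
    iaas, pool = IaasManager(iam), VirtualTenantPool(["vt-001", "vt-002"])  # constructed ids
    paas = PaasManager(pool, iam, iaas)
    alice = iam.issue_token("alice")               # real tenant using the IaaS directly
    iaas_vm = iaas.create_vm(alice, cpu=2)         # first infrastructure resource group
    paas_vm = paas.apply_instance("alice", cpu=4)  # second group, owned by vt-001
    return {
        "alice_sees": iaas.list_vms(alice),
        "real_deletes_paas_vm": iaas.manage(alice, paas_vm, "delete"),
        "virtual_deletes_iaas_vm": iaas.manage(iam.issue_token("vt-001"), iaas_vm, "delete"),
        "alice_changes_via_paas": paas.operate("alice", paas_vm, "change", cpu=8),
        "bob_changes_via_paas": paas.operate("bob", paas_vm, "change", cpu=1),
    }
```

Calling `demo()` returns the status of each attempt; only the change that the owning real tenant routes through the PaaS succeeds.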

Abstract

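The present application provides a method for providing a PaaS service, a management system, and a cloud computing service architecture. The method includes: receiving a PaaS operation request sent by a first real tenant, where the PaaS operation request indicates a PaaS operation on a PaaS resource; determining information about a first virtual tenant corresponding to the first real tenant, where real tenants and virtual tenants have a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in that one-to-one correspondence; and, according to the PaaS operation request and the information about the first virtual tenant, controlling an IaaS management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation. The method of the present application introduces a one-to-one corresponding virtual tenant for each real tenant and manages infrastructure resources through the virtual tenant, which solves the conflict between the IaaS service and the PaaS service in managing infrastructure resources while still meeting multi-tenant requirements.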

Description

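Method for providing PaaS service, management system, and cloud computing service architecture
This application claims priority to Chinese Patent Application No. 201710216079.5, filed with the Chinese Patent Office on April 1, 2017 and entitled "Method for providing PaaS service, management system, and cloud computing service architecture", which is incorporated herein by reference in its entirety.
Technical Field
The present application relates to the field of cloud computing services, and more specifically, to a method for providing a Platform as a Service (PaaS) service, a management system, and a cloud computing service architecture.
Background
In cloud computing services, the services that a cloud computing service architecture provides to users typically include Infrastructure as a Service (IaaS) services, Platform as a Service (PaaS) services, Software as a Service (SaaS) services, and so on.
When a user rents both a PaaS service and an IaaS service in a cloud computing service architecture, existing management systems cause conflicts between the resource management of the IaaS service and that of the PaaS service. This is because the IaaS service manages the user's infrastructure resources, for example at least one of infrastructure resources such as a central processing unit (CPU), memory, storage media, networks, and routers, including the infrastructure resources used to run the software services provided by the PaaS service. The PaaS service is in turn based on the IaaS service: it deploys commonly used software services on the infrastructure resources provided by the IaaS service. As a result, the PaaS service and the IaaS service can both manage the infrastructure resources, so their management conflicts. For example, the infrastructure resources that run the software services provided by the PaaS service can be deleted from the service page of the IaaS service; as another example, the network policy of the IaaS service can affect the internal communication of the PaaS service.
Summary
The present application provides a method for providing a PaaS service, a management system, and a cloud computing service architecture, which can solve the conflict between the IaaS service and the PaaS service in managing infrastructure resources on the basis of meeting multi-tenant requirements.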
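According to a first aspect, a method for providing a platform as a service (PaaS) service is provided. The method includes: a PaaS management system receives a PaaS operation request sent by a first real tenant, where the PaaS operation request indicates a PaaS operation on a PaaS resource; the PaaS management system determines information about a first virtual tenant corresponding to the first real tenant, where real tenants and virtual tenants are in a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence; and the PaaS management system, according to the PaaS operation request and the information about the first virtual tenant, controls an infrastructure as a service (IaaS) management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation.
The method of the first aspect introduces, in the PaaS management system, a one-to-one corresponding virtual tenant for each real tenant, so that the PaaS management system manages infrastructure resources through the virtual tenant. The first real tenant and the first virtual tenant are one pair among multiple one-to-one correspondences, so that management of the PaaS service for the first real tenant is isolated from the management of other tenants. On the basis of this isolation of management between tenants, the management conflict between the IaaS service and the PaaS service over infrastructure resources can also be resolved. In a possible implementation of the first aspect, the IaaS management system is the management system in the cloud computing service architecture that processes IaaS operations; the cloud computing service architecture provides the IaaS service to the first real tenant based on a first infrastructure resource group, and only the first real tenant has management rights over the infrastructure resources in the first infrastructure resource group. The PaaS management system is the management system in the cloud computing service architecture that processes PaaS operations; the cloud computing service architecture provides the PaaS service to the first real tenant based on a second infrastructure resource group, and only the first virtual tenant has management rights over the infrastructure resources in the second infrastructure resource group. In this possible implementation, the infrastructure resources corresponding to IaaS operation requests that the real tenant initiates through the IaaS management system and the infrastructure resources corresponding to PaaS operation requests that the real tenant initiates through the PaaS management system are isolated from each other. This not only resolves the management conflict between the IaaS service and the PaaS service but also improves the security of the cloud computing service.
In a possible implementation of the first aspect, the PaaS instance that the cloud computing service architecture provides to the first real tenant includes a management network interface card (NIC), and the method further includes: the PaaS management system uses the management NIC for management communication between the infrastructure resources in the second infrastructure resource group. In this possible implementation, the PaaS management system uses the management NIC for the internal communication of the PaaS service and for the control communication of the PaaS management system backend.
In a possible implementation of the first aspect, the PaaS instance that the cloud computing service architecture provides to the first real tenant includes a data NIC, and the method further includes: the PaaS management system uses the data NIC for data communication between the PaaS instance and the first infrastructure resource group. In this possible implementation, the PaaS management system uses the data NIC for the external communication of the PaaS service.
In a possible implementation of the first aspect, the PaaS management system receiving the PaaS operation request sent by the first real tenant includes: the PaaS management system receives a PaaS operation request, sent by the first real tenant, that indicates an application for a PaaS instance. The PaaS management system controlling, according to the PaaS operation request and the information about the first virtual tenant, the IaaS management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation includes: the PaaS management system determines, according to the PaaS operation request, that the IaaS operations corresponding to the PaaS operation are creating a PaaS instance and creating a data NIC; and the PaaS management system controls the IaaS management system through the first virtual tenant to create the PaaS instance and create the data NIC. This possible implementation applies when a real tenant applies for a PaaS instance for the first time.
In a possible implementation of the first aspect, the PaaS management system receiving the PaaS operation request sent by the first real tenant includes: the PaaS management system receives a PaaS operation request, sent by the first real tenant, that indicates a change to a PaaS instance. The PaaS management system controlling, according to the PaaS operation request and the information about the first virtual tenant, the IaaS management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation includes: the PaaS management system determines, according to the PaaS operation request, that the IaaS operation corresponding to the PaaS operation is changing parameters of the PaaS instance; and the PaaS management system controls the IaaS management system through the first virtual tenant to change the parameters of the PaaS instance. This possible implementation applies when a real tenant changes a PaaS instance.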
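According to a second aspect, a platform as a service (PaaS) management system is provided. The PaaS management system includes: a receiving module, configured to receive a PaaS operation request sent by a first real tenant, where the PaaS operation request indicates a PaaS operation on a PaaS resource; and a processing module, configured to determine information about a first virtual tenant corresponding to the first real tenant, where real tenants and virtual tenants are in a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence. The processing module is further configured to control, according to the PaaS operation request and the information about the first virtual tenant, an infrastructure as a service (IaaS) management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation.
In a possible implementation of the second aspect, the IaaS management system is the management system in the cloud computing service architecture that processes IaaS operations; the cloud computing service architecture provides the IaaS service to the first real tenant based on a first infrastructure resource group, and only the first real tenant has management rights over the infrastructure resources in the first infrastructure resource group. The PaaS management system is the management system in the cloud computing service architecture that processes PaaS operations; the cloud computing service architecture provides the PaaS service to the first real tenant based on a second infrastructure resource group, and only the first virtual tenant has management rights over the infrastructure resources in the second infrastructure resource group.
In a possible implementation of the second aspect, the PaaS instance that the cloud computing service architecture provides to the first real tenant includes a management NIC, and the management NIC is used for management communication between the infrastructure resources in the second infrastructure resource group.
In a possible implementation of the second aspect, the PaaS instance that the cloud computing service architecture provides to the first real tenant includes a data NIC, and the data NIC is used for data communication between the PaaS instance and the first infrastructure resource group.
In a possible implementation of the second aspect, the receiving module is specifically configured to receive a PaaS operation request, sent by the first real tenant, that indicates an application for a PaaS instance; and the processing module is specifically configured to: determine, according to the PaaS operation request, that the IaaS operations corresponding to the PaaS operation are creating a PaaS instance and creating a data NIC; and control the IaaS management system through the first virtual tenant to create the PaaS instance and create the data NIC.
In a possible implementation of the second aspect, the receiving module is specifically configured to receive a PaaS operation request, sent by the first real tenant, that indicates a change to a PaaS instance; and the processing module is specifically configured to: determine, according to the PaaS operation request, that the IaaS operation corresponding to the PaaS operation is changing parameters of the PaaS instance; and control the IaaS management system through the first virtual tenant to change the parameters of the PaaS instance.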
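According to a third aspect, a cloud computing service architecture is provided. The cloud computing service architecture provides an infrastructure as a service (IaaS) service and a platform as a service (PaaS) service to a first real tenant, and includes a first infrastructure resource group and a second infrastructure resource group. The cloud computing service architecture provides the IaaS service to the first real tenant based on the first infrastructure resource group, and only the first real tenant has management rights over the infrastructure resources in the first infrastructure resource group. The cloud computing service architecture provides the PaaS service to the first real tenant based on the second infrastructure resource group, and only a first virtual tenant has management rights over the infrastructure resources in the second infrastructure resource group. Real tenants and virtual tenants are in a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence.
In a possible implementation of the third aspect, the second infrastructure resource group includes a PaaS instance, the PaaS instance includes a data NIC, and the data NIC is used for data communication between the PaaS instance and the first infrastructure resource group.
According to a fourth aspect, a platform as a service (PaaS) management system is provided. The PaaS management system includes a network interface, a processor, and a memory. The memory is configured to store instructions, and the processor and the network interface are configured to execute the instructions stored in the memory. When the processor and the network interface execute the instructions stored in the memory, the PaaS management system performs the method for providing a PaaS service according to the first aspect or any implementation of the first aspect.
According to a fifth aspect, a computer storage medium is provided. The computer storage medium is configured to store a computer program, and the computer program includes instructions for performing the method for providing a PaaS service according to the first aspect or any implementation of the first aspect. The computer storage medium includes but is not limited to a read-only memory, a random access memory, a flash memory, a hard disk drive (Hard Disk Drive, HDD), or a solid state drive (Solid State Drives, SSD).
According to a sixth aspect, a computer program product is provided. The computer program product includes program instructions, and when the computer program product is executed by a computing device, the computing device performs the method for providing a PaaS service according to the first aspect or any implementation of the first aspect. The computer program product may be a software installation package; when the method for providing a PaaS service according to the first aspect or any implementation of the first aspect needs to be used, the computer program product can be downloaded and executed on the computing device.
It should be understood that in this application a real tenant is a tenant that rents the PaaS service and can initiate PaaS operation requests through the PaaS management system. However, the real tenant has no management rights over the infrastructure resources that a PaaS operation request ultimately corresponds to; in other words, the real tenant has no permission to manage, through the IaaS management system, the infrastructure resources corresponding to a PaaS operation request. A real tenant may also rent the IaaS service and initiate IaaS operation requests through the IaaS management system; the real tenant has permission to manage the infrastructure resources corresponding to the IaaS operation requests that it initiates through the IaaS management system.
It should be understood that in this application a virtual tenant is not a tenant that really exists. It is a tenant that the PaaS management system allocates to a real tenant to act as a proxy for that real tenant, and that has management rights over the infrastructure resources corresponding to PaaS operation requests; in other words, the virtual tenant has permission to manage, through the IaaS management system, the infrastructure resources corresponding to PaaS operation requests. However, the virtual tenant has no management rights over the infrastructure resources corresponding to IaaS operations that the real tenant initiates through the IaaS management system.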
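Brief Description of Drawings
FIG. 1 is a schematic block diagram of a PaaS management system according to an embodiment of this application.
FIG. 2 is a schematic block diagram of an application of a PaaS management system according to an embodiment of this application.
FIG. 3 is a schematic block diagram of a cloud computing service architecture according to an embodiment of this application.
FIG. 4 is a schematic flowchart of a method for providing a PaaS service according to an embodiment of this application.
FIG. 5 is a schematic flowchart of a method for providing a PaaS service according to another embodiment of this application.
FIG. 6 is a schematic flowchart of a method for providing a PaaS service according to another embodiment of this application.
FIG. 7 is a schematic block diagram of a PaaS management system according to another embodiment of this application.
Detailed Description
The technical solutions in this application are described below with reference to the accompanying drawings.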
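In cloud computing, the services that a cloud computing service architecture provides to users typically include an infrastructure as a service (Infrastructure as a Service, IaaS) service, a platform as a service (Platform as a Service, PaaS) service, and a software as a service (Software as a Service, SaaS) service.
The IaaS service provides users, in the form of a service, with the right to use at least one of the infrastructure resources such as CPU, memory, storage media, networks, and routers. On the one hand, users do not need to care about or manage any specific hardware resources, which saves space, maintenance costs, and labor. On the other hand, the IaaS service lets users pay on demand and use resources as soon as they are provisioned, which greatly increases the flexibility with which users manage information technology (Information Technology, IT) infrastructure resources.
The PaaS service provides users, in the form of a service, with a software platform based on the IaaS service. It calls hardware resources through the application programming interface (Application Programming Interface, API) provided by the IaaS service, integrates them with common software service capabilities, and provides users with complete application infrastructure services, such as database services, message services, and cache services. The PaaS service lets users focus on the software services on the application software platform without having to attend to the provisioning, scaling, and maintenance of infrastructure resources.
The SaaS service is a model for providing software services over the internet. The vendor deploys the software centrally on its own servers, and users order the software services they need from the vendor over the internet according to their actual requirements.
Multi-tenancy technology, also called multiple tenancy technology, is a software architecture technique. It concerns how to share the same system or program components in a multi-tenant environment while still ensuring the isolation of data between tenants.
Multi-tenancy technology is widely used in SaaS and IaaS services and has become a key technology for SaaS services. The industry consensus generally divides multi-tenancy technology into categories by degree of isolation: multi-tenancy with virtualized hardware, multi-tenancy with isolated databases, shared-database technology, and so on. Following the classification of the IT consulting firm Gartner, multi-tenancy technology can be classified in more detail, for example into multi-tenancy with shared hardware, multi-tenancy with a shared operating system (Operating System, OS), multi-tenancy with a shared database, and shared-everything multi-tenancy.
In the industry, the vast majority of IaaS services implement multi-tenancy by sharing hardware. First, hardware virtualization technology is mature and of moderate difficulty; second, virtualized hardware matches the concept of the IaaS service. Because SaaS services are highly uniform in their business, that is, the service is aimed at one specific field and user requirements have obvious commonality, companies with strong data sharing capabilities, such as Google, mostly choose shared-everything multi-tenancy.
When a user rents both the PaaS service and the IaaS service in a cloud computing service architecture, existing management systems cause the resource management of the IaaS service and the PaaS service to conflict. This is because the IaaS service manages the user's infrastructure resources, for example at least one of CPU, memory, storage media, networks, and routers, and these include the infrastructure resources used to run the software services that the PaaS service provides. The PaaS service is built on the IaaS service and deploys common software services on the infrastructure resources that the IaaS service provides. As a result, the PaaS service and the IaaS service can both manage the same infrastructure resources, and their management conflicts. For example, the infrastructure resources running the software services provided by the PaaS service can be deleted from the service page of the IaaS service; as another example, a network policy of the IaaS service can affect the internal communication of the PaaS service.
Meanwhile, to reduce the user's management work, the PaaS service gives the user only a service address and port. In existing solutions, however, when a user rents both the PaaS service and the IaaS service, the infrastructure resources corresponding to the PaaS service are exposed to that user through the IaaS management system, and the user then has to deal with the issues that come with them, such as port security and firewall access rules. This extra work is not something the user needs, and it also brings security risks to the user.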
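To address the above problems, this application proposes, on the basis of IaaS with shared hardware, an improved PaaS management system that can meet multi-tenant requirements. FIG. 1 is a schematic block diagram of a PaaS management system 100 according to an embodiment of this application. The PaaS management system 100 may include:
a receiving module 110, configured to receive a PaaS operation request sent by a first real tenant, where the PaaS operation request indicates a PaaS operation on a PaaS resource;
a processing module 120, configured to determine information about a first virtual tenant corresponding to the first real tenant, where real tenants and virtual tenants are in a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence;
the processing module 120 is further configured to control, according to the PaaS operation request and the information about the first virtual tenant, the IaaS management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation.
The cloud computing service architecture can provide the PaaS service to the first real tenant through the PaaS management system 100 of this embodiment, and can provide the IaaS service to the first real tenant through the IaaS management system.
The receiving module 110 in the PaaS management system 100 may specifically include a PaaS tenant service component for interacting with real tenants. The processing module 120 may specifically include part of the functions of the PaaS tenant service component, a virtual tenant resource pool component that manages the one-to-one correspondence between real tenants and virtual tenants, and a PaaS tenant proxy component that performs IaaS operations on behalf of real tenants.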
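A detailed description follows with reference to FIG. 2, which is a schematic block diagram of an application of a PaaS management system 200 according to an embodiment of this application. As shown in FIG. 2, the PaaS management system 200 is the management system of the cloud computing service architecture at the platform (Platform, P) layer; in other words, the PaaS management system is the management system in the cloud computing service architecture that processes PaaS operations. The IaaS management system 300 is the management system of the cloud computing service architecture at the infrastructure (Infrastructure, I) layer; in other words, the IaaS management system is the management system in the cloud computing service architecture that processes IaaS operations. For a tenant, for example the first real tenant, the cloud computing service architecture provides the PaaS service through the PaaS management system 200. In addition, the cloud computing service architecture may provide the IaaS service to the first real tenant through the IaaS management system 300, although this embodiment is not limited in this respect.
The PaaS management system 200 shown in FIG. 2 includes a PaaS tenant service component 210, a virtual tenant resource pool component 220, and a PaaS tenant proxy component 230.
The PaaS tenant service component 210 is configured to receive the PaaS operation request that the first real tenant sends to the PaaS management system 100, where the PaaS operation request indicates a PaaS operation on a PaaS resource. Here, a PaaS resource means infrastructure resources and the software resources on them. Specifically, the PaaS tenant service component 210 interacts with real tenants and responds to their PaaS operation requests. The PaaS tenant service component 210 may be an application deployed in a web container on the infrastructure resources that exposes an interface over HTTP to the external cloud computing service page. A real tenant can send PaaS operation requests to the PaaS tenant service component 210 through the cloud computing service page. The PaaS tenant service component 210 responds to the PaaS operation request and handles the related PaaS operation, for example applying for a PaaS instance, restarting a PaaS instance, or changing or deleting a PaaS instance.
The PaaS tenant service component 210 is also configured to interact with the virtual tenant resource pool component 220 and the PaaS tenant proxy component 230 to complete the real tenant's PaaS operation. The PaaS tenant service component 210 requests from the virtual tenant resource pool component 220 the first virtual tenant corresponding to the first real tenant. The PaaS tenant service component 210 also performs the corresponding processing to separate out the IaaS operation corresponding to the PaaS operation indicated by the PaaS operation request, so that the PaaS tenant proxy component 230 can subsequently perform the IaaS operation.
It should be understood that, as shown in FIG. 2, the PaaS tenant service component 210 can complete the necessary authentication, security checks, and similar logic through an identity and access management (Identity and Access Management, IAM) component.
The virtual tenant resource pool component 220 is configured to manage the one-to-one correspondence between real tenants and virtual tenants, where the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence. The virtual tenant resource pool component 220 is also configured to send the information about the first virtual tenant to the PaaS tenant service component 210.
Specifically, the virtual tenant resource pool component 220 may also be a built-in component that interacts with the PaaS tenant service component 210 through a program interface, with both deployed in the same application of the same web container. In an embodiment of this application, the cloud computing service architecture may preset multiple virtual tenants, which form a resource pool stored in the virtual tenant resource pool component 220 for use. For a real tenant that rents both the IaaS service and the PaaS service, when it applies for a PaaS instance for the first time, the PaaS tenant service component 210 makes a call to the virtual tenant resource pool component 220 to select a virtual tenant. The virtual tenant resource pool component 220 then allocates an unoccupied virtual tenant from its internal resource pool to the real tenant, records the correspondence between the real tenant and the virtual tenant, and returns the information about the virtual tenant to the PaaS tenant service component 210.
After allocating a virtual tenant to each real tenant, the virtual tenant resource pool component 220 records each correspondence between real tenant and virtual tenant. In subsequent PaaS operation requests (for example, when the real tenant applies for another PaaS instance, or changes or deletes one), the virtual tenant resource pool component 220 directly returns the information about the corresponding virtual tenant to the PaaS tenant service component 210.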
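It should be understood that in the embodiments of this application a real tenant is a tenant that rents the PaaS service and can initiate PaaS operation requests through the PaaS management system. However, the real tenant has no management rights over the infrastructure resources that a PaaS operation request ultimately corresponds to; in other words, the real tenant has no permission to manage, through the IaaS management system, the infrastructure resources corresponding to a PaaS operation request. A real tenant may also rent the IaaS service and initiate IaaS operation requests through the IaaS management system; the real tenant has permission to manage the infrastructure resources corresponding to the IaaS operation requests that it initiates through the IaaS management system. For example, a real tenant is registered by a user in the PaaS management system; the user can set a user name and password that the PaaS management system uses for authentication, so as to log in to the PaaS management system and use the PaaS service. A virtual tenant is not a tenant that really exists. It is a tenant that the PaaS management system allocates to a real tenant to act as a proxy for that real tenant, and that has management rights over the infrastructure resources corresponding to PaaS operation requests; in other words, the virtual tenant has permission to manage, through the IaaS management system, the infrastructure resources corresponding to PaaS operation requests. For example, a virtual tenant is an ID or number that the PaaS system allocates to a registered real user. However, the virtual tenant has no management rights over the infrastructure resources corresponding to IaaS operations that the real tenant initiates through the IaaS management system. To the IaaS management system, the real tenant and the virtual tenant are two different tenants, and the IaaS management system isolates their management rights from each other.
The PaaS tenant proxy component 230 is configured to receive the information about the first virtual tenant and the information about the IaaS operation corresponding to the PaaS operation sent by the PaaS tenant service component 310, and, acting for the first real tenant through the first virtual tenant, to control the IaaS management system 300 to process the IaaS operation corresponding to the PaaS operation.
Specifically, the PaaS tenant proxy component 230 mainly performs identity proxying for the real tenant: it controls the IaaS management system 300 to manage the corresponding infrastructure resources under the real tenant's proxy identity.
After the virtual tenant resource pool component 220 selects or retrieves the first virtual tenant corresponding to the first real tenant, it sends the information about the first virtual tenant to the PaaS tenant service component 210. The PaaS tenant service component 210 sends the information about the first virtual tenant and the information about the IaaS operation corresponding to the PaaS operation to the PaaS tenant proxy component 230. The PaaS tenant proxy component 230, acting for the first real tenant through the first virtual tenant, controls the IaaS management system 300 to process the IaaS operation corresponding to the PaaS operation, for example creating a virtual machine (Virtual Machine, VM) (that is, creating a PaaS instance), or changing or deleting VM resources.
Optionally, in this embodiment, the PaaS tenant proxy component 230 may authenticate the first virtual tenant through the IAM component and obtain the identity authentication token of the first virtual tenant. Using the first virtual tenant's identity authentication token, the PaaS tenant proxy component 230 issues the corresponding IaaS operation instruction to the IaaS management system 300 on behalf of the first real tenant.
It should be understood that in this embodiment the cloud computing service architecture provides the IaaS service to the first real tenant based on the first infrastructure resource group, and only the first real tenant has management rights over the infrastructure resources in the first infrastructure resource group; the cloud computing service architecture provides the PaaS service to the first real tenant based on the second infrastructure resource group, and only the first virtual tenant has management rights over the infrastructure resources in the second infrastructure resource group.
The PaaS management system of this embodiment introduces, in the PaaS management system, a one-to-one corresponding virtual tenant for each real tenant, so that the PaaS management system manages infrastructure resources through the virtual tenant. The first real tenant and the first virtual tenant are one pair among multiple one-to-one correspondences, so that management of the PaaS service for the first real tenant is isolated from the management of other tenants. This guarantees isolation of management between tenants and can also resolve the management conflict between the IaaS service and the PaaS service over infrastructure resources.
This is because, to the IaaS management system, the real tenant and the virtual tenant are two different tenants. The real tenant has management permission only over the infrastructure resources corresponding to IaaS operation requests that the real tenant initiates through the IaaS management system, and the virtual tenant has management permission only over the infrastructure resources corresponding to PaaS operation requests that the real tenant initiates through the PaaS management system. The IaaS management system isolates the management rights of the two, which not only resolves the management conflict but also improves the security of the cloud computing service. Introducing a one-to-one corresponding virtual tenant for each real tenant ensures that resources are isolated between tenants. In summary, on the basis of meeting multi-tenant requirements, the PaaS management system of this embodiment can isolate, at the network level, the infrastructure resources corresponding to the IaaS service from those corresponding to the PaaS service, thereby resolving the management conflict between the IaaS service and the PaaS service over infrastructure resources and improving the security of the whole cloud computing service.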
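An embodiment of this application further provides a cloud computing service architecture. FIG. 3 is a schematic block diagram of a cloud computing service architecture 400 according to an embodiment of this application. The cloud computing service architecture 400 provides an infrastructure as a service (IaaS) service and a platform as a service (PaaS) service to a first real tenant, and includes a first infrastructure resource group 410 and a second infrastructure resource group 420. The cloud computing service architecture 400 provides the IaaS service to the first real tenant based on the first infrastructure resource group 410, and only the first real tenant has management rights over the infrastructure resources in the first infrastructure resource group 410. The cloud computing service architecture 400 provides the PaaS service to the first real tenant based on the second infrastructure resource group 420, and only the first virtual tenant has management rights over the infrastructure resources in the second infrastructure resource group 420. Real tenants and virtual tenants are in a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence.
Specifically, the PaaS management system of the cloud computing service architecture 400 generates a corresponding virtual tenant for every real tenant that receives PaaS. When the first real tenant applies for a PaaS instance, the PaaS management system uses the identity of the first virtual tenant to manage the second infrastructure resource group 420 corresponding to the PaaS instance; for example, the VM, storage media, network, or router corresponding to the PaaS instance all fall within the management scope of the first virtual tenant. All operations on the infrastructure resources of the first real tenant's PaaS instance, that is, on the second infrastructure resource group 420 managed by the first virtual tenant (for example, releasing the PaaS instance, changing PaaS, restarting PaaS, or adding a disk), can be performed only under the identity of the first virtual tenant corresponding to the first real tenant, and this correspondence is stored only in the backend of the PaaS management system. That is, the cloud computing service architecture 400 provides the PaaS service to the first real tenant based on the second infrastructure resource group 420, and only the first virtual tenant has management rights over the infrastructure resources in the second infrastructure resource group 420. The infrastructure resources created for a PaaS instance belong to the virtual tenant; only the virtual tenant has management rights over them, and the real tenant cannot manage them through the IaaS management system.
Where the cloud computing service architecture 400 also provides the IaaS service to the first real tenant based on the first infrastructure resource group 410, only the first real tenant has management rights over the infrastructure resources in the first infrastructure resource group 410. The infrastructure resources that provide the IaaS service to the real tenant belong to the real tenant; only the real tenant has management rights over them, and the virtual tenant cannot manage them through the PaaS management system. The first infrastructure resource group 410 and the second infrastructure resource group 420 have no infrastructure resources in common.
It should be understood that, for a real tenant, in some cases data communication is needed between the infrastructure resources corresponding to the IaaS service and those corresponding to the PaaS service that the tenant rents. The second infrastructure resource group 420 may include a PaaS instance, the PaaS instance includes a data NIC, and the data NIC is used for data communication between the PaaS instance and the first infrastructure resource group 410.
In the cloud computing service architecture of this embodiment, for a real tenant that rents both the IaaS service and the PaaS service, the infrastructure resources corresponding to the two services fall into two parts. At least one of the VM, network, CPU, memory, storage media, and router resources of the second infrastructure resource group 420 corresponding to the PaaS service is managed by the real tenant through the PaaS management system, which controls the virtual tenant, which in turn manages them through the IaaS management system; this is the PaaS management domain shown in FIG. 3. At least one of the VM, network, CPU, memory, storage media, and router resources of the first infrastructure resource group 410 corresponding to IaaS is managed by the real tenant through the IaaS management system; this is the IaaS management domain shown in FIG. 3. The real tenant can control the application for and destruction of PaaS instance resources through the PaaS management system. Within the real tenant's network, only the network address and port of the PaaS instance are visible, and the infrastructure resources corresponding to the PaaS instance cannot be seen. The infrastructure resources corresponding to the PaaS instance can be managed only through the virtual tenant.
A PaaS instance can be designed with multiple NICs so that the management network and the data network are independent of each other. Specifically, during creation of the PaaS instance, multiple NICs can be created on the VM; the management NIC and the data NIC are independent of each other and belong to the management network and the data network respectively. Communication on the management network is management communication, meaning the internal communication of the PaaS service and the control communication of the PaaS management system backend. Communication on the data network is data communication, meaning the external communication of the PaaS service, used to transmit data produced or needed while the user uses the service. The PaaS instance (that is, the virtual machine) that the cloud computing service architecture provides to the first real tenant includes a management NIC, which is used for management communication between the infrastructure resources in the second infrastructure resource group 420. The management NIC carries the internal communication of the PaaS service and the control communication of the PaaS management system backend, independently of the real tenant's data communication. The management network is connected to the virtual tenant's virtual network and is not subject to outside interference. The PaaS instance (that is, the virtual machine) that the cloud computing service architecture provides to the first real tenant includes a data NIC, which is used for data communication between the PaaS instance and the first infrastructure resource group 410. The data network is connected to the real tenant's virtual network and accepts management only by the real tenant.
It should be understood that the cloud computing service architecture of this embodiment is used to provide hardware or software services to tenants. The cloud computing service architecture includes infrastructure resources and the software deployed on them. For example, the hardware of the cloud computing service architecture may include one or more of CPU, memory, storage media, networks, and routers, and the hardware is connected by physical devices. The software of the cloud computing service architecture may include the PaaS management system and the IaaS management system deployed on that hardware, the application software corresponding to the PaaS services that tenants rent, and so on. The cloud computing service architecture can deploy software on hardware by means of virtualization technology. This embodiment does not limit the specific form of the cloud computing service architecture.
The real tenant has management rights over the data NIC of the PaaS instance, and capabilities such as the real tenant's security group policy can take effect on the data NIC. This lets the real tenant attend only to the data NIC and not to the other NICs, which simplifies the real tenant's management work and also strengthens the network isolation of the infrastructure resources corresponding to the PaaS service. In this embodiment, different real tenants correspond to different virtual tenants, and the networks of different virtual tenants are independent and isolated from each other. As a result, for the multiple tenants of the PaaS service, the resources of each tenant are isolated from those of the others.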
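FIG. 4 is a schematic flowchart of a method 500 for providing PaaS according to an embodiment of this application. The method 500 is based on a cloud computing service architecture that provides PaaS to a first real tenant through a PaaS management system. The method 500 may include:
S510: The PaaS management system receives a PaaS operation request sent by the first real tenant, where the PaaS operation request indicates a PaaS operation on a PaaS resource.
S520: The PaaS management system determines information about a first virtual tenant corresponding to the first real tenant, where real tenants and virtual tenants are in a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence.
S530: The PaaS management system, according to the PaaS operation request and the information about the first virtual tenant, controls the IaaS management system of the cloud computing service architecture through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation.
The method for providing PaaS in this embodiment introduces, in the PaaS management system, a one-to-one corresponding virtual tenant for each real tenant, so that the PaaS management system manages infrastructure resources through the virtual tenant. The first real tenant and the first virtual tenant are one pair among multiple one-to-one correspondences, so that management of the PaaS service for the first real tenant is isolated from the management of other tenants. This guarantees isolation of management between tenants and can also resolve the management conflict between the IaaS service and the PaaS service over infrastructure resources.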
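The method for providing PaaS in this embodiment is described in detail below using two specific scenarios. FIG. 5 shows a schematic flowchart of a method 600 for providing PaaS according to an embodiment of this application. Here, S510, in which the PaaS management system receives the PaaS operation request sent by the first real tenant, may include: the PaaS management system receives a PaaS operation request, sent by the first real tenant, that indicates an application for a PaaS instance. S530, in which the PaaS management system controls, according to the PaaS operation request and the information about the first virtual tenant, the infrastructure as a service (IaaS) management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation, may include: the PaaS management system determines, according to the PaaS operation request, that the IaaS operations corresponding to the PaaS operation are creating a PaaS instance and creating a data NIC; and the PaaS management system controls the IaaS management system through the first virtual tenant to create the PaaS instance and create the data NIC.
FIG. 5 is a schematic flowchart of a method for providing PaaS according to an embodiment of this application. The scenario shown in FIG. 5 is a real tenant applying for a PaaS instance for the first time. As shown in FIG. 5, a real tenant's first application for a PaaS instance may include the following steps.
S605: The real tenant clicks the button for applying for a PaaS instance on the cloud computing service page, which may also be called the PaaS console. The cloud computing service page sends an HTTP message to the PaaS management system, specifically to the PaaS tenant service component 210.
S610: The PaaS tenant service component 210 makes a call to the virtual tenant resource pool component 220 to select a virtual tenant, that is, select virtual tenant().
S615: The virtual tenant resource pool component 220 allocates an unoccupied virtual tenant from its internal resource pool to the real tenant and records the correspondence between the real tenant and the virtual tenant.
S620: The virtual tenant resource pool component 220 returns the information about the virtual tenant to the PaaS tenant service component 210.
S625: After receiving the information about the virtual tenant, the PaaS tenant service component 210 passes it to the PaaS tenant proxy component 230 and at the same time makes a call to create a VM, that is, create VM().
S630: After receiving the call to create a virtual machine, the PaaS tenant proxy component 230 sends an HTTP message to the IAM component to obtain the identity authentication token of the virtual tenant.
S635: The IAM component returns the identity authentication token of the virtual tenant to the PaaS tenant proxy component 230.
S640: After obtaining the identity authentication token, the PaaS tenant proxy component 230 sends the IaaS management system 300 an HTTP message to create a VM (that is, to create a PaaS instance).
S645: After the VM is created successfully, the IaaS management system 300 returns a confirmation message to the PaaS tenant proxy component 230.
S650: After the VM is created successfully, the PaaS tenant service component 210 sends the IaaS management system 300 an HTTP message to create a data NIC, instructing the IaaS management system 300 to create the data NIC used to communicate with the first infrastructure resource group.
S655: After it finishes creating the data NIC, the IaaS management system 300 returns a confirmation message to the PaaS tenant proxy component 230.
S660: The PaaS tenant service component 210 sends the PaaS tenant proxy component 230 a message to attach the data NIC.
S665: After receiving the message to attach the data NIC, the PaaS tenant proxy component 230 sends the IaaS management system 300 an HTTP message to attach the data NIC to the VM.
S670: For the operation of attaching the data NIC to the VM, the IaaS management system 300 queries the IAM as to whether the virtual tenant has been authorized; once authorization passes, the operation of attaching the data NIC to the VM can be performed.
Only at this point can the PaaS management system attach the real tenant's data NIC under the virtual tenant and connect the resources of the PaaS VM to the real tenant's network through the real tenant's data NIC.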
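FIG. 6 is a schematic flowchart of a method 700 for providing PaaS according to an embodiment of this application. The scenario shown in FIG. 6 is a real tenant changing a PaaS instance. Here, S510, in which the PaaS management system receives the PaaS operation request sent by the first real tenant, may include: the PaaS management system receives a PaaS operation request, sent by the first real tenant, that indicates a change to a PaaS instance. S530, in which the PaaS management system controls, according to the PaaS operation request and the information about the first virtual tenant, the infrastructure as a service (IaaS) management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation, may include: the PaaS management system determines, according to the PaaS operation request, that the IaaS operation corresponding to the PaaS operation is changing parameters of the PaaS instance; and the PaaS management system controls the IaaS management system through the first virtual tenant to change the parameters of the PaaS instance.
As shown in FIG. 6, a real tenant's change to a PaaS instance may include the following steps.
S705: The real tenant clicks the button for changing a PaaS instance on the cloud computing service page. The cloud computing service page sends an HTTP message to the PaaS management system, specifically to the PaaS tenant service component 210.
S710: The PaaS tenant service component 210 makes a call to the virtual tenant resource pool component 220 to determine the virtual tenant, that is, determine virtual tenant().
S715: The virtual tenant resource pool component 220 determines the virtual tenant corresponding to the real tenant from the recorded correspondence between real tenants and virtual tenants.
S720: The virtual tenant resource pool component 220 returns the information about the virtual tenant to the PaaS tenant service component 210.
S725: After receiving the information about the virtual tenant, the PaaS tenant service component 210 passes it to the PaaS tenant proxy component 130 and at the same time makes a call to change the VM, that is, change VM().
S730: After receiving the call to change the VM, the PaaS tenant proxy component 230 sends an HTTP message to the IAM component to obtain the identity authentication token of the virtual tenant.
S735: The PaaS tenant proxy component 230 obtains the identity authentication token.
S740: After obtaining the identity authentication token, the PaaS tenant proxy component 230 sends the IaaS management system 300 an HTTP message to change the VM.
S745: After receiving the HTTP message to change the VM, the IaaS management system 300 changes the parameters of the virtual machine.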
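The two flows above (first application, S605 to S670, and change, S705 to S745) can be followed in a small model. This is an added example, not code from the application: the class, method and tenant names (IaaS, VirtualTenantPool, PaaS, alice, bob, vt-01) are hypothetical, the IAM component is reduced to a token table, and the data NIC steps are left out. Calling demo() returns the outcome of each check.

```python
# Added illustration of the virtual-tenant model; every name here is hypothetical.
import secrets


class IaaS:
    """IaaS management system: each resource is managed by exactly one tenant."""

    def __init__(self):
        self.tokens = {}      # token -> tenant id (stands in for the IAM component)
        self.resources = {}   # VM id -> {"owner": tenant id, "flavor": str}

    def issue_token(self, tenant_id):
        token = secrets.token_hex(16)
        self.tokens[token] = tenant_id
        return token

    def _caller(self, token):
        return self.tokens[token]   # KeyError for a token that was never issued

    def _owned(self, token, vm_id):
        # Isolation check: only the owning tenant may manage a resource.
        if self.resources[vm_id]["owner"] != self._caller(token):
            raise PermissionError(f"{vm_id} is outside this tenant's management scope")
        return self.resources[vm_id]

    def create_vm(self, token, flavor):
        vm_id = "vm-" + secrets.token_hex(4)
        self.resources[vm_id] = {"owner": self._caller(token), "flavor": flavor}
        return vm_id

    def change_vm(self, token, vm_id, flavor):
        self._owned(token, vm_id)["flavor"] = flavor

    def delete_vm(self, token, vm_id):
        self._owned(token, vm_id)
        del self.resources[vm_id]


class VirtualTenantPool:
    """Pre-provisioned virtual tenants; the real -> virtual mapping is one-to-one."""

    def __init__(self, virtual_ids):
        self.free = list(virtual_ids)
        self.by_real = {}

    def select(self, real_id):
        # The first request allocates an unused virtual tenant; later ones reuse it.
        if real_id not in self.by_real:
            if not self.free:
                raise RuntimeError("virtual tenant pool exhausted")
            self.by_real[real_id] = self.free.pop(0)
        return self.by_real[real_id]


class PaaS:
    """PaaS management system; real_id is assumed to be authenticated already."""

    def __init__(self, iaas, pool):
        self.iaas, self.pool, self.instances = iaas, pool, {}

    def _proxy_token(self, real_id):
        # Tenant proxy: act towards the IaaS as the virtual tenant, never as real_id.
        return self.iaas.issue_token(self.pool.select(real_id))

    def apply_instance(self, real_id, name, flavor):
        vm_id = self.iaas.create_vm(self._proxy_token(real_id), flavor)
        self.instances[(real_id, name)] = vm_id   # mapping stays in the backend
        return {"address": f"{name}.paas.invalid", "port": 5432}  # endpoint only

    def change_instance(self, real_id, name, flavor):
        vm_id = self.instances[(real_id, name)]   # KeyError for another tenant's name
        self.iaas.change_vm(self._proxy_token(real_id), vm_id, flavor)


def refused(action, *args):   # True when the IaaS rejects the call
    try:
        action(*args)
    except PermissionError:
        return True
    return False


def demo():
    iaas = IaaS()
    paas = PaaS(iaas, VirtualTenantPool(["vt-01", "vt-02"]))
    alice = iaas.issue_token("alice")              # real tenant's own IaaS identity
    own_vm = iaas.create_vm(alice, "small")        # first infrastructure resource group
    paas.apply_instance("alice", "db", "medium")   # second infrastructure resource group
    paas_vm = paas.instances[("alice", "db")]
    vt01 = iaas.issue_token("vt-01")               # what the tenant proxy would hold
    paas.change_instance("alice", "db", "large")   # reuses vt-01, no new allocation
    paas.apply_instance("bob", "cache", "small")   # second real tenant gets vt-02
    return {
        "alice_delete_refused": refused(iaas.delete_vm, alice, paas_vm),
        "virtual_delete_refused": refused(iaas.delete_vm, vt01, own_vm),
        "paas_vm": dict(iaas.resources[paas_vm]),
        "mapping": dict(paas.pool.by_real),
    }
```

The real tenant's own IaaS token is refused on the PaaS VM, and the virtual tenant's token is refused on the real tenant's VM, which is the two-way isolation the description relies on.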
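It should be noted that in this embodiment the receiving module 110 of the PaaS management system may be implemented by a network interface, and the processing module 120 may be implemented by a processor. As shown in FIG. 7, the PaaS management system 800 may include a processor 810, a network interface 820, and a memory 830. The memory 830 may be used to store instructions executed by the processor 810, among other things. The processor 810 and the network interface 820 are configured to execute the instructions stored in the memory 830; when the processor 810 and the network interface 820 execute the instructions stored in the memory 830, the PaaS management system 800 performs the method for providing a PaaS service according to the embodiments of this application.
The components of the PaaS management system 800 can communicate with each other over internal connection paths to pass control and/or data signals.
It should be noted that the method embodiments of this application may be applied in a processor or implemented by a processor. The processor may be an integrated circuit chip with signal processing capability. During implementation, the steps of the method embodiments may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the methods disclosed in the embodiments of this application may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium that is mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above methods in combination with its hardware.
It can be understood that the memory in the embodiments of this application may be a volatile memory or a non-volatile memory, or may include both. The non-volatile memory may be a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), or a flash memory. The volatile memory may be a random access memory (Random Access Memory, RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (Synchlink DRAM, SLDRAM), and direct Rambus random access memory (Direct Rambus RAM, DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, without being limited to, these and any other suitable types of memory.
The network interface is configured to receive the PaaS operation request sent by the first real tenant. The network interface 820 may be one network interface or multiple network interfaces. The network interface may be a wired interface, for example a fiber distributed data interface (Fiber Distributed Data Interface, FDDI) or a gigabit Ethernet (Gigabit Ethernet, GE) interface; the network interface may also be a wireless interface. A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses, and units described above may be found in the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. The division into units is merely a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of a software functional unit and sold or used as a standalone product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application.
The foregoing is merely the specific implementation of this application, but the protection scope of this application is not limited to it. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.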

Claims (16)

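  1. A method for providing a platform as a service (PaaS) service, wherein the method comprises:
    receiving, by a PaaS management system, a PaaS operation request sent by a first real tenant, wherein the PaaS operation request indicates a PaaS operation on a PaaS resource;
    determining, by the PaaS management system, information about a first virtual tenant corresponding to the first real tenant, wherein real tenants and virtual tenants are in a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence; and
    controlling, by the PaaS management system according to the PaaS operation request and the information about the first virtual tenant, an infrastructure as a service (IaaS) management system through the first virtual tenant to process an IaaS operation corresponding to the PaaS operation.
  2. The method according to claim 1, wherein the IaaS management system is a management system in a cloud computing service architecture for processing IaaS operations, the cloud computing service architecture provides an IaaS service to the first real tenant based on a first infrastructure resource group, only the first real tenant has management rights over the infrastructure resources in the first infrastructure resource group, the PaaS management system is a management system in the cloud computing service architecture for processing PaaS operations, the cloud computing service architecture provides the PaaS service to the first real tenant based on a second infrastructure resource group, and only the first virtual tenant has management rights over the infrastructure resources in the second infrastructure resource group.
  3. The method according to claim 2, wherein the PaaS instance that the cloud computing service architecture provides to the first real tenant comprises a management NIC, and the method further comprises:
    performing, by the PaaS management system through the management NIC, management communication between the infrastructure resources in the second infrastructure resource group.
  4. The method according to claim 2 or 3, wherein the PaaS instance that the cloud computing service architecture provides to the first real tenant comprises a data NIC, and the method further comprises:
    performing, by the PaaS management system through the data NIC, data communication between the PaaS instance and the first infrastructure resource group.
  5. The method according to any one of claims 1 to 4, wherein the receiving, by the PaaS management system, of the PaaS operation request sent by the first real tenant comprises:
    receiving, by the PaaS management system, a PaaS operation request that is sent by the first real tenant and that indicates an application for a PaaS instance;
    and the controlling, by the PaaS management system according to the PaaS operation request and the information about the first virtual tenant, of the IaaS management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation comprises:
    determining, by the PaaS management system according to the PaaS operation request, that the IaaS operations corresponding to the PaaS operation are creating a PaaS instance and creating a data NIC; and
    controlling, by the PaaS management system through the first virtual tenant, the IaaS management system to create the PaaS instance and create the data NIC.
  6. The method according to any one of claims 1 to 4, wherein the receiving, by the PaaS management system, of the PaaS operation request sent by the first real tenant comprises:
    receiving, by the PaaS management system, a PaaS operation request that is sent by the first real tenant and that indicates a change to a PaaS instance;
    and the controlling, by the PaaS management system according to the PaaS operation request and the information about the first virtual tenant, of the IaaS management system through the first virtual tenant to process the IaaS operation corresponding to the PaaS operation comprises:
    determining, by the PaaS management system according to the PaaS operation request, that the IaaS operation corresponding to the PaaS operation is changing parameters of the PaaS instance; and
    controlling, by the PaaS management system through the first virtual tenant, the IaaS management system to change the parameters of the PaaS instance.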
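  7. A platform as a service (PaaS) management system, wherein the PaaS management system comprises:
    a receiving module, configured to receive a PaaS operation request sent by a first real tenant, wherein the PaaS operation request indicates a PaaS operation on a PaaS resource; and
    a processing module, configured to determine information about a first virtual tenant corresponding to the first real tenant, wherein real tenants and virtual tenants are in a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence;
    wherein the processing module is further configured to control, according to the PaaS operation request and the information about the first virtual tenant, an infrastructure as a service (IaaS) management system through the first virtual tenant to process an IaaS operation corresponding to the PaaS operation.
  8. The PaaS management system according to claim 7, wherein the IaaS management system is a management system in a cloud computing service architecture for processing IaaS operations, the cloud computing service architecture provides an IaaS service to the first real tenant based on a first infrastructure resource group, only the first real tenant has management rights over the infrastructure resources in the first infrastructure resource group, the PaaS management system is a management system in the cloud computing service architecture for processing PaaS operations, the cloud computing service architecture provides the PaaS service to the first real tenant based on a second infrastructure resource group, and only the first virtual tenant has management rights over the infrastructure resources in the second infrastructure resource group.
  9. The PaaS management system according to claim 8, wherein the PaaS instance that the cloud computing service architecture provides to the first real tenant comprises a management NIC, and the management NIC is used for management communication between the infrastructure resources in the second infrastructure resource group.
  10. The PaaS management system according to claim 8 or 9, wherein the PaaS instance that the cloud computing service architecture provides to the first real tenant comprises a data NIC, and the data NIC is used for data communication between the PaaS instance and the first infrastructure resource group.
  11. The PaaS management system according to any one of claims 7 to 10, wherein the receiving module is specifically configured to:
    receive a PaaS operation request that is sent by the first real tenant and that indicates an application for a PaaS instance;
    and the processing module is specifically configured to:
    determine, according to the PaaS operation request, that the IaaS operations corresponding to the PaaS operation are creating a PaaS instance and creating a data NIC; and
    control, through the first virtual tenant, the IaaS management system to create the PaaS instance and create the data NIC.
  12. The PaaS management system according to any one of claims 7 to 10, wherein the receiving module is specifically configured to:
    receive a PaaS operation request that is sent by the first real tenant and that indicates a change to a PaaS instance;
    and the processing module is specifically configured to:
    determine, according to the PaaS operation request, that the IaaS operation corresponding to the PaaS operation is changing parameters of the PaaS instance; and
    control, through the first virtual tenant, the IaaS management system to change the parameters of the PaaS instance.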
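  13. A cloud computing service architecture, wherein the cloud computing service architecture provides an infrastructure as a service (IaaS) service and a platform as a service (PaaS) service to a first real tenant, and the cloud computing service architecture comprises a first infrastructure resource group and a second infrastructure resource group, wherein the cloud computing service architecture provides the IaaS service to the first real tenant based on the first infrastructure resource group, only the first real tenant has management rights over the infrastructure resources in the first infrastructure resource group, the cloud computing service architecture provides the PaaS service to the first real tenant based on the second infrastructure resource group, only a first virtual tenant has management rights over the infrastructure resources in the second infrastructure resource group, real tenants and virtual tenants are in a one-to-one correspondence, and the first real tenant and the first virtual tenant are one pair in the one-to-one correspondence.
  14. The cloud computing service architecture according to claim 13, wherein the second infrastructure resource group comprises a PaaS instance, the PaaS instance comprises a data NIC, and the data NIC is used for data communication between the PaaS instance and the first infrastructure resource group.
  15. A platform as a service (PaaS) management system, wherein the PaaS management system comprises a network interface, a processor, and a memory, the memory is configured to store instructions, the processor and the network interface are configured to execute the instructions stored in the memory, and when the processor and the network interface execute the instructions stored in the memory, the PaaS management system performs the method according to any one of claims 1 to 6.
  16. A computer storage medium, wherein the computer storage medium is configured to store a computer program, and the computer program comprises instructions for performing the method according to any one of claims 1 to 6.
PCT/CN2018/074278 2017-04-01 2018-01-26 Method for providing PaaS service, management system, and cloud computing service architecture WO2018177013A1 (zh)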

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP18774532.8A EP3591939B1 (en) 2017-04-01 2018-01-26 Method for providing paas service and management system
US16/589,918 US11438242B2 (en) 2017-04-01 2019-10-01 Method for providing PaaS service, management system, and cloud computing service architecture

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710216079.5A CN108667886B (zh) 2017-04-01 2017-04-01 Method for providing PaaS service, management system, and cloud computing service architecture
CN201710216079.5 2017-04-01

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/589,918 Continuation US11438242B2 (en) 2017-04-01 2019-10-01 Method for providing PaaS service, management system, and cloud computing service architecture

Publications (1)

Publication Number Publication Date
WO2018177013A1 true WO2018177013A1 (zh) 2018-10-04

Family

ID=63675193

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/074278 WO2018177013A1 (zh) 2017-04-01 2018-01-26 Method for providing PaaS service, management system, and cloud computing service architecture

Country Status (4)

Country Link
US (1) US11438242B2 (zh)
EP (1) EP3591939B1 (zh)
CN (1) CN108667886B (zh)
WO (1) WO2018177013A1 (zh)

Also Published As

Publication number Publication date
EP3591939A1 (en) 2020-01-08
US11438242B2 (en) 2022-09-06
EP3591939B1 (en) 2023-08-02
US20200036601A1 (en) 2020-01-30
EP3591939A4 (en) 2020-01-08
CN108667886B (zh) 2020-07-28
CN108667886A (zh) 2018-10-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18774532

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2018774532

Country of ref document: EP

Effective date: 20191002