WO2019127973A1 - Authority authentication method, system and device for mirror repository, and storage medium - Google Patents


Info

Publication number
WO2019127973A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
request
information
token
warehouse
Application number
PCT/CN2018/082269
Other languages
French (fr)
Chinese (zh)
Inventor
刘俊杰
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2019127973A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services

Definitions

  • The present application relates to the field of Docker technology, and specifically to a method, system, device and storage medium for permission authentication of an image repository (the "mirror warehouse").
  • Docker is an open-source application container engine that lets developers package an application together with its dependencies into a portable container and publish it to any popular Linux machine; it can also be used to implement virtualization.
  • The container technology it provides allows several containers to run on the same host or virtual machine, each container being an isolated virtual environment or application.
  • A container is created from a Docker image, which can be built by the user or generated by committing a running container. Once generated, an image can be pushed to an image repository for storage, or pulled from the repository to the local machine to run a container.
  • Docker provides an official image repository (Docker Hub) and also allows users to build their own private image repository (private Registry). Most organizations need a private image repository to protect the image contents and control use of the repository.
  • Access control needs to be refined for images in different image repositories.
  • For public images, that is, images in the official image repository, any user can pull (Pull) the image and only the system administrator can push (Push) it.
  • For images under a user's own namespace, authorization verification decides whether the image may be pulled or pushed: at access time the system must judge, from the identity of the client, which images in the repository may be pulled, or which images may be pushed to which repository. This improves the security of the images.
  • The permission settings of existing Docker image servers are relatively simple and generally use one of two methods.
  • The first method only checks whether user authentication information is supplied with the request and does not verify whether it is genuine; the second configures a static username and password and requires the password file to be generated in advance.
  • In either case the image service can be operated with a simple user login.
  • The present application provides a method, system, device and storage medium for permission authentication of an image repository, which mainly solves the problem that existing Docker image access is not secure.
  • A method for permission authentication of an image repository includes the following steps:
  • when access to the Docker image repository through the proxy server is rejected, receiving the unauthorized error information returned by the image repository, wherein the image repository is deployed in the cloud management zone and the response header of the unauthorized error information includes authentication-method prompt information;
  • the token server is deployed in the cloud management zone;
  • the step of parsing the unauthorized error information, generating a permission authentication request according to the authentication-method prompt information, sending it to the proxy server, and the proxy server forwarding it to the token server for permission authentication includes: sending the permission authentication request information to the proxy server, which sends the permission authentication request to the token server for permission authentication.
  • The step of generating the permission authentication request information from the user authentication information and the requested image content range, according to the authentication-method prompt information, includes: encrypting the user authentication information according to the authentication-method prompt information and placing it in the request header of the HTTPS request, placing the requested image content range in the request parameters of the HTTPS request, and generating the permission authentication request information from that request header and those request parameters.
  • After the proxy server sends the permission authentication request to the token server for permission authentication, and before the steps of receiving the token returned by the token server in the cloud management zone and sending the access request to the image repository, the permission authentication method further includes:
  • the proxy server performs Transport Layer Security (TLS) authentication according to the domain name entered by the client, and after verification passes receives the client's data access request and sends it to the token server of the cloud management zone;
  • the token server of the cloud management zone parses the permission authentication request information and verifies the user authentication information;
  • a token is generated according to the user authentication information and the requested image content range and returned to the client.
  • The method further includes: the image repository receives the token, parses and verifies it, and returns the image to the client when verification passes.
  • A permission authentication system for an image repository comprises a plurality of availability zones, each of which is provided with a permission authentication device and a proxy server.
  • The permission authentication device is configured to access the image repository; when access is rejected, to receive the unauthorized error information returned by the image repository, whose response header includes authentication-method prompt information; to parse the unauthorized error information, generate a permission authentication request according to the authentication-method prompt information and send it to the proxy server; to receive the token returned by the token server; to carry the token in an access request to the image repository; and to receive the image returned by the image repository.
  • The proxy server is configured to send the permission authentication request to a token server in the cloud management zone.
  • The permission authentication system further includes a token server disposed in the cloud management zone. The token server is configured to parse the permission authentication request information and verify the user authentication information; when the user passes authentication, to determine from the requested image content range whether the client may access the requested image content; and when it may, to generate a token according to the user authentication information and the requested image content range and return it to the client.
  • The proxy server is further configured to perform TLS authentication according to the domain name entered by the client, and after verification passes to receive the client's data access request and send it to the token server of the cloud management zone.
  • The number of token servers is one.
  • The permission authentication system further includes an image repository disposed in the cloud management zone, configured to receive the token, parse and verify it, and return the image to the client when verification passes.
  • A permission authentication device for an image repository comprises a processor, a memory, and a permission authentication program stored in the memory and executable by the processor; when executed by the processor, the permission authentication program implements the following steps:
  • when access to the Docker image repository through the proxy server is rejected, receiving the unauthorized error information returned by the image repository, wherein the image repository is deployed in the cloud management zone and the response header of the unauthorized error information includes authentication-method prompt information;
  • the token server is deployed in the cloud management zone.
  • A storage medium stores a permission authentication program which, when executed by a processor, implements the following steps:
  • when access to the Docker image repository through the proxy server is rejected, receiving the unauthorized error information returned by the image repository, wherein the image repository is deployed in the cloud management zone and the response header of the unauthorized error information includes authentication-method prompt information;
  • the token server is deployed in the cloud management zone.
  • The permission authentication method first receives the unauthorized error information returned by the image repository when access to the image repository through the proxy server is rejected, wherein the image repository is deployed in the cloud management zone and the response header of the unauthorized error information includes authentication-method prompt information; it then parses the unauthorized error information, generates a permission authentication request according to the authentication-method prompt information and sends it to the proxy server;
  • the proxy server sends the permission authentication request to the token server for permission authentication, wherein the proxy server is deployed in the availability zone and the token server in the cloud management zone; the client then receives the token returned by the token server in the cloud management zone, carries the token in an access request to the image repository, and receives the image returned by the image repository, which completes the access operation on the private Docker image repository.
  • The application improves image security by issuing tokens according to the requested permissions, and by placing the token server in the cloud management zone it is no longer necessary to deploy an authentication component in each availability zone; this avoids having to call the cloud management zone's API to authenticate the user's domain account on every permission authentication, and so avoids wasting resources.
  • Since maintaining the proxy server is far less difficult than maintaining a self-developed authentication component, only the single token server in the cloud management zone needs to be maintained.
  • FIG. 1 is a flowchart of a preferred embodiment of the method for permission authentication of an image repository provided by the present application;
  • FIG. 2 is a flowchart of a preferred embodiment of step S20 in the method for permission authentication of an image repository provided by the present application;
  • FIG. 3 is a functional block diagram of a preferred embodiment of the permission authentication system for an image repository provided by the present application;
  • FIG. 4 is a functional block diagram of a preferred embodiment of the permission authentication device in that system;
  • FIG. 5 is a functional block diagram of the parsing module of the permission authentication device in that system;
  • FIG. 6 is a functional block diagram of the token processing module of the token server in that system.
  • Addressing current image permission management requirements, the present application deploys the authentication program in the image repository of the cloud management zone, and the image repository designates the token server of the cloud management zone to provide authentication services for users accessing the private Docker image repository and its images.
  • When the image repository receives a request from a user in an availability zone to access an image, it instructs the client in that zone to send the user information, the information on the image being accessed and the access action, through the zone's proxy server, to the token server of the cloud management zone; the token server then decides on the basis of the user information whether to grant the requested access.
  • FIG. 1 is a flowchart of a preferred embodiment of the method for permission authentication of an image repository provided by the present application. As shown in FIG. 1, the permission authentication method of the preferred embodiment performs the following steps:
  • The image repository is the single image repository set up in the cloud management zone, not an image repository of an availability zone. All private Docker images are stored in the image repository of the cloud management zone, and each availability zone may initiate access requests to it.
  • When the client uses a command to log in to the Docker image repository, push a docker image or pull a docker image, the docker client process sends the request to the image repository through the proxy server.
  • When the image repository identifies the client's request as a first access, it returns an unauthorized error message to the client and indicates the client authentication method in the header of that message, prompting the client to obtain a token from the token server of the cloud management zone.
  • On receiving the unauthorized error message, the client first parses it to obtain the authentication-method prompt information, and then requests a token from the token server according to that prompt.
  • FIG. 2 is a flowchart of a preferred embodiment of step S20 in the method for permission authentication of the image repository provided by the present application.
  • Step S20 includes:
  • S22: generating the permission authentication request information from the user authentication information and the requested image content range, according to the authentication-method prompt information;
  • In step S22, when the permission authentication request information is generated, the docker client process encrypts the user authentication information according to the authentication-method prompt information and places it in the request header of the HTTPS request, places the requested image content range in the request parameters of the HTTPS request, and generates the permission authentication request information from that request header and those request parameters.
  • The authentication information includes a user name and a password.
  • The user's authentication information is first encrypted by the docker client process according to the prompt returned by the image repository, then placed in the AUTHORIZATION header (authorization header) of the HTTPS request (Hypertext Transfer Protocol over Secure Socket Layer, a security-oriented HTTP channel, that is, a secure version of HTTP); the range of image content requested by the user is placed in the request parameters of the HTTPS request, and the request is sent to the proxy server via its domain name.
  • Each availability zone is deployed with a set of proxy servers, which are Nginx proxy servers.
  • The clients of each availability zone send the permission authentication request to the token server of the cloud management zone through the proxy server set up in their own zone.
  • The domain name, certificate and key of the proxy servers in every availability zone are the same, so the consistency of the system is guaranteed.
  • In this application all clients in all availability zones see the same image service and image authentication service, while only the centralized cloud management zone holds the image library and authentication server. Only the cloud management zone needs to deploy the image repository and token server; each availability zone need only deploy a proxy server, which saves deployment cost. The image repository needs only one configuration: the authentication service address in the response header of the first request, which returns a 401 response, is set to the authentication service domain name that each zone's DNS resolves, so every zone can use it and expansion, configuration and maintenance are easier. Moreover, the token server can be connected to other systems to integrate other user information systems, which makes it possible to bring in users of those systems.
  • The client sends the permission authentication request to the token server through the proxy server as follows: the client accesses the proxy server through its domain name, the proxy server performs TLS authentication according to the domain name entered by the client, and after verification passes it receives the client's data access request and sends it to the token server of the cloud management zone. Because the domain name, certificate and key of the proxy servers in every availability zone are the same, the consistency of the system is guaranteed.
  • After the docker client process obtains the token, it carries the token in a new request for the same image content to the image repository. On receiving the token, the image repository parses it to decide whether to allow or deny the user's request.
  • The method further includes:
  • the proxy server performs TLS authentication according to the domain name entered by the client, and after verification passes receives the client's data access request and sends it to the token server of the cloud management zone;
  • the token server of the cloud management zone parses the permission authentication request information and verifies the user authentication information;
  • a token is generated according to the user authentication information and the requested image content range and returned to the client.
  • After the client uploads the permission authentication request information to the proxy server, the proxy server performs the following steps: it performs TLS authentication according to the domain name entered by the client, and after verification passes receives the client's data access request and sends it to the token server of the cloud management zone. If the proxy server finds that the domain name was entered incorrectly, it returns a domain-name error message to the client, prompting the client to re-enter the domain name.
  • The token server of the cloud management zone performs the following actions:
  • when user authentication passes, it determines from the requested image content range whether the client may access the requested image content;
  • when user authentication fails, an error token is returned and the client is not authorized to access the image repository;
  • when the client may access the requested content, a token is generated according to the user authentication information and the requested image content range and returned to the client;
  • when the user authentication information is verified but the client cannot access the specified image content, an error message is generated and returned to the docker client process, indicating that the client does not have permission to access the requested content.
  • The pull-image and push-image flow of the present application further includes: the image repository receives the token, parses and verifies it, and returns the image to the client when verification passes.
  • Step 1: the client in the availability zone uses docker login, docker push or docker pull, and the docker client process issues a request to the image repository of the cloud management zone;
  • Step 2: after receiving the request, the image repository of the cloud management zone returns an unauthorized error message to the requesting client in the availability zone, where the response header of the unauthorized error information includes a prompt for the client authentication method;
  • Step 3: the docker client process in the availability zone encrypts the user's authentication information according to the prompt and places it in the AUTHORIZATION header of the HTTPS request, places the content range requested by the user in the request parameters, and sends the request to the proxy server of the availability zone;
  • Step 4: the proxy server of the availability zone performs TLS authentication according to the domain name entered by the client, and after verification passes receives the client's data access request and sends it to the token server of the cloud management zone;
  • Step 5: the token server of the cloud management zone parses and verifies the user authentication information and the requested image content range, and on successful verification sends the corresponding token to the client in the availability zone;
  • Step 6: after obtaining the token, the docker client process in the availability zone requests the same content from the image repository of the cloud management zone again, carrying the token;
  • Step 7: the image repository of the cloud management zone obtains the token, parses and verifies it, and returns the corresponding image to the docker client process when verification passes.
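The seven steps above are a two-round exchange: an anonymous request is refused with a challenge header, the client obtains a scoped token from a separate token server, and the repository then validates that token on the retried request. The following Python simulation is an added example and is not code from the patent, from Docker or from Nginx; it models the client, the token server and the image repository as plain functions and omits the proxy, which in this design forwards the request unchanged. Everything in it is constructed or assumed: the `WWW-Authenticate: Bearer realm=...,service=...,scope=...` challenge stands in for the patent's "authentication method prompt information", HTTP Basic encoding stands in for the patent's "encrypted" credentials, and an HMAC-SHA256-signed token stands in for the unspecified token format; the user database, access-control list, signing key, host name and repository names are made up for the demo.

```python
# Added example (not the patent's code): a stand-alone simulation of the
# challenge -> token -> retry flow. All users, keys, hosts and repository
# names are constructed for the demo.
import base64
import hashlib
import hmac
import json
import re
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_KEY = b"demo-token-server-key"   # assumed key shared by token server and repository
USERS = {"alice": "s3cret"}            # constructed user database
ACL = {"alice": {"library/nginx": {"pull"}, "alice/app": {"pull", "push"}}}
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


# --- image repository: the first request is refused with a challenge --------
def unauthorized_response(repo, action):
    """Return (status, headers) for an access attempt that carries no token."""
    challenge = ('Bearer realm="https://auth.example.internal/token",'
                 f'service="registry",scope="repository:{repo}:{action}"')
    return 401, {"WWW-Authenticate": challenge}


# --- client: parse the challenge and build the token request ----------------
def parse_challenge(header):
    """Extract realm/service/scope from a Bearer challenge header."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("unsupported challenge scheme")
    return dict(_PARAM_RE.findall(params))


def build_token_request(challenge, username, password):
    """Credentials go in the Authorization header, the scope in the query string."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    query = urlencode({"service": challenge["service"], "scope": challenge["scope"]})
    return {"url": f"{challenge['realm']}?{query}",
            "headers": {"Authorization": "Basic " + creds}}


# --- token server: verify credentials, check the ACL, sign a scoped token ---
def _sign(payload):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def issue_token(request, now=None):
    """Return (status, body): 401 bad credentials, 403 scope denied, 200 token."""
    now = now or int(time.time())
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "missing credentials"}
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    # Unknown users are rejected before the comparison so an empty name/password
    # pair cannot match a default value.
    if user not in USERS or not hmac.compare_digest(USERS[user].encode(), pw.encode()):
        return 401, {"error": "bad credentials"}
    scope = parse_qs(urlsplit(request["url"]).query).get("scope", [""])[0]
    parts = scope.split(":")
    if len(parts) != 3 or parts[0] != "repository":
        return 400, {"error": "malformed scope"}
    _, repo, actions = parts
    wanted = set(actions.split(","))
    if not wanted <= ACL.get(user, {}).get(repo, set()):
        return 403, {"error": "scope not permitted"}
    payload = {"sub": user, "repo": repo, "actions": sorted(wanted), "exp": now + 300}
    return 200, {"token": _sign(payload)}


# --- image repository: validate the token on the retried request ------------
def verify_token(token, repo, action, now=None):
    """True only if signature and expiry hold and the scope covers this request."""
    now = now or int(time.time())
    body, sep, mac = token.rpartition(".")
    if not sep:
        return False
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload["exp"] > now and payload["repo"] == repo and action in payload["actions"]


def run_flow(username, password, repo, action):
    """Drive the whole exchange; return the status the client finally sees."""
    status, headers = unauthorized_response(repo, action)
    challenge = parse_challenge(headers["WWW-Authenticate"])
    status, body = issue_token(build_token_request(challenge, username, password))
    if status != 200:
        return status
    return 200 if verify_token(body["token"], repo, action) else 401


if __name__ == "__main__":
    for args in [("alice", "s3cret", "alice/app", "push"),
                 ("alice", "s3cret", "library/nginx", "push"),
                 ("alice", "wrong", "alice/app", "pull")]:
        print(args, "->", run_flow(*args))
```

The three sample runs exercise the three distinct refusal points the patent separates: credential verification at the token server (401), the scope check at the token server (403), and token verification at the image repository (401 when the token is expired, tampered with, or issued for a different repository or action). Keeping the scope inside the signed token is what lets a single token server serve every availability zone while the repository still enforces per-image pull/push rights.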
  • The present application further provides a permission authentication system for an image repository. As shown in FIG. 3, the system includes a plurality of availability zones, each containing a permission authentication device 1 and a proxy server 2. The permission authentication device 1 can be regarded as a Docker client; it is used to access the image repository and, when access is rejected, receive the unauthorized error information returned by the image repository, whose response header includes authentication-method prompt information; to parse the unauthorized error information, generate a permission authentication request according to the authentication-method prompt information and send it to the proxy server; to receive the token returned by the token server; to carry the token in an access request to the image repository; and to receive the image returned by the image repository.
  • The permission authentication device referred to in this application may be divided into one or more modules, a module being a series of computer program instruction segments capable of performing a specific function, which describes the execution of the image repository's permission authentication program in the Docker client better than the program itself does. The following description divides the permission authentication device into modules to introduce its functions.
  • The permission authentication device 1 includes an access module 11 for accessing the image repository;
  • a receiving module 12 configured to receive, when access to the image repository is rejected, the unauthorized error information returned by the image repository, whose response header includes authentication-method prompt information;
  • a parsing module 13 configured to parse the unauthorized error information, generate a permission authentication request according to the authentication-method prompt information and send it to the proxy server;
  • the receiving module 12 is further configured to receive the token returned by the token server;
  • a permission authentication requesting module 14 configured to carry the token in an access request to the image repository;
  • the receiving module 12 is further configured to receive the image returned by the image repository.
  • The proxy server 2 is configured to send the permission authentication request to the token server of the cloud management zone.
  • Specifically, the proxy server is configured to perform TLS authentication according to the domain name entered by the client, and after verification passes to receive the client's data access request and send it to the token server of the cloud management zone.
  • The parsing module 13 includes:
  • a parsing unit 131 configured to parse the unauthorized error information and obtain the authentication-method prompt information contained in its response header;
  • a request information generating unit 132 configured to generate the permission authentication request information from the user authentication information and the requested image content range, according to the authentication-method prompt information;
  • a sending unit 133 configured to send the permission authentication request information to the proxy server, which sends the permission authentication request to the token server for permission authentication.
  • Specifically, the request information generating unit 132 is configured to encrypt the user authentication information according to the authentication-method prompt information and place it in the request header of the HTTPS request, place the requested image content range in the request parameters of the HTTPS request, and generate the permission authentication request information from that request header and those request parameters.
  • The permission authentication system of the image repository of the present application further includes a token server 3 disposed in the cloud management zone. The token server is configured to parse the permission authentication request information and verify the user authentication information; when the user passes authentication, to determine from the requested image content range whether the client may access the requested image content; and when it may, to generate a token according to the user authentication information and the requested image content range.
  • The token server referred to in this application may likewise be divided into one or more modules, each a series of computer program instructions capable of performing a particular function, which describes the execution process better than the program itself. The following description divides the token server into modules to introduce its functions.
  • The token server 3 includes:
  • a verification module 31 configured to parse the permission authentication request information and verify the user authentication information;
  • a determining module 32 configured to determine, when the user passes authentication, from the requested image content range whether the client may access the requested image content;
  • a token processing module 33 configured to generate, when the client may access the requested image content, a token according to the user authentication information and the requested image content range, and return it to the client.
  • The number of token servers is one, and no token server needs to be set up in each availability zone; this avoids having to call the cloud management zone's API to authenticate the user's domain account on every permission authentication, and so avoids wasting resources. With the proxy server in place, because maintaining an Nginx proxy server is far less difficult than maintaining a token server, the system's maintenance cost is reduced and only the single token server of the cloud management zone needs to be maintained.
  • The permission authentication system of the image repository further includes an image repository 4 for receiving the token, parsing and verifying it, and returning the image to the client when verification passes.
  • There is only one image repository, so image authentication is the same for all clients, maintaining system consistency.
  • the present application improves the security of the image by granting the authority authentication to the third party for verification, according to the request token issuance authority, and by setting the token server in the cloud management area, it is no longer necessary to set the reference in each available area.
  • the right component avoids the need to call the cloud management area API to authenticate the user's domain account every time the authority authentication is performed, thereby avoiding waste of resources.
  • the maintenance of the proxy server is much less difficult than the self-research authentication. Component, so you only need to maintain a token server in the cloud zone.
  • the present application also provides a rights authentication device for a mirrored warehouse, the rights authentication device including a processor, a memory, and a rights authentication program stored on the memory and executable by the processor, the rights authentication program When executed by the processor, the steps of the rights authentication method as described above are implemented.
  • the present application also provides a storage medium storing a rights authentication program, and when the rights authentication program is executed by the processor, implementing the steps of the rights authentication method as described above.
  • a computer program to instruct related hardware (such as a processor, a controller, etc.), and the program can be stored in one.
  • the program when executed, may include the processes of the various method embodiments as described above.
  • the storage medium described therein may be a memory, a magnetic disk, an optical disk, or the like.

Abstract

Disclosed are an authority authentication method and system for an image repository. The authority authentication method comprises: first, when access to a Docker image repository through a proxy server is rejected, receiving an unauthorized error message returned by the image repository; then parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint, and sending it to the proxy server, so that the proxy server forwards the authority authentication request to a token server for authority authentication; then receiving a token returned by the token server in the cloud management zone and sending an access request carrying the token to the image repository; and receiving the image returned by the image repository, which completes the operation of accessing a private Docker image repository.

Description

Authority authentication method, system, device and storage medium for an image repository
This application claims priority to Chinese Patent Application No. 201711476882.9, filed with the Chinese Patent Office on December 29, 2017 and entitled "Authority authentication method and system for a Docker image repository", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of Docker technology, and in particular to an authority authentication method, system, device and storage medium for an image repository.
Background
Docker (an open-source application container engine that lets developers package their applications and dependencies into a portable container and then publish it to any popular Linux machine; it can also be used for virtualization) provides container technology that allows several containers to run on the same host or virtual machine, each container being an independent virtual environment or application.
A container originates from a Docker image; an image can be built by the user or generated by committing a running container. Once generated, an image can be pushed to an image repository (registry) for storage, or pulled from the image repository to the local machine to run a container.
Docker provides an official image repository (Docker Hub) and also allows users to set up their own private image repository (private registry). For most institutions and organizations, using a private image repository is necessary in order to protect the repository's image content and its use.
When a user accesses Docker images, access control must be refined for the images in different image repositories. For example, for public images (that is, access to the official image repository), any user can pull an image, but only a system administrator can push one; for images under the user's own namespace (that is, a private Docker image repository), only a user who has passed authority verification can pull or push images. In other words, at access time it is necessary to decide, according to the identity of the user terminal, which repositories' images may be pulled, or to which repositories images may be pushed; this improves the security of the images.
At present, the permission settings of Docker image servers are relatively simple, and generally one of two approaches is used. The first only checks whether user authentication information is supplied with the request, without verifying whether it is genuine; the second configures static username and password pairs and requires a password file to be generated in advance, after which the image service can be operated with a simple user login.
It can be seen that neither of the above access control approaches is secure enough, and neither meets the requirements of image security.
Therefore, the prior art still needs to be improved and developed.
Summary of the application
In view of the above deficiencies of the prior art, the present application provides an authority authentication method, system, device and storage medium for an image repository, mainly to solve the problem that existing Docker image access is insecure.
The technical solution adopted by the present application to solve the technical problem is as follows:
An authority authentication method for an image repository, including the following steps:
when access to a Docker image repository through a proxy server is rejected, receiving an unauthorized error message returned by the image repository, where the image repository is deployed in the cloud management zone and the response header of the unauthorized error message contains an authentication method hint;
parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint and sending it to the proxy server, which forwards the authority authentication request to a token server for authority authentication, where the proxy server is deployed in an availability zone and the token server is deployed in the cloud management zone;
receiving the token returned by the token server in the cloud management zone, and sending an access request carrying the token to the image repository;
receiving the image returned by the image repository.
Optionally, the step of parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint and sending it to the proxy server, which forwards the authority authentication request to the token server for authority authentication, includes:
parsing the unauthorized error message and obtaining the authentication method hint contained in the response header of the unauthorized error message;
according to the authentication method hint, generating authority authentication request information from the user authentication information and the requested image content scope;
sending the authority authentication request information to the proxy server, which forwards the authority authentication request to the token server for authority authentication.
Optionally, the step of generating authority authentication request information from the user authentication information and the requested image content scope according to the authentication method hint includes:
encrypting the user authentication information according to the authentication method hint and placing it in the request header of an https request, placing the requested image content scope in the request parameters of the https request, and generating the authority authentication request information from the request header and request parameters of that https request.
Optionally, after the step of sending the authority authentication request information to the proxy server, which forwards the authority authentication request to the token server for authority authentication, and before the step of receiving the token returned by the token server in the cloud management zone and sending an access request carrying the token to the image repository, the authority authentication method further includes:
the proxy server performing Transport Layer Security authentication according to the domain name entered by the client and, after verification passes, receiving the client's data access request and sending it to the token server in the cloud management zone;
the token server in the cloud management zone parsing the authority authentication request information and verifying the user authentication information;
when the user passes authentication, judging according to the requested image content scope whether the client can access the image content it requests;
when the client can access the image content it requests, generating a token according to the user authentication information and the requested image content scope and returning it to the client.
Optionally, after the step of receiving the token returned by the token server in the cloud management zone and sending an access request carrying the token to the image repository, and before the step of receiving the image returned by the image repository, the method further includes:
the image repository receiving the token, parsing and verifying the token, and returning the image to the client when verification passes.
An authority authentication system for an image repository, including several availability zones, each of which is provided with an authority authentication device and a proxy server,
where the authority authentication device is configured to access the image repository and, when access to the image repository is rejected, receive the unauthorized error message returned by the image repository, the response header of which contains an authentication method hint; to parse the unauthorized error message, generate an authority authentication request according to the authentication method hint and send it to the proxy server; to receive the token returned by the token server; to send an access request carrying the token to the image repository; and to receive the image returned by the image repository;
and the proxy server is configured to send the authority authentication request to the token server in the cloud management zone.
Optionally, the authority authentication system for the image repository further includes a token server set in the cloud management zone, the token server being configured to parse the authority authentication request information and verify the user authentication information; when the user passes authentication, to judge according to the requested image content scope whether the client can access the image content it requests; and, when the client can access the image content it requests, to generate a token according to the user authentication information and the requested image content scope and return it to the client.
Optionally, the proxy server is further configured to perform Transport Layer Security authentication according to the domain name entered by the client and, after verification passes, receive the client's data access request and send it to the token server in the cloud management zone.
Optionally, the number of token servers is one.
Optionally, the authority authentication system for the image repository further includes an image repository set in the cloud management zone, the image repository being configured to receive the token, parse and verify the token, and return the image to the client when verification passes.
An authority authentication device for an image repository, the device including a processor, a memory, and an authority authentication program stored in the memory and executable by the processor, where the authority authentication program, when executed by the processor, implements the following steps:
when access to a Docker image repository through a proxy server is rejected, receiving an unauthorized error message returned by the image repository, where the image repository is deployed in the cloud management zone and the response header of the unauthorized error message contains an authentication method hint;
parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint and sending it to the proxy server, which forwards the authority authentication request to a token server for authority authentication, where the proxy server is deployed in an availability zone and the token server is deployed in the cloud management zone;
receiving the token returned by the token server in the cloud management zone, and sending an access request carrying the token to the image repository;
receiving the image returned by the image repository.
A storage medium storing an authority authentication program which, when executed by a processor, implements the following steps:
when access to a Docker image repository through a proxy server is rejected, receiving an unauthorized error message returned by the image repository, where the image repository is deployed in the cloud management zone and the response header of the unauthorized error message contains an authentication method hint;
parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint and sending it to the proxy server, which forwards the authority authentication request to a token server for authority authentication, where the proxy server is deployed in an availability zone and the token server is deployed in the cloud management zone;
receiving the token returned by the token server in the cloud management zone, and sending an access request carrying the token to the image repository;
receiving the image returned by the image repository.
In the authority authentication method, system, device and storage medium for an image repository disclosed in the present application, the authority authentication method first, when access to the image repository through a proxy server is rejected, receives the unauthorized error message returned by the image repository, where the image repository is deployed in the cloud management zone and the response header of the unauthorized error message contains an authentication method hint; it then parses the unauthorized error message, generates an authority authentication request according to the authentication method hint and sends it to the proxy server, which forwards the authority authentication request to the token server for authority authentication, where the proxy server is deployed in an availability zone and the token server in the cloud management zone; it then receives the token returned by the token server in the cloud management zone and sends an access request carrying the token to the image repository; and it receives the image returned by the image repository, which completes the access to the private Docker image repository. By handing authority authentication to a third party for verification and granting access according to the requested token, the present application improves the security of the images; moreover, by setting the token server in the cloud management zone there is no longer any need to set an authentication component in each availability zone, which avoids calling the API of the cloud management zone to authenticate the user's domain account every time authority authentication is performed and so avoids wasting resources; and since the proxy server is far less difficult to maintain than a self-developed authentication component, only one token server in the cloud management zone needs to be maintained.
Brief description of the drawings
FIG. 1 is a flowchart of a preferred embodiment of the authority authentication method for an image repository provided by the present application;
FIG. 2 is a flowchart of a preferred embodiment of step S20 of the authority authentication method for an image repository provided by the present application;
FIG. 3 is a functional block diagram of a preferred embodiment of the authority authentication system for an image repository provided by the present application;
FIG. 4 is a functional block diagram of a preferred embodiment of the authority authentication device in the authority authentication system for an image repository provided by the present application;
FIG. 5 is a functional block diagram of the parsing module of the authority authentication device in the authority authentication system for an image repository provided by the present application;
FIG. 6 is a functional block diagram of the token processing module of the token server in the authority authentication system for an image repository provided by the present application.
Detailed description
To meet current needs in image permission management, the present application deploys the authentication program in the image repository of the cloud management zone, and the image repository designates the token server of the cloud management zone to provide authentication services for users' access to the private Docker image repository and its images. Whenever the image repository receives an image access request from a user in some availability zone, it instructs the client in that availability zone to send the user information, the information about the image being accessed and the access action to the token server of the cloud management zone through that availability zone's proxy server; the token server then decides, according to the user information, whether to grant the user the requested access.
To make the objects, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present application and are not intended to limit it.
Refer to FIG. 1, which is a flowchart of a preferred embodiment of the authority authentication method for an image repository provided by the present application. As shown in FIG. 1, the authority authentication method for an image repository according to the preferred embodiment of the present application includes the following steps:
S10: when access to a Docker image repository through a proxy server is rejected, receiving the unauthorized error message returned by the image repository, where the image repository is deployed in the cloud management zone and the response header of the unauthorized error message contains an authentication method hint.
In this embodiment, the image repository is the single image repository set in the cloud management zone rather than the image repository of some availability zone; all private Docker images are stored in the image repository of the cloud management zone, and every availability zone can send access requests to it. When the client uses commands such as logging in to the Docker image repository, pushing a docker image or pulling a docker image, the docker client process sends the request to the image repository through the proxy server.
When the image repository recognizes that this is the client's first access, it returns an unauthorized error message to the client and indicates the client authentication method in the header of that message, telling the client that it needs to obtain a token from the token server in the cloud management zone.
In the present application only one set of image libraries is set in the cloud management zone, so image authentication is the same for the clients of all availability zones, which keeps the system consistent.
S20: parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint and sending it to the proxy server, which forwards the authority authentication request to the token server for authority authentication, where the proxy server is deployed in an availability zone and the token server in the cloud management zone.
On receiving the unauthorized error message, the client first parses it to obtain the authentication method hint, and then requests a token from the token server as the hint indicates. Refer to FIG. 2, which is a flowchart of a preferred embodiment of step S20 of the authority authentication method for an image repository provided by the present application.
As shown in FIG. 2, step S20 includes:
S21: parsing the unauthorized error message and obtaining the authentication method hint contained in its response header;
S22: according to the authentication method hint, generating authority authentication request information from the user authentication information and the requested image content scope;
S23: sending the authority authentication request information to the proxy server, which forwards the authority authentication request to the token server for authority authentication.
In step S22, when generating the authority authentication request information, the docker client process encrypts the user authentication information according to the authentication method hint and places it in the request header of an https request, places the requested image content scope in the request parameters of the https request, and generates the authority authentication request information from the request header and request parameters of that https request.
In this embodiment, the authentication information includes a username and a password. In a specific implementation, the docker client process first encrypts the user's authentication information according to the hint returned by the image repository and places it in the AUTHORIZATION header of an https (Hypertext Transfer Protocol over Secure Socket Layer, an HTTP channel aimed at security, put simply the secure version of HTTP) request, while placing the image content scope requested by the user in the request parameters of the https request, and sends it to the proxy server via the domain name; the proxy server hands the authority authentication work over to the token server.
Each availability zone is deployed with a set of proxy servers, which are Nginx proxy servers; the clients of each availability zone send their authority authentication requests to the token server of the cloud management zone through the proxy server set in that zone. The domain name, certificate and key of the proxy servers in all availability zones are identical, which guarantees the consistency of the system.
In the present application, the image service and the image authentication service are the same for all clients in all availability zones; only the centralized management zone has a set of image libraries and an authentication server. Only the cloud management zone needs to deploy the image repository and the token server, and each zone needs to deploy only a proxy server, which saves deployment cost. The image repository needs only one configuration: by specifying the authentication service address in the response header of the 401 response returned to the first request as an authentication service domain name resolved by each zone's DNS, every zone can use it, which makes expansion, configuration and maintenance simpler. Moreover, the token server can be connected to other systems and extended to integrate with other user information systems, making it possible to authenticate users of other systems.
Preferably, the method by which the client sends the authority authentication request to the token server through the proxy server is as follows: the client accesses the proxy server via a domain name; the proxy server performs Transport Layer Security authentication according to the domain name entered by the client and, after verification passes, receives the client's data access request and sends it to the token server of the cloud management zone. Since the domain name, certificate and key of the proxy servers in all availability zones are identical, the consistency of the system is guaranteed.
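The client side of steps S21 to S23, as an added example that is not part of the patent: it parses the authentication method hint (a WWW-Authenticate header of the kind the Docker registry API returns with a 401) and builds the token request with the credentials in the Authorization header and the requested image scope in the query parameters. The hostnames, the credentials and the use of the standard Docker Basic scheme (base64-encoded rather than encrypted, with the TLS channel to the proxy protecting it in transit) are assumptions made here.

```python
import base64
import re
from urllib.parse import urlencode, urlparse

# Constructed sample: the authentication method hint that the image repository
# puts in the response header of its 401 (unauthorized) reply. The hostnames
# are placeholders for this example.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="https://auth.cloud-mgmt.example/token",'
    'service="registry.cloud-mgmt.example",'
    'scope="repository:team-a/app:pull,push"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_auth_hint(header):
    """Step S21: parse the hint. Returns (scheme, {param: value}) and refuses
    anything but the Bearer scheme or a hint that names no token server realm."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("unsupported authentication scheme: %r" % scheme)
    params = dict(_PARAM_RE.findall(rest))
    if "realm" not in params:
        raise ValueError("hint names no token server realm")
    return scheme, params


def build_token_request(params, username, password):
    """Step S22: credentials go in the Authorization header, the requested
    image content scope in the query parameters. Returns (url, headers) for
    the request the client then sends to the proxy server (step S23)."""
    realm = params["realm"]
    # Never send credentials to a token server reachable only over plain http.
    if urlparse(realm).scheme != "https":
        raise ValueError("token server realm must use https: %r" % realm)
    query = {"service": params.get("service", "")}
    if "scope" in params:
        query["scope"] = params["scope"]
    # Assumed standard Docker Basic scheme: base64-encoded, not encrypted, so
    # the TLS channel to the proxy is what protects the credentials in transit.
    cred = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return realm + "?" + urlencode(query), {"Authorization": "Basic " + cred}
```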
S30. Receive the token returned by the token server in the cloud management zone, and send an access request carrying the token to the image repository.
In a specific implementation, after the docker client process obtains the token, it requests the same image content from the image repository again, carrying the token. On receiving the token, the image repository parses it and decides whether to allow or block the user's request.
In a preferred embodiment, between step S23 and step S30 the method further includes:
the proxy server performs TLS authentication according to the domain name entered by the client and, once verification passes, receives the client's data access request and forwards it to the token server in the cloud management zone;
the token server in the cloud management zone parses the authority authentication request information and verifies the user authentication information;
when user authentication passes, it determines from the requested image content scope whether the client may access the image content it requested;
when the client may access the requested image content, it generates a token from the user authentication information and the requested image content scope and returns it to the client.
In this embodiment, after the client uploads the authority authentication request information to the proxy server, the proxy server performs the following steps: it performs TLS authentication according to the domain name entered by the client and, once verification passes, receives the client's data access request and forwards it to the token server in the cloud management zone. If the proxy server's verification finds that the domain name was entered incorrectly, it returns a domain name error message to the client, prompting the client to re-enter the domain name.
Preferably, after the token server in the cloud management zone receives the authority authentication request information, it performs the following actions:
the token server parses the authority authentication request information and verifies the user authentication information;
when user authentication passes, it determines from the requested image content scope whether the client may access the image content it requested. When user authentication fails, it returns an error token informing the client that it has no permission to access the image repository;
when the client may access the requested image content, it generates a token from the user authentication information and the requested image content scope and returns it to the client. When the user authentication information passes verification but the client may not access the specified image content, it generates an error message and returns it to the docker client process, informing the client that it has no permission to access the content it requested.
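The token server's three outcomes described above (authentication failure, authenticated but not authorized for the requested content, and token issuance), together with the repository-side token verification performed before step S40, as an added example in Python. This is not the patent's code. Everything in it is constructed: the user table and access-control list stand in for the domain-account check the description mentions, and the token format (a JSON payload signed with an HMAC key shared by the token server and the image repository) is an assumption, since the patent fixes no format; a Docker-compatible token server would issue a signed JWT verified with the token server's public key instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample accounts. In the patent's deployment the token server
# would verify the user's domain account instead of consulting a local table.
USERS = {"alice": "s3cret", "bob": "hunter2"}
# Constructed access-control list: user -> repository -> permitted actions.
ACL = {
    "alice": {"team-a/app": {"pull", "push"}, "library/base": {"pull"}},
    "bob": {"library/base": {"pull"}},
}
# Assumption: HMAC key shared by token server and image repository (a real
# deployment would sign a JWT with an asymmetric key instead).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL_SECONDS = 300


def basic_header(username, password):
    """Build the 'Authorization: Basic ...' value a docker client sends."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + creds


def parse_basic_auth(header):
    """Return (user, password) from a Basic Authorization header, or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return (user, password) if sep else None


def parse_scope(scope):
    """'repository:team-a/app:pull,push' -> ('repository', 'team-a/app', {'pull', 'push'})."""
    parts = scope.split(":")
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], parts[1], set(parts[2].split(","))


def _sign(body):
    return base64.urlsafe_b64encode(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())


def issue_token(user, name, actions):
    """Mint a token bound to the user and to the scope that was actually granted."""
    payload = {"sub": user, "exp": int(time.time()) + TOKEN_TTL_SECONDS,
               "access": [{"type": "repository", "name": name, "actions": sorted(actions)}]}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode())
    return (body + b"." + _sign(body)).decode()


def token_endpoint(auth_header, scope):
    """Token server decision: returns (status, body) for the three outcomes in the text."""
    creds = parse_basic_auth(auth_header)
    # Demo only: a real server compares against a hashed credential store.
    if creds is None or USERS.get(creds[0]) != creds[1]:
        return 401, {"error": "user authentication failed"}
    parsed = parse_scope(scope)
    if parsed is None or parsed[0] != "repository":
        return 400, {"error": "malformed scope"}
    _, name, wanted = parsed
    allowed = ACL.get(creds[0], {}).get(name, set())
    if not wanted <= allowed:
        return 403, {"error": "no permission for the requested image content"}
    return 200, {"token": issue_token(creds[0], name, wanted)}


def verify_token(token, name, action, now=None):
    """Image repository side: signature, expiry and scope coverage must all hold."""
    try:
        body, sig = token.encode().split(b".", 1)
        if not hmac.compare_digest(sig, _sign(body)):
            return False
        payload = json.loads(base64.urlsafe_b64decode(body))
        exp, access = payload["exp"], payload["access"]
    except (ValueError, KeyError, TypeError):
        return False
    if exp < (now if now is not None else time.time()):
        return False
    return any(a.get("type") == "repository" and a.get("name") == name
               and action in a.get("actions", [])
               for a in access)
```

The repository must check all three properties of the token: a valid signature alone says nothing about whether this user may push to this repository, and an unexpired token for `library/base` must not unlock `team-a/app`. The example returns 403 when the requested scope is not fully permitted, as the description states; the reference Docker token server instead issues a token whose actions are trimmed to what the user holds.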
S40. Receive the image returned by the image repository.
Before step S40, the image pull and image push of the present application further include: the image repository receives the token, parses and verifies it, and, when verification passes, returns the image to the client.
To make the authority authentication method for the image repository easier to understand, an application embodiment is given below that describes the authority authentication method of the present application in detail:
The authority authentication method for the image repository provided by this application embodiment includes:
Step 1: when a client in an availability zone uses a command such as docker login, docker push or docker pull, the docker client process on that client sends a request to the image repository in the cloud management zone;
Step 2: on receiving the request, the image repository in the cloud management zone returns an unauthorized error message to the requesting client in the availability zone; the response header of the unauthorized error message contains a hint telling the client how to authenticate;
Step 3: following the hint, the docker client process in that availability zone encrypts the user's authentication information and places it in the AUTHORIZATION header of an https request, places the content scope requested by the user in the request parameters, and sends the request to the proxy server of that availability zone;
Step 4: the proxy server of that availability zone performs TLS authentication according to the domain name entered by the client and, once verification passes, receives the client's data access request and forwards it to the token server in the cloud management zone;
Step 5: the token server in the cloud management zone parses and verifies the user authentication token and the requested image content scope and, when verification passes, sends the corresponding token to the client in that availability zone;
Step 6: after obtaining the token, the docker client process in that availability zone requests the same content from the image repository in the cloud management zone again, carrying the token;
Step 7: after obtaining the token, the image repository in the cloud management zone parses and verifies it and, when verification passes, returns the corresponding image to the docker client process.
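The client side of steps 2 and 3 above, as an added Python example that is not part of the patent: parsing the Bearer challenge carried in the 401 response header, and assembling the token request with the credentials in the Authorization header and the requested scope in the query parameters. The challenge header, host names and credentials are constructed; the realm in the sample is the single shared authentication domain name the description says each region resolves through its own DNS. One point worth noting: HTTP Basic authentication base64-encodes the credentials rather than encrypting them, so their confidentiality rests entirely on the TLS connection to the proxy. For that reason the example refuses to send credentials to any realm that is not https on an expected host, so that a tampered 401 response cannot redirect credentials elsewhere.

```python
import base64
import re
from urllib.parse import urlencode, urlsplit

# Constructed sample of the WWW-Authenticate value an image repository returns
# with its 401 on the first, unauthenticated request (host names are
# placeholders). The realm is the shared authentication domain name.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://auth.registry.example/token",'
    'service="registry.example",scope="repository:team-a/app:pull,push"'
)

# key="quoted value" (with backslash escapes) or key=token, comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))')


def parse_bearer_challenge(header):
    """Parse a WWW-Authenticate 'Bearer k="v",...' value into a dict.
    Returns None when the scheme is not Bearer: the client must not answer a
    challenge it does not understand with Basic credentials."""
    if not header:
        return None
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(rest):
        params[key.lower()] = quoted.replace('\\"', '"') if quoted else bare
    return params


def realm_is_trusted(realm_url, trusted_hosts):
    """Only an https realm on an expected host may receive the user's credentials."""
    parts = urlsplit(realm_url)
    return parts.scheme == "https" and parts.hostname in trusted_hosts


def build_token_request(challenge, username, password, trusted_hosts):
    """Step 3 of the embodiment: credentials go into the Authorization header,
    the requested scope into the query string of the realm URL. Returns None
    when the challenge is unusable or the realm is not trusted."""
    params = parse_bearer_challenge(challenge)
    if not params or "realm" not in params:
        return None
    if not realm_is_trusted(params["realm"], trusted_hosts):
        return None
    query = {k: params[k] for k in ("service", "scope") if k in params}
    url = params["realm"] + ("?" + urlencode(query) if query else "")
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"method": "GET", "url": url,
            "headers": {"Authorization": "Basic " + creds}}
```

The request returned by `build_token_request` is what the proxy server in the availability zone forwards unchanged to the token server in step 4; the proxy never needs to inspect or hold the credentials itself.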
Based on the authority authentication method for the image repository described above, the present application further provides an authority authentication system for the image repository. As shown in FIG. 3, the authority authentication system includes several availability zones, each of which includes an authority authentication device 1 and a proxy server 2. The authority authentication device 1 may be regarded as a Docker client. It is used to access the image repository and, when access to the image repository is denied, to receive the unauthorized error message returned by the image repository, where the response header of the unauthorized error message contains authentication method hint information; to parse the unauthorized error message, generate an authority authentication request according to the authentication method hint information and send it to the proxy server; to receive the token returned by the token server; to send an access request carrying the token to the image repository; and to receive the image returned by the image repository. The authority authentication device referred to in the present application may be divided into one or more modules, where a module is a series of computer program instruction segments capable of completing a specific function and is better suited than a program to describing how the authority authentication program for the image repository executes in the Docker client. The following description divides the authority authentication device into several modules to introduce its functions.
As shown in FIG. 3 and FIG. 4, the authority authentication device 1 includes an access module 11 for accessing the image repository;
a receiving module 12 for receiving, when access to the image repository is denied, the unauthorized error message returned by the image repository, where the response header of the unauthorized error message contains authentication method hint information;
a parsing module 13 for parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint information and sending it to the proxy server;
the receiving module 12 is also used to receive the token returned by the token server;
an authority authentication request module 14 for sending an access request carrying the token to the image repository;
the receiving module 12 is further used to receive the image returned by the image repository.
The proxy server 2 is used to send the authority authentication request to the token server in the cloud management zone. In a specific implementation, the proxy server is specifically used to perform TLS authentication according to the domain name entered by the client and, once verification passes, to receive the client's data access request and forward it to the token server in the cloud management zone.
Referring to FIG. 3 and FIG. 5 together, in a specific implementation the parsing module 13 includes:
a parsing unit 131 for parsing the unauthorized error message and obtaining the authentication method hint information contained in the response header of the unauthorized error message;
a request information generating unit 132 for generating authority authentication request information from the user authentication information and the requested image content scope, following the authentication method hint information;
a sending unit 133 for sending the authority authentication request information to the proxy server, which sends the authority authentication request to the token server for authority authentication.
The request information generating unit 132 is specifically used to encrypt the user authentication information according to the authentication method hint information and place it in the request header of an https request, to place the requested image content scope in the request parameters of the https request, and to generate the authority authentication request information from the request header and request parameters of that https request.
Still referring to FIG. 3, the authority authentication system for the image repository of the present application further includes a token server 3 deployed in the cloud management zone. The token server is used to parse the authority authentication request information and verify the user authentication information; when user authentication passes, to determine from the requested image content scope whether the client may access the image content it requested; and when the client may access the requested image content, to generate a token from the user authentication information and the requested image content scope and return it to the client. The token server referred to in the present application may also be divided into one or more modules, where a module is a series of computer program instruction segments capable of completing a specific function and is better suited than a program to describing the execution process. The following description divides the token server into several modules to introduce its functions.
Referring to FIG. 3 and FIG. 6 together, in a specific implementation the token server 3 includes:
a verification module 31 for parsing the authority authentication request information and verifying the user authentication information;
a determining module 32 for determining, when user authentication passes, from the requested image content scope whether the client may access the image content it requested;
a token processing module 33 for generating, when the client may access the requested image content, a token from the user authentication information and the requested image content scope and returning it to the client.
There is exactly one token server, so no token server needs to be deployed in each availability zone. This avoids having to call the cloud management zone's API to authenticate the user's domain account on every authority authentication, which avoids wasting resources. Because proxy servers are used and an Nginx proxy server is far easier to maintain than a token server, the system's maintenance cost is reduced: only the single token server in the cloud management zone needs to be maintained.
Still referring to FIG. 3, the authority authentication system for the image repository of the present application further includes an image repository 4 for receiving the token, parsing and verifying it, and returning the image to the client when verification passes.
There is likewise only one image repository, so image authentication is the same for all clients, which maintains consistency of the system.
In summary, the present application improves the security of images by handing authority authentication to a third party for verification and granting permissions according to the requested token. By deploying the token server in the cloud management zone, no authentication component needs to be deployed in each availability zone, which avoids calling the cloud management zone's API to authenticate the user's domain account on every authority authentication and so avoids wasting resources. Because proxy servers are used and a proxy server is far easier to maintain than a self-developed authentication component, only the single token server in the cloud management zone needs to be maintained.
The present application further provides an authority authentication device for an image repository. The authority authentication device includes a processor, a memory, and an authority authentication program stored in the memory and executable by the processor; when executed by the processor, the authority authentication program implements the steps of the authority authentication method described above.
For the method implemented when the authority authentication program is executed, refer to the embodiments of the authority authentication method of the present application; details are not repeated here.
The present application further provides a storage medium storing an authority authentication program; when executed by a processor, the authority authentication program implements the steps of the authority authentication method described above.
For the method implemented when the authority authentication program is executed, refer to the embodiments of the authority authentication method of the present application; details are not repeated here.
Of course, a person of ordinary skill in the art will understand that all or part of the processes in the method embodiments above may be completed by a computer program instructing the relevant hardware (such as a processor or controller). The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. The storage medium may be a memory, a magnetic disk, an optical disc, or the like.
It should be understood that the application of the present application is not limited to the examples above; a person of ordinary skill in the art may make improvements or modifications based on the description above, and all such improvements and modifications fall within the scope of protection of the claims appended to the present application.

Claims (16)

  1. An authority authentication method for an image repository, wherein the authority authentication method includes the following steps:
    when access to the Docker image repository through a proxy server is denied, receiving an unauthorized error message returned by the image repository, wherein the image repository is deployed in a cloud management zone and the response header of the unauthorized error message contains authentication method hint information;
    parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint information and sending it to the proxy server, which sends the authority authentication request to a token server for authority authentication, wherein the proxy server is deployed in an availability zone and the token server is deployed in the cloud management zone;
    receiving the token returned by the token server in the cloud management zone, and sending an access request carrying the token to the image repository;
    receiving the image returned by the image repository.
  2. The authority authentication method for an image repository according to claim 1, wherein the step of parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint information and sending it to the proxy server, which sends the authority authentication request to the token server for authority authentication, includes:
    parsing the unauthorized error message and obtaining the authentication method hint information contained in the response header of the unauthorized error message;
    generating authority authentication request information from the user authentication information and the requested image content scope, following the authentication method hint information;
    sending the authority authentication request information to the proxy server, which sends the authority authentication request to the token server for authority authentication.
  3. The authority authentication method for an image repository according to claim 2, wherein the step of generating authority authentication request information from the user authentication information and the requested image content scope, following the authentication method hint information, includes:
    encrypting the user authentication information according to the authentication method hint information and placing it in the request header of an https request, placing the requested image content scope in the request parameters of the https request, and generating the authority authentication request information from the request header and request parameters of that https request.
  4. The authority authentication method for an image repository according to claim 2, wherein after the step of sending the authority authentication request information to the proxy server, which sends the authority authentication request to the token server for authority authentication, and before the step of receiving the token returned by the token server in the cloud management zone and sending an access request carrying the token to the image repository, the authority authentication method further includes:
    the proxy server performing TLS authentication according to the domain name entered by the client and, once verification passes, receiving the client's data access request and forwarding it to the token server in the cloud management zone;
    the token server in the cloud management zone parsing the authority authentication request information and verifying the user authentication information;
    when user authentication passes, determining from the requested image content scope whether the client may access the image content it requested;
    when the client may access the requested image content, generating a token from the user authentication information and the requested image content scope and returning it to the client.
  5. The authority authentication method for an image repository according to claim 1, wherein after the step of receiving the token returned by the token server in the cloud management zone and sending an access request carrying the token to the image repository, and before the step of receiving the image returned by the image repository, the method further includes:
    the image repository receiving the token, parsing and verifying it, and returning the image to the client when verification passes.
  6. An authority authentication system for an image repository, including several availability zones, each of which is provided with an authority authentication device and a proxy server,
    wherein the authority authentication device is configured to access the Docker image repository and, when access to the image repository is denied, to receive the unauthorized error message returned by the image repository, the response header of the unauthorized error message containing authentication method hint information; to parse the unauthorized error message, generate an authority authentication request according to the authentication method hint information and send it to the proxy server; to receive the token returned by the token server; to send an access request carrying the token to the image repository; and to receive the image returned by the image repository;
    and the proxy server is configured to send the authority authentication request to the token server in the cloud management zone.
  7. The authority authentication system for an image repository according to claim 6, further including a token server deployed in the cloud management zone, the token server being configured to parse the authority authentication request information and verify the user authentication information; when user authentication passes, to determine from the requested image content scope whether the client may access the image content it requested; and when the client may access the requested image content, to generate a token from the user authentication information and the requested image content scope and return it to the client.
  8. The authority authentication system for an image repository according to claim 7, wherein the proxy server is further configured to perform TLS authentication according to the domain name entered by the client and, once verification passes, to receive the client's data access request and forward it to the token server in the cloud management zone.
  9. The authority authentication system for an image repository according to claim 7, wherein the number of token servers is one.
  10. The authority authentication system for an image repository according to claim 6, further including an image repository deployed in the cloud management zone, the image repository being configured to receive the token, parse and verify it, and return the image to the client when verification passes.
  11. An authority authentication device for an image repository, wherein the authority authentication device includes a processor, a memory, and an authority authentication program stored in the memory and executable by the processor, and the authority authentication program, when executed by the processor, implements the following steps:
    when access to the Docker image repository through a proxy server is denied, receiving an unauthorized error message returned by the image repository, wherein the image repository is deployed in a cloud management zone and the response header of the unauthorized error message contains authentication method hint information;
    parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint information and sending it to the proxy server, which sends the authority authentication request to a token server for authority authentication, wherein the proxy server is deployed in an availability zone and the token server is deployed in the cloud management zone;
    receiving the token returned by the token server in the cloud management zone, and sending an access request carrying the token to the image repository;
    receiving the image returned by the image repository.
  12. The authority authentication device for an image repository according to claim 11, wherein the step of parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint information and sending it to the proxy server, which sends the authority authentication request to the token server for authority authentication, includes:
    parsing the unauthorized error message and obtaining the authentication method hint information contained in the response header of the unauthorized error message;
    generating authority authentication request information from the user authentication information and the requested image content scope, following the authentication method hint information;
    sending the authority authentication request information to the proxy server, which sends the authority authentication request to the token server for authority authentication.
  13. The authority authentication device for an image repository according to claim 12, wherein the step of generating authority authentication request information from the user authentication information and the requested image content scope, following the authentication method hint information, includes:
    encrypting the user authentication information according to the authentication method hint information and placing it in the request header of an https request, placing the requested image content scope in the request parameters of the https request, and generating the authority authentication request information from the request header and request parameters of that https request.
  14. A storage medium, wherein the storage medium stores an authority authentication program, and the authority authentication program, when executed by a processor, implements the following steps:
    when access to the Docker image repository through a proxy server is denied, receiving an unauthorized error message returned by the image repository, wherein the image repository is deployed in a cloud management zone and the response header of the unauthorized error message contains authentication method hint information;
    parsing the unauthorized error message, generating an authority authentication request according to the authentication method hint information and sending it to the proxy server, which sends the authority authentication request to a token server for authority authentication, wherein the proxy server is deployed in an availability zone and the token server is deployed in the cloud management zone;
    receiving the token returned by the token server in the cloud management zone, and sending an access request carrying the token to the image repository;
    receiving the image returned by the image repository.
  15. 根据权利要求14所述的存储介质,其中,所述解析所述未授权错误信息,根据认证方法提示信息生成权限认证请求并将其发送至代理服务器,由代理服务器将权限认证请求发送给令牌服务器进行权限认证的步骤包括:The storage medium according to claim 14, wherein said parsing said unauthorized error information, generating a rights authentication request according to the authentication method prompt information and transmitting it to a proxy server, and transmitting, by the proxy server, a rights authentication request to the token The steps for the server to perform the rights authentication include:
    解析所述未授权错误信息,获取未授权错误信息的响应头中包含认证方法提示信息;Parsing the unauthorized error information, and obtaining an authentication error prompt message in the response header for obtaining the unauthorized error information;
    根据认证方法提示信息的提示,利用用户认证信息、请求镜像内容范围生成权限认证请求信息;Prompting the authentication request information by using the user authentication information and requesting the mirrored content range according to the prompt of the authentication method prompt information;
    将所述权限认证请求信息发送至代理服务器,由代理服务器将权限认证请求发送给令牌服务器进行权限认证。The authority authentication request information is sent to the proxy server, and the proxy server sends the authority authentication request to the token server for authority authentication.
  16. 根据权利要求15所述的存储介质,其中,所述根据认证方法提示信息的提示,利用用户认证信息、请求镜像内容范围生成权限认证请求信息的步骤包括:The storage medium according to claim 15, wherein the step of generating the authority authentication request information by using the user authentication information and requesting the mirrored content range according to the prompt of the authentication method prompt information comprises:
    根据认证方法提示信息将用户认证信息加密,放在https请求的请求头部,将请求的镜像内容范围置于https请求的请求参数中,基于该https请求的请求头部及请求参数生成权限认证请求信息。 The user authentication information is encrypted according to the authentication method prompt information, placed in the request header of the https request, and the requested mirror content range is placed in the request parameter of the https request, and the permission authentication request is generated based on the request header and the request parameter of the https request. information.
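The four-step flow claimed above (unauthorized error with an authentication prompt in the response header, token request relayed by a proxy, token returned, access retried with the token) is the Docker Registry v2 bearer-token scheme. The following is an added, self-contained simulation written for this page; it is not code from the patent, from Docker, or from the applicant. Every name in it is an assumption: the realm and service values, the user and grant tables, the `proxy_forward` stand-in for the availability-zone proxy, and the HMAC-signed token format used in place of the JWT a real token server issues. One caveat the claim wording hides: in the Docker scheme the "encrypted" credentials in the request header are the Basic scheme, which only Base64-encodes `user:password`, so confidentiality comes from the https channel, not from the header itself; the registry side also has to check that the token's scope actually covers the repository being pulled, which the simulation does.

```python
"""Simulation of the claimed registry token-auth flow (added example, constructed data)."""
import base64, hashlib, hmac, json, re, time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_KEY = b"constructed-demo-key"              # HMAC key shared by token server and registry (constructed)
REALM = "https://token.example.test/token"       # assumed token-server endpoint (cloud management zone)
SERVICE = "registry.example.test"                # assumed registry service name
USERS = {"alice": "s3cret"}                      # constructed credential store on the token server
GRANTS = {"alice": {"team/app": {"pull"}}}       # constructed authorization table: user -> repo -> actions
PROXY_ALLOWED_HOSTS = {urlparse(REALM).hostname} # the proxy only relays to the known token server
_REPO_RE = re.compile(r"^/v2/(?P<name>.+?)/(manifests|blobs)/")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload_b64: str) -> str:
    return hmac.new(TOKEN_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()


def parse_challenge(header: str) -> dict:
    """Parse 'Bearer realm="...",service="...",scope="..."' from a 401's WWW-Authenticate header."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("unexpected challenge scheme: " + scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def build_token_request(challenge: dict, user: str, password: str) -> dict:
    """Credentials go in the header (Basic = Base64 encoding, not encryption); scope/service in the query."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    query = urlencode({"service": challenge["service"], "scope": challenge["scope"]})
    return {"url": f"{challenge['realm']}?{query}", "headers": {"Authorization": f"Basic {creds}"}}


def token_server_handle(request: dict, now=None) -> dict:
    """Token server: verify credentials, intersect requested scope with grants, issue a signed token."""
    now = time.time() if now is None else now
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return {"status": 401, "body": {"error": "missing credentials"}}
    user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return {"status": 401, "body": {"error": "bad credentials"}}
    query = parse_qs(urlparse(request["url"]).query)
    if query.get("service", [None])[0] != SERVICE:
        return {"status": 400, "body": {"error": "unknown service"}}
    access = []
    for scope in query.get("scope", []):                  # scope format: repository:<name>:<actions>
        typ, name, actions = scope.split(":", 2)
        allowed = sorted(set(actions.split(",")) & GRANTS.get(user, {}).get(name, set()))
        if allowed:
            access.append({"type": typ, "name": name, "actions": allowed})
    payload = _b64url(json.dumps({"sub": user, "exp": int(now) + 300, "access": access}).encode())
    return {"status": 200, "body": {"token": payload + "." + _sign(payload)}}


def proxy_forward(request: dict, now=None) -> dict:
    """Availability-zone proxy (hypothetical): relays only to the token server, nothing else."""
    host = urlparse(request["url"]).hostname
    if host not in PROXY_ALLOWED_HOSTS:
        return {"status": 502, "body": {"error": f"proxy refuses to relay to {host}"}}
    return token_server_handle(request, now)


def verify_token(token: str, now=None):
    """Registry-side check: signature, then expiry. Returns the payload or None."""
    now = time.time() if now is None else now
    payload_b64, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(payload_b64)):
        return None
    payload = json.loads(_unb64url(payload_b64))
    return None if payload["exp"] <= now else payload


def registry_handle(request: dict, now=None) -> dict:
    """Image repository: 401 + challenge without a valid token, 403 if the token's scope is too narrow."""
    m = _REPO_RE.match(request["path"])
    if not m:
        return {"status": 404, "body": "not found"}
    repo = m.group("name")
    challenge = f'Bearer realm="{REALM}",service="{SERVICE}",scope="repository:{repo}:pull"'
    auth = request["headers"].get("Authorization", "")
    payload = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if payload is None:
        return {"status": 401, "headers": {"WWW-Authenticate": challenge}, "body": "UNAUTHORIZED"}
    granted = any(a["type"] == "repository" and a["name"] == repo and "pull" in a["actions"]
                  for a in payload["access"])
    if not granted:
        return {"status": 403, "body": f"DENIED: token lacks pull on {repo}"}
    return {"status": 200, "body": f"manifest for {repo}"}


def pull_image(user: str, password: str, repo: str, now=None) -> dict:
    """Client side of the claim: request, parse the 401, fetch a token via the proxy, retry with Bearer."""
    req = {"path": f"/v2/{repo}/manifests/latest", "headers": {}}
    resp = registry_handle(req, now)
    if resp["status"] != 401:
        return resp
    challenge = parse_challenge(resp["headers"]["WWW-Authenticate"])
    token_resp = proxy_forward(build_token_request(challenge, user, password), now)
    if token_resp["status"] != 200:
        return token_resp
    req["headers"]["Authorization"] = "Bearer " + token_resp["body"]["token"]
    return registry_handle(req, now)


if __name__ == "__main__":
    print(pull_image("alice", "s3cret", "team/app"))     # 200, manifest returned
    print(pull_image("alice", "s3cret", "team/other"))   # 403, token carries no grant for that repo
```

The design point worth noticing is where each check lives: the token server decides what the user may do (intersection of requested scope and grants), the registry only verifies the token's signature, expiry and that its scope names the repository actually being accessed, and the proxy adds nothing to the trust decision beyond refusing to relay to hosts other than the token server. A registry that trusted any validly signed token without the per-repository scope check would let a token for one repository pull another.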

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711476882.9 2017-12-29
CN201711476882.9A CN107948201B (en) 2017-12-29 2017-12-29 Authority authentication method and system for Docker mirror warehouse

Publications (1)

Publication Number Publication Date
WO2019127973A1 true WO2019127973A1 (en) 2019-07-04

Family

ID=61937912

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/082269 WO2019127973A1 (en) 2017-12-29 2018-04-09 Authority authentication method, system and device for mirror repository, and storage medium

Country Status (2)

Country Link
CN (1) CN107948201B (en)
WO (1) WO2019127973A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110737498A (en) * 2019-10-16 2020-01-31 黑龙江鑫联华信息股份有限公司 big data and artificial intelligence online examination method and system based on virtual container graphical interface
CN111273926A (en) * 2020-01-14 2020-06-12 一飞智控(天津)科技有限公司 Airport client remote upgrade management method, system, storage medium and unmanned aerial vehicle
CN111291017A (en) * 2020-03-03 2020-06-16 中国工商银行股份有限公司 Mirror image storage and extraction method and device of mirror image warehouse
CN111538566A (en) * 2020-04-24 2020-08-14 咪咕文化科技有限公司 Mirror image file processing method, device and system, electronic equipment and storage medium
CN112667998A (en) * 2020-12-08 2021-04-16 中国科学院信息工程研究所 Safe access method and system for container mirror image warehouse
CN112887352A (en) * 2019-11-29 2021-06-01 北京神州泰岳软件股份有限公司 Image file uploading method and device for Docker container
CN113110917A (en) * 2021-04-28 2021-07-13 北京链道科技有限公司 Data discovery and security access method based on Kubernetes
CN116107715A (en) * 2023-02-02 2023-05-12 北京天云融创软件技术有限公司 Method for running Docker container task and task scheduler
WO2023185514A1 (en) * 2022-03-29 2023-10-05 北京有竹居网络技术有限公司 Message transmission methods and apparatuses, storage medium and electronic device
WO2023216084A1 (en) * 2022-05-09 2023-11-16 北京小米移动软件有限公司 Authentication method and device, medium and chip

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109343934A (en) * 2018-09-17 2019-02-15 北京北信源信息安全技术有限公司 A kind of private based on container takes framework and its builds and method for visualizing
CN109814889B (en) * 2019-01-30 2022-12-23 北京百度网讯科技有限公司 Method and apparatus for updating source code base
CN109831435B (en) * 2019-01-31 2021-06-01 广州银云信息科技有限公司 Database operation method, system, proxy server and storage medium
US11128617B2 (en) * 2019-01-31 2021-09-21 Baidu Usa Llc Token based secure multiparty computing framework using a restricted operating environment
CN110022294A (en) * 2019-02-27 2019-07-16 广州虎牙信息科技有限公司 A kind of proxy server, Docker system and its right management method, storage medium
CN110929269B (en) * 2019-10-12 2023-08-15 平安证券股份有限公司 System authority management method, device, medium and electronic equipment
CN111209582A (en) * 2020-01-03 2020-05-29 平安科技(深圳)有限公司 Request authentication method, device, equipment and storage medium
CN112311788A (en) * 2020-10-28 2021-02-02 北京锐安科技有限公司 Access control method, device, server and medium
CN114050911B (en) * 2021-09-27 2023-05-16 度小满科技(北京)有限公司 Remote login method and system for container
CN114726513A (en) * 2022-03-18 2022-07-08 阿里巴巴(中国)有限公司 Data transmission method, apparatus, medium, and product
CN114745431B (en) * 2022-03-18 2023-09-29 上海道客网络科技有限公司 Non-invasive authority authentication method, system, medium and equipment based on side car technology

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506510A (en) * 2014-12-15 2015-04-08 百度在线网络技术(北京)有限公司 Method and device for equipment authentication and authentication service system
CN105653901A (en) * 2015-12-29 2016-06-08 深圳市科漫达智能管理科技有限公司 Component repository management method and system
US20170070504A1 (en) * 2015-09-03 2017-03-09 Vmware, Inc. Access control policy management in a cloud services environment
US20170177877A1 (en) * 2015-12-18 2017-06-22 Amazon Technologies, Inc. Software container registry inspection
CN107239688A (en) * 2017-06-30 2017-10-10 平安科技(深圳)有限公司 The purview certification method and system in Docker mirror images warehouse

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7391865B2 (en) * 1999-09-20 2008-06-24 Security First Corporation Secure data parser method and system
CN102055730B (en) * 2009-11-02 2013-09-11 华为终端有限公司 Cloud processing system, cloud processing method and cloud computing agent device
US9667637B2 (en) * 2014-06-09 2017-05-30 Guardicore Ltd. Network-based detection of authentication failures
CN106657248A (en) * 2016-11-01 2017-05-10 山东大学 Docker container based network load balancing system and establishment method and operating method thereof
CN106790663A (en) * 2017-01-22 2017-05-31 济南浪潮高新科技投资发展有限公司 The implementation method of the network store system based on Docker
CN107105033B (en) * 2017-04-21 2020-08-18 北京奇安信科技有限公司 Cloud application access method, cloud proxy server and cloud application access system
CN107247793B (en) * 2017-06-21 2020-03-17 平安科技(深圳)有限公司 Mirror image synchronization method and mirror image synchronization system of Docker mirror image warehouse

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506510A (en) * 2014-12-15 2015-04-08 百度在线网络技术(北京)有限公司 Method and device for equipment authentication and authentication service system
US20170070504A1 (en) * 2015-09-03 2017-03-09 Vmware, Inc. Access control policy management in a cloud services environment
US20170177877A1 (en) * 2015-12-18 2017-06-22 Amazon Technologies, Inc. Software container registry inspection
CN105653901A (en) * 2015-12-29 2016-06-08 深圳市科漫达智能管理科技有限公司 Component repository management method and system
CN107239688A (en) * 2017-06-30 2017-10-10 平安科技(深圳)有限公司 The purview certification method and system in Docker mirror images warehouse

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110737498A (en) * 2019-10-16 2020-01-31 黑龙江鑫联华信息股份有限公司 big data and artificial intelligence online examination method and system based on virtual container graphical interface
CN110737498B (en) * 2019-10-16 2023-03-10 黑龙江鑫联华信息股份有限公司 Big data and artificial intelligence online examination method and system based on virtual container graphical interface
CN112887352B (en) * 2019-11-29 2023-04-18 北京神州泰岳软件股份有限公司 Image file uploading method and device for Docker container
CN112887352A (en) * 2019-11-29 2021-06-01 北京神州泰岳软件股份有限公司 Image file uploading method and device for Docker container
CN111273926A (en) * 2020-01-14 2020-06-12 一飞智控(天津)科技有限公司 Airport client remote upgrade management method, system, storage medium and unmanned aerial vehicle
CN111291017A (en) * 2020-03-03 2020-06-16 中国工商银行股份有限公司 Mirror image storage and extraction method and device of mirror image warehouse
CN111291017B (en) * 2020-03-03 2024-04-05 中国工商银行股份有限公司 Mirror image storage and extraction method and device of mirror image warehouse
CN111538566A (en) * 2020-04-24 2020-08-14 咪咕文化科技有限公司 Mirror image file processing method, device and system, electronic equipment and storage medium
CN112667998A (en) * 2020-12-08 2021-04-16 中国科学院信息工程研究所 Safe access method and system for container mirror image warehouse
CN112667998B (en) * 2020-12-08 2024-03-01 中国科学院信息工程研究所 Safe access method and system for container mirror image warehouse
CN113110917B (en) * 2021-04-28 2024-03-15 北京链道科技有限公司 Data discovery and security access method based on Kubernetes
CN113110917A (en) * 2021-04-28 2021-07-13 北京链道科技有限公司 Data discovery and security access method based on Kubernetes
WO2023185514A1 (en) * 2022-03-29 2023-10-05 北京有竹居网络技术有限公司 Message transmission methods and apparatuses, storage medium and electronic device
WO2023216084A1 (en) * 2022-05-09 2023-11-16 北京小米移动软件有限公司 Authentication method and device, medium and chip
CN116107715A (en) * 2023-02-02 2023-05-12 北京天云融创软件技术有限公司 Method for running Docker container task and task scheduler
CN116107715B (en) * 2023-02-02 2023-09-26 北京天云融创软件技术有限公司 Method for running Docker container task and task scheduler

Also Published As

Publication number Publication date
CN107948201B (en) 2020-11-13
CN107948201A (en) 2018-04-20

Similar Documents

Publication Publication Date Title
WO2019127973A1 (en) Authority authentication method, system and device for mirror repository, and storage medium
US11641361B2 (en) Dynamic access control to network resources using federated full domain logon
US10116700B2 (en) Installing configuration information on a host
CN112422532B (en) Service communication method, system and device and electronic equipment
WO2013062352A1 (en) Method and system for access control in cloud computing service
WO2016169410A1 (en) Login method and device, server and login system
US10356612B2 (en) Method of authenticating a terminal by a gateway of an internal network protected by an access security entity providing secure access
WO2014069777A1 (en) Transit control for data
US20220114249A1 (en) Systems and methods for secure and fast machine learning inference in a trusted execution environment
WO2021150032A1 (en) Method for providing authentication service by using decentralized identity and server using the same
CN109155780A (en) Equipment certification based on tunnel client end network request
WO2014185594A1 (en) Single sign-on system and method in vdi environment
WO2015069018A1 (en) System for secure login, and method and apparatus for same
CN115113970A (en) Data processing method based on container engine and related equipment
WO2014003516A1 (en) Method and apparatus for providing data sharing
US11050560B2 (en) Secure reusable access tokens
US11811917B2 (en) System and method for secure authentication of backup clients using short-term tokens
WO2017016272A1 (en) Method, apparatus and system for processing virtual resource data
WO2019205288A1 (en) Connection establishment method, system, and device, and computer readable storage medium
WO2020032351A1 (en) Method for establishing anonymous digital identity
WO2014137063A1 (en) Certification method using application, and system and apparatus therefor
WO2018043832A1 (en) Method for operating secure web browser
WO2023113081A1 (en) Method, apparatus, and computer-readable recording medium for controlling execution of container workload in scheme of event streaming in cloud environment
Kumari et al. Kerberos style authentication and authorization through CTES model for distributed systems
WO2018021864A1 (en) Method for providing cloud-based service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18894800

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 08/10/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18894800

Country of ref document: EP

Kind code of ref document: A1