WO2019128007A1 - Container logon method, application server, system, and storage medium - Google Patents


Info

Publication number
WO2019128007A1
Authority
WO
WIPO (PCT)
Prior art keywords
control unit
container
random token
proxy server
unit address
Application number
PCT/CN2018/084466
Other languages
French (fr)
Chinese (zh)
Inventor
刘俊杰
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Definitions

  • the present application relates to the field of computer technologies, and in particular, to a container login method, an application server, a system, and a storage medium.
  • the container technology provided by the Docker container allows several containers (Containers) to be run on the same host or virtual machine, each container being a separate virtual environment or application.
  • the Docker container provides the client with the ability to log in to the container, allowing the user to access the container to operate the container in the same way as the host or virtual machine.
  • Kubernetes is an open-source container orchestration tool from Google that combines several Docker containers into a single service and dynamically allocates the hosts the containers run on.
  • Kubernetes locates the host where the container is located through the management unit of the cluster the container belongs to, reads the docker socket on that host and exposes a websocket API to the client, so that users can log in to the container directly through the Kubernetes API.
  • this requires the client to know the specific address of the cluster management unit before it can issue the websocket API request, which exposes the management unit's direct access path to the client; it also cannot be combined with dynamic authentication.
  • the purpose of the present application is to provide a container login method, an application server, a system, and a storage medium which combine the need for convenient container login with dynamic authentication and do not expose the real address of the cluster control unit, thereby guaranteeing the security of the system.
  • a container login method includes the following steps:
  • the control unit address is obtained according to the random token and returned to the proxy server, and the proxy server sends the container login request to the control unit address, which establishes a connection between the client and the control unit.
  • An application server for container login comprising: a processor, a memory, and a communication bus;
  • Storing on the memory is a computer readable program executable by the processor
  • the communication bus implements connection communication between the processor and the memory
  • the processor implements the steps in the container login method of any of the above, when the computer readable program is executed.
  • a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the steps of the container login method described above.
  • a container login system comprising a client and a proxy server, and further comprising the container-login application server described above;
  • the application server is configured to receive a user-initiated container service access request and generate a random token; to query, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, form the random token and the control unit address into a key-value pair and store it in the cache; to send, when the container login request in the service to be accessed is received, the container login request and the random token to the proxy server, wherein the container login request includes user account information; and to authenticate the user account information and the random token and, if the authentication passes, acquire the control unit address according to the random token and return it to the proxy server;
  • the proxy server is configured to send the container login request to the control unit address to establish a connection between the client and the control unit.
  • the container login method receives a user-initiated container service access request and generates a random token;
  • it then queries, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, forms the random token and the control unit address into a key-value pair and stores it in the cache;
  • when the container login request in the service to be accessed is received, the container login request and the random token are sent to the proxy server, where the container login request includes user account information;
  • the user account information and the random token are then authenticated and, if the authentication passes, the control unit address is acquired according to the random token and returned to the proxy server, which sends the container login request to the control unit address to establish a connection between the client and the control unit.
  • FIG. 1 is a flowchart of a container login method provided by the present application.
  • FIG. 2 is a flowchart of step S20 in the container login method provided by the present application.
  • FIG. 3 is a flowchart of step S23 in the container login method provided by the present application.
  • FIG. 4 is a flowchart of step S30 in the container login method provided by the present application.
  • FIG. 5 is a flowchart of step S40 in the container login method provided by the present application.
  • FIG. 6 is a flowchart of step S43 in the container login method provided by the present application.
  • FIG. 7 is a schematic diagram of an operating environment of a preferred embodiment of a container login procedure of the present application.
  • FIG. 8 is a functional block diagram of a system for installing a container login program according to a preferred embodiment of the present application.
  • FIG. 9 is a structural block diagram of an application server for container login provided by the present application.
  • Kubernetes is an open-source container orchestration tool from Google; it can combine several Docker containers into one service and dynamically allocate the host on which a container runs.
  • a Kubernetes Service is a collection of several containers; a Service can provide services to users;
  • a Kubernetes cluster is a group of hosts or virtual machines used to run Kubernetes services; the containers within a Kubernetes service actually run on the node hosts of the cluster. Each Kubernetes cluster has one and only one control unit, namely the Kubernetes Master, which schedules and manages Kubernetes services, for example by allocating a container of a service to a node in the cluster.
  • the Kubernetes Master is a process that runs on a host or virtual machine.
  • the container login method provided by the present application includes the following steps:
  • when the user enters the Kubernetes service page, the client requests access to the container service; at that point the container service access request is received and a random token is generated. The container service access request includes the service name, the name of the container to be accessed, and information such as user permissions.
  • the service and container information in the container service access request is used to query the control unit address of the cluster where the service to be accessed is located.
  • under Kubernetes management, containers are organised in the form of a service, and a container may drift between hosts to achieve higher availability. The user therefore does not need to know which host the container to be logged in to is on, only the container name, the service and the cluster; the user can then log in to the container through the kubectl exec command of the Kubernetes client or through the websocket API of the Kubernetes control unit.
  • the dynamic authentication and the control unit address query in the subsequent login operation encapsulate the control unit address of the cluster, improving the security of the system.
  • FIG. 2 is a flowchart of step S20 in the container login method provided by the present application.
  • the step S20 includes:
  • the random token is used as a key and a control unit address as a value to form a key value pair, and then stored in a cache.
  • after the container service access request is received, it is first verified, according to the service information to be accessed in the request (the service name, the container name, the user authority, and so on), whether the user has the right to access the service. If the authority check passes, the container service access request is forwarded to the container service; the container service obtains the Kubernetes cluster name of the container from the service name and container name in the request, accesses the database, and receives from the database the control unit address of that Kubernetes cluster, queried by cluster name. The container service then forms the generated random token (as key) and the obtained control unit address (as value) into a <random token, control unit address> key-value pair and stores it in the cache for subsequent queries.
  • the random token is returned to the front-end page of the client and saved as a variable, and the timeout of the random token is set to match the timeout of the system session: each time the user enters the Kubernetes service page a random token and key-value pair are generated, and if the user exits and enters the Kubernetes service page again a new random token is generated. The previously saved random token expires with the session timeout, so every entry to the service page produces a fresh <random token, control unit address> key-value pair for the user to log in to the container with, improving the security of subsequent authentication and login.
  • FIG. 3 is a flowchart of step S23 in the container login method provided by the present application.
  • the step S23 includes:
  • the random token is used as a key and a control unit address as a value to form a key value pair.
  • the generated random token and the obtained control unit address are first composed into a <random token, control unit address> key-value pair, and then the cache (such as redis) is checked for an existing key-value pair whose key is the same random token. If one exists, a new random token is generated, the key-value pair is recomposed and the check is repeated; if none exists, the current key-value pair is stored in the cache directly. This avoids the case where the same random token is the key for different control unit addresses in the cache, and ensures the accuracy of the subsequent acquisition of the control unit address.
  • a container login request is initiated, and the container login request includes user account information; after the container login request is received, the container login request and the random token are sent to the proxy server, and the subsequent login process is performed through the proxy server.
  • the proxy server adopts Nginx, an open-source proxy service that can proxy and forward requests initiated by the user; going through the proxy server avoids exposing the real control unit address when logging in to the container, ensuring the security of the system.
  • FIG. 4 is a flowchart of step S30 in the container login method provided by the present application.
  • the step S30 includes:
  • the user triggers the login request through the login container virtual button on the Kubernetes service detail page.
  • the client sends the container login request, carrying the user account information and the random token, to the proxy server.
  • the user account information includes a username, a password, a user authority, and the like.
  • the user account information and the random token are first authenticated, that is, both are verified to be correct; if the authentication passes, the corresponding control unit address is obtained from the cache according to the random token and returned to the proxy server, and the proxy server sends the container login request to the control unit address to establish a connection between the client and the control unit.
  • the user can directly log in to the container from the existing Kubernetes container service platform to ensure the convenience of the container login, and at the same time, the user is authenticated when the container is logged in, thereby solving the user's need for convenient login and permission authentication.
  • FIG. 5 is a flowchart of step S40 in the container login method provided by the present application.
  • the step S40 includes:
  • the control unit address is obtained according to the random token and returned to the proxy server, and the container login request is sent by the proxy server to the control unit address to establish a connection between the client and the control unit.
  • after receiving the container login request, the proxy server first initiates a sub-request for obtaining the control unit address.
  • Nginx is used as the proxy server, and Nginx has an open-source module, ngx_http_auth_request_module, that provides the sub-request function: before Nginx forwards a received request to the real service it proxies, it first issues a sub-request, and only when the sub-request's response is normal (response status code 200-299) is the original request forwarded.
  • after the proxy server receives the container login request, it does not forward it immediately; instead it first sends the user account information and the random token to the authentication service, initiating a sub-request for obtaining the control unit address. The authentication service authenticates the user account information and the random token and returns the authentication result to the proxy server. Specifically, the authentication service verifies that the user account information is correct, including whether the username and password are correct and whether the user has permission to log in to the container; if correct, the sub-request for obtaining the control unit address is forwarded to the container service, otherwise the sub-request is not forwarded and the authentication failure information is returned directly to the proxy server.
  • if the authentication fails, the authentication service intercepts the request and returns an unauthorized response, so the sub-request fails and the proxy server does not forward the request to the real control unit address;
  • if the authentication passes, the authentication service forwards the sub-request to the container service, and the container service obtains the corresponding control unit address from the cache according to the random token. In this way, before the user logs in to the container, the account information undergoes dynamic authority authentication by the authentication service, combining convenient login with dynamic authentication.
  • FIG. 6 is a flowchart of step S43 in the container login method provided by the present application.
  • the step S43 includes:
  • the container service searches for a corresponding control unit address in the cache according to the random token.
  • the proxy server sends the container login request to the control unit address to establish a connection between the client and the control unit.
  • after the user account information is verified and the authentication service forwards the sub-request to the container service, the container service searches the cache for the corresponding control unit address according to the random token. If the random token is missing or incorrect, the real control unit address cannot be obtained from the cache with it, a "not found" response is returned, the sub-request fails and the proxy server does not forward the request to the real control unit address; if the random token is correct, the container service obtains the corresponding control unit address from the cache according to the random token and returns it to the proxy server. At that point the sub-request succeeds, and the proxy server forwards the original container login request to the corresponding control unit and accesses the control unit's websocket API, which establishes a connection between the client and the control unit, lets the client log in to the container successfully, and encapsulates the real address of the cluster control unit that the container login needs to access, so that the user cannot intercept that information and the security of the system is ensured.
  • the application further provides an application server for container login; the container-login application server may be a computing device such as a mobile terminal, a desktop computer, a notebook, a palmtop computer, or a server.
  • the container-login application server includes the processor 10, the memory 20, and the display 30.
  • Figure 7 shows only some of the components of the container-login application server; it should be understood that not all of the illustrated components need be implemented, and more or fewer components may be implemented instead.
  • the memory 20 may, in some embodiments, be an internal storage unit of the container-login application server, such as its hard disk or memory.
  • the memory 20 may also be an external storage device of the container-login application server, for example a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, and so on, fitted to the application server.
  • the memory 20 may also include both an internal storage unit and an external storage device of the container-login application server.
  • the memory 20 is configured to store the application software and the various kinds of data installed on the container-login application server, for example the program code of the container-login application server.
  • the memory 20 can also be used to temporarily store data that has been output or is about to be output.
  • a container login program 40 is stored on the memory 20, and the container login program 40 can be executed by the processor 10 to implement the container login method of the present application.
  • the processor 10 may, in some embodiments, be a central processing unit (CPU).
  • the display 30 may, in some embodiments, be an LED display, a liquid crystal display, a touch liquid crystal display, an OLED (Organic Light-Emitting Diode) display, and the like.
  • the display 30 is used to display the information of the container-login application server and to display a visual user interface.
  • when the processor 10 executes the container login program 40 in the memory 20, the steps of the embodiments of the container login method are implemented, and the details are not repeated here.
  • FIG. 8 is a functional block diagram of a system for installing a container login program according to a preferred embodiment of the present application.
  • the system for installing the container login program may be divided into one or more modules, the one or more modules being stored in the memory 20 and executed by one or more processors (in this embodiment, the processor 10) to complete the application.
  • the system in which the container login program is installed may be divided into a generation module 21, a query module 22, a login module 23, and an authentication acquisition module 24.
  • a module as referred to in the present application is a series of computer program instruction segments capable of performing a specific function; it is better suited than a whole program to describing the execution process of the container login program in the container-login application server. The following description specifically describes the functions of the modules 21-24.
  • the generating module 21 is configured to receive a user-initiated container service access request and generate a random token;
  • the querying module 22 is configured to query, according to the container service access request, a control unit address of a cluster where the service to be accessed is located, and store the random token and the control unit address into a key value pair and store the information in the cache;
  • the login module 23 is configured to send the container login request and the random token to the proxy server when receiving the container login request in the to-be-accessed service, where the container login request includes user account information;
  • the authentication obtaining module 24 is configured to authenticate the user account information and the random token. If the authentication succeeds, the control unit address is obtained according to the random token and returned to the proxy server.
  • the query module 22 specifically includes:
  • a name obtaining unit configured to acquire a cluster name and access a database according to the to-be-accessed service information in the container service access request;
  • a receiving unit configured to receive, by the database, the control unit address of the cluster that is queried according to the cluster name;
  • a generating unit configured to store the random token as a key, a control unit address as a value, and then store the key value pair in a cache.
  • the generating unit includes:
  • a key-value pair generating sub-unit configured to use the random token as a key and a control unit address as a value to form a key-value pair;
  • the search unit is configured to search whether there is a key value pair with the same random token as a key in the cache, and regenerate the random token if it exists; if not, the current key value pair is stored in the cache.
  • the login module 23 includes:
  • a detecting unit configured to detect whether the login-container virtual button in the service to be accessed is triggered;
  • a sending unit configured to send a container login request and a random token to the proxy server when the virtual button of the login container is triggered, where the container login request includes user account information.
  • the authentication obtaining module 24 includes:
  • a sub-request initiating unit configured to initiate a sub-request for obtaining the address of the control unit according to the user account information and the random token;
  • An authentication unit configured to authenticate the user account information and the random token, and return an authentication result to the proxy server;
  • the address obtaining unit is configured to acquire the control unit address according to the random token and return to the proxy server when the authentication is passed.
  • the address obtaining unit includes:
  • an address search sub-unit configured for the container service to search the cache for the corresponding control unit address according to the random token;
  • the feedback sub-unit is configured to return the sub-request failure information to the proxy server if the random token is missing or incorrect; if the random token is correct, the corresponding control unit address is obtained and returned to the proxy server.
  • the present application further provides a container login system.
  • the client 101, the proxy server 102, and the container login application server 103 as described above are included.
  • the application server 103 is configured to receive a user-initiated container service access request and generate a random token; to query, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, form the random token and the control unit address into a key-value pair and store it in the cache; to send, when the container login request in the service to be accessed is received, the container login request and the random token to the proxy server 102, wherein the container login request includes user account information; and to authenticate the user account information and the random token and, if the authentication passes, acquire the control unit address according to the random token and return it to the proxy server 102; the proxy server 102 is configured to send the container login request to the control unit address to establish a connection between the client 101 and the control unit.
  • the container login method receives a user-initiated container service access request and generates a random token; and then accesses according to the container service.
  • the need to facilitate the login of the container is combined with dynamic authentication, and the real address of the cluster control unit is not exposed to ensure the security of the system.
  • a computer program to instruct related hardware (such as a processor, a controller, etc.), and the program can be stored in one.
  • the program when executed, may include the processes of the various method embodiments as described above.
  • the storage medium described therein may be a memory, a magnetic disk, an optical disk, or the like.
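The token-issuance steps S20 and S23 described above (query the control unit address for the requested service, form the <random token, control unit address> pair, regenerate the token if the key already exists, store the pair with a lifetime matching the session timeout) as an added Python example; this is not code from the patent or from its assignee. The service catalogue, the control unit addresses and the session timeout are constructed placeholders, and an in-memory dictionary stands in for the redis cache the description mentions. It goes slightly beyond the text by making the clock injectable so that token expiry can be exercised, and by noting where a shared cache needs an atomic check-and-set.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the system session timeout that the token TTL is set to match.
SESSION_TIMEOUT_SECONDS = 1800

# Constructed stand-in for the database that maps a cluster name to its control unit address.
# The addresses are placeholders, not real hosts.
CLUSTER_CONTROL_UNITS: Dict[str, str] = {
    "cluster-a": "https://master-a.internal.example:6443",
    "cluster-b": "https://master-b.internal.example:6443",
}

# Constructed service catalogue: (service name, container name) -> Kubernetes cluster name.
SERVICE_CATALOGUE: Dict[Tuple[str, str], str] = {
    ("payments", "api"): "cluster-a",
    ("payments", "worker"): "cluster-b",
}


class TokenCache:
    """In-memory stand-in for the redis cache: key = random token, value = control unit address.

    Entries expire after a TTL; the clock is injectable so expiry can be tested without sleeping."""

    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self._now = now
        self._entries: Dict[str, Tuple[str, float]] = {}

    def get(self, token: str) -> Optional[str]:
        entry = self._entries.get(token)
        if entry is None:
            return None
        address, expires_at = entry
        if self._now() >= expires_at:
            del self._entries[token]  # expired together with the session, as the description requires
            return None
        return address

    def contains(self, token: str) -> bool:
        return self.get(token) is not None

    def put(self, token: str, address: str, ttl: float) -> None:
        self._entries[token] = (address, self._now() + ttl)


def lookup_control_unit(service: str, container: str) -> str:
    """Steps S21-S22: derive the cluster from service/container, then fetch its control unit address."""
    cluster = SERVICE_CATALOGUE[(service, container)]
    return CLUSTER_CONTROL_UNITS[cluster]


def issue_token(
    cache: TokenCache,
    service: str,
    container: str,
    generate: Callable[[], str] = lambda: secrets.token_urlsafe(32),
    ttl: float = SESSION_TIMEOUT_SECONDS,
    max_attempts: int = 8,
) -> str:
    """Step S23: form <random token, control unit address>; if the key is already in the cache,
    regenerate the token and check again; otherwise store the pair and hand the token to the client.

    With a shared cache the check-then-put should be one atomic operation (for redis, SET with NX),
    otherwise two concurrent issuers could still race on the same key."""
    address = lookup_control_unit(service, container)
    for _ in range(max_attempts):
        token = generate()
        if cache.contains(token):
            continue  # another session owns this key, possibly with a different address
        cache.put(token, address, ttl)
        return token
    raise RuntimeError("could not find an unused random token key")
```

The `generate` parameter exists only so the collision path can be driven deterministically; in use it should stay at the `secrets` default, which yields 256 bits of randomness per token.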

Abstract

Disclosed by the present application are a container logon method, application server, system, and storage medium, the method comprising: receiving a user-initiated container service access request and generating a random token; querying a control unit address of a cluster where a service to be accessed is located according to the container service access request, and grouping the random token and the control unit address into a key value pair and storing the same into a cache; when receiving a container logon request in the service to be accessed, sending the container logon request and the random token to a proxy server, the container logon request comprising user account information; authenticating the user account information and the random token, and if the authentication is passed, obtaining the control unit address according to the random token and returning the same to the proxy server, and sending, by means of the proxy server, the container logon request to the control unit address to establish a connection for a client and the control unit. Convenient logging in to the container and dynamic authentication are realized without exposing the real address of the cluster control unit, thereby ensuring the security of the system.
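The authentication sub-request of steps S40 and S43, and the authenticate-then-look-up flow the abstract summarises, as an added Python example that is not code from the patent or from its assignee. `handle_auth_subrequest` plays the authentication service plus container service that Nginx's ngx_http_auth_request_module would call before forwarding the login request, and `proxy_decision` mirrors that module's rule that only a 2xx sub-request response lets the original request through. The user directory, the cached token, the header names and the control unit address are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Mapping, Optional, Tuple

# Constructed salt; a real deployment uses a random per-user salt stored beside the hash.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user directory (not real accounts): username -> (password hash, permissions).
USERS: Dict[str, Tuple[bytes, FrozenSet[str]]] = {
    "alice": (_hash_password("correct horse"), frozenset({"container:login"})),
    "bob": (_hash_password("hunter2"), frozenset()),  # valid account, no container login permission
}
# Compared against when the username is unknown, so the check costs the same either way.
_DUMMY_HASH = _hash_password("unused")

# Constructed cache contents from the token-issuance step: random token -> control unit address.
TOKEN_CACHE: Dict[str, str] = {"tok-valid": "https://master-a.internal.example:6443"}


@dataclass
class SubrequestResult:
    """Status the authentication service answers the sub-request with, plus the address on success."""
    status: int
    control_unit: Optional[str] = None


def verify_account(username: str, password: str) -> Optional[FrozenSet[str]]:
    """Step S42: check username and password; returns the user's permissions, or None on failure."""
    record = USERS.get(username)
    stored_hash, permissions = record if record is not None else (_DUMMY_HASH, frozenset())
    if not hmac.compare_digest(_hash_password(password), stored_hash) or record is None:
        return None
    return permissions


def handle_auth_subrequest(headers: Mapping[str, str]) -> SubrequestResult:
    """Authentication service and container service behind the proxy's sub-request (steps S41-S43).

    The header names are assumptions for this example; the account information and random token
    travel with the original login request and are passed along to the sub-request by the proxy."""
    username = headers.get("X-User", "")
    password = headers.get("X-Password", "")
    token = headers.get("X-Random-Token", "")

    permissions = verify_account(username, password)
    if permissions is None:
        return SubrequestResult(401)  # wrong credentials: unauthorized, sub-request fails
    if "container:login" not in permissions:
        return SubrequestResult(403)  # authenticated, but not permitted to log in to containers

    # Step S43: the container service looks the random token up in the cache.
    address = TOKEN_CACHE.get(token)
    if address is None:
        return SubrequestResult(404)  # missing, expired or tampered token: not found
    return SubrequestResult(200, address)


def proxy_decision(result: SubrequestResult) -> Optional[str]:
    """auth_request semantics: forward the original login request only on a 2xx sub-request response.

    Returns the control unit address to proxy to, or None when the request must not be forwarded."""
    if 200 <= result.status <= 299:
        return result.control_unit
    return None
```

In an Nginx deployment the address the sub-request returns (for example in a response header) can be captured with `auth_request_set` and used as the upstream of the forwarded request, so the client only ever sees the proxy. Note that auth_request passes a 401 or 403 from the sub-request back to the client as-is and treats any other non-2xx code, such as the 404 for an unknown token here, as an error; in every one of those cases the original request never reaches the control unit.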

Description

Container login method, application server, system and storage medium
This application claims priority from Chinese Patent Application No. 201711482082.8, filed with the Chinese Patent Office on December 29, 2017 and entitled "Container login method, application server, system and storage medium", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of computer technology, and in particular to a container login method, application server, system and storage medium.
Background
The container technology provided by Docker allows several containers to run on the same host or virtual machine, each container being an independent virtual environment or application. Docker provides clients with the ability to log in to a container, allowing the user to enter the container and operate it in the same way as a host or virtual machine. Kubernetes is a container orchestration tool open-sourced by Google; it can combine several Docker containers into one service and dynamically assign the hosts on which containers run.
Usually, to log in to a container the user must first log in to the host where the container is located and then use a docker command to enter the container, which is cumbersome. Kubernetes, by contrast, locates the host where the container runs through the management unit of the cluster where the container resides, reads the docker socket on that host and exposes a websocket API to the client, so that the user can log in to the container directly through the Kubernetes API.
However, this approach is still not intuitive enough: the client must know the specific address of the management unit of the cluster where the container is located in order to issue the websocket API request, which exposes the direct access path to the cluster's management unit to the client; moreover, it cannot be combined with dynamic authentication.
Therefore, the prior art still needs to be improved and developed.
Summary of the invention
In view of the above deficiencies of the prior art, the purpose of the present application is to provide a container login method, application server, system and storage medium that combine the need for convenient container login with dynamic authentication, without exposing the real address of the cluster control unit, thereby ensuring the security of the system.
To achieve the above purpose, the present application adopts the following technical solutions:
A container login method, comprising the following steps:
receiving a user-initiated container service access request and generating a random token;
querying, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, and forming the random token and the control unit address into a key-value pair and storing it in a cache;
when a container login request within the service to be accessed is received, sending the container login request and the random token to a proxy server, wherein the container login request includes user account information;
authenticating the user account information and the random token and, if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address to establish a connection between the client and the control unit.
An application server for container login, comprising a processor, a memory and a communication bus;
the memory stores a computer-readable program executable by the processor;
the communication bus implements connection and communication between the processor and the memory;
when the processor executes the computer-readable program, the steps of the container login method according to any of the above are implemented.
A computer-readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the steps of the container login method described above.
A container login system, comprising a client and a proxy server, and further comprising the application server for container login described above;
the application server is configured to receive a user-initiated container service access request and generate a random token; to query, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, and form the random token and the control unit address into a key-value pair and store it in a cache; when a container login request within the service to be accessed is received, to send the container login request and the random token to the proxy server, wherein the container login request includes user account information; and to authenticate the user account information and the random token and, if authentication passes, obtain the control unit address according to the random token and return it to the proxy server;
the proxy server is configured to send the container login request to that control unit address to establish a connection between the client and the control unit.
Compared with the prior art, in the container login method, application server, system and storage medium provided by the present application, the container login method receives a user-initiated container service access request and generates a random token; then queries, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, and forms the random token and the control unit address into a key-value pair and stores it in a cache; then, when a container login request within the service to be accessed is received, sends the container login request and the random token to a proxy server, wherein the container login request includes user account information; and then authenticates the user account information and the random token and, if authentication passes, obtains the control unit address according to the random token and returns it to the proxy server, which sends the container login request to that control unit address to establish a connection between the client and the control unit. This combines the need for convenient container login with dynamic authentication, without exposing the real address of the cluster control unit, thereby ensuring the security of the system.
Description of the drawings
FIG. 1 is a flowchart of the container login method provided by the present application;
FIG. 2 is a flowchart of step S20 of the container login method provided by the present application;
FIG. 3 is a flowchart of step S23 of the container login method provided by the present application;
FIG. 4 is a flowchart of step S30 of the container login method provided by the present application;
FIG. 5 is a flowchart of step S40 of the container login method provided by the present application;
FIG. 6 is a flowchart of step S43 of the container login method provided by the present application;
FIG. 7 is a schematic diagram of the operating environment of a preferred embodiment of the container login program of the present application;
FIG. 8 is a functional block diagram of a preferred embodiment of the system in which the container login program of the present application is installed;
FIG. 9 is a structural block diagram of the application server for container login provided by the present application.
Detailed description
In order to make the purpose, technical solutions and effects of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein serve only to explain the present application and are not intended to limit it.
The present application is based on a method for logging in to containers within a Kubernetes cluster. Kubernetes is a container orchestration tool open-sourced by Google; it can combine several Docker containers into one service and dynamically assign the hosts on which containers run. A Kubernetes Service is a collection of several containers, and a single Service can provide a service to users. A Kubernetes cluster is a group of hosts or virtual machines used to run Kubernetes services; the containers within the services managed by Kubernetes actually run on the individual node hosts of the cluster. Each Kubernetes cluster has one and only one control unit, the Kubernetes Master, which schedules and manages Kubernetes services, for example by assigning a container of a service to a node in the cluster. The Kubernetes Master is a process running on some host or virtual machine.
Referring to FIG. 1, the container login method provided by the present application includes the following steps:
S10: receive a user-initiated container service access request and generate a random token.
In this embodiment, when the user enters the Kubernetes service page, access to the container service is requested; the client receives this container service access request and generates a random token. The container service access request contains information such as the name of the service to be accessed, the container name and the user's permissions.
S20: query, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, and form the random token and the control unit address into a key-value pair and store it in the cache.
After the user initiates a container service access request, the control unit address of the cluster where the service to be accessed is located is queried according to the service and container information in the request. Under Kubernetes management, containers are organized in the form of services and may drift between different hosts to achieve higher availability. The user does not need to know on which host the container to be logged in to is located; only the container name, its service and its cluster are needed, after which the container can be entered through the Kubernetes client command kubectl exec or by calling the websocket API of the Kubernetes control unit. Therefore, when the user enters the service page and requests access, the control unit address of the cluster where the service to be accessed is located is obtained first, and the random token and the control unit address are formed into a key-value pair and stored in the cache, for use in the dynamic authentication and control unit address lookup during the user's subsequent login operation. The cluster's control unit address is thus encapsulated, improving the security of the system. For the specific query process, refer to FIG. 2, which is a flowchart of step S20 of the container login method provided by the present application.
As shown in FIG. 2, step S20 includes:
S21: obtain, according to the information on the service to be accessed in the container service access request, the name of the cluster where the service is located, and access the database;
S22: receive the control unit address of that cluster returned by the database after querying by cluster name;
S23: form a key-value pair with the random token as key and the control unit address as value, and store it in the cache.
In this embodiment, after the container service access request is received, the user's permission to access the service is first verified according to the information on the service to be accessed in the request, i.e. the service name, container name and user permissions. If the permission check passes, the container service access request is forwarded to the container service. The container service obtains the name of the Kubernetes cluster where the container is located according to the service name and container name in the request, accesses the database, and receives the control unit address of that Kubernetes cluster returned by the database after querying by Kubernetes cluster name. The container service then forms the generated random token as key and the obtained control unit address as value into a <random token, control unit address> key-value pair and stores it in the cache for subsequent lookup.
Preferably, the random token is returned to the client's front-end page and saved as a variable, and the timeout of the random token is set to match the timeout of the system session. That is, a random token and key-value pair are generated each time the user enters the Kubernetes service page; if the user exits and then enters the Kubernetes service page again, a new random token is generated, and the previously saved random token becomes invalid when it times out. Each time the service page is entered, a new <random token, control unit address> key-value pair is generated for the user's current container login, improving the security of subsequent authentication and login. For the specific process of generating and saving the key-value pair, refer to FIG. 3, which is a flowchart of step S23 of the container login method provided by the present application.
As shown in FIG. 3, step S23 includes:
S231: form a key-value pair with the random token as key and the control unit address as value;
S232: search the cache for a key-value pair keyed by the same random token; if one exists, regenerate the random token; if not, store the current key-value pair in the cache.
In this embodiment, when the key-value pair is generated and saved, the generated random token and the obtained control unit address are first formed into a <random token, control unit address> key-value pair, and the cache (such as redis) is then checked for a key-value pair keyed by the same random token. If there is one, a new random token is generated, a new key-value pair is formed and the check is repeated; if there is none, the current key-value pair is stored directly in the cache. This avoids the situation where the cache contains entries with the same random token as key but different control unit addresses as values, ensuring that the control unit address is obtained correctly later.
S30: when a container login request within the service to be accessed is received, send the container login request and the random token to the proxy server, wherein the container login request includes the random token.
In this embodiment, when the user needs to log in to a container in the Kubernetes service to be accessed, a container login request is initiated; the container login request includes user account information. After the container login request is received, the container login request and the random token are sent to the proxy server, and the subsequent login process is carried out through the proxy server. In a specific implementation, Nginx is used as the proxy server. Nginx is an open-source proxy service that can proxy user-initiated requests and forward them; by using a proxy server, exposure of the real control unit address during container login is avoided, ensuring the security of the system. For details, refer to FIG. 4, which is a flowchart of step S30 of the container login method provided by the present application.
As shown in FIG. 4, step S30 includes:
S31: detect whether the virtual button for logging in to a container within the service to be accessed has been triggered;
S32: when the virtual button for logging in to the container is triggered, send a container login request and the random token to the proxy server, the container login request including user account information.
In this embodiment, the user triggers the login request through the container login virtual button on the Kubernetes service details page. When it is detected that the container login virtual button has been triggered, a container login request carrying the user account information and the random token is sent to the proxy server for subsequent permission verification and acquisition of the control unit address. The user account information includes the username, password, user permissions and so on.
S40: authenticate the user account information and the random token; if authentication passes, obtain the control unit address according to the random token and return it to the proxy server, which sends the container login request to that control unit address to establish a connection between the client and the control unit.
In this embodiment, after the container login request and the random token have been sent to the proxy server, the user account information and the random token are first authenticated to verify whether the user's account information and the random token are correct. If authentication passes, the corresponding control unit address is obtained by searching the cache according to the random token and returned to the proxy server, which sends the container login request to that control unit address to establish a connection between the client and the control unit, so that the client successfully logs in to the container. In this embodiment, the user can log in to a container directly from the existing Kubernetes container service platform, ensuring the convenience of container login, while authentication is performed at the time of login. This resolves the conflict between the user's need for convenient container login and the constraints of permission checking: the permission constraints are maintained while the user's need for convenient login is met. Moreover, because requests are forwarded through the proxy server, the real Kubernetes control unit address is not exposed to the user; only the proxy server's address is exposed, which greatly improves the security of container login. For details, refer to FIG. 5, which is a flowchart of step S40 of the container login method provided by the present application.
As shown in FIG. 5, step S40 includes:
S41: initiate a sub-request for obtaining the control unit address according to the user account information and the random token;
S42: authenticate the user account information and the random token, and return the authentication result to the proxy server;
S43: if authentication passes, obtain the control unit address according to the random token and return it to the proxy server, which sends the container login request to that control unit address to establish a connection between the client and the control unit.
In this embodiment, after receiving the container login request, the proxy server first initiates a sub-request for obtaining the control unit address. In a specific implementation, Nginx is used as the proxy server. Nginx has an open-source module, ngx_http_auth_request_module, that provides sub-request functionality: before Nginx forwards a received request to the real service it proxies, it first issues a sub-request, and only when the sub-request's response is successful (response status code 200-299) is the original request forwarded. On this basis, after receiving the container login request the proxy server does not forward it immediately; it first issues to the authentication service a sub-request for obtaining the control unit address, carrying the user account information and the random token. The authentication service authenticates the user account information and the random token and returns the authentication result to the proxy server. Specifically, the authentication service verifies whether the user account information is correct, including whether the username and password are correct and whether the user has permission to log in to the container; if so, it forwards the sub-request for obtaining the control unit address to the container service; otherwise it does not forward the sub-request and returns an authentication failure message directly to the proxy server. For example, if the user account information in the request is wrong or absent, the authentication service intercepts the request and returns an unauthorized response, so the sub-request fails and the proxy server does not forward the request to the real control unit address. When the user account information is correct, the authentication service forwards the sub-request to the container service, which obtains the corresponding control unit address from the cache according to the random token. Thus, before the user logs in to the container, the account information is dynamically checked for permission in conjunction with the authentication service, combining convenient login with dynamic authentication. For details, refer to FIG. 6, which is a flowchart of step S43 of the container login method provided by the present application.
As shown in FIG. 6, step S43 includes:
S431: the container service searches the cache for the corresponding control unit address according to the random token;
S432: if the random token is missing or wrong, return a sub-request failure message to the proxy server; if the random token is correct, obtain the corresponding control unit address and return it to the proxy server;
S433: the proxy server sends the container login request to that control unit address to establish a connection between the client and the control unit.
After the user account information has been verified and the authentication service has forwarded the sub-request to the container service, the container service searches the cache for the corresponding control unit address according to the random token. If the random token is missing or wrong, the real control unit address cannot be obtained from the cache using that token; a not-found response is returned, the sub-request fails, and the proxy server does not forward the request to the real control unit address. If the random token is correct, the container service obtains the corresponding control unit address from the cache according to the random token and returns it to the proxy server; the sub-request then succeeds, and the proxy server forwards the original container login request to the corresponding control unit and accesses the control unit's websocket API, establishing a connection between the client and the control unit so that the client successfully logs in to the container. In this way the real address of the cluster control unit that must be accessed to log in to the container is encapsulated; the user cannot intercept this information, and the security of the system is ensured.
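The token cache with collision regeneration and session-matched timeout (steps S23 and S232) and the proxy's authentication sub-request flow (steps S41 to S433), modelled together in Python as an added example that is not the patent's own code. The class names, the status codes returned by the sub-request, the placeholder control unit address and the user data are assumptions; the patent runs the sub-request through Nginx's ngx_http_auth_request_module and keeps the key-value pair in a cache such as redis, whereas here both are simulated in memory.

```python
import secrets
import time


class TokenCache:
    """Stands in for the cache (e.g. redis): random token -> (control unit address, expiry)."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds        # token lifetime, matched to the session timeout
        self.clock = clock
        self._entries = {}

    def contains(self, token):
        entry = self._entries.get(token)
        if entry is None:
            return False
        if entry[1] <= self.clock():  # timed out together with the session
            del self._entries[token]
            return False
        return True

    def put(self, token, address):
        self._entries[token] = (address, self.clock() + self.ttl)

    def get(self, token):
        return self._entries[token][0] if self.contains(token) else None


class ContainerService:
    """Steps S10-S23 and S431/S432: issues tokens and resolves them to control unit addresses."""

    def __init__(self, cache, service_cluster, cluster_db, users, token_source=None):
        self.cache = cache
        self.service_cluster = service_cluster   # service name -> cluster name
        self.cluster_db = cluster_db             # cluster name -> control unit address ("database")
        self.users = users                       # username -> (password, permitted services)
        self.token_source = token_source or (lambda: secrets.token_urlsafe(16))

    def access_request(self, username, service):
        """S10/S20: on page entry, check permission, look up the address, cache it under a fresh token."""
        _, permitted = self.users[username]
        if service not in permitted:
            raise PermissionError("user may not access this service")
        cluster = self.service_cluster[service]        # S21: service -> cluster name
        address = self.cluster_db[cluster]              # S22: cluster name -> control unit address
        token = self.token_source()
        while self.cache.contains(token):               # S232: never overwrite a live token
            token = self.token_source()
        self.cache.put(token, address)                  # S23: <random token, control unit address>
        return token                                    # only the token goes back to the page

    def resolve(self, token):
        """S431/S432: None when the token is absent, unknown or expired."""
        return self.cache.get(token) if token else None


class AuthService:
    """S42: checks account information before the sub-request reaches the container service."""

    def __init__(self, users, container_service):
        self.users = users
        self.container_service = container_service

    def subrequest(self, request):
        """Returns (status, address); only a 2xx status lets the proxy forward the login request."""
        creds = self.users.get(request.get("username"))
        if creds is None or creds[0] != request.get("password"):
            return 401, None                            # wrong or missing account information
        if request.get("service") not in creds[1]:
            return 403, None                            # no permission to log in to this service
        address = self.container_service.resolve(request.get("token"))
        if address is None:
            return 404, None                            # token missing or wrong: sub-request fails
        return 200, address


class Proxy:
    """Models the auth_request behaviour: forward upstream only when the sub-request returns 2xx."""

    def __init__(self, auth_service):
        self.auth_service = auth_service
        self.forwarded = []   # (control unit address, request) pairs that reached a control unit

    def login(self, request):
        status, address = self.auth_service.subrequest(request)   # S41
        if 200 <= status < 300:
            self.forwarded.append((address, request))             # S433: handed to the control unit
            return "connected"
        return "rejected:%d" % status                             # original request never forwarded


def build_demo(clock=time.time, token_source=None):
    """Wires the parts together with constructed placeholder data (not taken from the patent)."""
    cache = TokenCache(ttl_seconds=1800, clock=clock)
    service = ContainerService(cache, service_cluster={"shop-service": "cluster-a"},
                               cluster_db={"cluster-a": "control-unit-a.internal:6443"},  # placeholder
                               users={"alice": ("alice-pw", {"shop-service"})}, token_source=token_source)
    proxy = Proxy(AuthService(service.users, service))
    return service, proxy, cache
```

The client only ever learns the token and the proxy's own endpoint; the address in cluster_db is returned to the proxy by the sub-request and never appears in a response to the client.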
As shown in FIG. 7, based on the container login method described above, the present application also provides an application server for container login. The application server for container login may be a computing device such as a mobile terminal, desktop computer, notebook, palmtop computer or server. The application server for container login includes a processor 10, a memory 20 and a display 30. FIG. 7 shows only some of the components of the application server for container login; it should be understood that not all of the illustrated components need to be implemented, and more or fewer components may be implemented instead.
In some embodiments the memory 20 may be an internal storage unit of the application server for container login, such as its hard disk or RAM. In other embodiments the memory 20 may be an external storage device of the application server for container login, such as a plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card or Flash Card provided on the application server. Further, the memory 20 may include both an internal storage unit and an external storage device of the application server for container login. The memory 20 is used to store the application software installed on the application server for container login and various kinds of data, such as the program code of the application server on which the container login program is installed. The memory 20 may also be used to temporarily store data that has been output or is to be output. In one embodiment, a container login program 40 is stored in the memory 20; the container login program 40 can be executed by the processor 10 to implement the container login method of the present application.
In some embodiments the processor 10 may be a central processing unit (CPU), microprocessor or other data processing chip for running the program code stored in the memory 20 or processing data, for example to execute the container login method.
In some embodiments the display 30 may be an LED display, liquid crystal display, touch liquid crystal display, OLED (Organic Light-Emitting Diode) touch display or the like. The display 30 is used to display information of the application server for container login and to display a visual user interface. The components 10-30 of the application server for container login communicate with one another via a system bus.
In one embodiment, when the processor 10 executes the container login program 40 in the memory 20, the steps of the embodiments of the container login method described above are implemented, which are not repeated here.
Refer to FIG. 8, which is a functional block diagram of a preferred embodiment of the system in which the container login program is installed. In this embodiment, the system in which the container login program is installed may be divided into one or more modules, the one or more modules being stored in the memory 20 and executed by one or more processors (in this embodiment the processor 10) to carry out the present application. For example, in FIG. 8 the system in which the container login program is installed may be divided into a generation module 21, a query module 22, a login module 23 and an authentication and acquisition module 24. A module in the sense of the present application is a series of computer program instruction segments capable of performing a specific function, and is better suited than a program for describing the execution of the container login program in the application server for container login. The functions of the modules 21-24 are described in detail below.
生成块21,用于接收用户发起的容器服务访问请求并生成一随机令牌;Generating block 21, configured to receive a user-initiated container service access request and generate a random token;
查询模块22,用于根据所述容器服务访问请求查询待访问服务所在集群的控制单元地址,并将所述随机令牌和控制单元地址组成键值对后存入缓存;The querying module 22 is configured to query, according to the container service access request, a control unit address of a cluster where the service to be accessed is located, and store the random token and the control unit address into a key value pair and store the information in the cache;
登录模块23,用于当接收到待访问服务中的容器登录请求时,将所述容器登录请求和随机令牌发送至代理服务器,其中,所述容器登录请求包括用户账号信息;The login module 23 is configured to send the container login request and the random token to the proxy server when receiving the container login request in the to-be-accessed service, where the container login request includes user account information;
鉴权获取模块24,用于对所述用户账号信息和随机令牌进行鉴权,若鉴权通过,则根据所述随机令牌获取控制单元地址并返回给代理服务器。The authentication obtaining module 24 is configured to authenticate the user account information and the random token. If the authentication succeeds, the control unit address is obtained according to the random token and returned to the proxy server.
查询模块22具体包括:The query module 22 specifically includes:
名称获取单元,用于根据所述容器服务访问请求中的待访问服务信息获取其所在的集群名称并访问数据库;a name obtaining unit, configured to acquire a cluster name and access a database according to the to-be-accessed service information in the container service access request;
接收单元,用于接收数据库反馈的根据集群名称查询的该集群的控制单元地址;a receiving unit, configured to receive, by the database, the control unit address of the cluster that is queried according to the cluster name;
生成单元,用于将所述随机令牌作为键、控制单元地址作为值组成键值对后存入缓存。And a generating unit, configured to store the random token as a key, a control unit address as a value, and then store the key value pair in a cache.
所述生成单元包括:The generating unit includes:
键值对生成子单元,用于将所述随机令牌作为键、控制单元地址作为值组成键值对;a key-value pair generating sub-unit, configured to use the random token as a key and a control unit address as a value to form a key-value pair;
搜索单元,用于搜索缓存中是否存在以相同的随机令牌作为键的键值对,若存在则重新生成随机令牌;若不存在则将当前键值对存入缓存中。The search unit is configured to search whether there is a key value pair with the same random token as a key in the cache, and regenerate the random token if it exists; if not, the current key value pair is stored in the cache.
所述登录模块23包括:The login module 23 includes:
检测单元,用于检测待访问服务中登录容器的虚拟按钮是否被触发;a detecting unit, configured to detect whether a virtual button of the login container in the service to be accessed is triggered;
发送单元,用于当登录容器的虚拟按钮被触发时,向代理服务器发送容器登录请求和随机令牌,所述容器登录请求中包括用户账号信息。And a sending unit, configured to send a container login request and a random token to the proxy server when the virtual button of the login container is triggered, where the container login request includes user account information.
所述鉴权获取模块24包括:The authentication obtaining module 24 includes:
子请求发起单元,用于根据所述用户账号信息和随机令牌发起获取控制单元地址的子请求;a sub-requesting initiation unit, configured to initiate a sub-request for obtaining an address of the control unit according to the user account information and the random token;
鉴权单元,用于对所述用户账号信息和随机令牌进行鉴权,并返回鉴权结果至代理服务器;An authentication unit, configured to authenticate the user account information and the random token, and return an authentication result to the proxy server;
地址获取单元,用于鉴权通过时根据所述随机令牌获取控制单元地址并返回给代理服务器。The address obtaining unit is configured to acquire the control unit address according to the random token and return to the proxy server when the authentication is passed.
所述地址获取单元包括:The address obtaining unit includes:
地址搜索子单元,用于容器服务根据随机令牌在缓存中搜索对应的控制单元地址;An address search subunit for the container service to search for a corresponding control unit address in the cache according to the random token;
反馈子单元,用于若随机令牌缺失或有误,则返回子请求失败信息至代理服务器;若随机令牌无误则获取对应的控制单元地址并返回给代理服务器。The feedback sub-unit is configured to return the sub-request failure information to the proxy server if the random token is missing or incorrect; if the random token is correct, the corresponding control unit address is obtained and returned to the proxy server.
基于上述容器登录方法和应用服务器,本申请还相应提供一种容器登录系统,请参阅图9,其包括客户端101、代理服务器102和如上所述的容器登录的应用服务器103。Based on the above container login method and application server, the present application further provides a container login system. Referring to FIG. 9, the client 101, the proxy server 102, and the container login application server 103 as described above are included.
其中所述应用服务器103用于接收用户发起的容器服务访问请求并生成一随机令牌;以及根据所述容器服务访问请求查询待访问服务所在集群的控制单元地址,并将所述随机令牌和控制单元地址组成键值对后存入缓存;以及当接收到待访问服务中的容器登录请求时,将所述容器登录请求和随机令牌发送至代理服务器102,其中,所述容器登录请求包括用户账号信息;以及对所述用户账号信息和随机令牌进行鉴权,若鉴权通过,则根据所述随机令牌获取控制单元地址并返回给代理服务器102;所述代理服务器102用于将所述登录请求发送至该控制单元地址,为客户端101和控制单元建立连接。The application server 103 is configured to receive a user-initiated container service access request and generate a random token; and query a control unit address of the cluster where the service to be accessed is located according to the container service access request, and the random token and The control unit address is stored in the cache after the key value pair is formed; and when the container login request in the service to be accessed is received, the container login request and the random token are sent to the proxy server 102, wherein the container login request includes User account information; and authenticating the user account information and the random token, if the authentication is passed, acquiring the control unit address according to the random token and returning to the proxy server 102; the proxy server 102 is configured to The login request is sent to the control unit address to establish a connection between the client 101 and the control unit.
综上所述,本申请提供的容器登录方法、应用服务器、系统及存储介质中,所述容器登录方法通过接收用户发起的容器服务访问请求并生成一随机令牌;之后根据所述容器服务访问请求查询待访问服务所在集群的控制单元地址,并将所述随机令牌和控制单元地址组成键值对后存入缓存;之后当接收到待访问服务中的容器登录请求时,将所述容器登录请求和随机令牌发送至代理服务器,其中,所述容器登录请求包括用户账号信息;之后对所述用户账号信息和随机令牌进行鉴权,若鉴权通过,则根据所述随机令牌获取控制单元地址并返回给代理服务器,由代理服务器将所述容器登录请求发送至该控制单元地址,为客户端和控制单元建立连接。将便利登陆容器的需求与动态鉴权相结合,且不会暴露集群控制单元的真实地址,保证系统的安全。In summary, in the container login method, the application server, the system, and the storage medium provided by the present application, the container login method receives a user-initiated container service access request and generates a random token; and then accesses according to the container service. Requesting to query the control unit address of the cluster where the service to be accessed is located, and storing the random token and the control unit address into a key value pair and storing the value in the cache; then, when receiving the container login request in the service to be accessed, the container is The login request and the random token are sent to the proxy server, where the container login request includes user account information; then the user account information and the random token are authenticated, and if the authentication passes, the random token is The control unit address is obtained and returned to the proxy server, and the container login request is sent by the proxy server to the control unit address to establish a connection between the client and the control unit. The need to facilitate the login of the container is combined with dynamic authentication, and the real address of the cluster control unit is not exposed to ensure the security of the system.
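The following is an added example, not code from the patent or its applicant: it models the flow of modules 21-24 and the proxy server 102 in Python. The service name, cluster address and account store are constructed sample data, an in-memory dict stands in for the cache, and `token_source` is a hypothetical hook so that the collision check of the search unit can be exercised deterministically.

```python
"""Added example: random-token indirection for container login.

The client only ever receives the token; the control unit address is
released to the proxy only after the account and the token both check out.
"""
import hmac
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed sample data standing in for the database and the account store.
SERVICE_TO_CLUSTER: Dict[str, str] = {"payments-api": "payments-cluster"}
CLUSTER_DB: Dict[str, str] = {"payments-cluster": "10.0.5.17:6443"}
ACCOUNTS: Dict[str, str] = {"alice": "correct horse battery staple"}


class AppServer:
    """Application server 103: generation, query, login and authentication modules."""

    def __init__(self, token_source: Callable[[], str] = None) -> None:
        # token -> control unit address (the "cache" of the patent)
        self.cache: Dict[str, str] = {}
        # hypothetical hook; default is a CSPRNG token as the text requires
        self.token_source = token_source or (lambda: secrets.token_urlsafe(32))

    def access_request(self, service_name: str) -> str:
        """Generation module 21 + query module 22 (claims 1-3)."""
        cluster = SERVICE_TO_CLUSTER.get(service_name)
        if cluster is None:
            raise ValueError(f"unknown service {service_name!r}")
        address = CLUSTER_DB[cluster]          # database feedback, keyed by cluster name
        token = self.token_source()
        while token in self.cache:             # search unit: same key present -> regenerate
            token = self.token_source()
        self.cache[token] = address            # key-value pair stored in the cache
        return token                           # the caller learns only the token

    def authenticate(self, account: str, password: str, token: str) -> dict:
        """Authentication unit (claim 6): verify the account before forwarding."""
        expected = ACCOUNTS.get(account, "")
        # constant-time comparison; a real store would hold password hashes
        if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
            return {"ok": False, "reason": "authentication failed"}
        return self.container_service_lookup(token)   # sub-request forwarded

    def container_service_lookup(self, token: str) -> dict:
        """Address search + feedback sub-units (claim 7)."""
        address = self.cache.get(token)
        if address is None:
            return {"ok": False, "reason": "sub-request failed: token missing or incorrect"}
        return {"ok": True, "address": address}


class ProxyServer:
    """Proxy server 102: the only party outside the app server that learns the address."""

    def __init__(self, app: AppServer) -> None:
        self.app = app
        self.connections: List[Tuple[str, str]] = []   # (account, address) "established"

    def login(self, login_request: dict, token: str) -> dict:
        """Login module 23 hands the request and token here (claims 4-5)."""
        result = self.app.authenticate(
            login_request["account"], login_request["password"], token)
        if not result["ok"]:
            return result                      # failure message, no address leaked
        self.connections.append((login_request["account"], result["address"]))
        return {"ok": True}


if __name__ == "__main__":
    app = AppServer()
    proxy = ProxyServer(app)
    tok = app.access_request("payments-api")
    print(proxy.login({"account": "alice", "password": ACCOUNTS["alice"]}, tok))
    print(proxy.login({"account": "alice", "password": "wrong"}, tok))
    print(proxy.login({"account": "alice", "password": ACCOUNTS["alice"]}, "bogus"))
```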
当然,本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程,是可以通过计算机程序来指令相关硬件(如处理器,控制器等)来完成,所述的程序可存储于一计算机可读取的存储介质中,该程序在执行时可包括如上述各方法实施例的流程。其中所述的存储介质可为存储器、磁碟、光盘等。Certainly, those skilled in the art can understand that all or part of the processes in the foregoing embodiments can be implemented by a computer program to instruct related hardware (such as a processor, a controller, etc.), and the program can be stored in one. In a computer readable storage medium, the program, when executed, may include the processes of the various method embodiments as described above. The storage medium described therein may be a memory, a magnetic disk, an optical disk, or the like.
应当理解的是,本申请的应用不限于上述的举例,对本领域普通技术人员来说,可以根据上述说明加以改进或变换,所有这些改进和变换都应属于本申请所附权利要求的保护范围。It should be understood that the application of the present application is not limited to the above-described examples, and those skilled in the art can make modifications and changes in accordance with the above description, all of which are within the scope of the appended claims.

Claims (28)

  1. A container login method, characterized in that it comprises the following steps:
    receiving a user-initiated container service access request and generating a random token;
    looking up, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, forming a key-value pair from the random token and the control unit address, and storing it in a cache;
    upon receiving a container login request from the service to be accessed, sending the container login request and the random token to a proxy server, wherein the container login request includes user account information;
    authenticating the user account information and the random token and, if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit.
  2. The container login method according to claim 1, characterized in that said looking up, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, forming a key-value pair from the random token and the control unit address, and storing it in a cache comprises:
    obtaining, from the to-be-accessed service information in the container service access request, the name of the cluster the service belongs to, and accessing a database;
    receiving from the database the control unit address of that cluster, looked up by cluster name;
    forming a key-value pair with the random token as key and the control unit address as value, and storing it in the cache.
  3. The container login method according to claim 2, characterized in that the step of forming a key-value pair with the random token as key and the control unit address as value and storing it in the cache comprises:
    forming a key-value pair with the random token as key and the control unit address as value;
    searching the cache for a key-value pair keyed by the same random token; if one exists, regenerating the random token, otherwise storing the current key-value pair in the cache.
  4. The container login method according to claim 1, characterized in that the step of, upon receiving a container login request from the service to be accessed, sending the container login request and the random token to a proxy server, wherein the container login request includes user account information, comprises:
    detecting whether the virtual "log in to container" button in the service to be accessed has been triggered;
    when the "log in to container" button is triggered, sending a container login request and the random token to the proxy server, the container login request including user account information.
  5. The container login method according to claim 1, characterized in that the step of authenticating the user account information and the random token and, if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit, comprises:
    initiating, based on the user account information and the random token, a sub-request to obtain the control unit address;
    authenticating the user account information and the random token, and returning the authentication result to the proxy server;
    if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit.
  6. The container login method according to claim 5, characterized in that the step of authenticating the user account information and the random token and returning the authentication result to the proxy server comprises:
    verifying whether the user account information is correct; if so, forwarding the sub-request for obtaining the control unit address to the container service; otherwise not forwarding the sub-request and directly returning an authentication failure message to the proxy server.
  7. The container login method according to claim 6, characterized in that the step of, if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit, comprises:
    the container service searching the cache for the control unit address corresponding to the random token;
    if the random token is missing or incorrect, returning a sub-request failure message to the proxy server; if the random token is correct, obtaining the corresponding control unit address and returning it to the proxy server;
    the proxy server sending the container login request to that control unit address and establishing a connection between the client and the control unit.
  8. An application server for container login, characterized in that it comprises a processor, a memory and a communication bus;
    the memory stores a computer-readable program executable by the processor;
    the communication bus provides connection and communication between the processor and the memory;
    when executing the computer-readable program, the processor implements the following steps:
    receiving a user-initiated container service access request and generating a random token;
    looking up, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, forming a key-value pair from the random token and the control unit address, and storing it in a cache;
    upon receiving a container login request from the service to be accessed, sending the container login request and the random token to a proxy server, wherein the container login request includes user account information;
    authenticating the user account information and the random token and, if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit.
  9. The application server according to claim 8, characterized in that said looking up, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, forming a key-value pair from the random token and the control unit address, and storing it in a cache comprises:
    obtaining, from the to-be-accessed service information in the container service access request, the name of the cluster the service belongs to, and accessing a database;
    receiving from the database the control unit address of that cluster, looked up by cluster name;
    forming a key-value pair with the random token as key and the control unit address as value, and storing it in the cache.
  10. The application server according to claim 9, characterized in that the step of forming a key-value pair with the random token as key and the control unit address as value and storing it in the cache comprises:
    forming a key-value pair with the random token as key and the control unit address as value;
    searching the cache for a key-value pair keyed by the same random token; if one exists, regenerating the random token, otherwise storing the current key-value pair in the cache.
  11. The application server according to claim 8, characterized in that the step of, upon receiving a container login request from the service to be accessed, sending the container login request and the random token to a proxy server, wherein the container login request includes user account information, comprises:
    detecting whether the virtual "log in to container" button in the service to be accessed has been triggered;
    when the "log in to container" button is triggered, sending a container login request and the random token to the proxy server, the container login request including user account information.
  12. The application server according to claim 8, characterized in that the step of authenticating the user account information and the random token and, if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit, comprises:
    initiating, based on the user account information and the random token, a sub-request to obtain the control unit address;
    authenticating the user account information and the random token, and returning the authentication result to the proxy server;
    if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit.
  13. The application server according to claim 12, characterized in that the step of authenticating the user account information and the random token and returning the authentication result to the proxy server comprises:
    verifying whether the user account information is correct; if so, forwarding the sub-request for obtaining the control unit address to the container service; otherwise not forwarding the sub-request and directly returning an authentication failure message to the proxy server.
  14. The application server according to claim 13, characterized in that the step of, if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit, comprises:
    the container service searching the cache for the control unit address corresponding to the random token;
    if the random token is missing or incorrect, returning a sub-request failure message to the proxy server; if the random token is correct, obtaining the corresponding control unit address and returning it to the proxy server;
    the proxy server sending the container login request to that control unit address and establishing a connection between the client and the control unit.
  15. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs executable by one or more processors to implement the following steps:
    receiving a user-initiated container service access request and generating a random token;
    looking up, according to the container service access request, the control unit address of the cluster where the service to be accessed is located, forming a key-value pair from the random token and the control unit address, and storing it in a cache;
    upon receiving a container login request from the service to be accessed, sending the container login request and the random token to a proxy server, wherein the container login request includes user account information;
    authenticating the user account information and the random token and, if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit.
  16. The computer-readable storage medium according to claim 15, characterized in that the one or more programs, when executed by one or more processors, further implement the following steps:
    obtaining, from the to-be-accessed service information in the container service access request, the name of the cluster the service belongs to, and accessing a database;
    receiving from the database the control unit address of that cluster, looked up by cluster name;
    forming a key-value pair with the random token as key and the control unit address as value, and storing it in the cache.
  17. The computer-readable storage medium according to claim 16, characterized in that the one or more programs, when executed by one or more processors, further implement the following steps:
    forming a key-value pair with the random token as key and the control unit address as value;
    searching the cache for a key-value pair keyed by the same random token; if one exists, regenerating the random token, otherwise storing the current key-value pair in the cache.
  18. The computer-readable storage medium according to claim 15, characterized in that the one or more programs, when executed by one or more processors, further implement the following steps:
    detecting whether the virtual "log in to container" button in the service to be accessed has been triggered;
    when the "log in to container" button is triggered, sending a container login request and the random token to the proxy server, the container login request including user account information.
  19. The computer-readable storage medium according to claim 15, characterized in that, in said authenticating the user account information and the random token, if authentication passes, the one or more programs, when executed by one or more processors, further implement the following steps:
    initiating, based on the user account information and the random token, a sub-request to obtain the control unit address;
    authenticating the user account information and the random token, and returning the authentication result to the proxy server;
    if authentication passes, obtaining the control unit address according to the random token and returning it to the proxy server, which sends the container login request to that control unit address and establishes a connection between the client and the control unit.
  20. The computer-readable storage medium according to claim 19, characterized in that the one or more programs, when executed by one or more processors, further implement the following steps:
    verifying whether the user account information is correct; if so, forwarding the sub-request for obtaining the control unit address to the container service; otherwise not forwarding the sub-request and directly returning an authentication failure message to the proxy server.
  21. The computer-readable storage medium according to claim 20, characterized in that, if authentication passes, the one or more programs, when executed by one or more processors, further implement the following steps:
    the container service searching the cache for the control unit address corresponding to the random token;
    if the random token is missing or incorrect, returning a sub-request failure message to the proxy server; if the random token is correct, obtaining the corresponding control unit address and returning it to the proxy server;
    the proxy server sending the container login request to that control unit address and establishing a connection between the client and the control unit.
  22. 一种容器登录系统,包括客户端和代理服务器,其特征在于,还包括容器登录的应用服务器;A container login system, comprising a client and a proxy server, characterized in that it further comprises an application server for registering the container;
    所述应用服务器用于接收用户发起的容器服务访问请求并生成一随机令牌;以及根据所述容器服务访问请求查询待访问服务所在集群的控制单元地址,并将所述随机令牌和控制单元地址组成键值对后存入缓存;以及当接收到待访问服务中的容器登录请求时,将所述容器登录请求和随机令牌发送至代理服务器,其中,所述容器登录请求包括用户账号信息;以及对所述用户账号信息和随机令牌进行鉴权,若鉴权通过,则根据所述随机令牌获取控制单元地址并返回给代理服务器;The application server is configured to receive a user-initiated container service access request and generate a random token; and query a control unit address of the cluster where the service to be accessed is located according to the container service access request, and the random token and the control unit The address is formed into a key value pair and stored in the cache; and when the container login request in the service to be accessed is received, the container login request and the random token are sent to the proxy server, wherein the container login request includes user account information And authenticating the user account information and the random token, if the authentication is passed, acquiring the control unit address according to the random token and returning to the proxy server;
    所述代理服务器用于将所述容器登录请求发送至该控制单元地址,为客户端和控制单元建立连接。The proxy server is configured to send the container login request to the control unit address to establish a connection between the client and the control unit.
  23. The container login system according to claim 22, wherein the application server is further configured to: obtain, from the information about the service to be accessed carried in the container service access request, the name of the cluster that service belongs to, and access the database; receive from the database the control unit address of that cluster, looked up by cluster name; and form a key-value pair with the random token as the key and the control unit address as the value and store it in the cache.
  24. The container login system according to claim 23, wherein the application server is further configured to:
    form a key-value pair with the random token as the key and the control unit address as the value;
    search the cache for a key-value pair keyed by the same random token; if one exists, regenerate the random token; if none exists, store the current key-value pair in the cache.
  25. The container login system according to claim 22, wherein the application server is further configured to:
    detect whether the "log in to container" virtual button in the service being accessed has been triggered;
    when the button has been triggered, send a container login request together with the random token to the proxy server, the container login request including the user account information.
  26. The container login system according to claim 22, wherein the application server is further configured to:
    initiate, on the basis of the user account information and the random token, a sub-request to obtain the control unit address;
    authenticate the user account information and the random token, and return the authentication result to the proxy server;
    if authentication passes, obtain the control unit address from the random token and return it to the proxy server, which sends the container login request to that control unit address, establishing a connection between the client and the control unit.
  27. The container login system according to claim 26, wherein the application server is further configured to:
    verify whether the user account information is correct; if it is, forward the sub-request for the control unit address to the container service; otherwise do not forward the sub-request and return an authentication failure message directly to the proxy server.
  28. The container login system according to claim 27, wherein the application server is further configured to:
    have the container service search the cache for the control unit address corresponding to the random token;
    if the random token is missing or incorrect, return a sub-request failure message to the proxy server; if the random token is valid, obtain the corresponding control unit address and return it to the proxy server;
    have the proxy server send the container login request to that control unit address, establishing a connection between the client and the control unit.
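The flow of claims 22 to 28, written out end to end as a runnable simulation. This is an added example, not code from the patent or from the applicant: the service-to-cluster and cluster-to-address tables stand in for the database of claim 23, the user store is constructed, the token is drawn from a CSPRNG (the claims only say "random token"), and consuming a token on successful lookup so that a captured one cannot be replayed is an assumption the claims do not state. The token source is injectable only so that the collision branch of claim 24 can be exercised deterministically.

```python
"""Token-brokered container login, modelled on claims 22-28 (added example, not the patent's code)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the database of claim 23: service -> cluster, cluster -> control unit.
SERVICE_TO_CLUSTER: Dict[str, str] = {"order-api": "cluster-east", "billing": "cluster-west"}
CLUSTER_TO_CONTROL_UNIT: Dict[str, str] = {"cluster-east": "10.0.1.10:2376",
                                           "cluster-west": "10.0.2.10:2376"}
# Constructed user store. Plaintext only to keep the example short; a real server stores salted hashes.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


@dataclass
class AuthResult:
    ok: bool
    address: Optional[str] = None   # control unit address, set only when ok
    error: Optional[str] = None     # failure reason handed back to the proxy server


class ApplicationServer:
    def __init__(self, token_source: Optional[Callable[[], str]] = None) -> None:
        # random token -> control unit address: the key-value cache of claims 23 and 24
        self.cache: Dict[str, str] = {}
        # CSPRNG by default (assumption: the claims do not name a generator); injectable for testing
        self.token_source = token_source or (lambda: secrets.token_urlsafe(32))

    def handle_service_access(self, service: str) -> str:
        """Claim 23: service -> cluster name -> control unit address, then cache token -> address."""
        cluster = SERVICE_TO_CLUSTER[service]
        address = CLUSTER_TO_CONTROL_UNIT[cluster]
        token = self._mint_unique_token()
        self.cache[token] = address
        return token

    def _mint_unique_token(self) -> str:
        """Claim 24: if the cache already holds a pair keyed by this token, generate a new one."""
        while True:
            token = self.token_source()
            if token not in self.cache:
                return token

    def authenticate(self, account: str, password: str, token: Optional[str]) -> AuthResult:
        """Claims 26-27: verify the account first; only then forward the sub-request to the container service."""
        stored = USERS.get(account)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return AuthResult(ok=False, error="authentication failed")   # sub-request is not forwarded
        return self.container_service_lookup(token)

    def container_service_lookup(self, token: Optional[str]) -> AuthResult:
        """Claim 28: the container service resolves the token to a control unit address from the cache."""
        if not token or token not in self.cache:
            return AuthResult(ok=False, error="sub-request failed: token missing or invalid")
        # Assumption not in the claims: a token is consumed on use so a captured one cannot be replayed.
        return AuthResult(ok=True, address=self.cache.pop(token))


class ProxyServer:
    def __init__(self, app: ApplicationServer) -> None:
        self.app = app
        # (control unit address, login request) pairs actually forwarded to a control unit
        self.forwarded: List[Tuple[str, Dict[str, str]]] = []

    def login(self, account: str, password: str, token: Optional[str]) -> AuthResult:
        """Claims 25-26: receive login request + token, ask the app server for the address, forward on success."""
        result = self.app.authenticate(account, password, token)
        if result.ok and result.address is not None:
            self.forwarded.append((result.address, {"account": account}))
        return result


if __name__ == "__main__":
    app = ApplicationServer()
    proxy = ProxyServer(app)
    tok = app.handle_service_access("order-api")          # user opens the service page
    print(proxy.login("alice", "wrong password", tok))    # rejected at the account check
    print(proxy.login("alice", "correct horse battery staple", "forged"))   # rejected at token lookup
    print(proxy.login("alice", "correct horse battery staple", tok))        # forwarded to 10.0.1.10:2376
    print(proxy.login("alice", "correct horse battery staple", tok))        # replay: token already consumed
```

The ordering of the two checks matters for what an attacker learns: a bad password never reaches the cache lookup, so the response cannot be used to probe whether a guessed token is live, and a valid token without the matching account never yields an address.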

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711482082.8A CN107948203B (en) 2017-12-29 2017-12-29 A kind of container login method, application server, system and storage medium
CN201711482082.8 2017-12-29

Publications (1)

Publication Number Publication Date
WO2019128007A1 true WO2019128007A1 (en) 2019-07-04

Family

ID=61938062

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/084466 WO2019128007A1 (en) 2017-12-29 2018-04-25 Container logon method, application server, system, and storage medium

Country Status (2)

Country Link
CN (1) CN107948203B (en)
WO (1) WO2019128007A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500537A (en) * 2022-03-24 2022-05-13 杭州博盾习言科技有限公司 Access method, system, storage medium and electronic device of container service

Families Citing this family (19)

Publication number Priority date Publication date Assignee Title
CN107948203B (en) * 2017-12-29 2019-09-13 平安科技(深圳)有限公司 A kind of container login method, application server, system and storage medium
CN109104417B (en) * 2018-07-24 2021-08-20 成都安恒信息技术有限公司 User authentication and routing method applied to operation and maintenance auditing system
CN110912865A (en) * 2018-09-18 2020-03-24 深圳市鸿合创新信息技术有限责任公司 Security access control method, server and electronic equipment
CN109543129B (en) * 2018-10-26 2022-04-12 深圳点猫科技有限公司 Network request method and device based on education resource platform
CN111245774B (en) * 2018-11-29 2023-09-26 阿里巴巴集团控股有限公司 Resource request processing method, device and system
CN109831435B (en) * 2019-01-31 2021-06-01 广州银云信息科技有限公司 Database operation method, system, proxy server and storage medium
US11128617B2 (en) * 2019-01-31 2021-09-21 Baidu Usa Llc Token based secure multiparty computing framework using a restricted operating environment
CN110175077A (en) * 2019-05-27 2019-08-27 浪潮云信息技术有限公司 A kind of method and system based on order management container resource
CN117215635A (en) * 2019-06-28 2023-12-12 杭州海康威视数字技术股份有限公司 Task processing method, device and storage medium
CN112994909B (en) * 2019-12-12 2022-12-06 北京金山云网络技术有限公司 Method, device, equipment and storage medium for managing Kubernets cluster
CN113141386B (en) * 2020-01-19 2023-01-06 北京百度网讯科技有限公司 Kubernetes cluster access method, device, equipment and medium in private network
CN111629059B (en) * 2020-05-27 2022-12-16 浪潮电子信息产业股份有限公司 Cluster communication method, system, equipment and computer readable storage medium
CN111726399B (en) * 2020-06-08 2022-10-18 中国工商银行股份有限公司 Docker container secure access method and device
CN113742711A (en) * 2020-10-20 2021-12-03 北京沃东天骏信息技术有限公司 Container access method and device
CN112383613B (en) * 2020-11-11 2023-05-12 杭州飞致云信息科技有限公司 Method and device for managing container cluster system
CN113630447B (en) * 2021-07-22 2023-04-07 济南浪潮数据技术有限公司 Web-based cloud service providing method, system and storage medium
CN113938289B (en) * 2021-08-31 2024-03-01 联通沃音乐文化有限公司 System and method for preventing interception mechanism from being abused and attacked by proxy client
CN114050911B (en) * 2021-09-27 2023-05-16 度小满科技(北京)有限公司 Remote login method and system for container
CN114615329A (en) * 2022-03-08 2022-06-10 北京从云科技有限公司 Method and system for realizing SDP architecture without client

Citations (5)

Publication number Priority date Publication date Assignee Title
CN106685949A (en) * 2016-12-24 2017-05-17 上海七牛信息技术有限公司 Container access method, container access device and container access system
CN106899544A (en) * 2015-12-17 2017-06-27 腾讯科技(深圳)有限公司 Container login method, device and system based on Docker
CN107395642A (en) * 2017-08-31 2017-11-24 郑州云海信息技术有限公司 The method and system for the Docker containers for starting TLS certifications are accessed based on Websocket
CN107493344A (en) * 2017-08-29 2017-12-19 郑州云海信息技术有限公司 A kind of method and system of web access Docker containers
CN107948203A (en) * 2017-12-29 2018-04-20 平安科技(深圳)有限公司 A kind of container login method, application server, system and storage medium

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
KR101810762B1 (en) * 2015-12-07 2017-12-19 한양대학교 에리카산학협력단 Docker container security log analysis method and system based on hadoop distributed file system in cloud environment

Also Published As

Publication number Publication date
CN107948203A (en) 2018-04-20
CN107948203B (en) 2019-09-13

Similar Documents

Publication Publication Date Title
WO2019128007A1 (en) Container logon method, application server, system, and storage medium
US10148643B2 (en) Authenticating or controlling software application on end user device
WO2019227557A1 (en) Key management method, device, storage medium and apparatus
US10230725B2 (en) Edge protection for internal identity providers
WO2019127971A1 (en) Image synchronization method for image registry, system, device, and storage medium
US10902107B2 (en) Information processing system, information processing device, server device, method of controlling information processing system, and program
WO2016169410A1 (en) Login method and device, server and login system
WO2019192085A1 (en) Method, apparatus and device for direct-connected communication between bank and enterprise, and computer-readable storage medium
US10447682B1 (en) Trust management in an electronic environment
WO2013065915A1 (en) Method for interworking trust between a trusted region and an untrusted region, method, server, and terminal for controlling the downloading of trusted applications, and control system applying same
US10826895B1 (en) System and method for secure authenticated user session handoff
WO2020189927A1 (en) Method and server for managing identity of user by using blockchain network, and method and terminal for authenticating user by using user identity on basis of blockchain network
WO2020189926A1 (en) Method and server for managing user identity by using blockchain network, and method and terminal for user authentication using blockchain network-based user identity
JP4820928B1 (en) Authentication system and authentication method
US20170357799A1 (en) Tracking and managing multiple time-based one-time password (TOTP) accounts
WO2020224247A1 (en) Blockchain–based data provenance method, apparatus and device, and readable storage medium
CN110197075B (en) Resource access method, device, computing equipment and storage medium
WO2018098881A1 (en) Access processing method and device for application
WO2019218441A1 (en) Request processing method and apparatus, device, and storage medium
US20180343118A1 (en) Method employed in user authentication system and information processing apparatus included in user authentication system
WO2019161597A1 (en) Information sending method, apparatus and device based on instant messaging, and storage medium
US11050560B2 (en) Secure reusable access tokens
CN111965996A (en) Intelligent device control method, device, equipment and storage medium
WO2018076870A1 (en) Data processing method and apparatus, storage medium, server, and data processing system
CN111737232A (en) Database management method, system, device, equipment and computer storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18894428

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07.10.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18894428

Country of ref document: EP

Kind code of ref document: A1