WO2022062918A1 - Control method for strategy implementation, strategy implementation system, and computing device - Google Patents


Info

Publication number
WO2022062918A1
Authority
WO
WIPO (PCT)
Prior art keywords
policy
terminal
server
access
message queue
Application number
PCT/CN2021/117706
Other languages
French (fr)
Chinese (zh)
Inventor
陈作朋
李鹤
Original Assignee
统信软件技术有限公司
Application filed by 统信软件技术有限公司
Publication of WO2022062918A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Definitions

  • the present invention relates to the technical field of network communication, and in particular, to a control method for policy execution, a policy execution system and a computing device.
  • the AD domain is a large security boundary. As long as the user passes the authentication when logging in, all the resources allowed to be accessed in this domain can be directly accessed, without the need for separate authentication, thereby realizing resource sharing.
  • "My Documents" on the user's desktop can be redirected to the file server.
  • user data can be backed up centrally to avoid user data loss due to system reinstallation or hardware damage; on the other hand, users can find their own data no matter which computer they log on to.
  • multi-level security policies are set in the AD domain, and each level of policy corresponds to different rules, so the overall security configuration in the AD domain is relatively complex, has a high threshold, and places high demands on administrators' skills.
  • AD domain mainly relies on the Windows operating system, and cannot manage user policies based on the Linux operating system.
  • the present invention provides a method, system and computing device for controlling policy execution to solve or at least alleviate the above problems.
  • a method for controlling policy execution is provided, which is executed in a policy control device, the policy control device being connected to a configuration platform and to one or more terminals, the method comprising: receiving a policy execution request sent by the configuration platform, and determining the policy rule to be executed based on the policy execution request; determining the device identifiers of the one or more terminals that execute the policy rule; adding the policy rule to the message queue based on the device identifiers of the one or more terminals, so as to send the policy rule to the one or more terminals through the message queue; obtaining from the message queue the execution result returned by each terminal after executing the policy rule; and sending the execution result to the configuration platform, so that the execution result is displayed on the configuration platform.
  • the invention also discloses a corresponding policy execution system and computing device.
  • before adding the policy rule to the message queue, the method further includes the step of: receiving a subscription request for the policy rule sent by one or more terminals based on the corresponding device identifier.
  • the method for controlling policy execution according to the present invention further includes the steps of: receiving an identity authentication request sent by a terminal, and returning a corresponding access permission identifier to the terminal after the authentication is passed; and receiving an access request sent by the terminal based on the access permission identifier.
  • before receiving the identity authentication request sent by the terminal, the method includes the steps of: receiving a registration account request sent by the terminal; and generating an access account number and access password corresponding to the terminal user identity based on the registration account request, so that the terminal sends an identity authentication request based on the corresponding access account number and access password.
  • the policy control device includes: a policy server, connected to the configuration platform, and adapted to receive a policy execution request sent by the configuration platform; a message queue server, connected to the policy server and one or more terminals; and an access control server, connected to the policy server and one or more terminals, adapted to receive an identity authentication request sent by the terminal, to return a corresponding access permission identifier to the terminal after the authentication is passed, and to receive an access request sent by the terminal based on the access permission identifier.
  • the terminal is adapted to generate a corresponding device identifier based on hardware information.
  • the terminal includes: a pluggable authentication module (PAM), which is connected to the access control server, adapted to send an identity authentication request to the access control server, and to receive the access permission identifier returned by the access control server; a process monitoring module (Agent), which is connected to the message queue server, and is adapted to obtain policy rules from the message queue based on the device identifier of the terminal; and a message bus module (DBUS), connected to the process monitoring module, adapted to execute the policy rules.
  • the message queue server is an NSQ message queue server; and the access control server is OpenLDAP.
  • the policy includes one or more of an application customization policy, a desktop customization policy, a password policy, and a firewall policy.
  • a policy execution system comprising: a policy control device adapted to execute the above method to control the execution of a policy; a configuration platform connected to the policy control device, adapted to send a policy execution request to the policy control device, and adapted to receive the execution result of each terminal returned by the policy control device and display the execution result; and a plurality of terminal groups, each terminal group including one or more terminals, wherein the terminal is adapted to acquire the policy rule from the message queue based on the corresponding device identifier, execute the policy rule, and send the execution result to the message queue.
  • the policy control device includes: a policy server, connected to the configuration platform, and adapted to receive a policy execution request sent by the configuration platform; a message queue server, connected to the policy server and one or more terminals; and an access control server, connected to the policy server and one or more terminals, adapted to receive an identity authentication request sent by the terminal, to return a corresponding access permission identifier to the terminal after the authentication is passed, and to receive an access request sent by the terminal based on the access permission identifier.
  • the access control server is further adapted to: receive a registration account request sent by the terminal; and generate an access account and an access password corresponding to the terminal user identity based on the registration account request, so that the terminal sends an identity authentication request based on the corresponding access account number and access password.
  • the terminal is adapted to generate a corresponding device identifier based on hardware information.
  • the terminal includes: a pluggable authentication module (PAM), connected to the access control server, adapted to send an identity authentication request to the access control server and to receive the access permission identifier returned by the access control server; a process monitoring module (Agent), connected to the message queue server, and adapted to obtain policy rules from the message queue based on the device identifier of the terminal; and a message bus module (DBUS), connected to the process monitoring module, adapted to execute the policy rules.
  • the message queue server is an NSQ message queue server; and the access control server is OpenLDAP.
  • the policy includes one or more of an application customization policy, a desktop customization policy, a password policy, and a firewall policy.
  • a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for executing the control method of policy execution as described above.
  • a readable storage medium storing program instructions, which, when the program instructions are read and executed by a computing device, cause the computing device to execute the above-mentioned control method for policy execution.
  • the configuration platform is connected to the policy control device, so that policy managers can configure corresponding policy rules for terminals through the configuration platform, request the policy control device to control the corresponding terminals to execute the policy rules, and obtain the execution results of the terminals.
  • the present invention can divide multiple terminals into multiple terminal groups based on the area where each terminal is located, and each terminal group includes one or more terminals arranged in a corresponding area, so that partition management of the terminals can be realized.
  • policy execution for controlling multiple terminal devices of the Linux operating system can be realized.
  • FIG. 1 shows a schematic diagram of a policy enforcement system 100 according to an embodiment of the present invention.
  • FIG. 2 shows a schematic diagram of a computing device 200 according to one embodiment of the present invention.
  • FIG. 3 shows a flowchart of a method 300 for controlling policy execution according to an embodiment of the present invention.
  • FIG. 1 shows a schematic diagram of a policy enforcement system 100 according to an embodiment of the present invention.
  • the policy execution system 100 includes one or more terminals 110 , a configuration platform 150 and a policy control device 200 .
  • the policy control device 200 is connected in communication with the configuration platform 150, and is connected in communication with one or more terminals 110, for example, through a wired or wireless network connection.
  • the present invention does not limit the specific connection manner of the policy control device 200 with the configuration platform 150 and the terminal 110 .
  • the terminal 110 is a terminal device used by a user, which may specifically be a personal computer such as a desktop computer, a notebook computer, or a mobile phone, a tablet computer, a multimedia device, a smart wearable device, etc., but is not limited thereto.
  • the terminal 110 may be a terminal device installed with a Linux operating system, but the present invention is not limited to the specific type of the operating system installed on the terminal 110 . It should be noted that, in the specific embodiment, the present invention only takes the Linux operating system as an example to specifically describe the policy execution system 100 . However, it should be understood that the policy execution system 100 of the present invention is not limited to the specific type of the operating system installed on the terminal.
  • the policy control device 200 may be used to control the terminal 110 to execute the policy. It can be implemented as a computing device such as a desktop computer, a notebook computer, a processor chip, a mobile phone, a tablet computer, etc., or can be implemented as a system composed of multiple computing devices.
  • the configuration platform 150 can be a Web platform provided for administrators (policy managers) to configure and manage various policies, and the administrator can access the configuration platform 150 through a browser.
  • the administrator can request the policy control device 200 to control the corresponding terminal to execute the policy rules through the configuration platform 150.
  • the policy enforcement system 100 may include multiple terminal groups, and each terminal group is arranged with one or more terminals 110 . That is, each terminal 110 in the system 100 may be arranged in different terminal groups.
  • the configuration platform 150 can configure corresponding policy rules for different terminal groups, and request the policy control device 200 to control each terminal 110 in the terminal group to execute the policy rules corresponding to the terminal group.
  • each terminal group may correspond to a different area.
  • the present invention may divide multiple terminals 110 into multiple terminal groups based on the area where each terminal 110 is located, and each terminal group includes one or more terminals 110 arranged within a corresponding area; in this way, partition management of the terminals can be realized.
  • the policy control device 200 is adapted to execute the control method of policy execution to control the terminal to execute the policy.
  • the control method 300 of the policy execution of the present invention will be described in detail below.
  • the policies that the policy control device 200 based on the present invention can control to be executed by the terminal include one or more of application customization policies, desktop customization policies, password policies, and firewall policies.
  • the present invention is not limited to the types of strategies listed above.
  • the policy control device 200 includes a policy server 250 , a message queue server 210 , and an access control server 220 .
  • the policy server 250 is connected to the message queue server 210 and the access control server 220 respectively.
  • the policy server 250 is connected with the configuration platform 150 , for example, through a registry connection, so that the policy server 250 can receive the policy execution request sent by the configuration platform 150 .
  • the message queue server 210 is connected to one or more terminals 110, and the message queue server 210 includes a message queue. Therefore, the policy server 250 establishes a communication connection with one or more terminals 110 through the message queue server 210, and performs asynchronous communication based on the message queue in the message queue server 210.
  • the access control server 220 is connected to one or more terminals 110 .
  • the access control server 220 may receive the identity authentication request sent by the terminal 110, and return the corresponding access permission identifier to the terminal 110 after the authentication is passed. Furthermore, the access control server 220 receives the access request sent by the terminal 110 based on the access permission identifier.
  • the access control server 220 may also receive a request for registering an account sent by the terminal 110.
  • the access control server 220 may generate and store an access account and an access password corresponding to the user identity of the terminal 110 based on the registered account request, so that the terminal 110 sends an identity authentication request to the access control server 220 based on the corresponding access account and access password.
  • the access control server 220 stores the access accounts and access passwords corresponding to the multiple terminals 110 , and also stores the information of the terminal group corresponding to each terminal 110 in the access control server 220 .
  • the access control server is, for example, OpenLDAP.
  • the message queue server 210 is, for example, an NSQ message queue server, but the present invention is not limited thereto.
  • the terminal 110 may generate a corresponding device identification based on the hardware information.
  • the terminal 110 includes a pluggable authentication module (PAM), a process monitoring module (Agent), and a message bus module (DBUS).
  • a pluggable authentication module is connected to the access control server 220, so that the terminal 110 can send an account registration request to the access control server 220 through the pluggable authentication module to obtain the corresponding access account number and access password. Further, the pluggable authentication module sends an identity authentication request to the access control server 220 based on the corresponding access account number and access password, receives the access permission identifier returned by the access control server 220, and sends an access request to the access control server 220 based on the access permission identifier to The identity authentication of the terminal 110 is completed, and the communication between the terminal 110 and the policy control device 200 is established.
  • the pluggable authentication module includes an authentication management module (Auth), an account management module (Account), a session management module (Session), and a password management module (Password).
  • the process monitoring module (Agent) is connected to the message queue server 210, and communicates with the policy server 250 of the policy control device 200 through the message queue.
  • the terminal 110 receives and sends messages through the process monitoring module.
  • the process monitoring module can obtain the corresponding policy rule from the message queue based on the device identification of the terminal 110, and can return the execution result of the terminal 110 executing the policy rule to the policy server 250 of the policy control device 200 through the message queue.
  • a message bus module may be used to enable communication between processes of the terminal 110 .
  • the message bus module is connected with the process monitoring module. After the process monitoring module obtains the policy rules, the policy rules can be executed by calling the message bus module.
  • policy enforcement system 100 also includes a data storage system 140 connected to policy server 250 .
  • the data storage system 140 is, for example, a MySQL relational data storage system, but is not limited thereto.
  • the data storage system 140 can store service data.
  • the service data includes, for example, terminal group information, terminal information, user information, policy information, application information, behavior logs, etc.; the data storage system 140 can also store the correspondence among terminal groups, terminals, users, applications, and policies.
  • the policy enforcement system 100 also includes a Redis memory coupled to the policy server 250 .
  • the configuration platform 150 is connected to the policy control device 200, so that the policy administrator can configure corresponding policy rules for the terminals 110 through the configuration platform 150, request the policy control device 200 to control the corresponding terminal 110 to execute the policy rule, and obtain the execution result of the terminal 110.
  • by using the configuration platform for policy configuration, not only is the operation simple and the configuration efficiency high, but it is also beneficial to control each terminal to execute the corresponding policy rules more efficiently.
  • the present invention can divide multiple terminals 110 into multiple terminal groups based on the area where each terminal 110 is located, and each terminal group includes one or more terminals 110 arranged in a corresponding area, so that partition management of the terminals can be realized.
  • the policy control device 200 of the present invention can be implemented as a computing device, so that the control method of the policy execution of the present invention can be executed in the computing device.
  • FIG. 2 shows a structural diagram of a computing device 200 according to an embodiment of the present invention.
  • computing device 200 in a basic configuration 202 , typically includes system memory 206 and one or more processors 204 .
  • Memory bus 208 may be used for communication between processor 204 and system memory 206 .
  • the processor 204 may be any type of processor, including but not limited to: a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof.
  • Processor 204 may include one or more levels of cache, such as L1 cache 210 and L2 cache 212 , processor core 214 , and registers 216 .
  • Exemplary processor cores 214 may include arithmetic logic units (ALUs), floating point units (FPUs), digital signal processing cores (DSP cores), or any combination thereof.
  • the example memory controller 218 may be used with the processor 204 , or in some implementations, the memory controller 218 may be an internal part of the processor 204 .
  • system memory 206 may be any type of memory including, but not limited to, volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof.
  • System memory 206 may include an operating system 220 , one or more applications 222 , and program data 224 .
  • Application 222 is actually a number of program instructions that instruct processor 204 to perform corresponding operations.
  • the application 222 may be arranged to cause the processor 204 to operate with the program data 224 on the operating system.
  • Computing device 200 may also include an interface bus 240 that facilitates communication from various interface devices (eg, output device 242 , peripheral interface 244 , and communication device 246 ) to basic configuration 202 via bus/interface controller 230 .
  • Example output devices 242 include graphics processing unit 248 and audio processing unit 250 . They may be configured to facilitate communication via one or more A/V ports 252 with various external devices such as displays or speakers.
  • Example peripheral interfaces 244 may include serial interface controller 254 and parallel interface controller 256, which may be configured to facilitate communication via one or more I/O ports 258 and input devices such as keyboard, mouse, pen, etc.
  • the example communication device 246 may include a network controller 260 that may be arranged to facilitate communication via one or more communication ports 264 with one or more other computing devices 262 over a network communication link.
  • a network communication link may be one example of a communication medium.
  • Communication media may typically embody computer readable instructions, data structures, program modules in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
  • a "modulated data signal" can be a signal that has one or more of its characteristics set or changed in such a way as to encode information in the signal.
  • communication media may include wired media, such as wired or leased line networks, and various wireless media, such as acoustic, radio frequency (RF), microwave, infrared (IR), or other wireless media.
  • the term computer readable medium as used herein may include both storage media and communication media.
  • the application 222 includes a plurality of program instructions for executing the policy execution control method 300, and these program instructions can instruct the processor 204 to execute the policy execution control method 300 of the present invention, so that the computing device 200 can control the terminal to execute the policy by executing the control method 300 of the present invention.
  • FIG. 3 shows a flowchart of a method 300 for controlling policy execution according to an embodiment of the present invention.
  • the method 300 is suitable for execution in a policy control device 200, such as the aforementioned computing device 200.
  • the policy control device 200 is connected to the configuration platform 150 and is connected to one or more terminals 110 .
  • the terminal 110 is a terminal device used by the user.
  • the configuration platform 150 can be a Web platform provided for administrators (policy managers) to configure and manage various policies, and the administrator can access the configuration platform 150 through a browser.
  • the administrator can request the policy control device 200 to control the corresponding terminal to execute the policy rules through the configuration platform 150.
  • multiple terminals 110 may be arranged in different terminal groups.
  • the configuration platform 150 configures corresponding policy rules for different terminal groups to request the policy control device 200 to control the execution of each terminal 110 in the terminal group.
  • each terminal group may correspond to a different area.
  • the present invention may divide multiple terminals 110 into multiple terminal groups based on the area where each terminal 110 is located, and each terminal group includes one or more terminals 110 arranged within a corresponding area; in this way, partition management of the terminals can be realized.
  • the terminal 110 may be a terminal device installed with a Linux operating system, so that the policy execution control method 300 of the present invention can realize the control and management of the policy execution of multiple terminal devices installed with the Linux operating system; in other words, the method 300 for controlling policy execution of the present invention can control multiple terminal devices to execute corresponding policies based on the Linux operating system.
  • the present invention only takes the Linux operating system as an example to specifically describe the control method 300 for policy execution.
  • the method 300 for controlling policy execution of the present invention is not limited to the specific type of the operating system installed on the terminal. Any type of operating system that can control the terminal execution policy through the method 300 of the present invention falls within the protection scope of the present invention.
  • the policies that the terminal can be controlled to execute based on the method 300 of the present invention include one or more of an application customization policy, a desktop customization policy, a password policy, and a firewall policy.
  • the present invention is not limited to the types of strategies listed above.
  • the method 300 begins at step S310.
  • in step S310, a policy execution request sent by the administrator on the configuration platform 150 is received, and a policy rule to be executed is determined based on the policy execution request.
  • the administrator configures the policy rules to be executed for one or more terminals 110 on the configuration platform 150 and sends a policy execution request to the policy control device 200 to request the policy control device 200 to control these terminals 110 to execute the corresponding policy rules.
  • the policy rules include, for example, one or more of an application customization policy, a desktop customization policy, a password policy, and a firewall policy.
  • the administrator configures the policy rule on the configuration platform 150 based on the device identification of each terminal 110 that executes the policy rule, and sends the policy execution request.
  • the policy execution request also includes device identifiers corresponding to one or more terminals 110 that execute policy rules.
  • the policy control device 200 may determine the device identifiers of one or more terminals 110 that execute the policy rule according to the policy execution request.
  • the policy control device 200 and one or more terminals 110 may implement asynchronous communication based on a message queue.
  • in step S330, the policy control device 200 adds the policy rule to the message queue based on the determined device identifiers of the one or more terminals 110, so as to send the policy rule to the corresponding one or more terminals 110 through the message queue, so that the corresponding terminal 110 can be controlled to execute the configured policy rule.
  • the policy control device 200 and one or more terminals 110 may perform data interaction in a publish-and-subscribe mode. Specifically, the terminal 110 may generate a corresponding unique device identifier based on its own hardware information, in other words, each terminal 110 corresponds to a device identifier capable of identifying the terminal 110 . In addition, the terminal 110 may send a subscription request based on its own device identification to subscribe to the corresponding topic message in the message queue, that is, to subscribe to the policy rule corresponding to the topic message.
  • the policy control device 200 may receive a request for subscribing to corresponding policy rules sent by one or more terminals based on the device identifier. In this way, after the policy control device 200 encapsulates the policy rule based on the device ID of the terminal 110 into a topic message and adds it to the message queue, the terminal 110 can obtain the topic message and policy rule corresponding to its own device ID from the message queue.
  • after the policy control device 200 determines the device identifiers of the one or more terminals 110 that execute the policy rule, controlling these terminals 110 to execute the policy rule is implemented by sending, to the message queue, the topic message corresponding to the terminal 110 (device identifier) that needs to execute the policy rule. Specifically, the policy control device 200 encapsulates the policy rule into a corresponding topic message based on the determined device identifiers of the one or more terminals 110 and adds the topic message to the message queue. The terminal 110 that subscribes to the topic message based on its own device identifier (that is, the terminal 110 corresponding to the device identifier in the topic message) can obtain the topic message corresponding to its own device identifier from the message queue, thereby obtaining the policy rule corresponding to the topic message, and can then execute the corresponding policy rule.
  • step S340 the policy control device 200 obtains the execution result returned by each terminal 110 after executing the policy rule from the message queue.
  • each terminal 110 may encapsulate the execution result of the policy rule into a corresponding topic message and add it to the message queue. In this way, the policy control device 200 can acquire the topic message corresponding to each terminal 110 from the message queue to acquire the execution result of the policy rule corresponding to each terminal 110 .
  • step S350 the policy control device 200 sends the execution result of each terminal 110 to the configuration platform 150 , so that the configuration platform 150 displays the execution result of each terminal 110 .
  • the policy control device 200 includes a policy server 250 , a message queue server 210 , and an access control server 220 .
  • the policy server 250 is connected to the message queue server 210 and the access control server 220 respectively.
  • the policy server 250 is connected with the configuration platform 150 , so that the policy server 250 can receive the policy execution request sent by the configuration platform 150 .
  • the message queue server 210 is connected to one or more terminals 110, and the message queue server 210 includes a message queue. Therefore, the policy server 250 establishes a communication connection with one or more terminals 110 through the message queue server 210 , and performs asynchronous communication based on the message queue in the message queue server 210 .
  • the access control server 220 is connected to one or more terminals 110 .
  • the policy control device 200 may receive the identity authentication requests sent by one or more terminals 110 through the access control server 220, and return the corresponding access permission identifier to the terminal 110 after the authentication is passed. Furthermore, the access control server 220 receives the access request sent by the terminal 110 based on the access permission identifier.
  • the terminal 110 needs to send an identity authentication request to the policy control device 200; the access control server 220 receives the identity authentication request of the terminal 110 and performs identity authentication on the terminal 110.
  • after the terminal 110 passes the identity authentication, the access control server 220 returns the corresponding access permission identifier to the terminal 110.
  • the terminal 110 can send an access request to the policy control device 200 (the policy server 250) based on the access permission identifier, so as to perform data interaction with the policy control device 200 (the policy server 250): subscribe to the corresponding topic message based on its device identifier, obtain policy rules, execute them, and return the execution results.
  • before receiving the identity authentication request sent by the terminal 110, the policy control device 200 further receives an account registration request sent by the terminal 110 through the access control server 220. The access control server 220 then generates an access account and an access password corresponding to the user identity of the terminal 110 based on the account registration request, so that the terminal 110 sends the identity authentication request to the access control server 220 based on that access account and access password. In this way, the access control server 220 stores the access accounts and access passwords corresponding to the multiple terminals 110, and also stores the information of the terminal group corresponding to each terminal 110.
  • the access control server 220 is, for example, OpenLDAP.
  • the message queue server 210 is, for example, an NSQ message queue server, but the present invention is not limited thereto.
  • the terminal 110 may generate a corresponding device identification based on the hardware information.
  • the terminal 110 includes a pluggable authentication module (PAM), a process monitoring module (Agent), and a message bus module (DBUS).
  • the pluggable authentication module is connected to the access control server 220, so that the terminal 110 can send an account registration request to the access control server 220 through the pluggable authentication module to obtain the corresponding access account and access password. The pluggable authentication module then sends an identity authentication request to the access control server 220 based on the corresponding access account and access password, receives the access permission identifier returned by the access control server 220, and sends an access request to the access control server 220 based on the access permission identifier, so as to complete the identity authentication of the terminal 110 and establish communication between the terminal 110 and the policy control device 200.
  • the pluggable authentication module includes an authentication management module (Auth), an account management module (Account), a session management module (Session), and a password management module (Password).
  • the process monitoring module (Agent) is connected to the message queue server 210, and communicates with the policy server 250 of the policy control device 200 through the message queue.
  • the terminal 110 receives and sends messages through the process monitoring module.
  • the process monitoring module can obtain the corresponding policy rules from the message queue based on the device identification of the terminal 110, and can return the execution result of the terminal 110 executing the policy rules to the policy server 250 of the policy control device 200 through the message queue.
  • a message bus module may be used to enable communication between processes of the terminal 110 .
  • the message bus module is connected with the process monitoring module. After the process monitoring module obtains the policy rules, the policy rules can be executed by calling the message bus module.
  • the configuration platform 150 is connected to the policy control device 200, so that the policy administrator can use the configuration platform 150 to configure the corresponding policy rule for the terminal 110, request the policy control device 200 to control the corresponding terminal 110 to execute the policy rule, and obtain the execution result of the terminal 110.
  • using the configuration platform for policy configuration not only keeps the operation simple and the configuration efficient, but also helps control each terminal to execute the corresponding policy rules more efficiently.
  • the present invention can divide multiple terminals 110 into multiple terminal groups based on the area where each terminal 110 is located, each terminal group including one or more terminals 110 arranged in the corresponding area, so that partitioned management of the terminals can be realized.
  • the various techniques described herein can be implemented in conjunction with hardware or software, or a combination thereof.
  • the method and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in a tangible medium, such as a removable hard disk, a USB stick, a floppy disk, a CD-ROM, or any other machine-readable storage medium.
  • the mobile terminal generally includes a processor, a storage medium readable by the processor (including volatile and nonvolatile memory and/or storage elements), at least one input device, and at least one output device.
  • the memory is configured to store program codes; the processor is configured to execute the control method for policy execution of the present invention according to the instructions in the program codes stored in the memory.
  • readable media include readable storage media and communication media.
  • Readable storage media store information such as computer readable instructions, data structures, program modules or other data.
  • Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
  • modules or units or components of the apparatus in the examples disclosed herein may be arranged in the apparatus as described in this embodiment, or alternatively may be located in one or more devices different from the apparatus of this example.
  • the modules in the preceding examples may be combined into one module or further divided into sub-modules.
  • modules in the device in the embodiment can be adaptively changed and arranged in one or more devices different from the embodiment.
  • the modules or units or components in the embodiments may be combined into one module or unit or component, and may further be divided into multiple sub-modules or sub-units or sub-components. All features disclosed in this specification (including accompanying claims, abstract and drawings), and all processes or units of any method or apparatus so disclosed, may be combined in any combination, unless at least some of such features and/or processes or units are mutually exclusive.
  • Each feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.

Abstract

Disclosed in the present invention is a control method for strategy implementation, performed in a strategy control device. The method comprises: receiving a strategy implementation request sent by a configuration platform, and determining, on the basis of the strategy implementation request, a strategy rule to be implemented; determining a device identifier for one or more terminals which implement the strategy rule; adding the strategy rule to a message queue on the basis of the device identifier of the one or more terminals, so as to send the strategy rule to the one or more terminals by means of the message queue; obtaining, from the message queue, an implementation result returned by each terminal after implementing the strategy rule; and sending the implementation result of each terminal to the configuration platform, so as to show the implementation result at the configuration platform. Also disclosed in the present invention are a corresponding strategy implementation system and a computing device. According to the technical solution of the present invention, each terminal can be controlled more conveniently and efficiently to implement the corresponding strategy rule.

Description

Policy execution control method, policy execution system and computing device
Technical Field
The present invention relates to the technical field of network communication, and in particular to a control method for policy execution, a policy execution system and a computing device.
Background Art
With the strong support of national policies, more and more enterprises in sectors such as the military industry, government and banking have adopted domestically developed operating systems. Most domestic operating systems are secondary developments based on the Linux kernel; therefore, for enterprise office use, the security and centralized management of Linux systems are receiving more and more attention.
In the prior art, Microsoft AD (Active Directory) is a directory service that Microsoft provides for the SERVER platform based on LDAP; it realizes centralized control and simplified management of resources through the domain model. An AD domain is a large security boundary: as long as a user passes authentication at login, all resources in the domain that the user is allowed to access can be accessed directly without separate authentication, thereby realizing resource sharing. For users, the AD domain allows "My Documents" on the user's desktop to be redirected to a file server. On the one hand, user data can be backed up centrally, avoiding loss of user data due to system reinstallation or hardware damage; on the other hand, users can find their own data no matter which computer they log on to.
However, because multi-level security policies are set in an AD domain, with each level of policy corresponding to different rules, the overall security configuration of an AD domain is relatively complex, has a high threshold, and places high demands on the skill level of administrators. On the other hand, AD domains mainly rely on the Windows operating system and cannot manage user policies based on the Linux operating system.
Therefore, a control method for policy execution and a policy execution system are needed to solve the problems existing in the above technical solutions.
Summary of the Invention
To this end, the present invention provides a control method, system and computing device for policy execution, so as to solve or at least alleviate the above problems.
According to one aspect of the present invention, a control method for policy execution is provided, executed in a policy control device that is connected to a configuration platform and to one or more terminals. The method comprises: receiving a policy execution request sent by the configuration platform and determining, based on the policy execution request, the policy rule to be executed; determining the device identifiers of the one or more terminals that execute the policy rule; adding the policy rule to a message queue based on the device identifiers of the one or more terminals, so as to send the policy rule to the one or more terminals through the message queue; obtaining from the message queue the execution result returned by each terminal after executing the policy rule; and sending the execution result of each terminal to the configuration platform, so that the execution result is displayed on the configuration platform. The present invention also discloses a corresponding policy execution system and computing device.
Optionally, in the control method for policy execution according to the present invention, before adding the policy rule to the message queue, the method further includes the step of: receiving subscription requests for the policy rule sent by one or more terminals based on their corresponding device identifiers.
Optionally, the control method for policy execution according to the present invention further includes the steps of: receiving an identity authentication request sent by a terminal and returning a corresponding access permission identifier to the terminal after the authentication is passed; and receiving an access request sent by the terminal based on the access permission identifier.
Optionally, in the control method for policy execution according to the present invention, before receiving the identity authentication request sent by the terminal, the method includes the steps of: receiving an account registration request sent by the terminal; and generating, based on the account registration request, an access account and an access password corresponding to the user identity of the terminal, so that the terminal sends the identity authentication request based on the corresponding access account and access password.
Optionally, in the control method for policy execution according to the present invention, the policy control device includes: a policy server, connected to the configuration platform and adapted to receive the policy execution request sent by the configuration platform; a message queue server, connected to the policy server and to the one or more terminals; and an access control server, connected to the policy server and to the one or more terminals, adapted to receive an identity authentication request sent by a terminal, to return a corresponding access permission identifier to the terminal after the authentication is passed, and to receive an access request sent by the terminal based on the access permission identifier.
Optionally, in the control method for policy execution according to the present invention, the terminal is adapted to generate a corresponding device identifier based on hardware information, and the terminal includes: a pluggable authentication module (PAM), connected to the access control server and adapted to send an identity authentication request to the access control server and to receive the access permission identifier returned by the access control server; a process monitoring module (Agent), connected to the message queue server and adapted to obtain policy rules from the message queue based on the device identifier of the terminal; and a message bus module (DBUS), connected to the process monitoring module and adapted to execute the policy rules.
Optionally, in the control method for policy execution according to the present invention, the message queue server is an NSQ message queue server and the access control server is OpenLDAP.
Optionally, in the control method for policy execution according to the present invention, the policy includes one or more of an application customization policy, a desktop customization policy, a password policy and a firewall policy.
According to one aspect of the present invention, a policy execution system is provided, comprising: a policy control device, adapted to execute the above method to control policy execution; a configuration platform, connected to the policy control device, adapted to send a policy execution request to the policy control device, to receive the execution result of each terminal returned by the policy control device, and to display the execution result; and a plurality of terminal groups, each terminal group including one or more terminals, the terminals being adapted to obtain a policy rule from the message queue based on their corresponding device identifiers, to execute the policy rule, and to send the execution result to the message queue.
Optionally, in the policy execution system according to the present invention, the policy control device includes: a policy server, connected to the configuration platform and adapted to receive the policy execution request sent by the configuration platform; a message queue server, connected to the policy server and to the one or more terminals; and an access control server, connected to the policy server and to the one or more terminals, adapted to receive an identity authentication request sent by a terminal, to return a corresponding access permission identifier to the terminal after the authentication is passed, and to receive an access request sent by the terminal based on the access permission identifier.
Optionally, in the policy execution system according to the present invention, the access control server is further adapted to: receive an account registration request sent by a terminal; and generate, based on the account registration request, an access account and an access password corresponding to the user identity of the terminal, so that the terminal sends an identity authentication request based on the corresponding access account and access password.
Optionally, in the policy execution system according to the present invention, the terminal is adapted to generate a corresponding device identifier based on hardware information, and the terminal includes: a pluggable authentication module (PAM), connected to the access control server and adapted to send an identity authentication request to the access control server and to receive the access permission identifier returned by the access control server; a process monitoring module (Agent), connected to the message queue server and adapted to obtain policy rules from the message queue based on the device identifier of the terminal; and a message bus module (DBUS), connected to the process monitoring module and adapted to execute the policy rules.
Optionally, in the policy execution system according to the present invention, the message queue server is an NSQ message queue server and the access control server is OpenLDAP.
Optionally, in the policy execution system according to the present invention, the policy includes one or more of an application customization policy, a desktop customization policy, a password policy and a firewall policy.
According to one aspect of the present invention, a computing device is provided, comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor and include instructions for executing the control method for policy execution described above.
According to one aspect of the present invention, a readable storage medium storing program instructions is provided which, when the program instructions are read and executed by a computing device, cause the computing device to execute the control method for policy execution described above.
According to the technical solution of the present invention, a configuration platform for configuring and managing various policies is provided and connected to the policy control device, so that policy administrators can configure the corresponding policy rules for terminals through the configuration platform, request the policy control device to control the corresponding terminals to execute the policy rules, and obtain the execution results of the terminals. In this way, using the configuration platform for policy configuration not only makes operation simple and configuration efficient, but also helps control each terminal to execute the corresponding policy rules more efficiently.
Further, the present invention can divide multiple terminals into multiple terminal groups based on the area in which each terminal is located, each terminal group including one or more terminals arranged in the corresponding area, so that partitioned management of the terminals can be realized.
In addition, the control method for policy execution according to the present invention can control policy execution on multiple terminal devices running the Linux operating system.
The above description is only an overview of the technical solutions of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the content of the specification, and in order to make the above and other objects, features and advantages of the present invention more apparent and easier to understand, specific embodiments of the present invention are given below.
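The registration, identity authentication and access request sequence handled by the access control server (described for the policy control device above and again for the policy execution system here), as an added example that is neither the patent's nor OpenLDAP's code. It assumes salted PBKDF2 storage of the generated access password and an HMAC-signed access permission identifier binding the access account, its terminal group and an expiry; the patent does not specify the form of the identifier.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000
# Used when the account does not exist so that the failure path costs the same time.
_DUMMY = {"salt": b"\0" * 16, "hash": b"", "group": None}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode())


class AccessControlServer:
    """Stand-in for access control server 220 (assumption: not a real OpenLDAP backend)."""

    def __init__(self, signing_key, ttl_seconds=3600):
        self._key = signing_key      # constructed server-side secret for the identifier
        self._ttl = ttl_seconds
        self._accounts = {}          # access account -> salt, password hash, terminal group

    def register(self, user_identity, terminal_group):
        """Account registration request: generate the access account and access password."""
        account = "acct-" + hashlib.sha256(user_identity.encode()).hexdigest()[:12]
        if account in self._accounts:
            raise ValueError("account already registered")
        password = secrets.token_urlsafe(24)
        salt = os.urandom(16)
        self._accounts[account] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "group": terminal_group,
        }
        return account, password

    def authenticate(self, account, password, now=None):
        """Identity authentication request: returns an access permission identifier, or None."""
        rec = self._accounts.get(account, _DUMMY)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if rec["group"] is None or not hmac.compare_digest(digest, rec["hash"]):
            return None
        now = time.time() if now is None else now
        claims = {"account": account, "group": rec["group"], "exp": now + self._ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, "sha256").digest()
        return _b64(payload) + "." + _b64(tag)

    def check_access(self, identifier, now=None):
        """Access request: verify the identifier; returns (account, terminal group) or None."""
        try:
            p64, t64 = identifier.split(".")
            payload, tag = _unb64(p64), _unb64(t64)
        except ValueError:   # wrong shape or bad base64 (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self._key, payload, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(payload)
        now = time.time() if now is None else now
        if claims["exp"] <= now:
            return None
        return claims["account"], claims["group"]
```

The `now` parameters exist only so that expiry can be exercised deterministically; a deployment would rely on the wall clock.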
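The publish/subscribe exchange of steps S330 to S350 and of the policy execution system summarised above, as an added example that is not part of the patent or the assignee's code. It assumes an in-memory queue standing in for the NSQ server, topic names of the form policy.<device id> and result.<device id>, and a device identifier derived as a SHA-256 digest of the terminal's hardware information; the patent fixes none of these details.

```python
import hashlib
import json
from collections import defaultdict, deque

# Constructed hardware information for two terminals 110 (sample values, not real devices).
HW_T1 = {"board_serial": "SN-0001", "mac": "02:00:00:00:00:01"}
HW_T2 = {"board_serial": "SN-0002", "mac": "02:00:00:00:00:02"}


class MessageQueue:
    """In-memory topic queue standing in for message queue server 210 (assumption)."""

    def __init__(self):
        self._topics = defaultdict(deque)
        self._subscribers = defaultdict(set)

    def subscribe(self, topic, subscriber_id):
        self._subscribers[topic].add(subscriber_id)

    def publish(self, topic, message):
        # A topic nobody subscribed to is dropped, so a rule addressed to a device
        # identifier that never subscribed is not delivered anywhere.
        if topic in self._subscribers:
            self._topics[topic].append(message)

    def consume(self, topic, subscriber_id):
        # Only a subscriber of the topic may read it, so one terminal cannot pull
        # rules or results addressed to another device identifier.
        if subscriber_id not in self._subscribers.get(topic, set()):
            raise PermissionError(f"{subscriber_id} is not subscribed to {topic}")
        messages = list(self._topics[topic])
        self._topics[topic].clear()
        return messages


def device_identifier(hardware_info):
    """Stable identifier from hardware information (assumption: SHA-256 over canonical
    JSON; the patent only says the identifier is generated from hardware information)."""
    canonical = json.dumps(hardware_info, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class Terminal:
    """Terminal 110: subscribes by its device identifier, executes rules, returns results."""

    # The four policy kinds the patent lists.
    SUPPORTED = {"application_customization", "desktop_customization", "password", "firewall"}

    def __init__(self, hardware_info, queue):
        self.device_id = device_identifier(hardware_info)
        self.queue = queue
        queue.subscribe(f"policy.{self.device_id}", self.device_id)

    def run(self):
        """Consume pending topic messages, execute each rule, publish one result each."""
        for msg in self.queue.consume(f"policy.{self.device_id}", self.device_id):
            rule = msg["rule"]
            status = "ok" if rule["type"] in self.SUPPORTED else "unsupported"
            self.queue.publish(f"result.{self.device_id}",
                               {"device_id": self.device_id, "rule_id": rule["id"], "status": status})


class PolicyControlDevice:
    """Policy control device 200 (policy server 250 side of the exchange)."""

    def __init__(self, queue):
        self.queue = queue

    def execute(self, rule, device_ids):
        # Step S330: encapsulate the rule into one topic message per target device identifier.
        for dev in device_ids:
            self.queue.subscribe(f"result.{dev}", "policy-server")
            self.queue.publish(f"policy.{dev}", {"device_id": dev, "rule": rule})

    def collect_results(self, device_ids):
        # Step S340: read each terminal's result topic. Step S350 would forward the
        # returned dict to configuration platform 150 for display.
        results = {}
        for dev in device_ids:
            for msg in self.queue.consume(f"result.{dev}", "policy-server"):
                results[(dev, msg["rule_id"])] = msg["status"]
        return results


def demo():
    """Constructed scenario: two terminals, one password rule for both, one unknown
    rule for the first, and one rule addressed to a device that never subscribed."""
    queue = MessageQueue()
    t1, t2 = Terminal(HW_T1, queue), Terminal(HW_T2, queue)
    pcd = PolicyControlDevice(queue)
    pcd.execute({"id": "r1", "type": "password", "min_length": 12}, [t1.device_id, t2.device_id])
    pcd.execute({"id": "r2", "type": "not_a_policy"}, [t1.device_id])
    pcd.execute({"id": "r3", "type": "firewall"}, ["never-subscribed"])
    for t in (t1, t2):
        t.run()
    return pcd.collect_results([t1.device_id, t2.device_id, "never-subscribed"])
```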
Description of the Drawings
To achieve the above and related objects, certain illustrative aspects are described herein in conjunction with the following description and drawings; these aspects indicate various ways in which the principles disclosed herein may be practised, and all aspects and their equivalents are intended to fall within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, the same reference numerals generally refer to the same parts or elements.
FIG. 1 shows a schematic diagram of a policy execution system 100 according to an embodiment of the present invention;
FIG. 2 shows a schematic diagram of a computing device 200 according to an embodiment of the present invention; and
FIG. 3 shows a flowchart of a control method 300 for policy execution according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
图1示出了根据本发明一个实施例的策略执行系统100的示意图。FIG. 1 shows a schematic diagram of a policy enforcement system 100 according to an embodiment of the present invention.
如图1所示,策略执行系统100包括一个或多个终端110、配置平台150以及策略控制设备200。其中,策略控制设备200与配置平台150通信连接,并且与一个或多个终端110通信连接,例如通过有线或无线的方式网络连接。这里,本发明不限制策略控制设备200与配置平台150、终端110的具体连接方式。As shown in FIG. 1 , the policy execution system 100 includes one or more terminals 110 , a configuration platform 150 and a policy control device 200 . Wherein, the policy control device 200 is connected in communication with the configuration platform 150, and is connected in communication with one or more terminals 110, for example, through a wired or wireless network connection. Here, the present invention does not limit the specific connection manner of the policy control device 200 with the configuration platform 150 and the terminal 110 .
The terminal 110 is the terminal device used by a user. It may be a personal computer such as a desktop or notebook computer, or a mobile phone, tablet computer, multimedia device, smart wearable device or the like, but is not limited to these.
In one embodiment, the terminal 110 may be a terminal device on which a Linux operating system is installed, but the present invention is not limited to any particular operating system installed on the terminal 110. It should be noted that the specific embodiments describe the policy execution system 100 using the Linux operating system only as an example; the policy execution system 100 of the present invention is not limited to any particular operating system installed on the terminal.
In the embodiments of the present invention, the policy control device 200 may be used to control the terminal 110 to execute policies. It may be implemented as a computing device such as a desktop computer, notebook computer, processor chip, mobile phone or tablet computer, or as a system composed of multiple computing devices.
The configuration platform 150 may be a Web platform provided for administrators (policy managers) to configure and manage various policies; an administrator accesses the configuration platform 150 through a browser. Because the configuration platform 150 is connected to the policy control device 200, after an administrator has configured policy rules for the terminal 110 on the configuration platform 150, the administrator can request, through the configuration platform 150, that the policy control device 200 control the corresponding terminal to execute those policy rules.
In one embodiment, the policy execution system 100 may include multiple terminal groups, each containing one or more terminals 110; that is, the terminals 110 in the system 100 may be arranged in different terminal groups. Corresponding policy rules can then be configured on the configuration platform 150 for each terminal group, and the policy control device 200 can be requested to control each terminal 110 in a group to execute the policy rules corresponding to that group. It should be noted that each terminal group may correspond to a different area: the present invention may divide the terminals 110 into terminal groups based on the area in which each terminal 110 is located, each terminal group including the one or more terminals 110 arranged in the corresponding area, so that the terminals can be managed by partition.
In the embodiments of the present invention, the policy control device 200 is adapted to perform the control method for policy execution in order to control the terminals to execute policies. The control method 300 for policy execution of the present invention is described in detail below.
In one embodiment, the policies that the policy control device 200 of the present invention can control a terminal to execute include one or more of an application customization policy, a desktop customization policy, a password policy and a firewall policy. The present invention is not limited to the policy types listed above.
In one embodiment, as shown in FIG. 1, the policy control device 200 includes a policy server 250, a message queue server 210 and an access control server 220. The policy server 250 is connected to the message queue server 210 and to the access control server 220. The policy server 250 is also connected to the configuration platform 150, for example through a Registry connection, so that the policy server 250 can receive policy execution requests sent by the configuration platform 150.
The message queue server 210 is connected to one or more terminals 110 and contains a message queue. The policy server 250 thus establishes a communication connection with the one or more terminals 110 through the message queue server 210 and communicates with them asynchronously through the message queue in the message queue server 210.
In one embodiment, the access control server 220 is connected to one or more terminals 110. The access control server 220 may receive an identity authentication request sent by a terminal 110 and, after the authentication succeeds, return a corresponding access permission identifier to the terminal 110. The access control server 220 then receives the access request that the terminal 110 sends on the basis of the access permission identifier.
In one embodiment, before receiving the identity authentication request sent by the terminal 110, the access control server 220 may also receive an account registration request sent by the terminal 110. Based on the account registration request, the access control server 220 may generate and store an access account and an access password corresponding to the user identity of the terminal 110, so that the terminal 110 can send its identity authentication request to the access control server 220 using that access account and access password. The access control server 220 thus stores the access accounts and access passwords corresponding to multiple terminals 110, together with the terminal group information corresponding to each terminal 110.
In one embodiment, the access control server is, for example, OpenLDAP, and the message queue server 210 is, for example, an NSQ message queue server, but the present invention is not limited to these.
In one embodiment, the terminal 110 may generate its device identifier from its hardware information. The terminal 110 includes a pluggable authentication module (PAM), a process monitoring module (Agent) and a message bus module (DBUS).
As shown in FIG. 1, the pluggable authentication module (PAM) is connected to the access control server 220. The terminal 110 can therefore send an account registration request to the access control server 220 through the pluggable authentication module to obtain its access account and access password. The pluggable authentication module then sends an identity authentication request to the access control server 220 using that access account and access password, receives the access permission identifier returned by the access control server 220, and sends an access request to the access control server 220 based on the access permission identifier. This completes the identity authentication of the terminal 110 and establishes communication between the terminal 110 and the policy control device 200. The pluggable authentication module includes an authentication management module (Auth), an account management module (Account), a session management module (Session) and a password management module (Password).
The process monitoring module (Agent) is connected to the message queue server 210 and communicates with the policy server 250 of the policy control device 200 through the message queue. The terminal 110 receives and sends messages through the process monitoring module. Specifically, the process monitoring module obtains the policy rules addressed to the terminal 110 from the message queue based on the device identifier of the terminal 110, and returns the result of the terminal 110 executing those policy rules to the policy server 250 of the policy control device 200 through the message queue.
The message bus module (DBUS) is used for communication between processes of the terminal 110. The message bus module is connected to the process monitoring module; after the process monitoring module obtains a policy rule, the rule is executed by calling the message bus module.
In one embodiment, the policy execution system 100 further includes a data storage system 140 connected to the policy server 250. The data storage system 140 is, for example, a MySQL relational database, but is not limited to this. The data storage system 140 may store business data such as terminal group information, terminal information, user information, policy information, application information and behavior logs, and may also store the correspondence between terminal groups, terminals, users, applications and policies.
In one embodiment, the policy execution system 100 further includes a Redis in-memory store coupled to the policy server 250.
According to the policy execution system 100 of the present invention, a configuration platform 150 for configuring and managing various policies is provided and connected to the policy control device 200, so that policy managers can configure policy rules for the terminals 110 through the configuration platform 150, request that the policy control device 200 control the corresponding terminals 110 to execute those rules, and obtain the execution results of the terminals 110. Configuring policies through the configuration platform is simple to operate and efficient, and makes it easier to control each terminal to execute its policy rules.
Further, the present invention may divide the terminals 110 into terminal groups based on the area in which each terminal 110 is located, each terminal group including the one or more terminals 110 arranged in the corresponding area, so that the terminals can be managed by partition.
In one embodiment, the policy control device 200 of the present invention may be implemented as a computing device, so that the control method for policy execution of the present invention can be performed in that computing device.
FIG. 2 shows the structure of a computing device 200 according to one embodiment of the present invention. As shown in FIG. 2, in a basic configuration 202 the computing device 200 typically includes a system memory 206 and one or more processors 204. A memory bus 208 may be used for communication between the processor 204 and the system memory 206.
Depending on the desired configuration, the processor 204 may be any type of processor, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP) or any combination of these. The processor 204 may include one or more levels of cache, such as a level-1 cache 210 and a level-2 cache 212, a processor core 214 and registers 216. An example processor core 214 may include an arithmetic logic unit (ALU), a floating-point unit (FPU), a digital signal processing core (DSP core) or any combination of these. An example memory controller 218 may be used together with the processor 204, or in some implementations the memory controller 218 may be an internal part of the processor 204.
Depending on the desired configuration, the system memory 206 may be any type of memory, including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM or flash memory) or any combination of these. The system memory 206 may include an operating system 220, one or more applications 222 and program data 224. An application 222 is in fact a set of program instructions that direct the processor 204 to perform the corresponding operations. In some implementations the application 222 may be arranged to run on the operating system and cause the processor 204 to operate on the program data 224.
The computing device 200 may also include an interface bus 240 that facilitates communication from various interface devices (for example an output device 242, a peripheral interface 244 and a communication device 246) to the basic configuration 202 via a bus/interface controller 230. Example output devices 242 include a graphics processing unit 248 and an audio processing unit 250, which may be configured to communicate with various external devices such as a display or loudspeaker through one or more A/V ports 252. An example peripheral interface 244 may include a serial interface controller 254 and a parallel interface controller 256, which may be configured to communicate through one or more I/O ports 258 with external devices such as input devices (for example a keyboard, mouse, pen, voice input device or touch input device) or other peripherals (for example a printer or scanner). An example communication device 246 may include a network controller 260, which may be arranged to communicate with one or more other computing devices 262 over a network communication link through one or more communication ports 264.
A network communication link is one example of a communication medium. Communication media typically embody computer-readable instructions, data structures or program modules in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium. A "modulated data signal" is a signal one or more of whose characteristics are set or changed in such a way as to encode information in the signal. By way of non-limiting example, communication media include wired media such as a wired network or a dedicated line, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) or other wireless media. The term computer-readable medium as used here includes both storage media and communication media.
In the computing device 200 according to the present invention, the application 222 includes program instructions for performing the control method 300 for policy execution. These instructions direct the processor 204 to perform the control method 300 of the present invention, so that the computing device 200 controls the terminals to execute policies by performing the control method 300.
FIG. 3 shows a flowchart of a control method 300 for policy execution according to one embodiment of the present invention. The method 300 is adapted to be performed in the policy control device 200 (for example the computing device 200 described above).
According to embodiments of the present invention, the policy control device 200 is connected to the configuration platform 150 and to one or more terminals 110. Here the terminal 110 is the terminal device used by a user. The configuration platform 150 may be a Web platform provided for administrators (policy managers) to configure and manage various policies; an administrator accesses the configuration platform 150 through a browser. Because the configuration platform 150 is connected to the policy control device 200, after an administrator has configured policy rules for the terminal 110 on the configuration platform 150, the administrator can request, through the configuration platform 150, that the policy control device 200 control the corresponding terminal to execute those policy rules.
In one embodiment, multiple terminals 110 may be arranged in different terminal groups. When the method 300 of the present invention is used to control multiple terminals 110 to execute policies, corresponding policy rules are configured on the configuration platform 150 for the different terminal groups, and the policy control device 200 is requested to control each terminal 110 in a group to execute the policy rules corresponding to that group. It should be noted that each terminal group may correspond to a different area: the present invention may divide the terminals 110 into terminal groups based on the area in which each terminal 110 is located, each terminal group including the one or more terminals 110 arranged in the corresponding area, so that the terminals can be managed by partition.
In one embodiment, the terminal 110 may be a terminal device on which a Linux operating system is installed, so that the control method 300 for policy execution of the present invention can control and manage policy execution on multiple terminal devices running Linux; in other words, the control method 300 can control multiple terminal devices to execute the corresponding policies on the basis of the Linux operating system.
It should be noted that the specific embodiments describe the control method 300 for policy execution using the Linux operating system only as an example. The control method 300 of the present invention is not limited to any particular operating system installed on the terminal; any operating system on which the method 300 can be used to control a terminal to execute policies falls within the scope of the present invention.
It should also be noted that the policies that the method 300 of the present invention can control a terminal to execute include one or more of an application customization policy, a desktop customization policy, a password policy and a firewall policy. The present invention is not limited to the policy types listed above.
As shown in FIG. 3, the method 300 begins at step S310.
In step S310, a policy execution request sent by the administrator from the configuration platform 150 is received, and the policy rule to be executed is determined from the request. The administrator configures, on the configuration platform 150, the policy rule to be executed by one or more terminals 110 and sends a policy execution request to the policy control device 200, requesting that the policy control device 200 control those terminals 110 to execute the corresponding policy rule. The policy rule includes, for example, one or more of an application customization policy, a desktop customization policy, a password policy and a firewall policy.
According to one embodiment, the administrator configures the policy rule on the configuration platform 150 in terms of the device identifier of each terminal 110 that is to execute it, and sends the policy execution request on that basis. The policy execution request therefore also carries the device identifiers of the one or more terminals 110 that are to execute the policy rule.
Thus, in step S320, the policy control device 200 determines from the policy execution request the device identifiers of the one or more terminals 110 that are to execute the policy rule.
According to embodiments of the present invention, the policy control device 200 and the one or more terminals 110 communicate asynchronously through a message queue.
Then, in step S330, the policy control device 200 adds the policy rule to the message queue according to the determined device identifiers of the one or more terminals 110, so that the policy rule is delivered through the message queue to the corresponding terminals 110 and those terminals 110 are thereby controlled to execute the configured policy rule.
It should be noted that, through the message queue, the policy control device 200 and the one or more terminals 110 exchange data in a publish/subscribe pattern. Specifically, each terminal 110 generates a unique device identifier from its own hardware information, so that each terminal 110 corresponds to one device identifier that identifies that terminal. A terminal 110 then sends a subscription request based on its own device identifier to subscribe to the corresponding topic messages in the message queue, that is, to subscribe to the policy rules corresponding to that topic.
In one example, before performing step S330 the policy control device 200 receives from one or more terminals requests, sent on the basis of their device identifiers, to subscribe to the corresponding policy rules. After the policy control device 200 has encapsulated the policy rule into a topic message keyed by the device identifier of the terminal 110 and added it to the message queue, the terminal 110 can obtain from the message queue the topic message, and hence the policy rule, corresponding to its own device identifier.
After determining the device identifiers of the one or more terminals 110 that are to execute the policy rule, the policy control device 200 controls those terminals 110 by sending to the message queue a topic message corresponding to each such terminal 110 (device identifier). Specifically, the policy control device 200 encapsulates the policy rule into a topic message for each determined device identifier and adds the topic message to the message queue. The terminal 110 that subscribed to that topic with its own device identifier (that is, the terminal 110 corresponding to the device identifier in the topic message) can then obtain from the message queue the topic message matching its own device identifier, and from it the policy rule, which the terminal 110 then executes.
Then, in step S340, the policy control device 200 obtains from the message queue the execution result returned by each terminal 110 after executing the policy rule. After executing the policy rule, each terminal 110 encapsulates the execution result into a corresponding topic message and adds it to the message queue, so that the policy control device 200 can obtain from the message queue the topic message corresponding to each terminal 110 and hence the execution result of the policy rule on that terminal.
Finally, in step S350, the policy control device 200 sends the execution result of each terminal 110 to the configuration platform 150, where the execution result of each terminal 110 is displayed.
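The exchange of steps S310 to S350 and the subscription by device identifier, as an added example that is not code from the patent or from the applicant's product: an in-memory queue stands in for the NSQ message queue server, a SHA-256 over constructed hardware fields stands in for the device identifier generation (the patent does not say how the identifier is derived), and each topic message is signed with a key shared by the policy server and the agents, which the patent does not specify but which a practitioner would want because a terminal otherwise executes whatever is published to its topic. The names `PolicyServer`, `Agent`, `MessageQueue` and `run_example`, the signing key and the sample hardware fields are this example's own assumptions.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Assumption: the patent does not say how topic messages are authenticated. A key
# shared by the policy server and the agents is added here so that an agent only
# executes rules the policy server actually published. Constructed value.
POLICY_HMAC_KEY = b"constructed-example-signing-key"
RESULT_TOPIC = "policy.result"


def device_id_from_hardware(hardware):
    # Assumption: a hash over a canonical serialisation of the hardware fields.
    canonical = json.dumps(hardware, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:32]


def policy_topic(device_id):
    return "policy." + device_id  # one topic per device, each terminal subscribes to its own


def sign(payload):
    return hmac.new(POLICY_HMAC_KEY, payload, hashlib.sha256).hexdigest()


class MessageQueue:
    # In-memory stand-in for the message queue server (NSQ in the patent).
    def __init__(self):
        self._queues = defaultdict(deque)
        self._subscribers = defaultdict(set)

    def subscribe(self, topic, subscriber):
        self._subscribers[topic].add(subscriber)

    def publish(self, topic, message):
        self._queues[topic].append(message)

    def poll(self, topic, subscriber):
        if subscriber not in self._subscribers[topic]:
            raise PermissionError(subscriber + " is not subscribed to " + topic)
        queue = self._queues[topic]
        return queue.popleft() if queue else None


class PolicyServer:
    def __init__(self, mq):
        self.mq = mq
        mq.subscribe(RESULT_TOPIC, "policy-server")

    def handle_execution_request(self, request):
        # S310 to S330: take the rule and the device identifiers from the request
        # and add one signed topic message per target device to the queue.
        for device_id in request["device_ids"]:
            payload = json.dumps({"device_id": device_id, "request_id": request["request_id"],
                                  "policy_rule": request["policy_rule"]}, sort_keys=True).encode()
            self.mq.publish(policy_topic(device_id),
                            json.dumps({"payload": payload.decode(), "sig": sign(payload)}))

    def collect_results(self):
        # S340: drain the result topic; the caller forwards the dict to the platform (S350).
        results = {}
        while (msg := self.mq.poll(RESULT_TOPIC, "policy-server")) is not None:
            result = json.loads(msg)
            results[result["device_id"]] = result
        return results


class Agent:
    # Process monitoring module of a terminal: subscribes under its own device
    # identifier, executes the rule and reports the result back through the queue.
    def __init__(self, mq, hardware):
        self.mq = mq
        self.device_id = device_id_from_hardware(hardware)
        self.applied = []  # rules a real agent would apply over DBUS; only recorded here
        mq.subscribe(policy_topic(self.device_id), self.device_id)

    def run_once(self):
        msg = self.mq.poll(policy_topic(self.device_id), self.device_id)
        if msg is None:
            return None
        envelope = json.loads(msg)
        payload = envelope["payload"].encode()
        if not hmac.compare_digest(sign(payload), envelope.get("sig", "")):
            status = "rejected: bad signature"
        else:
            data = json.loads(payload)
            if data["device_id"] != self.device_id:
                status = "rejected: device identifier mismatch"
            else:
                self.applied.append(data["policy_rule"])
                status = "ok"
        self.mq.publish(RESULT_TOPIC, json.dumps({"device_id": self.device_id, "status": status}))
        return status


def run_example():
    # Constructed scenario: two terminals, one request targeting terminal A, and one
    # forged message on terminal B's topic that carries no valid signature.
    mq = MessageQueue()
    server = PolicyServer(mq)
    agent_a = Agent(mq, {"board_serial": "SN-A-0001", "mac": "02:00:00:00:00:01"})
    agent_b = Agent(mq, {"board_serial": "SN-B-0002", "mac": "02:00:00:00:00:02"})
    server.handle_execution_request({"request_id": "req-1", "device_ids": [agent_a.device_id],
                                     "policy_rule": {"type": "firewall", "rules": ["deny in tcp 23"]}})
    forged = json.dumps({"device_id": agent_b.device_id, "request_id": "x",
                         "policy_rule": {"type": "firewall", "rules": ["allow in any"]}})
    mq.publish(policy_topic(agent_b.device_id), json.dumps({"payload": forged, "sig": "00"}))
    return agent_a.run_once(), agent_b.run_once(), server.collect_results(), agent_a, agent_b
```

The dictionary returned by `collect_results()` is what the policy server would forward to the configuration platform in step S350. The forged message shows why the signature check is worth adding: when the queue itself does not authenticate publishers, subscribing by device identifier only routes messages, it does not establish who sent them.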
According to one embodiment, the policy control device 200 includes a policy server 250, a message queue server 210 and an access control server 220. The policy server 250 is connected to the message queue server 210 and to the access control server 220. The policy server 250 is also connected to the configuration platform 150, so that the policy server 250 can receive policy execution requests sent by the configuration platform 150.
The message queue server 210 is connected to one or more terminals 110 and contains a message queue. The policy server 250 thus establishes a communication connection with the one or more terminals 110 through the message queue server 210 and communicates with them asynchronously through the message queue in the message queue server 210.
According to one embodiment, the access control server 220 is connected to one or more terminals 110. In the method 300 of the present invention, before step S310 is performed, the policy control device 200 may receive, through the access control server 220, identity authentication requests sent by one or more terminals 110 and, after authentication succeeds, return a corresponding access permission identifier to each terminal 110. The access control server 220 then receives the access request that the terminal 110 sends on the basis of the access permission identifier.
That is, before the policy control device 200 controls one or more terminals 110 to execute policy rules, each terminal 110 must send an identity authentication request to the policy control device 200; the access control server 220 receives the request and authenticates the terminal 110. After the terminal 110 passes authentication, the access control server 220 returns the corresponding access permission identifier to the terminal 110. The terminal 110 can then send an access request to the policy control device 200 (the policy server 250) on the basis of the access permission identifier, and thereafter exchange data with the policy control device 200 (the policy server 250): subscribe to the corresponding topic messages by device identifier, obtain and execute policy rules, and return execution results.
According to one embodiment, before receiving the identity authentication request sent by the terminal 110, the policy control device 200 also receives, through the access control server 220, an account registration request sent by the terminal 110. Based on the account registration request, the access control server 220 generates an access account and an access password corresponding to the user identity of the terminal 110, so that the terminal 110 can send its identity authentication request to the access control server 220 using that access account and access password. The access control server 220 thus stores the access accounts and access passwords corresponding to multiple terminals 110, together with the terminal group information corresponding to each terminal 110.
In one implementation, the access control server is, for example, OpenLDAP, and the message queue server 210 is, for example, an NSQ message queue server, but the present invention is not limited to these.
In one embodiment, the terminal 110 may generate its device identifier from its hardware information. The terminal 110 includes a pluggable authentication module (PAM), a process monitoring module (Agent) and a message bus module (DBUS).
As shown in FIG. 1, the pluggable authentication module (PAM) is connected to the access control server 220. The terminal 110 can therefore send an account registration request to the access control server 220 through the pluggable authentication module to obtain its access account and access password. The pluggable authentication module then sends an identity authentication request to the access control server 220 using that access account and access password, receives the access permission identifier returned by the access control server 220, and sends an access request to the access control server 220 based on the access permission identifier. This completes the identity authentication of the terminal 110 and establishes communication between the terminal 110 and the policy control device 200. The pluggable authentication module includes an authentication management module (Auth), an account management module (Account), a session management module (Session) and a password management module (Password).
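The registration, identity authentication and access request exchange between the pluggable authentication module and the access control server, as an added example that is not the patent's code: an in-memory directory stands in for OpenLDAP, the access password is stored as a salted PBKDF2 hash, and the access permission identifier is a random token with a lifetime. The password hashing, the token lifetime, the account naming and the names `AccessControlServer` and `PamClient` are this example's assumptions, since the patent fixes none of them.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000    # assumption; the patent does not say how passwords are stored
TOKEN_LIFETIME_SECONDS = 3600  # assumption; the patent gives no lifetime for the identifier


class AccessControlServer:
    """Stand-in for the access control server (OpenLDAP in the patent). The directory
    holds, per access account, a salted password hash and the terminal group."""

    def __init__(self, clock=time.time):
        self._accounts = {}
        self._tokens = {}
        self._clock = clock  # injectable so expiry can be exercised without waiting

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, device_id, terminal_group):
        """Account registration request: the server generates the access account and
        access password for this terminal and stores only a salted hash of the password."""
        account = "term-" + device_id[:12]
        if account in self._accounts:
            raise ValueError("already registered: " + account)
        password = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self._accounts[account] = {"salt": salt, "digest": self._hash(password, salt),
                                   "group": terminal_group}
        return account, password

    def authenticate(self, account, password):
        """Identity authentication request: returns an access permission identifier on
        success, None otherwise."""
        entry = self._accounts.get(account)
        if entry is None:
            self._hash(password, b"\0" * 16)  # same cost as a real check, so timing does not reveal accounts
            return None
        if not hmac.compare_digest(self._hash(password, entry["salt"]), entry["digest"]):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"account": account, "expires": self._clock() + TOKEN_LIFETIME_SECONDS}
        return token

    def access(self, token):
        """Access request carrying the permission identifier: returns the account and its
        terminal group if the identifier is known and unexpired."""
        grant = self._tokens.get(token)
        if grant is None:
            return None
        if self._clock() >= grant["expires"]:
            del self._tokens[token]
            return None
        account = grant["account"]
        return account, self._accounts[account]["group"]


class PamClient:
    """Terminal side of the exchange (the pluggable authentication module)."""

    def __init__(self, server, device_id):
        self.server = server
        self.device_id = device_id
        self.credentials = None
        self.token = None

    def register(self, terminal_group):
        self.credentials = self.server.register(self.device_id, terminal_group)

    def authenticate(self):
        account, password = self.credentials
        self.token = self.server.authenticate(account, password)
        return self.token is not None

    def access(self):
        return self.server.access(self.token)
```

A successful `access()` is the point at which the terminal is known to the policy control device and may go on to subscribe to its topic; an expired or unknown identifier returns None, so the agent has to re-authenticate rather than keep using a stale grant.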
进程监控模块(Agent)与消息队列服务器210相连,并通过消息队列与策略控制设备200的策略服务器250通信。终端110通过进程监控模块来接收和发送消息。具体地,进程监控模块可以基于终端110的设备标识从消息队列中获取相应的策略规则,并可以将终端110执行策略规则的执行结果通过消息队列返回给策略控制设备200的策略服务器250。The process monitoring module (Agent) is connected to the message queue server 210, and communicates with the policy server 250 of the policy control device 200 through the message queue. The terminal 110 receives and sends messages through the process monitoring module. Specifically, the process monitoring module can obtain the corresponding policy rules from the message queue based on the device identification of the terminal 110, and can return the execution result of the terminal 110 executing the policy rules to the policy server 250 of the policy control device 200 through the message queue.
消息总线模块(DBUS)可用于实现终端110的进程之间的通信。消息总线模块与进程监控模块连接,在进程监控模块获取到策略规则后,通过调用消息总线模块可以实现执行策略规则。A message bus module (DBUS) may be used to enable communication between processes of the terminal 110 . The message bus module is connected with the process monitoring module. After the process monitoring module obtains the policy rules, the policy rules can be executed by calling the message bus module.
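The flow described above, from account registration and authentication through queue-based rule delivery keyed by device identifier to the execution result coming back, as an added Python simulation that is not part of the patent and not the applicant's code. The in-memory queue stands in for the NSQ server, the in-memory account store stands in for OpenLDAP, and every name, topic layout, identifier scheme and sample value is constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


def device_id_from_hardware(hardware_info):
    """Stable device identifier from hardware fields (constructed scheme)."""
    canonical = "|".join(f"{k}={hardware_info[k]}" for k in sorted(hardware_info))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class MessageQueue:
    """In-memory stand-in for the NSQ server: one topic per device identifier."""
    def __init__(self):
        self._topics = defaultdict(list)
        self.subscribed = set()  # device ids that sent a subscription request (claim 2)

    def publish(self, topic, message):
        self._topics[topic].append(message)

    def consume(self, topic):
        messages, self._topics[topic] = self._topics[topic], []
        return messages


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControlServer:
    """Stand-in for OpenLDAP: registration, authentication, access permission identifier."""
    def __init__(self):
        self._accounts = {}    # account -> (salt, PBKDF2 digest); never the password itself
        self._permits = set()  # access permission identifiers issued after authentication

    def register(self, user_identity):
        account = "acct-" + hashlib.sha256(user_identity.encode()).hexdigest()[:8]
        password, salt = secrets.token_urlsafe(12), secrets.token_bytes(16)
        self._accounts[account] = (salt, _digest(password, salt))
        return account, password

    def authenticate(self, account, password):
        """Return an access permission identifier on success, None otherwise."""
        if account not in self._accounts:
            return None
        salt, stored = self._accounts[account]
        if not hmac.compare_digest(_digest(password, salt), stored):
            return None
        permit = secrets.token_hex(16)
        self._permits.add(permit)
        return permit

    def access(self, permit):
        # Access request (claim 3): admitted only with a permit this server issued.
        return permit in self._permits


def dispatch_rule(queue, request, device_ids):
    """Policy server side: add the rule to the queue once per subscribed device id."""
    rule = {"policy": request["policy"], "params": request["params"]}
    sent = [d for d in device_ids if d in queue.subscribed]
    for dev in sent:
        queue.publish("policy/" + dev, rule)
    return sent


class TerminalAgent:
    """The terminal's Agent: fetches rules by device id, applies them, reports back."""
    def __init__(self, hardware_info, queue):
        self.device_id = device_id_from_hardware(hardware_info)
        self.queue = queue
        queue.subscribed.add(self.device_id)

    def apply(self, rule):
        # Stand-in for handing the rule to the executing component over the message bus.
        if rule["policy"] == "password":
            self.min_password_length = int(rule["params"]["min_length"])
            return "ok"
        return "unsupported"

    def poll(self):
        for rule in self.queue.consume("policy/" + self.device_id):
            self.queue.publish("results", {"device_id": self.device_id,
                                           "policy": rule["policy"], "status": self.apply(rule)})


def run_demo():
    """End-to-end run on constructed data; returns (devices reached, per-device results)."""
    acs, queue = AccessControlServer(), MessageQueue()
    account, password = acs.register("alice@example.test")
    permit = acs.authenticate(account, password)
    if permit is None or not acs.access(permit):
        raise RuntimeError("terminal not admitted")
    agents = [TerminalAgent({"board": "B1", "mac": "02:00:00:00:00:01"}, queue),
              TerminalAgent({"board": "B1", "mac": "02:00:00:00:00:02"}, queue)]
    sent = dispatch_rule(queue, {"policy": "password", "params": {"min_length": "12"}},
                         [a.device_id for a in agents] + ["never-subscribed"])
    for agent in agents:
        agent.poll()
    results = {r["device_id"]: r["status"] for r in queue.consume("results")}
    return sent, results
```

The never-subscribed device identifier in the request is deliberately dropped by `dispatch_rule`, which is the point of the subscription step: a rule is only queued for terminals that announced themselves under their own identifier.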
According to the control method 300 for policy execution of the present invention, a configuration platform 150 for configuring and managing the various policies is provided and connected to the policy control device 200, so that a policy administrator can configure the corresponding policy rules for the terminals 110 through the configuration platform 150, request the policy control device 200 to control the corresponding terminals 110 to execute the policy rules, and obtain the execution results of the terminals 110. Using the configuration platform for policy configuration is therefore simple to operate and efficient to configure, and makes it possible to control the execution of the corresponding policy rules on each terminal more efficiently.
Further, the present invention can divide multiple terminals 110 into multiple terminal groups based on the area in which each terminal 110 is located, each terminal group including one or more terminals 110 deployed in the corresponding area, so that the terminals can be managed by partition.
The various techniques described herein may be implemented in hardware or software, or a combination of both. Thus, the method and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (that is, instructions) embodied in a tangible medium such as a removable hard disk, a USB flash drive, a floppy disk, a CD-ROM or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine such as a computer, the machine becomes an apparatus for practicing the invention.
Where the program code is executed on a programmable computer, the mobile terminal generally includes a processor, a processor-readable storage medium (including volatile and non-volatile memory and/or storage elements), at least one input device and at least one output device. The memory is configured to store the program code; the processor is configured to execute the control method for policy execution of the present invention according to the instructions in the program code stored in the memory.
By way of example and not limitation, readable media include readable storage media and communication media. Readable storage media store information such as computer-readable instructions, data structures, program modules or other data. Communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the specification provided herein, the algorithms and displays are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the examples of the present invention. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not directed to any particular programming language. It is to be understood that various programming languages may be used to implement the invention described herein, and that the above descriptions of specific languages are intended to disclose the best mode for carrying out the invention.
In the specification provided herein, numerous specific details are set forth. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it is to be understood that, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together into a single embodiment, figure or description thereof in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules, units or components of the apparatus in the examples disclosed herein may be arranged in the apparatus as described in the embodiment, or alternatively may be located in one or more devices different from the apparatus in the example. The modules in the preceding examples may be combined into one module or further divided into a plurality of sub-modules.
Those skilled in the art will understand that the modules in the apparatus of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are intended to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the embodiments are described herein as methods, or combinations of method elements, that can be implemented by a processor of a computer system or by other means for performing the described functions. Thus, a processor having the necessary instructions for implementing such a method or method element forms a means for implementing the method or method element. Furthermore, an element of an apparatus embodiment described herein is an example of a means for carrying out the function performed by the element for the purpose of carrying out the invention.
As used herein, unless otherwise specified, the use of the ordinal numbers "first", "second", "third" and so on to describe common objects merely indicates that different instances of similar objects are being referred to, and is not intended to imply that the objects so described must be in a given order, whether temporally, spatially, in ranking or in any other manner.
While the invention has been described in terms of a limited number of embodiments, those skilled in the art, having the benefit of the above description, will appreciate that other embodiments are conceivable within the scope of the invention thus described. Furthermore, it should be noted that the language used in this specification has been principally selected for readability and instructional purposes, and not to delineate or circumscribe the subject matter of the invention. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. With regard to the scope of the invention, this disclosure is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.

Claims (16)

  1. A control method for policy execution, executed in a policy control device, the policy control device being connected to a configuration platform and to one or more terminals, the method comprising:
    receiving a policy execution request sent by the configuration platform, and determining, based on the policy execution request, a policy rule to be executed;
    determining the device identifiers of one or more terminals that are to execute the policy rule;
    adding the policy rule to a message queue based on the device identifiers of the one or more terminals, so that the policy rule is sent to the one or more terminals through the message queue;
    obtaining from the message queue the execution result returned by each terminal after executing the policy rule; and
    sending the execution result of each terminal to the configuration platform, so that the execution result is displayed on the configuration platform.
  2. The method of claim 1, further comprising, before adding the policy rule to the message queue, the step of:
    receiving a subscription request for policy rules sent by the one or more terminals based on their respective device identifiers.
  3. The method of claim 1, further comprising the steps of:
    receiving an identity authentication request sent by a terminal, and returning a corresponding access permission identifier to the terminal after the authentication passes; and
    receiving an access request sent by the terminal based on the access permission identifier.
  4. The method of claim 3, comprising, before receiving the identity authentication request sent by the terminal, the steps of:
    receiving an account registration request sent by the terminal; and
    generating, based on the account registration request, an access account and an access password corresponding to the identity of the user of the terminal, so that the terminal sends the identity authentication request based on the corresponding access account and access password.
  5. The method of claim 3, wherein the policy control device comprises:
    a policy server, connected to the configuration platform and adapted to receive the policy execution request sent by the configuration platform;
    a message queue server, connected to the policy server and to the one or more terminals; and
    an access control server, connected to the policy server and to the one or more terminals, adapted to receive the identity authentication request sent by the terminal and to return the corresponding access permission identifier to the terminal after the authentication passes, and adapted to receive the access request sent by the terminal based on the access permission identifier.
  6. The method of claim 5, wherein the terminal is adapted to generate its corresponding device identifier based on hardware information, the terminal comprising:
    a pluggable authentication module (PAM), connected to the access control server and adapted to send the identity authentication request to the access control server and to receive the access permission identifier returned by the access control server;
    a process monitoring module (Agent), connected to the message queue server and adapted to obtain the policy rule from the message queue based on the device identifier of the terminal; and
    a message bus module (DBUS), connected to the process monitoring module and adapted to execute the policy rule.
  7. The method of claim 5 or 6, wherein
    the message queue server is an NSQ message queue server; and
    the access control server is OpenLDAP.
  8. The method of any one of claims 1 to 7, wherein the policy comprises one or more of an application customization policy, a desktop customization policy, a password policy and a firewall policy.
  9. A policy execution system, comprising:
    a policy control device, adapted to execute the method of any one of claims 1 to 8 to control the execution of a policy;
    a configuration platform, connected to the policy control device, adapted to send a policy execution request to the policy control device, and adapted to receive the execution result of each terminal returned by the policy control device and to display the execution result; and
    a plurality of terminal groups, each terminal group comprising one or more terminals, the terminals being adapted to obtain a policy rule from a message queue based on their respective device identifiers, to execute the policy rule, and to send the execution result to the message queue.
  10. The system of claim 9, wherein the policy control device comprises:
    a policy server, connected to the configuration platform and adapted to receive the policy execution request sent by the configuration platform;
    a message queue server, connected to the policy server and to the one or more terminals; and
    an access control server, connected to the policy server and to the one or more terminals, adapted to receive an identity authentication request sent by a terminal and to return a corresponding access permission identifier to the terminal after the authentication passes, and adapted to receive an access request sent by the terminal based on the access permission identifier.
  11. The system of claim 10, wherein the access control server is further adapted to:
    receive an account registration request sent by the terminal; and
    generate, based on the account registration request, an access account and an access password corresponding to the identity of the user of the terminal, so that the terminal sends the identity authentication request based on the corresponding access account and access password.
  12. The system of claim 10 or 11, wherein the terminal is adapted to generate its corresponding device identifier based on hardware information, the terminal comprising:
    a pluggable authentication module (PAM), connected to the access control server and adapted to send the identity authentication request to the access control server and to receive the access permission identifier returned by the access control server;
    a process monitoring module (Agent), connected to the message queue server and adapted to obtain the policy rule from the message queue based on the device identifier of the terminal; and
    a message bus module (DBUS), connected to the process monitoring module and adapted to execute the policy rule.
  13. The system of any one of claims 10 to 12, wherein
    the message queue server is an NSQ message queue server; and
    the access control server is OpenLDAP.
  14. The system of any one of claims 9 to 13, wherein the policy comprises:
    one or more of an application customization policy, a desktop customization policy, a password policy and a firewall policy.
  15. A computing device, comprising:
    at least one processor; and
    a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor and comprise instructions for performing the method of any one of claims 1 to 8.
  16. A readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method of any one of claims 1 to 8.
PCT/CN2021/117706 2020-09-25 2021-09-10 Control method for strategy implementation, strategy implementation system, and computing device WO2022062918A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011021736.9A CN112202750B (en) 2020-09-25 2020-09-25 Control method for policy execution, policy execution system and computing device
CN202011021736.9 2020-09-25

Publications (1)

Publication Number Publication Date
WO2022062918A1 true WO2022062918A1 (en) 2022-03-31

Also Published As

Publication number Publication date
CN112202750A (en) 2021-01-08
CN112202750B (en) 2023-01-24


Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 18.07.2023)

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21871290

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 21871290

Country of ref document: EP

Kind code of ref document: A1