WO2022237006A1 - Access control method and apparatus, and device - Google Patents

Access control method and apparatus, and device

Info

Publication number
WO2022237006A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
access control
instance
services
security
Application number
PCT/CN2021/115143
Other languages
French (fr)
Chinese (zh)
Inventor
孙应孔
朱小平
Original Assignee
华为云计算技术有限公司
Application filed by 华为云计算技术有限公司
Publication of WO2022237006A1

Classifications

    • G06F21/604 Tools and structures for managing or administering access control systems (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data)
    • G06F21/60 Protecting data (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements)

Definitions

  • Embodiments of the present disclosure mainly relate to the field of computer technology, especially the field of cloud computing. More specifically, the embodiments of the present disclosure relate to an access control method, apparatus, device, computer-readable storage medium, and computer program product used in a cloud environment.
  • Cloud technology, which is used to enable services hosted in cloud environments, is one of the fastest growing technologies in computing.
  • Cloud computing can provide consumers with resources such as networks, network bandwidth, servers, storage, and applications as services.
  • A cloud environment involves many data centers and many services. Some services may have dependencies between them and thus need to interact.
  • security policies for different services are required for access control.
  • a security policy is usually implemented by a centralized firewall.
  • centralized firewalls have many problems, such as low reliability, low usability, and high cost.
  • Embodiments of the present disclosure provide a solution for access control.
  • an access control method includes: determining an access control rule applied to a service in a cloud environment, where the access control rule specifies a source object in the cloud environment that is allowed to access the service.
  • the method also includes: determining a target instance in the cloud environment where the service is deployed.
  • the method also includes: enabling access control rules on the target instance.
  • determining the access control rule applied to the service includes: determining the access control rule of the security group to which the service belongs as the access control rule applied to the service.
  • the service includes at least one of a cloud service, a group of microservices, a microservice or a component.
  • services in different layers are allowed to be protected objects. In this way, the flexibility of security policy management can be increased.
  • the method further includes: if an instance where the service is deployed is added, enabling access control rules on the added instance.
  • In response to service expansion (scale-out), access control rules can be automatically enabled on the added instances. In this way, the manual configuration of the security policy is simplified, thereby helping to improve the operation and maintenance efficiency of the security policy.
  • the method further includes: if the target instance no longer deploys the service, disabling or removing the access control rule on the target instance.
  • access control rules may be automatically disabled or removed at the scaled down instance. In this way, the manual configuration of the security policy is simplified, thereby helping to improve the operation and maintenance efficiency of the security policy.
  • the method further includes: if the target instance no longer deploys the service, disassociate the target instance from the access control rule. For example, target instances can be removed from a security group.
  • the security policy may be automatically adjusted in response to scaling down of the service. In this way, the manual configuration of the security policy is simplified, thereby helping to improve the operation and maintenance efficiency of the security policy.
  • determining the access control rules includes: creating a security group based on user input, the security group including services and access control rules applied to the services.
  • With security groups, users can centrally manage services that share the same access control rules. In this way, the security policy management can be simplified, and the operation and maintenance efficiency of the security policy can be improved.
  • the method further includes adding or removing one or more services to or from the security group based on another user input. In this way, access control rules at target instances can be managed simply through the addition or removal of services.
  • the source object includes at least one of: one or more services in the cloud environment, one or more addresses in the cloud environment, or a collection of addresses in the cloud environment. In this way, the source object can be specified flexibly and conveniently in various ways.
  • the services in the security group belong to users with the same rights.
  • By setting user rights, only users with corresponding rights can designate protected objects. In this way, the reliability and security of access control can be enhanced.
  • enabling the access control rule on the target instance includes: enabling the access control rule on one or more planes of the service on the target instance, where the plane is any of the following: management plane, storage plane, operation and maintenance plane or business plane.
  • distributed access control is refined down to a plane granularity. In this way, the accuracy of security policy management can be improved, and the failure radius can be further reduced.
  • enabling the access control rule on the target instance includes: issuing the access control rule to the target instance through a controller in an availability zone where the target instance is located. In this way, access control rules can be dispatched to target instances accurately and with low latency.
  • Security groups can be used to easily implement security policy management for services in a multi-cloud environment.
  • an access control device includes: a rule determining unit configured to determine an access control rule applied to a service in the cloud environment, where the access control rule specifies a source object in the cloud environment that is allowed to access the service; an instance determination unit configured to determine a target instance in the cloud environment on which the service is deployed; and a rule enabling unit configured to enable the access control rule on the target instance.
  • the rule determining unit is further configured to: determine the access control rule of the security group to which the service belongs, as the access control rule applied to the service.
  • the service includes at least one of a cloud service, a group of microservices, a microservice or a component.
  • services in different layers are allowed to be protected objects. In this way, the flexibility of security policy management can be improved.
  • the device further includes: a first updating unit configured to enable the access control rule on the added instance if an instance where the service is deployed is added.
  • access control rules can be automatically enabled on the added instances. In this way, the manual configuration of the security policy is simplified, thereby helping to improve the operation and maintenance efficiency of the security policy.
  • the device further includes: a second updating unit configured to disable or remove the access control rule on the target instance if the target instance no longer deploys the service.
  • access control rules may be automatically disabled or removed at the scaled down instance. In this way, the manual configuration of the security policy is simplified, thereby helping to improve the operation and maintenance efficiency of the security policy.
  • the apparatus further includes: a third update unit configured to disassociate the target instance from the access control rule if the target instance no longer deploys services.
  • the security policy may be automatically adjusted in response to scaling down of the service. In this way, the manual configuration of the security policy is simplified, thereby helping to improve the operation and maintenance efficiency of the security policy.
  • the rule determining unit is further configured to: create a security group based on user input, the security group including the service and the access control rules applied to the service.
  • With security groups, users can centrally manage services that share the same access control rules. In this way, the security policy management can be simplified, and the operation and maintenance efficiency of the security policy can be improved.
  • the apparatus further comprises: a security group updating unit configured to add one or more services to the security group or remove one or more services from the security group based on another user input.
  • the source object includes at least one of: one or more services in the cloud environment, one or more addresses in the cloud environment, or a collection of addresses in the cloud environment. In this way, the source object can be specified flexibly and conveniently in various ways.
  • the services in the security group belong to users with the same rights.
  • By setting user rights, only users with corresponding rights can designate protected objects. In this way, the reliability and security of access control can be enhanced.
  • the rule enabling unit is further configured to: enable the access control rules of the service on one or more planes on the target instance, where the plane is any of the following: management plane, storage plane, operation and maintenance plane or business plane.
  • distributed access control is refined down to a plane granularity. In this way, the accuracy of security policy management can be improved, and the failure radius can be further reduced.
  • the rule enabling unit is further configured to issue the access control rule to the target instance through the controller of the availability zone where the target instance is located. In this way, access control rules can be dispatched to target instances accurately and with low latency.
  • different services belonging to a security group are deployed in different cloud environments.
  • Security groups can be used to easily implement security policy management for services in a multi-cloud environment.
  • an electronic device comprising: at least one computing unit; and at least one memory coupled to the at least one computing unit and storing instructions for execution by the at least one computing unit, where the instructions, when executed by the at least one computing unit, cause the device to implement the method of the first aspect.
  • a computer-readable storage medium on which a computer program is stored, wherein the computer program is executed by a processor to implement the method of the first aspect.
  • a computer program product including computer-executable instructions, which, when executed by a processor, implement part or all of the steps of the method of the first aspect.
  • the computing system of the third aspect, the computer storage medium of the fourth aspect, and the computer program product of the fifth aspect provided above are all used to execute the method provided in the first aspect. Therefore, the explanations or descriptions of the first aspect also apply to the third aspect, the fourth aspect and the fifth aspect.
  • For the beneficial effects achieved by the third aspect, the fourth aspect, and the fifth aspect, reference may be made to the beneficial effects of the corresponding methods, which will not be repeated here.
  • Figure 1 shows a schematic diagram of access control provided by a centralized firewall
  • Figure 2 shows a schematic diagram of an example cloud environment in which various embodiments of the present disclosure can be implemented
  • Fig. 3 shows a schematic diagram of a hierarchical structure of services according to some embodiments of the present disclosure
  • FIG. 4 shows an example structure of resource configuration information according to some embodiments of the present disclosure
  • Figure 5 shows a schematic block diagram of a distributed access control architecture according to some embodiments of the present disclosure
  • Fig. 6 shows a schematic diagram of user rights associated with services according to some embodiments of the present disclosure
  • Figure 7 shows a schematic diagram of an example security group according to some embodiments of the present disclosure.
  • Fig. 8 shows a schematic diagram of another example security group according to some embodiments of the present disclosure.
  • FIG. 9 shows a flowchart of a process of updating a security policy according to some embodiments of the present disclosure
  • Figure 10 shows a flow chart of an access control method according to some embodiments of the present disclosure
  • Figure 11 shows a schematic block diagram of an access control device according to some embodiments of the present disclosure.
  • Figure 12 shows a block diagram of a computing device capable of implementing various embodiments of the present disclosure.
  • cloud service refers to a service that is presented to an end consumer as a whole to allow the end consumer to access hosted resources.
  • service refers to services in a broad sense provided by the cloud environment, which may refer to the "cloud service" provided to consumers as a whole, or to the components included in the cloud service.
  • cloud or "cloud environment" may include, but is not limited to, public clouds, private clouds, joint operations clouds, edge clouds, hybrid clouds, and the like.
  • a centralized firewall provides network-layer access control to services for each network partition.
  • Fig. 1 shows a schematic diagram of access control provided by a centralized firewall in a conventional solution.
  • the cloud environment 100 includes multiple network partitions, such as an operation and maintenance zone 121 , a management zone 122 , an isolated (DMZ) zone 123 , a computing zone 124 and a storage zone 125 .
  • These network partitions are connected to firewall 101 via switches 111 , 112 , 113 , 114 and router 105 respectively.
  • When a service in one network partition wants to access a service in another network partition, access control needs to be performed through the firewall 101 .
  • Traffic from the service is first routed to the firewall 101 for access control, and is then forwarded to the computing zone 124 .
  • access control can only control service access across network partitions, and access control of different services within the same network partition is a security blind spot.
  • security policies of many services deployed in the cloud environment 100 are all concentrated in the firewall 101. This requires the consumption of a large amount of firewall hardware, which is very expensive.
  • various embodiments of the present disclosure provide a scheme for access control.
  • access control rules applied to a service in a cloud environment and target instances in the cloud environment on which the service is deployed are determined.
  • Access control rules specify the source objects in the cloud environment that are allowed to access the service. Enable this access control rule on the target instance.
  • This method simplifies the security policy configuration and makes the failure radius of the security policy controllable, thereby improving the O&M efficiency of the security policy. Therefore, embodiments of the present disclosure enable reliable and secure access control in a cloud environment.
  • Various example embodiments of the present disclosure are described below with reference to FIGS. 1 to 12 .
  • FIG. 2 shows a schematic diagram of an example cloud environment 200 in which various embodiments of the present disclosure can be implemented.
  • the cloud environment 200 includes a resource configuration system 203 , a configuration database 202 , a security manager 201 and a resource production system 204 .
  • the security manager 201, the resource configuration system 203 and the configuration database 202 may be deployed in the same or different zones, and the embodiments of the present disclosure are not limited in this respect.
  • Users 250 such as service administrators, security administrators, etc., can interact with the resource configuration system 203, security manager 201, etc. in the cloud environment 200.
  • Resource production system 204 is used to implement services provided by cloud environment 200, and may include one or more network partitions, such as network partitions 230-1, 230-2, 230-3, and 230-4, which may also be collectively referred to as multiple network partitions.
  • Multiple network partitions 230 may include instances 210-1, 210-2, 210-3, 210-4, 210-5, 210-6, 210-7, 210-8, and 210-9, which may also be collectively referred to as multiple instance 210 or individually as instance 210.
  • Multiple instances 210 may be distributed across multiple network partitions 230 . As an example only, instances 210-1, 210-2 and 210-3 etc. are distributed in network partition 230-1; instances 210-4 and 210-5 etc. are distributed in network partition 230-2; instances 210-6 and 210-7 etc. are distributed in network partition 230-3; and instances 210-8 and 210-9 etc. are distributed in network partition 230-4.
  • Instance 210 is deployed with one or more services of the cloud environment.
  • the instance 210 may be any suitable virtual resource or physical resource.
  • Virtual resources may include, for example, virtual machines (VMs), containers, and the like.
  • Physical resources may include, for example, physical machines (PMs), bare metal servers, network devices, security devices, interface cards, and so on.
  • Resource configuration system 203 is used to create and deploy services. For example, user 250 may interact with resource configuration system 203 to specify a service to create.
  • the resource configuration system 203 may determine an instance 210 for deploying the service, for example, determine which VM, PM or container the service is to be deployed on. Furthermore, the resource configuration system 203 can release such resources to the resource production system 204 and deploy the service in the determined instance 210 .
  • the resource configuration system 203 can store service information and resource configuration information in the configuration database 202 .
  • Configuration database 202 may be, for example, a configuration management database (CMDB).
  • the service information indicates each service in the cloud environment 200, and may optionally indicate a relationship between services.
  • the resource configuration information indicates the instance or instances in which each service is deployed. In other words, resource configuration information indicates service-to-instance relationships.
  • FIG. 3 shows a schematic diagram of a service hierarchy 300 according to some embodiments of the present disclosure.
  • Hierarchy 300 includes three levels from top to bottom, namely cloud service, microservice group, and microservice or component.
  • Microservices or components are services or components that have independent functions and can be deployed independently.
  • a microservice group includes a group of microservices or components with similar characteristics or functions.
  • cloud service 310 includes microservice group 321 and microservice group 322 .
  • Microservice group 321 includes microservice 331 and microservice 332 .
  • Microservice group 322 includes microservice 333 and microservice 334 .
  • the hierarchical structure 300 shown in Figure 3 can be considered a service tree.
  • the resource configuration system 203 may store the service tree in the configuration database 202 as service information.
  • the hierarchical structure 300 including three levels shown in FIG. 3 is exemplary only, and is not intended to limit the scope of the present disclosure.
  • various services in a cloud environment may be constructed in any suitable number of levels.
  • each service in the cloud environment can be constructed at two levels of cloud service and microservice.
  • FIG. 4 shows an example structure of resource configuration information 400 according to some embodiments of the present disclosure.
  • the resource configuration information 400 or the service-instance relationship includes five levels, namely L1, L2, L3, L4, and L5.
  • L1 to L3 levels indicate services, namely cloud services 401 , microservice groups 402 , and microservices or components 403 .
  • the L4 level indicates instances 404 of running or deploying microservices or components 403 .
  • the L5 level indicates the instance address 405 of the instance 404 .
  • an address may include but not limited to an Internet Protocol (IP) address, such as an IPv4 address, an IPv6 address, and may also include other types of addresses.
  • an instance deployed with a cloud service refers to an instance deployed with microservices or components under the cloud service
  • an instance deployed with a microservice group refers to an instance deployed with a microservice or component under the microservice group. Therefore, in the example of FIG. 3, the instances deployed with cloud service 310 include the instances deployed with microservices 331, 332, 333 and 334; the instances deployed with microservice group 321 include the instances deployed with microservices 331 and 332; and the instances deployed with microservice group 322 include the instances deployed with microservices 333 and 334 .
  • the service information (eg, service tree) and resource configuration information (ie, service-instance relationship) stored in the configuration database 202 are sent to the security manager 201 .
  • the security manager 201 is used to configure and manage security policies for the resource production system 204 .
  • the security manager 201 determines a protected service as a protection object based on the service information, and determines an access control rule applied to the service.
  • the security manager 201 determines the target instance on which the service is deployed from the multiple instances 210, such as instance 210-2 and instance 210-8. Then, the security manager 201 enables the access control rule on the target instance. For example, the security manager 201 dispatches access control rules to target instances as security policies.
  • When receiving an access request from a source object, the target instance determines, based on the access control rules, whether the source object has access rights, and accepts or denies the access request accordingly. To apply access control rules, the target instance can translate the access control rules into executable instructions. Depending on the device type of the target instance (eg, VM, container, etc.), application of access control rules may be accomplished in any suitable manner. For example, an agent can be deployed in the operating system of the target instance. The agent is used to communicate with the security manager 201 and make access control rules take effect on the data plane.
  • In cloud environment 200, instance-based distributed access control can be implemented. This greatly reduces the failure radius of security policies compared to centralized firewalls.
  • Cloud environment 200 may include, but is not limited to, public clouds, private clouds, joint operations clouds, edge clouds, hybrid clouds, and combinations thereof.
  • this distributed access control can be achieved across two or more cloud environments. For example, multiple instances 210 may be provided by different cloud environments.
  • FIG. 5 shows a schematic block diagram of a distributed access control architecture 500 according to some embodiments of the present disclosure.
  • the architecture 500 includes a security policy orchestration layer 510 , a security policy scheduling layer 520 and a security policy execution layer 530 .
  • Security policy orchestration layer 510 includes security manager 201 .
  • the security policy scheduling layer 520 includes controllers 521 , 522 and 523 of availability zones.
  • Security policy enforcement layer 530 includes instances 531 , 532 , 533 and 534 in availability zones.
  • controller 521 is the controller of the availability zone where instance 531 is located
  • controller 522 is the controller of the availability zone where instance 532 is located
  • controller 523 is the controller of the availability zone where instances 533 and 534 are located.
  • the controller can be, for example, a dedicated server in an availability zone.
  • the architecture 500 shown in FIG. 5 is exemplary only, and is not intended to limit the scope of the present disclosure.
  • the distributed access control architecture can also be divided in other ways.
  • the security manager 201 includes a policy orchestration module 501 , a policy management module 502 and a policy scheduling engine 503 .
  • the policy orchestration module 501 is used to associate the protected service (also referred to as "target service" hereinafter) with corresponding access control rules. Access control rules specify the source objects in cloud environment 200 that are allowed to access the service.
  • Since services in the cloud environment 200 are organised in a hierarchical structure, the protected service may belong to any level of that hierarchy.
  • the service may include any one of a cloud service, a microservice group, a microservice, or a component. In such an embodiment, services in different layers are allowed to be protected objects. In this way, the flexibility of security policy management can be improved.
  • services and corresponding access control rules can be specified in a pre-configuration file.
  • the policy orchestration module 501 can read the pre-configuration file, and determine the protected services and corresponding access control rules therefrom.
  • protected services and corresponding access control rules may be specified by the user 505 .
  • user 505 may be presented with a user interface displaying service information (eg, a service tree).
  • User 505 can select a protected service through the user interface, and can specify source objects that are allowed to access the service.
  • FIG. 6 shows a schematic diagram of user permissions associated with services according to some embodiments of the present disclosure. Under role-based access control (RBAC), users belonging to the same group have the same role and therefore the same authority.
  • Users 601, 602, and 603 belong to different groups 611, 612, and 613, respectively.
  • the role of the group 611 is the service administrator of the cloud service 621 .
  • a user belonging to the group 611 can select a service from the cloud service 621 and the microservice groups, microservices or components included therein as a protection object.
  • the role of group 612 is a service administrator of cloud service 622 .
  • a user belonging to the group 612 (for example, the user 602 ) can select a service from the cloud service 622 and the microservice group, microservice or component included therein as a protection object.
  • the role of group 613 is security administrators of system resources 623 .
  • a user belonging to the group 613 (for example, user 603 ) can select a service from all cloud services and microservice groups, microservices or components as protection objects. In this embodiment, by setting user rights, only users with corresponding rights can designate protected objects. In this way, the reliability and security of access control can be further enhanced.
  • the source objects that are allowed to access the target service may be specified by a pre-configuration file or by user input from user 505 .
  • Policy orchestration module 501 may provide one or more schemas to specify source objects.
  • source objects may include one or more services in cloud environment 200 .
  • the policy orchestration module 501 can provide a service mode to the user 505. In the service mode, the policy orchestration module 501 presents the user 505 with a user interface displaying service information (eg, a service tree). The user 505 can select one or more services through the user interface, and the selected services are allowed to access the target service.
  • the policy orchestration module 501 may then determine the address (eg, IP address) of each instance on which a selected service is deployed, based on the resource configuration information from the configuration database 202, to determine the access control rule. That is, the determined addresses are allowed to access the target instance. Because the rule is expressed in terms of addresses resolved at this point, it is only as current as the resource configuration information it was derived from.
  • a source object may include one or more addresses in a cloud environment.
  • the policy orchestration module 501 can provide an address mode to the user 505. In the address mode, the user 505 can directly input an address through the user interface to specify the source object. The policy orchestration module 501 can determine the access control rule based on the address input by the user 505; that is, the address entered by the user 505 is allowed to access the target instance.
  • a source object may comprise a collection of addresses in a cloud environment.
  • policy orchestration module 501 can provide address pool mode to user 505 .
  • the user 505 can select an address pool from multiple predefined address pools to specify a source object.
  • Each address pool may include a collection of addresses, such as multiple addresses, one or more address ranges, and combinations thereof.
  • the policy orchestration module 501 can determine access control rules based on the selected address pool. That is, addresses in the selected address pool are allowed to access the target instance.
  • The service mode, the address mode and the address pool mode have been described taking user input as the way to specify the source object, but this is only exemplary. These modes can equally be used where a pre-configuration file specifies the source object: for example, a service, one or more addresses, or an address pool can be specified as the source object in the pre-configuration file.
  • user input or a pre-configuration file may also specify the protocol port of the target instance (ie, the destination protocol port) as part of the access control rules.
  • a port number for Transmission Control Protocol (TCP), such as TCP 443, may be specified.
  • In the service mode, the access control rule can allow the determined addresses to access the target instance on TCP port 443; in the address mode, the access control rule can allow the address entered by the user 505 to access the target instance on TCP port 443; in the address pool mode, the access control rule can allow the addresses in the selected address pool to access the target instance on TCP port 443. In each mode the rule therefore has the same shape, a set of allowed source addresses, a target instance and a destination protocol port, and only the way the source set is obtained differs.
  • the policy management module 502 in the security manager 201 is used to determine target instances where protected services are deployed. For example, the target instance can be determined based on resource configuration information from the configuration database 202 .
  • the policy management module 502 is also used to manage service information, resource configuration information and security policies. Specifically, the policy management module 502 can monitor service and resource configuration updates.
  • Service updates may include, but are not limited to, the addition of microservices (for example, bringing them online), the removal of microservices (for example, taking them offline), scale-out and scale-in of microservices, the addition of or changes to regions, changes in availability zones, and so on.
  • the update of the service may cause the update of the resource configuration, for example, the increase, decrease, change, etc. of the instances deployed by the service.
  • policy management module 502 may receive real-time messages from configuration database 202 to monitor service and resource configuration updates. Such real-time messages are generated in response to and indicate updates to service or resource configurations. Examples of real-time messages may include, but are not limited to, configuration management database instance messages, cloud service view service tree messages, microservice instance messages, cloud location zone messages, and the like.
  • the policy management module 502 may periodically synchronize service information and resource configuration information with the configuration database 202 to monitor updates of service and resource configurations. For example, policy management module 502 may periodically receive service trees and service-to-instance relationships from configuration database 202 . In such an embodiment, periodic synchronization can be used to avoid information mismatch problems caused by real-time message sending and receiving failures, thereby enhancing the reliability of distributed access control. In the case of the combination of real-time messages and periodic synchronization, it can be ensured that the security manager 201 knows the relationship between services and instances in a timely and reliable manner, so as to accurately determine the target instance.
  • the policy management module 502 can maintain the relationship of protected services and access control rules. When monitoring the update of the service and resource configuration, the policy management module 502 can update the relationship between the service and the access control rule accordingly. For example, if a reduction in services is detected, the policy management module 502 may disassociate the reduced services from the corresponding access control rules. The security manager 201 may further disable or remove the access control rule in the instance where the reduced service is originally deployed. As another example, if an increase of a service is detected, the policy management module 502 may determine an access control rule applied to the added service, and associate the added service with the access control rule.
  • the policy scheduling engine 503 in the security manager 201 is used to enable access control rules on the target instance. Specifically, the policy scheduling engine 503 can issue access control rules to target instances in the security policy enforcement layer 530. In some embodiments, if the instances in the cloud environment are located in different availability zones, the policy scheduling engine 503 issues the access control rules to the target instance through the controller of the availability zone where the target instance is located. In the example of FIG. 5 , when the target instance includes the instance 531 , the policy scheduling engine 503 can issue the access control rules to the instance 531 through the controller 521 . In the case that the target instance includes the instance 532 , the policy scheduling engine 503 can issue the access control rules to the instance 532 through the controller 522 . In the case that the target instance includes the instance 533 and/or the instance 534 , the policy scheduling engine 503 may issue the access control rules to the instance 533 and/or the instance 534 through the controller 523 .
  • Distributed access control is realized using the system architecture described above.
  • Security policies are dispatched to instances by software (policy orchestration and dispatch), which reduces cost compared with hardware firewalls.
  • For each protected service, the corresponding access control rules are enabled only on the one or more target instances where that service is deployed.
  • Because the access control rules of one service reside only on that service's instances, and different services are physically isolated from each other, the failure radius of a wrong security policy is reduced to the instances of the service it was written for.
  • The source object specified by an access control rule can be configured as desired and is not limited to being in a different zone from the target instance; traffic between instances in the same zone, which a centralized firewall at the zone boundary never sees, is still subject to the rule. In this way, the security blind spots of centralized firewall solutions are eliminated.
  • security groups can be used to manage multiple services sharing the same access control rules.
  • The security manager 201 (eg, the policy orchestration module 501) may create a security group based on user input; the created security group includes these services and the access control rules they share.
  • the user 505 may create a security group and add services to the security group through a user interface, and specify a source object by specifying a service, address, or address pool.
  • the security manager 201 can take the service added by the user as a member of the security group, and generate the access control rules of the security group based on the specified source object.
  • security manager 201 may add the determined target instance to a security group.
  • services in a security group may belong to users with the same authority.
  • the security manager 201 may determine the access control rules of the security group as the access control rules applied to the services in the security group.
  • the user 505 can provide subsequent input through the user interface when the security group needs to be updated. Based on subsequent input, the security group may be updated. For example, one or more services may be added to a security group to apply the security group's access control rules to the added services. As another example, one or more services originally belonging to a security group may be removed from the security group.
  • the security manager 201 (eg, the policy management module 502 ) can update the security group accordingly when monitoring the update of the service and resource configuration. For example, if a reduction of a service is detected, the security manager 201 may remove the reduced service from the security group to which it originally belongs, so as to disassociate the service from the corresponding access control rule. For another example, if an increase of a service is detected, the security manager 201 may determine the security group to which the added service belongs and add it to the security group, thereby associating the added service with a corresponding access control rule.
  • services in the same security group can be deployed in different cloud environments. For example, some services in a security group are deployed in a public cloud, while others are deployed in a private cloud. In this way, cross-cloud management of security policies can be conveniently realized.
  • FIG. 7 shows a schematic diagram of an example security group 701 according to some embodiments of the present disclosure.
  • FIG. 7 takes the three-level hierarchical structure shown in FIG. 3 as an example, but this is only exemplary and not intended to limit the scope of the present disclosure.
  • security group 701 includes service directory 702.
  • the entry “identification of cloud service B” indicates that the security group 701 includes cloud service B at the cloud service level
  • the entry “identification of microservice group A” indicates that the security group 701 includes microservice group A at the microservice group level
  • the entry “identification of microservice C” indicates that the security group 701 includes microservice C at the microservice level.
  • Access control rules 703 for the security group are generated. Access control rule 703 will be applied to cloud service B, microservice group A and microservice C belonging to security group 701 .
  • the security manager 201 enables the access control rule 703 on all instances where cloud service B, microservice group A and microservice C are deployed. In other words, all instances deployed with cloud service B, microservice group A or microservice C allow access from the source address 10.52.80.0/24 on TCP port 443.
  • services in the cloud environment are structured in multiple tiers, and security groups are allowed to include services in different tiers.
  • The flexibility of security policy management is thereby increased. Allowing a whole cloud service to be specified aggregates its parts, so that a user does not have to select each microservice under the cloud service one by one; allowing individual microservices or components to be specified refines security policy management to a finer granularity.
  • a security group may include any suitable number of services, such as any suitable number of cloud services, microservice groups, microservices.
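To make the rule determination in the service, address and address pool modes, and the expansion of a multi-tier security group such as security group 701, concrete, the following Python is an added example; it is not code from the patent or from the applicant. The three-level service tree, the service-to-instance relationship standing in for the configuration database 202, the address pools, the dict shapes and the function names are all constructed for this example, and the nftables-style rendering at the end is one assumed enforcement representation, since the disclosure says only that rules are issued to the instance.

```python
import ipaddress

# Constructed three-level service tree (cf. FIG. 3): cloud service ->
# microservice group -> microservices. Sample data, not from the disclosure.
SERVICE_TREE = {
    "cloud service A": {
        "microservice group A": ["microservice A1", "microservice A2"],
        "microservice group B": ["microservice C"],
    },
    "cloud service B": {
        "microservice group D": ["microservice D1"],
    },
}

# Constructed service-to-instance relationship (what the configuration
# database 202 would supply): microservice -> {instance id: address}.
INSTANCES = {
    "microservice A1": {"inst-a1": "10.10.1.11"},
    "microservice A2": {"inst-a2": "10.10.1.12"},
    "microservice C": {"inst-c": "10.10.2.21"},
    "microservice D1": {"inst-d1": "10.10.3.31", "inst-d1b": "10.10.3.32"},
}

# Constructed predefined address pools for the address pool mode.
ADDRESS_POOLS = {
    "pool-ops": ["10.52.80.0/24"],
    "pool-mgmt": ["10.60.0.5", "10.60.0.6", "10.61.0.0/16"],
}


def microservices_of(service):
    """Expand a service named at any tier into the microservices beneath it.

    A cloud service expands to every microservice of every group under it, a
    microservice group to its members, and a microservice to itself. This is
    what lets a security group list members from different tiers."""
    if service in SERVICE_TREE:
        return [m for members in SERVICE_TREE[service].values() for m in members]
    for groups in SERVICE_TREE.values():
        if service in groups:
            return list(groups[service])
    if service in INSTANCES:
        return [service]
    raise KeyError(f"unknown service: {service}")


def target_instances(services):
    """Instances (id -> address) on which any of the given services is deployed."""
    targets = {}
    for service in services:
        for micro in microservices_of(service):
            targets.update(INSTANCES[micro])
    return targets


def resolve_source(source):
    """Turn a source object into a sorted list of CIDR prefixes allowed in.

    source is (mode, value): ("service", name) resolves the service's
    instance addresses, ("address", [a, ...]) takes addresses typed in by the
    user, ("pool", name) takes a predefined address pool. Every entry is
    parsed strictly, so a malformed input such as "10.52.80/24" raises
    instead of silently producing a rule that matches the wrong hosts."""
    mode, value = source
    if mode == "service":
        raw = target_instances([value]).values()
    elif mode == "address":
        raw = value
    elif mode == "pool":
        raw = ADDRESS_POOLS[value]
    else:
        raise ValueError(f"unknown source mode: {mode}")
    nets = {ipaddress.ip_network(a, strict=True) for a in raw}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))]


def security_group_rules(group):
    """Per-target-instance access control rules for one security group.

    group = {"services": [...], "source": (mode, value), "proto": "tcp", "dport": 443}.
    The same allowed-source list is attached to every instance of every member
    service, which is what sharing one rule across the group means."""
    allowed = resolve_source(group["source"])
    return {
        inst: {"dst": addr, "allow_src": allowed, "proto": group["proto"], "dport": group["dport"]}
        for inst, addr in sorted(target_instances(group["services"]).items())
    }


def render_nft(rule):
    """Render one per-instance rule as an nftables-style line (assumed enforcer syntax)."""
    srcs = ", ".join(rule["allow_src"])
    return f"ip daddr {rule['dst']} ip saddr {{ {srcs} }} {rule['proto']} dport {rule['dport']} accept"


# Security group shaped like FIG. 7: cloud service B, microservice group A and
# microservice C share one rule that allows 10.52.80.0/24 to reach TCP 443.
GROUP_701 = {
    "services": ["cloud service B", "microservice group A", "microservice C"],
    "source": ("pool", "pool-ops"),
    "proto": "tcp",
    "dport": 443,
}

if __name__ == "__main__":
    for inst, rule in security_group_rules(GROUP_701).items():
        print(f"{inst}: {render_nft(rule)}")
```

Running the module prints one rendered rule per target instance: the two instances of microservice D1 (reached through cloud service B), the instances of microservices A1 and A2 (through microservice group A) and the instance of microservice C. The strict parsing in resolve_source is the check a practitioner wants at the orchestration layer: a prefix written without its last octet, as in the figure text, is rejected before it is ever issued.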
  • security policy management can be further refined to plane granularity.
  • Access control rules for protected services on one or more planes can be enabled on the target instance.
  • The plane can be any of the management plane, the storage plane, the operation and maintenance plane, or the service plane. For example, an access control rule that applies to the management plane of a protected service can be enabled only on the target instances, and only on the ports of those instances, that serve the management plane.
  • FIG. 8 shows a schematic diagram of another example security group 801 according to some embodiments of the present disclosure.
  • FIG. 8 takes the three-level hierarchical structure shown in FIG. 3 as an example, but this is only exemplary and not intended to limit the content of the present disclosure.
  • the security group 801 includes at least microservices 810 and access control rules 803 .
  • the security group 801 may also include other services not shown.
  • Instances deployed with the microservice 810 include instance A, instance B, and instance C. Here a "port" of an instance is an addressed network port (interface) of that instance, associated with a plane; it is distinct from the TCP destination port 443 carried in the rule. Instance B has no port on the target plane, while instances A and C do.
  • For instance A, all ports are applied to the target plane, or instance A does not differentiate planes at all.
  • For instance C, port A and port C are applied to the target plane, while port B is applied to a plane other than the target plane.
  • Instance A and instance C are therefore determined as target instances, and instance B is not.
  • On instance C, the access control rule 803 is only enabled on port A and port C.
  • The security group 801 includes an instance directory 802.
  • The entry "identification of instance A" and its sub-entries indicate instance A and all addresses of instance A.
  • The entry "identification of instance C" and its sub-entries indicate instance C, the address of port A of instance C, and the address of port C of instance C.
  • The instance directory 802 may also include other entries or sub-entries indicating the type of a port or the plane to which the port applies.
  • The security manager 201 enables the access control rule 803 on all ports of instance A and on port A and port C of instance C.
  • That is, all ports of instance A and port A and port C of instance C allow access from the source address 10.52.80.0/24 on TCP port 443; port B of instance C, and every port of instance B, receives no such rule.
  • distributed access control is refined down to a plane granularity. In this way, the accuracy of security policy management can be improved, and the failure radius can be further reduced.
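The plane-granular enablement shown in FIG. 8 is, in code, a selection of which addressed ports of which instances receive the rule. The following Python is an added example written for this page, not the patent's code: the port inventory of microservice 810, the plane labels, the rule 803 payload and all names are constructed, and "port" is used as in the figure, an addressed network port of the instance rather than a TCP port.

```python
PLANES = {"management", "storage", "operation and maintenance", "service"}

# Constructed inventory for the instances deployed with microservice 810:
# instance -> {port name: (address, plane)}. "Port" here is an addressed
# network port of the instance, not a TCP port. A plane of None marks an
# instance that does not differentiate planes, so all its ports count for
# every plane (instance A in FIG. 8). Instance B has no management-plane port.
INSTANCES_810 = {
    "instance A": {"port 1": ("10.20.0.11", None), "port 2": ("10.20.1.11", None)},
    "instance B": {"port 1": ("10.20.2.12", "storage")},
    "instance C": {
        "port A": ("10.20.0.13", "management"),
        "port B": ("10.20.2.13", "storage"),
        "port C": ("10.20.3.13", "management"),
    },
}

# Rule 803 as in FIG. 8: 10.52.80.0/24 may reach TCP 443, management plane only.
RULE_803 = {"allow_src": ["10.52.80.0/24"], "proto": "tcp", "dport": 443, "plane": "management"}


def ports_for_plane(ports, plane):
    """Ports of one instance whose plane matches (or is undifferentiated)."""
    if plane not in PLANES:
        raise ValueError(f"unknown plane: {plane}")
    return {name: addr for name, (addr, p) in ports.items() if p is None or p == plane}


def instance_directory(inventory, plane):
    """Build the instance directory (cf. 802): target instance -> {port: address}.

    An instance with no port on the plane is not a target instance at all, so
    it gets no entry and no rule, which is how the failure radius shrinks."""
    directory = {}
    for inst, ports in inventory.items():
        selected = ports_for_plane(ports, plane)
        if selected:
            directory[inst] = selected
    return directory


def enable_rule(inventory, rule):
    """Scope a plane-bound rule to the matching port addresses of each target instance.

    Returns {instance: [rule copies, one per selected port, with dst set to the
    port address]}. Ports on other planes never appear, so no rule can be
    issued for them by mistake."""
    directory = instance_directory(inventory, rule["plane"])
    return {
        inst: [dict(rule, port=name, dst=addr) for name, addr in sorted(ports.items())]
        for inst, ports in directory.items()
    }


def addresses_with_rule(payload):
    """All destination addresses that received the rule, for auditing."""
    return sorted(r["dst"] for rules in payload.values() for r in rules)


if __name__ == "__main__":
    for inst, rules in enable_rule(INSTANCES_810, RULE_803).items():
        print(inst, [(r["port"], r["dst"]) for r in rules])
```

The audit helper is the check worth keeping in a real deployment: after a dispatch, the set of addresses carrying the rule must equal the management-plane addresses of the target instances and nothing else, so a storage-plane address appearing in it is an immediate sign that the inventory's plane labels are wrong.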
  • the policy management module 502 can monitor for updates to service and resource configurations. Based on updates to service and resource configurations, security manager 201 can update security policies.
  • Figure 9 shows a flow diagram of a process 900 for updating security policies according to some embodiments of the present disclosure.
  • the security manager 201 determines whether there is a service scaling up or down based on the monitored service and resource configuration updates. For example, security manager 201 may determine whether there is a service scaling up or down based on real-time messages received from configuration database 202 or periodic synchronization with configuration database 202 .
  • If the security manager 201 determines that a protected service has scaled up, that is, additional instances of the service have been deployed, process 900 proceeds to block 920.
  • the security manager 201 associates the added instance with the access control rules applied to the service. For example, in an embodiment where a security group is created, the added instance may be added to the security group in which the service resides.
  • the security manager 201 enables the access control rule on the added instance. For example, the security manager 201 may issue the access control rule to the added instance through the controller of the availability zone where the added instance is located.
  • If the security manager 201 determines that a protected service has scaled down, that is, a target instance that had the service deployed no longer has it deployed, process 900 proceeds to block 940.
  • the security manager 201 disassociates the target instance on which the service is no longer deployed from the access control rules applied to the service. For example, in an embodiment where a security group is created, the security manager 201 may remove the target instance from the security group where the service is located.
  • the security manager 201 disables or removes the access control rules applied to the service on target instances where the service is no longer deployed. For example, the security manager 201 may send a message or command to the target instance to mark the access control rule as disabled in the target instance, or delete the access control rule locally from the target instance.
  • Process 900 of automatically updating security policies is described above with respect to services in a broad sense.
  • Process 900 can be applied to services of any granularity.
  • the services to be scaled up or down may include any one or more of cloud services, microservice groups, microservices or components.
  • security policies may be automatically updated in response to updates to service and resource configurations. That is, in response to the expansion of the service, the access control rule can be automatically enabled on the increased instance; in response to the shrinkage of the service, the access control rule can be automatically disabled or removed from the reduced instance. In this way, the manual configuration of the security policy is simplified, thereby helping to improve the operation and maintenance efficiency of the security policy.
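Process 900, and the update handling of the policy management module 502 described earlier, reduce to one reconciliation step: compare the instances a service's rule is currently enabled on with the instances the configuration database now reports, enable on the additions and disable (or remove) on the removals, routing each action through the controller of the instance's availability zone. The Python below is an added example written for this page, not the patent's or the applicant's code; the class and method names, the zone map, the per-instance rule table and the sample instance identifiers are all constructed. Because the same step runs whether the trigger is a real-time message or a periodic synchronization, a missed message is repaired by the next full synchronization, which is the mismatch-avoidance argument made above.

```python
from dataclasses import dataclass, field


@dataclass
class InstanceRuleTable:
    """Rule table held locally by one instance (the security policy enforcement layer).
    A disabled rule stays in the table but is inactive; a removed rule is gone."""
    rules: dict = field(default_factory=dict)  # rule_id -> {"rule": ..., "enabled": bool}

    def enable(self, rule_id, rule):
        self.rules[rule_id] = {"rule": rule, "enabled": True}

    def disable(self, rule_id):
        if rule_id in self.rules:
            self.rules[rule_id]["enabled"] = False

    def remove(self, rule_id):
        self.rules.pop(rule_id, None)

    def active(self):
        return sorted(rid for rid, entry in self.rules.items() if entry["enabled"])


class SecurityManager:
    """Security manager 201 reduced to what process 900 needs (constructed model)."""

    def __init__(self, zone_of, remove_on_scale_in=False):
        self.zone_of = zone_of                        # instance -> availability zone (from config DB)
        self.remove_on_scale_in = remove_on_scale_in  # disable (default) or remove on scale-in
        self.tables = {}                              # instance -> InstanceRuleTable
        self.groups = {}                              # service -> {"rule_id", "rule", "members"}

    def protect(self, service, rule_id, rule):
        """Create the security group for a service; members are filled by reconcile()."""
        self.groups[service] = {"rule_id": rule_id, "rule": rule, "members": set()}

    def controller_for(self, instance):
        """Rules reach an instance through the controller of its availability zone."""
        return f"controller-{self.zone_of[instance]}"

    def _table(self, instance):
        return self.tables.setdefault(instance, InstanceRuleTable())

    def reconcile(self, service, observed_instances):
        """One pass of process 900 for a service.

        observed_instances is the service-to-instance relationship just learned
        from the configuration database, via a real-time message or a periodic
        synchronization. Returns the (controller, action, instance, rule_id)
        tuples issued this pass; an already converged state issues nothing, so
        replaying the same synchronization is harmless."""
        group = self.groups[service]
        observed = set(observed_instances)
        issued = []
        for inst in sorted(observed - group["members"]):  # scale-up: blocks 920, 930
            group["members"].add(inst)
            self._table(inst).enable(group["rule_id"], group["rule"])
            issued.append((self.controller_for(inst), "enable", inst, group["rule_id"]))
        for inst in sorted(group["members"] - observed):  # scale-down: blocks 940, 950
            group["members"].discard(inst)
            action = "remove" if self.remove_on_scale_in else "disable"
            getattr(self._table(inst), action)(group["rule_id"])
            issued.append((self.controller_for(inst), action, inst, group["rule_id"]))
        return issued


# Constructed rule and zone map: which availability zone each instance sits in.
RULE = {"allow_src": ["10.52.80.0/24"], "proto": "tcp", "dport": 443}
ZONE_OF = {"inst-1": "az1", "inst-2": "az2", "inst-3": "az2"}

if __name__ == "__main__":
    sm = SecurityManager(ZONE_OF)
    sm.protect("microservice 810", "rule-803", RULE)
    print(sm.reconcile("microservice 810", ["inst-1", "inst-2"]))            # initial enable
    print(sm.reconcile("microservice 810", ["inst-1", "inst-2", "inst-3"]))  # scale-up
    print(sm.reconcile("microservice 810", ["inst-1", "inst-3"]))            # scale-down
```

The default of disabling rather than deleting on scale-in keeps the rule in the instance's table in case the service is redeployed there, at the cost of stale entries; a deployment that prefers a clean table sets remove_on_scale_in. Either way the group's member set, not the instance, is the source of truth, so a lost message cannot leave a rule enabled on an instance the manager believes is no longer protected once the next synchronization runs.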
  • FIG. 10 shows a flowchart of an access control method 1000 according to some embodiments of the present disclosure.
  • the method 1000 can be implemented, for example, by the security manager 201 in FIG. 2 .
  • the method 1000 is described below with reference to FIGS. 2-8 .
  • Access control rules to be applied to a service in a cloud environment are determined. The access control rules specify the source objects in the cloud environment that are allowed to access the service. The cloud environment may be, for example, a public cloud, a private cloud, a jointly operated cloud, an edge cloud, a hybrid cloud, or a combination thereof.
  • the service includes at least one of a cloud service, a group of microservices, a microservice, or a component.
  • the source object includes at least one of: one or more services in the cloud environment, one or more addresses in the cloud environment, or a collection of addresses in the cloud environment.
  • one or more of service mode, address mode and address pool mode may be provided to the user.
  • the access control rule of the security group to which the service belongs may be determined as the access control rule applied to the service.
  • the access control rule 703 of the security group 701 may be determined as the access control rule applied to cloud service B, microservice group A and microservice C.
  • a security group may be created based on user input, the security group including the service and the access control rules applied to the service.
  • security group 701 can be created based on user input 704 and 705 .
  • one or more services may also be added to or removed from the security group based on another user input.
  • security group 701 may be updated based on subsequent input.
  • services in a security group belong to users with the same permissions.
  • an RBAC model as shown in FIG. 6 may be set up to manage users' security policy configuration for services.
  • different services belonging to a security group are deployed in different cloud environments.
  • distributed access control can be achieved across multiple clouds.
  • target instances in the cloud environment where the service is deployed are determined.
  • the target instance can be determined based on resource configuration information (ie, service-instance relationship).
  • a target instance can be any suitable virtual or physical resource.
  • Virtual resources may include, for example, VMs, containers, and the like.
  • Physical resources may include, for example, physical machines (PMs), bare metal servers, network devices, security devices, interface cards, and so on.
  • access control rules are enabled on the target instance. For example, security manager 201 dispatches access control rules to the determined one or more target instances.
  • access control rules serving services at one or more planes may be enabled on the target instance.
  • the plane can be any of the following: management plane, storage plane, operation and maintenance plane, or service plane.
  • access control rule 803 is only enabled on port A and port C, and port A and port C are applicable to the same plane as access control rule 803 .
  • the access control rules can be issued to the target instance through the controller of the availability zone where the target instance is located. For example, if the target instance includes the instance 531 shown in FIG. 5 , the controller 521 may issue the access control rules to the instance 531 .
  • the method 1000 further includes: if an instance deployed with the service is added, enabling access control rules on the added instance.
  • the added instance can also be associated with the access control rule at the security manager 201, for example, added to the security group to which the service belongs.
  • the method 1000 further includes: disabling or removing the access control rule on the target instance if the service is no longer deployed on the target instance.
  • the target instance can also be disassociated from the access control rules at the security manager 201 .
  • the target instance may be removed from the security group to which the service belongs.
  • Fig. 11 shows a block diagram of an access control apparatus 1100 according to an embodiment of the present disclosure, and the apparatus 1100 may include a plurality of units for performing corresponding steps in the method 1000 as discussed in Fig. 10 .
  • the apparatus 1100 includes a rule determination unit 1110 configured to determine access control rules applied to services in the cloud environment. Access control rules specify the source objects in the cloud environment that are allowed to access the service.
  • the apparatus 1100 further includes an instance determination unit 1120 configured to determine a target instance in which the service is deployed in the cloud environment.
  • the apparatus 1100 further includes a rule enabling unit 1130 configured to enable access control rules on the target instance.
  • the rule determining unit 1110 is further configured to: determine the access control rule of the security group to which the service belongs, as the access control rule applied to the service.
  • the service includes at least one of a cloud service, a group of microservices, a microservice, or a component.
  • the apparatus 1100 further includes: a first update unit configured to enable access control rules on the added instance if an instance deployed with the service is added.
  • the apparatus 1100 further includes: a second update unit configured to disable or remove the access control rule on the target instance if the target instance no longer deploys the service.
  • the apparatus 1100 further includes: a third updating unit configured to remove the target instance from the security group if the service is no longer deployed on the target instance.
  • the rule determination unit 1110 is further configured to: create a security group based on user input, the security group includes services and access control rules applied to the services.
  • the apparatus 1100 further includes: a security group update unit configured to add one or more services to the security group or remove one or more services from the security group based on another user input.
  • the source object includes at least one of: one or more services in the cloud environment, one or more addresses in the cloud environment, or a collection of addresses in the cloud environment.
  • services in a security group belong to users with the same permissions.
  • the rule enabling unit 1130 is further configured to: enable, on the target instance, the access control rules of the service on one or more planes, the plane being any of the following: management plane, storage plane, operation and maintenance plane or service plane.
  • the rule enabling unit 1130 is further configured to issue the access control rule to the target instance through the controller of the availability zone where the target instance is located.
  • different services belonging to a security group are deployed in different cloud environments.
  • FIG. 12 shows a schematic block diagram of an example device 1200 that may be used to implement embodiments of the present disclosure.
  • the device 1200 may be used to implement the security manager 201 or the like.
  • The device 1200 includes a computing unit 1201, which may perform various appropriate actions and processes according to computer program instructions stored in a random access memory (RAM) and/or read-only memory (ROM) 1202, or loaded into the RAM and/or ROM 1202 from a storage unit 1207.
  • Various programs and data necessary for the operation of the device 1200 may also be stored in the RAM and/or ROM 1202.
  • the computing unit 1201 and the RAM and/or ROM 1202 are connected to each other via a bus 1203.
  • An input/output (I/O) interface 1204 is also connected to the bus 1203 .
  • I/O input/output
  • the I/O interface 1204 includes: an input unit 1205, such as a keyboard or a mouse; an output unit 1206, such as various types of displays or speakers; a storage unit 1207, such as a magnetic disk or an optical disk; and a communication unit 1208, such as a network card, a modem or a wireless communication transceiver.
  • the communication unit 1208 allows the device 1200 to exchange information/data with other devices over a computer network such as the Internet and/or various telecommunication networks.
  • the computing unit 1201 may be any of various general-purpose and/or special-purpose processing components with processing and computing capabilities. Some examples of the computing unit 1201 include, but are not limited to, central processing units (CPUs), graphics processing units (GPUs), various dedicated artificial intelligence (AI) computing chips, various computing units that run machine learning model algorithms, digital signal processors (DSPs), and any suitable processor, controller, microcontroller, and the like.
  • the computing unit 1201 executes the various methods and processes described above, such as the method 1000.
  • method 1000 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 1207 .
  • part or all of the computer program may be loaded and/or installed onto device 1200 via RAM and/or ROM and/or communication unit 1208 .
  • When a computer program is loaded into the RAM and/or ROM and executed by the computing unit 1201, one or more steps of the method 1000 described above may be performed.
  • the computing unit 1201 may be configured to execute the method 1000 in any other suitable manner (for example, by means of firmware).
  • Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. The program code may be provided to a processor or controller of a general-purpose computer, a special-purpose computer, or another programmable data processing apparatus, so that when executed by the processor or controller the program code causes the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
  • the program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
  • a machine-readable medium may be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device.
  • a machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium.
  • a machine-readable medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing.
  • More specific examples of machine-readable storage media would include an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.


Abstract

Provided in the embodiments of the present disclosure are an access control method and apparatus, and a device, a storage medium and a program product. The access control method comprises: determining an access control rule applied to a service in a cloud environment, wherein the access control rule specifies a source object in the cloud environment that is allowed to access the service; determining a target instance in the cloud environment on which the service is deployed; and enabling the access control rule at the target instance. In this way, distributed access control is realized: the configuration of a security policy is simplified and the failure radius of a security policy is made controllable, thereby improving the operation and maintenance efficiency of security policies.

Description

访问控制方法、装置和设备Access control method, device and equipment 技术领域technical field
本公开的实施例主要涉及计算机技术领域,尤其是云计算领域。更具体地,本公开的实施例涉及用于云环境中的访问控制方法、装置、设备、计算机可读存储介质以及计算机程序产品。Embodiments of the present disclosure mainly relate to the field of computer technology, especially the field of cloud computing. More specifically, the embodiments of the present disclosure relate to an access control method, device, device, computer-readable storage medium, and computer program product used in a cloud environment.
背景技术Background technique
云技术用于实现云环境中托管的服务,是计算机领域中发展最快的技术之一。云计算可以向消费方提供诸如网络、网络带宽、服务器、存储、应用等资源作为服务。以公有云为例,器涉及众多数据中心和众多服务。一些服务之间可能具有依赖性,因此需要交互。为了保证服务的网络安全,需要针对不同服务的安全策略以进行访问控制。当前,这样的安全策略通常由集中式防火墙来实现。然而,集中式防火墙具有诸多问题,例如可靠性低、易用性不高、成本高等。Cloud technology, used to enable services hosted in cloud environments, is one of the fastest growing technologies in computing. Cloud computing can provide consumers with resources such as networks, network bandwidth, servers, storage, and applications as services. Taking the public cloud as an example, the server involves many data centers and many services. Some services may have dependencies between them and thus need to interact. In order to ensure the network security of services, security policies for different services are required for access control. Currently, such a security policy is usually implemented by a centralized firewall. However, centralized firewalls have many problems, such as low reliability, low usability, and high cost.
Summary
Embodiments of the present disclosure provide a solution for access control.
In a first aspect of the present disclosure, an access control method is provided. The method includes determining an access control rule applied to a service in a cloud environment, the access control rule specifying a source object in the cloud environment that is allowed to access the service. The method further includes determining a target instance in the cloud environment on which the service is deployed, and enabling the access control rule on the target instance.
In this way, distributed access control is realized at the instances, with the service as the protected object. This simplifies security policy configuration and makes the fault radius of a security policy controllable, thereby improving the operation and maintenance (O&M) efficiency of security policies. Embodiments of the present disclosure therefore enable reliable and secure access control in a cloud environment.
In some embodiments of the first aspect, determining the access control rule applied to the service includes determining the access control rule of the security group to which the service belongs as the access control rule applied to the service. With security groups, services that share the same access control rules can be managed together, which simplifies security policy management and improves the O&M efficiency of security policies.
In some embodiments of the first aspect, the service includes at least one of a cloud service, a microservice group, a microservice or a component. Such embodiments allow services at different levels of the hierarchy to be protected objects, which increases the flexibility of security policy management.
In some embodiments of the first aspect, the method further includes: if an instance on which the service is deployed is added, enabling the access control rule on the added instance. In response to a scale-out of the service, the access control rule can thus be enabled automatically on the added instance. This reduces manual configuration of the security policy and helps improve its O&M efficiency.
In some embodiments of the first aspect, the method further includes: if the target instance no longer deploys the service, disabling or removing the access control rule on the target instance. In response to a scale-in of the service, the access control rule can thus be disabled or removed automatically on the instance that is taken out of service. This reduces manual configuration of the security policy and helps improve its O&M efficiency.
In some embodiments of the first aspect, the method further includes: if the target instance no longer deploys the service, disassociating the target instance from the access control rule, for example by removing the target instance from the security group. The security policy can thus be adjusted automatically in response to a scale-in of the service. This reduces manual configuration of the security policy and helps improve its O&M efficiency.
In some embodiments of the first aspect, determining the access control rule includes creating, based on user input, a security group that includes the service and the access control rule applied to the service. With security groups, users can manage services that share the same access control rules together, which simplifies security policy management and improves O&M efficiency.
In some embodiments of the first aspect, the method further includes: based on a further user input, adding one or more services to the security group or removing one or more services from it. The access control rules at the target instances can thus be managed simply by adding or removing services.
In some embodiments of the first aspect, the source object includes at least one of: one or more services in the cloud environment, one or more addresses in the cloud environment, or a set of addresses in the cloud environment. The source object can thus be specified flexibly and conveniently in several ways.
In some embodiments of the first aspect, the services in the security group belong to users with the same permissions. By setting user permissions, only users holding the corresponding permission are able to designate protected objects, which strengthens the reliability and security of the access control.
In some embodiments of the first aspect, enabling the access control rule on the target instance includes enabling the access control rule for the service on one or more planes on the target instance, each plane being one of a management plane, a storage plane, an operation and maintenance plane or a business plane. Distributed access control is thereby refined to plane granularity, which improves the precision of security policy management and further reduces the fault radius.
In some embodiments of the first aspect, enabling the access control rule on the target instance includes delivering the access control rule to the target instance through the controller of the availability zone in which the target instance is located. Access control rules can thus be dispatched to target instances accurately and with low latency.
In some embodiments of the first aspect, different services belonging to one security group are deployed in different cloud environments. Security groups thus make it convenient to manage security policies for services in a multi-cloud environment.
In a second aspect of the present disclosure, an access control apparatus is provided. The apparatus includes: a rule determining unit configured to determine an access control rule applied to a service in a cloud environment, the access control rule specifying a source object in the cloud environment that is allowed to access the service; an instance determining unit configured to determine a target instance in the cloud environment on which the service is deployed; and a rule enabling unit configured to enable the access control rule on the target instance.
In this way, distributed access control is realized at the instances, with the service as the protected object. This simplifies security policy configuration and makes the fault radius of a security policy controllable, thereby improving the O&M efficiency of security policies. Embodiments of the present disclosure therefore enable reliable and secure access control in a cloud environment.
In some embodiments of the second aspect, the rule determining unit is further configured to determine the access control rule of the security group to which the service belongs as the access control rule applied to the service. With security groups, services that share the same access control rules can be managed together, which simplifies security policy management and improves O&M efficiency.
In some embodiments of the second aspect, the service includes at least one of a cloud service, a microservice group, a microservice or a component. Such embodiments allow services at different levels of the hierarchy to be protected objects, which increases the flexibility of security policy management.
In some embodiments of the second aspect, the apparatus further includes a first updating unit configured to enable the access control rule on an added instance if an instance on which the service is deployed is added. In response to a scale-out of the service, the access control rule can thus be enabled automatically on the added instance, reducing manual configuration of the security policy and helping improve its O&M efficiency.
In some embodiments of the second aspect, the apparatus further includes a second updating unit configured to disable or remove the access control rule on the target instance if the target instance no longer deploys the service. In response to a scale-in of the service, the access control rule can thus be disabled or removed automatically on the instance taken out of service, reducing manual configuration of the security policy and helping improve its O&M efficiency.
In some embodiments of the second aspect, the apparatus further includes a third updating unit configured to disassociate the target instance from the access control rule if the target instance no longer deploys the service. The security policy can thus be adjusted automatically in response to a scale-in of the service, reducing manual configuration of the security policy and helping improve its O&M efficiency.
In some embodiments of the second aspect, the rule determining unit is further configured to create, based on user input, a security group that includes the service and the access control rule applied to the service. With security groups, users can manage services that share the same access control rules together, which simplifies security policy management and improves O&M efficiency.
In some embodiments of the second aspect, the apparatus further includes a security group updating unit configured to add one or more services to the security group, or remove one or more services from it, based on a further user input. The access control rules at the target instances can thus be managed simply by adding or removing services.
In some embodiments of the second aspect, the source object includes at least one of: one or more services in the cloud environment, one or more addresses in the cloud environment, or a set of addresses in the cloud environment. The source object can thus be specified flexibly and conveniently in several ways.
In some embodiments of the second aspect, the services in the security group belong to users with the same permissions. By setting user permissions, only users holding the corresponding permission are able to designate protected objects, which strengthens the reliability and security of the access control.
In some embodiments of the second aspect, the rule enabling unit is further configured to enable the access control rule for the service on one or more planes on the target instance, each plane being one of a management plane, a storage plane, an operation and maintenance plane or a business plane. Distributed access control is thereby refined to plane granularity, which improves the precision of security policy management and further reduces the fault radius.
In some embodiments of the second aspect, the rule enabling unit is further configured to deliver the access control rule to the target instance through the controller of the availability zone in which the target instance is located. Access control rules can thus be dispatched to target instances accurately and with low latency.
In some embodiments of the second aspect, different services belonging to one security group are deployed in different cloud environments. Security groups thus make it convenient to manage security policies for services in a multi-cloud environment.
In a third aspect of the present disclosure, an electronic device is provided, including at least one computing unit and at least one memory coupled to the at least one computing unit and storing instructions for execution by the at least one computing unit, the instructions, when executed by the at least one computing unit, causing the device to implement the method of the first aspect.
In a fourth aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, the computer program being executed by a processor to implement the method of the first aspect.
In a fifth aspect of the present disclosure, a computer program product is provided, including computer-executable instructions which, when executed by a processor, implement some or all of the steps of the method of the first aspect.
It can be understood that the electronic device of the third aspect, the computer-readable storage medium of the fourth aspect and the computer program product of the fifth aspect are all used to perform the method of the first aspect. The explanations given for the first aspect therefore also apply to the third, fourth and fifth aspects, and the beneficial effects of those aspects are those of the corresponding method and are not repeated here.
Brief description of the drawings
The above and other features, advantages and aspects of the embodiments of the present disclosure will become more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which the same or similar reference numerals denote the same or similar elements:
Fig. 1 shows a schematic diagram of access control provided by a centralized firewall;
Fig. 2 shows a schematic diagram of an example cloud environment in which embodiments of the present disclosure can be implemented;
Fig. 3 shows a schematic diagram of a service hierarchy according to some embodiments of the present disclosure;
Fig. 4 shows an example structure of resource configuration information according to some embodiments of the present disclosure;
Fig. 5 shows a schematic block diagram of a distributed access control architecture according to some embodiments of the present disclosure;
Fig. 6 shows a schematic diagram of user permissions associated with services according to some embodiments of the present disclosure;
Fig. 7 shows a schematic diagram of an example security group according to some embodiments of the present disclosure;
Fig. 8 shows a schematic diagram of another example security group according to some embodiments of the present disclosure;
Fig. 9 shows a flowchart of a process for updating a security policy according to some embodiments of the present disclosure;
Fig. 10 shows a flowchart of an access control method according to some embodiments of the present disclosure;
Fig. 11 shows a schematic block diagram of an access control apparatus according to some embodiments of the present disclosure; and
Fig. 12 shows a block diagram of a computing device capable of implementing embodiments of the present disclosure.
Detailed description
Embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although certain embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth here; rather, these embodiments are provided so that the disclosure will be understood more thoroughly and completely. The drawings and embodiments of the present disclosure are for illustration only and are not intended to limit its scope of protection.
In the description of the embodiments of the present disclosure, the term "include" and its variants are to be read as open-ended, that is, "including but not limited to". The term "based on" is to be read as "based at least in part on". The terms "an embodiment" or "the embodiment" are to be read as "at least one embodiment". The terms "first", "second" and so on may refer to different objects or to the same object. Other explicit and implicit definitions may also be given below.
As used here, the term "cloud service" refers to a service that is presented as a whole to an end consumer to allow the end consumer to access hosted resources. The term "service" refers to a service provided by the cloud environment in the broad sense: it may denote the "cloud service" provided to the consumer as a whole, or a component that the cloud service comprises. The term "cloud" or "cloud environment" may include, but is not limited to, a public cloud, a private cloud, a joint-operation cloud, an edge cloud, a hybrid cloud and so on.
As mentioned briefly above, in a cloud environment some services may need to interact with one another. To secure the services on the network, security policies for the different services are required for access control. In the conventional solution, a centralized firewall provides network-layer access control for the services of each network partition.
Fig. 1 shows a schematic diagram of access control provided by a centralized firewall in a conventional solution. As shown in Fig. 1, the cloud environment 100 includes multiple network partitions, for example an operation and maintenance zone 121, a management zone 122, a demilitarized (DMZ) zone 123, a computing zone 124 and a storage zone 125. These network partitions are connected to the firewall 101 via the switches 111, 112, 113 and 114 and the router 105. If a service in one network partition is to access a service in another network partition, the access must pass through the firewall 101 for access control. For example, when service A in the operation and maintenance zone 121 is to access service B in the computing zone 124, the traffic is first routed to the firewall 101 for access control, and is forwarded to the computing zone 124 only if the firewall 101 determines that service A is allowed to access service B.
In a conventional solution such as the centralized firewall of Fig. 1, access control can only govern service access across network partitions; access between different services within the same network partition is a security blind spot. Moreover, the security policies of the many services deployed in the cloud environment 100 are all concentrated in the firewall 101, which consumes a large amount of firewall hardware at high cost.
As the number of services grows, the firewall's capacity must be upgraded continually. When a new service is deployed in the cloud environment 100, there are other services on which the new service depends and other services that depend on it. Ports must therefore be opened so that the new service can reach the services it depends on, and ports must be opened so that the services that depend on the new service can reach it. The security policy in the conventional solution is thus very complex and costly to maintain. If the security policy of a new service is misconfigured, the security policies of the other services behind it are affected as well, so the fault radius of this solution is global. In addition, the conventional solution uses IP-based configuration, which is hard to use and error-prone.
To address at least some of the above problems and other potential problems, the various embodiments of the present disclosure provide a solution for access control. In general, according to the embodiments described here, an access control rule applied to a service in a cloud environment is determined, together with the target instance in the cloud environment on which the service is deployed. The access control rule specifies the source objects in the cloud environment that are allowed to access the service. The access control rule is then enabled on the target instance. In this way, distributed access control is realized at the instances, with the service as the protected object. This simplifies security policy configuration and makes the fault radius of a security policy controllable, thereby improving the O&M efficiency of security policies. Embodiments of the present disclosure therefore enable reliable and secure access control in a cloud environment.
Various example embodiments of the present disclosure are described below with reference to Figs. 1 to 12.
示例环境example environment
图2示出了本公开的多个实施例能够在其中实现的示例云环境200的示意图。总体而言,云环境200包括资源配置系统203、配置数据库202、安全管理器201和资源生产系统204。安全管理器201与资源配置系统203和配置数据库202可以部署在相同或不同的区,本公开的实施例在此方面不受限制。用户250,诸如服务管理员、安全管理员等,可以与云环境200中的资源配置系统203、安全管理器201等交互。FIG. 2 shows a schematic diagram of an example cloud environment 200 in which various embodiments of the present disclosure can be implemented. In general, the cloud environment 200 includes a resource configuration system 203 , a configuration database 202 , a security manager 201 and a resource production system 204 . The security manager 201, the resource configuration system 203 and the configuration database 202 may be deployed in the same or different zones, and the embodiments of the present disclosure are not limited in this respect. Users 250, such as service administrators, security administrators, etc., can interact with the resource configuration system 203, security manager 201, etc. in the cloud environment 200.
资源生产系统204用于实现由云环境200提供的服务,并且可以包括一个或多个网络分区,例如网络分区230-1、230-2、230-3和230-4,其也可以统称为多个网络分区230或单独称为网络分区230。多个网络分区230可以包括实例210-1、210-2、210-3、210-4、210-5、210-6、210-7、210-8和210-9,其也可以统称为多个实例210或单独称为实例210。多个实例210可以分布于多个网络分区230。仅作为示例,实例210-1、210-2和210-3等分布在网络分区230-1中,实例210-4和210-5等分布在网络分区230-2中,实例210-6和210-7等分布在网络分区230-3中,并且实例210-8和210-9等分布在网络分区230-4中。 Resource production system 204 is used to implement services provided by cloud environment 200, and may include one or more network partitions, such as network partitions 230-1, 230-2, 230-3, and 230-4, which may also be collectively referred to as multiple network partitions. network partitions 230 or network partitions 230 alone. Multiple network partitions 230 may include instances 210-1, 210-2, 210-3, 210-4, 210-5, 210-6, 210-7, 210-8, and 210-9, which may also be collectively referred to as multiple instance 210 or individually as instance 210. Multiple instances 210 may be distributed across multiple network partitions 230 . As an example only, instances 210-1, 210-2 and 210-3 etc. are distributed in network partition 230-1, instances 210-4 and 210-5 etc. are distributed in network partition 230-2, instances 210-6 and 210 -7, etc. are distributed in network partition 230-3, and instances 210-8 and 210-9, etc. are distributed in network partition 230-4.
实例210部署有云环境的一个或多个服务。在本公开的实施例中,实例210可以是任何合适的虚拟资源或实体资源。虚拟资源例如可以包括虚拟机(VM)、容器等。实体资源例如可以包括物理机(PM)、裸金属服务器、网络设备、安全设备、接口卡等。应当理解,图2中所示的网络分区的数目、实例的数目、以及实例的分布仅是示例性的,而无意限制本公开的范围。在本公开的实施例中,云环境可以包括任何合适数目的网络分区和实例。Instance 210 is deployed with one or more services of the cloud environment. In an embodiment of the present disclosure, the instance 210 may be any suitable virtual resource or physical resource. Virtual resources may include, for example, virtual machines (VMs), containers, and the like. Physical resources may include, for example, physical machines (PMs), bare metal servers, network devices, security devices, interface cards, and so on. It should be understood that the number of network partitions, the number of instances, and the distribution of instances shown in FIG. 2 are exemplary only, and are not intended to limit the scope of the present disclosure. In embodiments of the present disclosure, a cloud environment may include any suitable number of network partitions and instances.
资源配置系统203用于创建和部署服务。例如,用户250可以与资源配置系统203交互,以指定要创建的服务。资源配置系统203可以确定用于部署该服务的实例210,例如确定该服务要部署于哪个或哪些VM、PM或容器。进而,资源配置系统203可以向资源生产系统204发放这样的资源,并在所确定的实例210部署该服务。资源配置系统203可以将服务信息和资源配置信息存储在配置数据库202中。配置数据库202例如可以是配置管理数据库(CMDB)。服务信息指示云环境200中的各个服务,并且可以可选地指示服务间的关系。资源配置信息指示各个服务所部署于的一个或多个实例。换言之,资源配置信息指示服务与实 例关系。 Resource configuration system 203 is used to create and deploy services. For example, user 250 may interact with resource configuration system 203 to specify a service to create. The resource configuration system 203 may determine an instance 210 for deploying the service, for example, determine which VM, PM or container the service is to be deployed on. Furthermore, the resource configuration system 203 can release such resources to the resource production system 204 and deploy the service in the determined instance 210 . The resource configuration system 203 can store service information and resource configuration information in the configuration database 202 . Configuration database 202 may be, for example, a configuration management database (CMDB). The service information indicates each service in the cloud environment 200, and may optionally indicate a relationship between services. The resource configuration information indicates the instance or instances in which each service is deployed. In other words, resource configuration information indicates service-to-instance relationships.
可以以任何合适的结构来构建云环境200中的服务。在一些实施例中,可以以层次结构来构建云环境200中的服务。图3示出了根据本公开的一些实施例的服务的层次结构300的示意图。层次结构300从上到下包括三个层级,即云服务、微服务组、微服务或组件。微服务或组件是指具有独立功能、可独立部署的服务或组件。微服务组包括特征或功能接近的一组微服务或组件。在图3的示例中,云服务310包括微服务组321和微服务组322。微服务组321包括微服务331和微服务332。微服务组322包括微服务333和微服务334。Services in cloud environment 200 may be structured in any suitable structure. In some embodiments, services in cloud environment 200 may be structured in a hierarchical structure. FIG. 3 shows a schematic diagram of a service hierarchy 300 according to some embodiments of the present disclosure. Hierarchy 300 includes three levels from top to bottom, namely cloud service, microservice group, microservice or component. Microservices or components are services or components that have independent functions and can be deployed independently. A microservice group includes a group of microservices or components with similar characteristics or functions. In the example of FIG. 3 , cloud service 310 includes microservice group 321 and microservice group 322 . Microservice group 321 includes microservice 331 and microservice 332 . Microservice group 322 includes microservice 333 and microservice 334 .
图3中所示的层次结构300可以视为服务树。在这种实施例中,资源配置系统203可以将服务树作为服务信息存储在配置数据库202中。应当理解,图3中所示的包括三个层级的层次结构300仅是示例性的,而无意限制本公开的范围。在本公开的实施例中,可以以任何合适数目的层级来构建云环境中的各个服务。作为示例,可以以云服务和微服务两个层级来构建云环境中的各个服务。The hierarchical structure 300 shown in Figure 3 can be considered a service tree. In such an embodiment, the resource configuration system 203 may store the service tree in the configuration database 202 as service information. It should be understood that the hierarchical structure 300 including three levels shown in FIG. 3 is exemplary only, and is not intended to limit the scope of the present disclosure. In embodiments of the present disclosure, various services in a cloud environment may be constructed in any suitable number of levels. As an example, each service in the cloud environment can be constructed at two levels of cloud service and microservice.
FIG. 4 shows an example structure of resource configuration information 400 according to some embodiments of the present disclosure. In the example of FIG. 4, the resource configuration information 400, or service-to-instance relationship, includes five levels, namely L1, L2, L3, L4 and L5. Levels L1 to L3 indicate services, namely the cloud service 401, the microservice group 402, and the microservice or component 403. Level L4 indicates the instance 404 that runs or hosts the microservice or component 403. Level L5 indicates the instance address 405 of the instance 104. Herein, an address may include, but is not limited to, an Internet Protocol (IP) address such as an IPv4 address or an IPv6 address, and may also include other types of addresses.
In the embodiments of the present disclosure, an instance on which a cloud service is deployed refers to an instance on which a microservice or component under that cloud service is deployed, and an instance on which a microservice group is deployed refers to an instance on which a microservice or component under that microservice group is deployed. Therefore, in the example of FIG. 3, the instances on which the cloud service 310 is deployed include the instances on which the microservices 331, 332, 333 and 334 are deployed; the instances on which the microservice group 321 is deployed include the instances on which the microservices 331 and 332 are deployed; and the instances on which the microservice group 322 is deployed include the instances on which the microservices 333 and 334 are deployed.
Continuing with FIG. 2, the service information (for example, the service tree) and the resource configuration information (that is, the service-to-instance relationship) stored in the configuration database 202 are sent to the security manager 201. The security manager 201 is used to configure and manage security policies for the resource production system 204. Based on the service information, the security manager 201 determines a protected service as the protection object and determines the access control rule to be applied to that service. Based on the resource configuration information, the security manager 201 determines, from the plurality of instances 210, the target instances on which the service is deployed, for example the instance 210-2 and the instance 210-8. The security manager 201 then enables the access control rule on the target instances. For example, the security manager 201 dispatches the access control rule to the target instances as a security policy.
Upon receiving an access request from a source object, the target instance determines, based on the access control rule, whether the source object has access permission, and accepts or rejects the access request accordingly. To apply the access control rule, the target instance may convert the access control rule into executable instructions. Depending on the device type of the target instance (for example, VM, container, etc.), the access control rule may be applied in any suitable manner. For example, an agent may be deployed in the operating system of the target instance. The agent communicates with the security manager 201 and brings the access control rule into effect on the data plane.
In the cloud environment 200, instance-based distributed access control can be implemented. Compared with a centralized firewall, this greatly reduces the failure radius of a security policy. The cloud environment 200 may include, but is not limited to, a public cloud, a private cloud, a jointly operated cloud, an edge cloud, a hybrid cloud, and combinations thereof. Furthermore, such distributed access control may be implemented across two or more cloud environments. For example, the plurality of instances 210 may be provided by different cloud environments.
System architecture
An example architecture for implementing distributed access control is described below. FIG. 5 shows a schematic block diagram of a distributed access control architecture 500 according to some embodiments of the present disclosure. In general, the architecture 500 includes a security policy orchestration layer 510, a security policy scheduling layer 520 and a security policy enforcement layer 530. The security policy orchestration layer 510 includes the security manager 201. The security policy scheduling layer 520 includes the controllers 521, 522 and 523 of the availability zones. The security policy enforcement layer 530 includes the instances 531, 532, 533 and 534 in the availability zones. In the example of FIG. 5, the controller 521 is the controller of the availability zone in which the instance 531 is located, the controller 522 is the controller of the availability zone in which the instance 532 is located, and the controller 523 is the controller of the availability zone in which the instances 533 and 534 are located. A controller may be, for example, a dedicated server in the availability zone. The architecture 500 shown in FIG. 5 is merely exemplary and is not intended to limit the scope of the present disclosure. The distributed access control architecture may also be partitioned in other ways.
The security manager 201 includes a policy orchestration module 501, a policy management module 502 and a policy scheduling engine 503. The policy orchestration module 501 is used to associate a protected service (also referred to below as the "target service") with the corresponding access control rule. The access control rule specifies the source objects in the cloud environment 200 that are allowed to access the service. In some embodiments, if the services in the cloud environment 200 are organized in a hierarchy, the service may belong to any tier of the hierarchy. In an embodiment with the hierarchy 300 shown in FIG. 3, the service may be any of a cloud service, a microservice group, a microservice or a component. In such an embodiment, services in different tiers are allowed to be protection objects. In this way, the flexibility of security policy management can be improved.
In some embodiments, the services and the corresponding access control rules may be specified in a pre-configuration file. The policy orchestration module 501 may read the pre-configuration file and determine the protected services and the corresponding access control rules from it.
In some embodiments, the protected services and the corresponding access control rules may be specified by a user 505. For example, a user interface displaying the service information (for example, the service tree) may be presented to the user 505. The user 505 may select a protected service through the user interface and may specify the source objects that are allowed to access the service.
In some embodiments, user permissions associated with services may be set. In other words, in such an embodiment, the user 505 may designate only services belonging to the user 505 as protection objects. Reference is now made to FIG. 6, which shows a schematic diagram of user permissions associated with services according to some embodiments of the present disclosure. In the role-based access control (RBAC) model 600 shown in FIG. 6, users belonging to the same group have the same role and the same permissions. The users 601, 602 and 603 belong to different groups 611, 612 and 613, respectively. The role of the group 611 is service administrator of the cloud service 621. Accordingly, a user belonging to the group 611 (for example, the user 601) can select, as protection objects, services from the cloud service 621 and the microservice groups, microservices or components it includes. The role of the group 612 is service administrator of the cloud service 622. Accordingly, a user belonging to the group 612 (for example, the user 602) can select, as protection objects, services from the cloud service 622 and the microservice groups, microservices or components it includes. The role of the group 613 is security administrator of the system resources 623. Accordingly, a user belonging to the group 611 (for example, the user 603) can select, as protection objects, services from all cloud services and microservice groups, microservices or components. In such an embodiment, by setting user permissions, only users with the corresponding permissions can designate protection objects. In this way, the reliability and security of access control can be further enhanced.
Returning to FIG. 5, as mentioned above, the source objects allowed to access the target service may be specified by a pre-configuration file or by user input from the user 505. The policy orchestration module 501 may provide one or more modes for specifying source objects. In some embodiments, the source objects may include one or more services in the cloud environment 200. For example, the policy orchestration module 501 may provide a service mode to the user 505. In the service mode, the policy orchestration module 501 presents the user 505 with a user interface displaying the service information (for example, the service tree). The user 505 may select one or more services through the user interface, and the selected services are allowed to access the target service. In this case, the policy orchestration module 501 may determine the access control rule by determining, based on the resource configuration information from the configuration database 202, the addresses (for example, IP addresses) of the instances on which the selected services are deployed. That is, the determined addresses are allowed to access the target instances.
Alternatively or additionally, in some embodiments, the source objects may include one or more addresses in the cloud environment. For example, the policy orchestration module 501 may provide an address mode to the user 505. In the address mode, the user 505 may directly enter addresses through the user interface to specify the source objects. The policy orchestration module 501 may determine the access control rule based on the addresses entered by the user 505. That is, the addresses entered by the user 505 are allowed to access the target instances.
Alternatively or additionally, in some embodiments, the source objects may include a set of addresses in the cloud environment. For example, the policy orchestration module 501 may provide an address pool mode to the user 505. In the address pool mode, the user 505 may select an address pool from a plurality of predefined address pools to specify the source objects. Each address pool may include a set of addresses, such as a plurality of addresses, one or more address ranges, or combinations thereof. The policy orchestration module 501 may determine the access control rule based on the selected address pool. That is, the addresses in the selected address pool are allowed to access the target instances.
Although the service mode, the address mode and the address pool mode have been described with user input specifying the source objects as an example, this is merely exemplary. These modes may also be used where a pre-configuration file specifies the source objects. For example, the pre-configuration file may specify a service, one or more addresses, or an address pool as the source object.
In addition to the source object, the user input or the pre-configuration file may also specify a protocol port of the target instance (that is, the destination protocol port) as part of the access control rule. As an example, a Transmission Control Protocol (TCP) port number such as TCP 443 may be specified. Thus, in the service mode, the access control rule may allow the determined addresses to access the target instances on TCP port 443; in the address mode, the access control rule may allow the addresses entered by the user 505 to access the target instances on TCP port 443; and in the address pool mode, the access control rule may allow the addresses in the selected address pool to access the target instances on TCP port 443.
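As an added example that is not part of the patent, the following Python resolves a protected service at any tier of a service tree to its target instances (following the rule of FIG. 3 that a cloud service or microservice group is deployed wherever one of its microservices is) and compiles an access control rule from a source object given in service mode, address mode or address pool mode together with a destination TCP port, ending with the default-deny check an instance's agent would run. The service names, addresses, address pool and function names are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tree (tiers L1-L3), constructed for this example: cloud service ->
# microservice group -> microservices. Names follow the numbering of FIG. 3.
SERVICE_TREE: dict[str, dict[str, list[str]]] = {
    "cloud-service-310": {
        "microservice-group-321": ["microservice-331", "microservice-332"],
        "microservice-group-322": ["microservice-333", "microservice-334"],
    },
}

# Resource configuration (tiers L4-L5), constructed: microservice -> instance -> addresses.
RESOURCE_CONFIG: dict[str, dict[str, list[str]]] = {
    "microservice-331": {"inst-1": ["10.1.0.11"], "inst-2": ["10.1.0.12"]},
    "microservice-332": {"inst-2": ["10.1.0.12"]},  # co-located with 331
    "microservice-333": {"inst-3": ["10.1.1.13", "fd00::13"]},
    "microservice-334": {"inst-4": ["10.1.1.14"]},
}

# Predefined address pools for the address pool mode, constructed.
ADDRESS_POOLS: dict[str, list[str]] = {
    "ops-bastions": ["10.52.80.0/24", "10.52.81.7"],
}


def microservices_under(service: str) -> set[str]:
    """Expand a service at any tier to the microservices beneath it; a cloud
    service or group is deployed wherever one of its microservices is."""
    for cloud, groups in SERVICE_TREE.items():
        if service == cloud:
            return {ms for members in groups.values() for ms in members}
        for group, members in groups.items():
            if service == group:
                return set(members)
            if service in members:
                return {service}
    raise KeyError(f"unknown service: {service}")


def target_instances(service: str) -> dict[str, set[str]]:
    """Instance -> addresses for every instance on which the service is deployed."""
    result: dict[str, set[str]] = {}
    for ms in microservices_under(service):
        for inst, addrs in RESOURCE_CONFIG.get(ms, {}).items():
            result.setdefault(inst, set()).update(addrs)
    return result


def resolve_source(mode: str, value: str) -> set:
    """Turn a source object (service, address or pool mode) into ip_network objects."""
    if mode == "service":
        raw = {a for addrs in target_instances(value).values() for a in addrs}
    elif mode == "address":
        raw = {value}
    elif mode == "pool":
        raw = set(ADDRESS_POOLS[value])
    else:
        raise ValueError(f"unknown source mode: {mode}")
    # strict=False tolerates host bits in a prefix; malformed text raises ValueError,
    # so a typo in an address never silently becomes an open rule.
    return {ip_network(a, strict=False) for a in raw}


@dataclass(frozen=True)
class AccessControlRule:
    target_service: str
    target_instances: frozenset[str]
    allowed_sources: frozenset  # ip_network objects
    protocol: str
    dst_port: int


def compile_rule(target_service: str, mode: str, value: str,
                 protocol: str = "tcp", dst_port: int = 443) -> AccessControlRule:
    """Build the rule the security manager would dispatch to the target instances."""
    if not 0 < dst_port < 65536:
        raise ValueError("destination port out of range")
    return AccessControlRule(
        target_service=target_service,
        target_instances=frozenset(target_instances(target_service)),
        allowed_sources=frozenset(resolve_source(mode, value)),
        protocol=protocol.lower(),
        dst_port=dst_port,
    )


def is_allowed(rule: AccessControlRule, src_ip: str, protocol: str, dst_port: int) -> bool:
    """Data-plane check an instance's agent makes on an incoming request (default deny)."""
    if protocol.lower() != rule.protocol or dst_port != rule.dst_port:
        return False
    src = ip_address(src_ip)
    return any(src in net for net in rule.allowed_sources)
```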
The policy management module 502 in the security manager 201 is used to determine the target instances on which the protected service is deployed. For example, the target instances may be determined based on the resource configuration information from the configuration database 202. The policy management module 502 is also used to manage the service information, the resource configuration information and the security policies. Specifically, the policy management module 502 may monitor updates to the service and resource configuration. Service updates may include, but are not limited to, the addition of a microservice (for example, bringing it online), the removal of a microservice (for example, taking it offline), the scale-out of a microservice, the scale-in of a microservice, the addition of a region, a change of region, a change of availability zone, and so on. A service update may cause an update to the resource configuration, for example the addition, removal or change of the instances on which the service is deployed.
In some embodiments, the policy management module 502 may receive real-time messages from the configuration database 202 to monitor updates to the service and resource configuration. Such a real-time message is generated in response to an update of the service or resource configuration and indicates that update. Examples of real-time messages may include, but are not limited to, configuration management database instance messages, cloud service view service tree messages, microservice instance messages, cloud location region messages, and the like.
Alternatively or additionally, in some embodiments, the policy management module 502 may periodically synchronize the service information and the resource configuration information with the configuration database 202 to monitor updates to the service and resource configuration. For example, the policy management module 502 may periodically receive the service tree and the service-to-instance relationship from the configuration database 202. In such an embodiment, periodic synchronization avoids the information mismatch that a failure in real-time message delivery would cause, thereby enhancing the reliability of distributed access control. When real-time messages are combined with periodic synchronization, it can be ensured that the security manager 201 learns of the service-to-instance relationship promptly and reliably, so that the target instances are determined accurately.
Additionally, the policy management module 502 may maintain the relationship between protected services and access control rules. Upon detecting an update to the service and resource configuration, the policy management module 502 may update the relationship between services and access control rules accordingly. For example, if the removal of a service is detected, the policy management module 502 may disassociate the removed service from the corresponding access control rule. The security manager 201 may further disable or remove that access control rule on the instances on which the removed service was originally deployed. As another example, if the addition of a service is detected, the policy management module 502 may determine the access control rule to be applied to the added service and associate the added service with that access control rule.
The policy scheduling engine 503 in the security manager 201 is used to enable the access control rule on the target instances. Specifically, the policy scheduling engine 503 may issue the access control rule to the target instances in the security policy enforcement layer 530. In some embodiments, if the instances in the cloud environment are located in different availability zones, the policy scheduling engine 503 issues the access control rule to a target instance through the controller of the availability zone in which that target instance is located. In the example of FIG. 5, where the target instances include the instance 531, the policy scheduling engine 503 may issue the access control rule to the instance 531 through the controller 521. Where the target instances include the instance 532, the policy scheduling engine 503 may issue the access control rule to the instance 532 through the controller 522. Where the target instances include the instance 533 and/or the instance 534, the policy scheduling engine 503 may issue the access control rule to the instance 533 and/or the instance 534 through the controller 523.
Distributed access control is implemented with the system architecture described above. Security policies are dispatched to instances by policy orchestration and scheduling software, which reduces cost compared with hardware firewalls. For each service that needs protection, the corresponding access control rule can be enabled on the one or more target instances on which that service is deployed. The access control rules of different services reside only on the instances of those services, and different services are physically isolated from one another, which reduces the failure radius when a security policy is wrong. The source objects specified by an access control rule can be configured as needed and are not limited to being in a different zone from the target instances. In this way, the security blind spots of centralized firewall solutions are eliminated.
Security groups
Considering that some services may have the same security policy and share the same access control rule, in some embodiments a security group may be used to manage a plurality of services that share the same access control rule. The security manager 201 (for example, the policy orchestration module 501) may create a security group based on user input. The created security group includes these services and the shared access control rule. As an example, the user 505 may create a security group and add services to it through the user interface, and specify the source objects by specifying a service, addresses or an address pool. The security manager 201 may take the services added by the user as members of the security group and generate the access control rule of the security group based on the specified source objects. In some embodiments, the security manager 201 may add the determined target instances to the security group. In some embodiments, for example where the RBAC model shown in FIG. 6 is applied, the services in a security group may belong to users with the same permissions.
In such an embodiment, the security manager 201 may determine the access control rule of the security group as the access control rule applied to the services in the security group. When the security group needs to be updated, the user 505 may provide subsequent input through the user interface, and the security group may be updated based on that input. For example, one or more services may be added to the security group so that the access control rule of the security group is applied to the added services. As another example, one or more services originally belonging to the security group may be removed from it.
Furthermore, upon detecting an update to the service and resource configuration, the security manager 201 (for example, the policy management module 502) may update the security group accordingly. For example, if the removal of a service is detected, the security manager 201 may remove the removed service from the security group to which it originally belonged, thereby disassociating that service from the corresponding access control rule. As another example, if the addition of a service is detected, the security manager 201 may determine the security group to which the added service belongs and add it to that security group, thereby associating the added service with the corresponding access control rule.
With security groups, services that share the same access control rule can be managed uniformly. In this way, security policy management is simplified and the operation and maintenance efficiency of security policies is improved.
In a multi-cloud environment, the services in the same security group may be deployed in different cloud environments. For example, some services in a security group are deployed in a public cloud while others are deployed in a private cloud. In this way, cross-cloud management of security policies is readily achieved.
FIG. 7 shows a schematic diagram of an example security group 701 according to some embodiments of the present disclosure. FIG. 7 uses the three-tier hierarchy shown in FIG. 3 as an example, but this is merely exemplary and is not intended to limit the scope of the present disclosure. As shown in FIG. 7, based on user input 704, a security group 701 including cloud service B, microservice group A and microservice C is created. Accordingly, the security group 701 includes a service directory 702. In the service directory 702, the entry "identifier of cloud service B" indicates that the security group 701 includes cloud service B at the cloud service tier, the entry "identifier of microservice group A" indicates that the security group 701 includes microservice group A at the microservice group tier, and the entry "identifier of microservice C" indicates that the security group 701 includes microservice C at the microservice tier.
Based on user input 705, the access control rule 703 of the security group is generated. The access control rule 703 is applied to cloud service B, microservice group A and microservice C, which belong to the security group 701. Accordingly, the security manager 201 enables the access control rule 703 on all instances on which cloud service B, microservice group A and microservice C are deployed. In other words, all instances on which cloud service B, microservice group A and microservice C are deployed allow access from the source address 10.52.80/24 on TCP port 443.
In the example of FIG. 7, the services in the cloud environment are organized in multiple tiers, and a security group is allowed to include services from different tiers. In this way, the flexibility of security policy management can be improved. Allowing a cloud service to be specified aggregates its members, so that the user does not have to select each microservice under the cloud service one by one. Allowing a microservice or component to be specified makes security policy management fine-grained.
It should be understood that the security group, source address, port number and the like shown in FIG. 7 are all exemplary and are not intended to limit the scope of the present disclosure. A security group may include any suitable number of services, for example any suitable number of cloud services, microservice groups and microservices.
In some embodiments, security policy management may be further refined to plane granularity. The access control rule of a protected service for one or more planes (also referred to below as the "target plane") may be enabled on the target instances. The plane may be any of the management plane, the storage plane, the operation and maintenance plane, or the service plane. For example, where the access control rule applies to the management plane, the access control rule of the protected service may be enabled on the target instances for the management plane only.
Accordingly, the security manager 201 may maintain information about the instances with respect to the target plane. Such an embodiment is described below with reference to FIG. 8, taking a security group as an example. FIG. 8 shows a schematic diagram of another example security group 801 according to some embodiments of the present disclosure. FIG. 8 uses the three-tier hierarchy shown in FIG. 3 as an example, but this is merely exemplary and is not intended to limit the present disclosure. The security group 801 includes at least a microservice 810 and an access control rule 803. The security group 801 may also include other services that are not shown.
The instances on which the microservice 810 is deployed include instance A, instance B and instance C, where instance B does not involve the target plane while instances A and C do. For instance A, all ports apply to the target plane, or instance A does not distinguish between planes. For instance C, port A and port C apply to the target plane, while port B applies to a plane other than the target plane. In this case, instance A and instance C are determined as the target instances. Further, for instance C, the access control rule 803 is enabled only on port A and port C of instance C.
Accordingly, the security group 801 includes an instance directory 802. In the instance directory 802, the entry "identifier of instance A" and its sub-entries indicate instance A and all addresses of instance A, and the entry "identifier of instance C" and its sub-entries indicate instance C, the address of port A of instance C and the address of port C of instance C. Although not shown, the instance directory 802 may also include other entries or sub-entries to indicate the type of a port or the plane to which a port applies.
In the example of FIG. 8, the security manager 201 enables the access control rule 703 on all ports of instance A and on port A and port C of instance C. In other words, all ports of instance A, and port A and port C of instance C, allow access from the source address 10.52.80/24 on TCP port 443.
In such an embodiment, distributed access control is refined to plane granularity. In this way, the precision of security policy management can be improved, and the failure radius can be further reduced.
Security Policy Updates
As described with reference to FIG. 5, policy management module 502 can monitor updates to the service and resource configuration. Based on those updates, security manager 201 can update the security policy. FIG. 9 shows a flowchart of a process 900 for updating a security policy according to some embodiments of the present disclosure.
At block 910, security manager 201 determines, based on the monitored updates to the service and resource configuration, whether a service has been scaled up or scaled down. For example, security manager 201 may make this determination from real-time messages received from configuration database 202 or from periodic synchronization with configuration database 202.
If it is determined at block 910 that a service has been scaled up, that is, an additional instance deployed with a protected service has been added, process 900 proceeds to block 920. At block 920, security manager 201 associates the added instance with the access control rule applied to that service; in embodiments where a security group has been created, the added instance is added to the security group in which the service resides. At block 930, security manager 201 enables the access control rule on the added instance, for example by issuing the rule to the added instance through the controller of the availability zone in which that instance is located.
If it is determined at block 910 that a service has been scaled down, that is, a target instance that previously had a protected service deployed no longer has it deployed, process 900 proceeds to block 940. At block 940, security manager 201 disassociates the target instance on which the service is no longer deployed from the access control rule applied to that service; in embodiments where a security group has been created, security manager 201 may remove the target instance from the security group in which the service resides. At block 950, security manager 201 disables or removes the access control rule applied to the service on that target instance, for example by sending the target instance a message or command that marks the rule as disabled on the instance or deletes the rule from the instance's local store.
Process 900 for automatically updating the security policy has been described above for services in the broad sense, and it applies to services of any granularity. In embodiments in which services are organized in the hierarchy of FIG. 3, the service being scaled up or down may be any one or more of a cloud service, a microservice group, a microservice or a component.
In such embodiments, the security policy can be updated automatically in response to updates to the service and resource configuration: when a service is scaled up, the access control rule is automatically enabled on the added instances, and when it is scaled down, the rule is automatically disabled or removed on the instances that are dropped. This simplifies manual configuration of the security policy and improves the operational efficiency of maintaining it.
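The following Python example is added to this page for illustration and is not code from the patent. It models the plane-granular enablement described for FIG. 8 (instances A, B and C, of which only A and C are targets, and only ports A and C of instance C) together with the scale-up and scale-down reconciliation of process 900 (blocks 920/930 and 940/950). All class and function names, the per-availability-zone controller stand-in, the port addresses, the plane label "business" and the CIDR 10.52.80.0/24 (the page writes 10.52.80/24) are assumptions made for this example.

```python
"""Added illustration, not code from the patent: plane-granular enablement
(FIG. 8) plus the scale-up / scale-down reconciliation of process 900.
All names below, the per-AZ controller stand-in, the addresses, the plane
label "business" and the CIDR 10.52.80.0/24 are assumptions for this example."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    source_cidr: str      # source object in address-pool mode
    protocol: str
    port: int
    plane: Optional[str]  # None: the rule does not distinguish planes


@dataclass(frozen=True)
class Port:
    name: str
    address: str
    plane: Optional[str]  # None: the instance does not distinguish planes


@dataclass(frozen=True)
class Instance:
    instance_id: str
    az: str               # availability zone whose controller pushes rules
    ports: Tuple[Port, ...]


def target_ports(inst: Instance, plane: Optional[str]) -> List[Port]:
    """Ports of `inst` on which a rule scoped to `plane` is enabled.
    A rule without a plane, or an instance whose ports carry no plane tag,
    covers every port; otherwise only the ports on that plane qualify."""
    if plane is None or all(p.plane is None for p in inst.ports):
        return list(inst.ports)
    return [p for p in inst.ports if p.plane == plane]


class AZController:
    """Stand-in for the per-availability-zone controller of FIG. 5.
    It records which rule each instance enforces on which port addresses."""

    def __init__(self, az: str) -> None:
        self.az = az
        self.enforced: Dict[str, Dict[str, Set[str]]] = {}

    def enable(self, inst_id: str, rule: Rule, addrs: Set[str]) -> None:
        ip_network(rule.source_cidr)  # reject a malformed source before pushing
        self.enforced.setdefault(inst_id, {})[rule.rule_id] = set(addrs)

    def disable(self, inst_id: str, rule_id: str) -> None:
        self.enforced.get(inst_id, {}).pop(rule_id, None)


class SecurityManager:
    """Keeps each security group's instance directory (FIG. 8, 802) in step
    with the service-to-instance relation reported by the config database."""

    def __init__(self, controllers: Dict[str, AZController]) -> None:
        self.controllers = controllers
        # group -> instance id -> (az, port addresses the rule is enabled on)
        self.directory: Dict[str, Dict[str, Tuple[str, Set[str]]]] = {}

    def reconcile(self, group: str, rule: Rule,
                  deployed: List[Instance]) -> Tuple[List[str], List[str]]:
        """Process 900 for one group: returns (instances added, instances removed)."""
        directory = self.directory.setdefault(group, {})
        wanted: Dict[str, Tuple[str, Set[str]]] = {}
        for inst in deployed:
            addrs = {p.address for p in target_ports(inst, rule.plane)}
            if addrs:  # no port on the rule's plane: not a target instance
                wanted[inst.instance_id] = (inst.az, addrs)
        added: List[str] = []
        removed: List[str] = []
        # blocks 920/930: associate, then enable on instances that are new
        # (or whose plane-qualified addresses changed)
        for inst_id, (az, addrs) in wanted.items():
            if directory.get(inst_id) != (az, addrs):
                directory[inst_id] = (az, addrs)
                self.controllers[az].enable(inst_id, rule, addrs)
                added.append(inst_id)
        # blocks 940/950: disassociate, then disable on instances that left
        for inst_id in [i for i in directory if i not in wanted]:
            az, _ = directory.pop(inst_id)
            self.controllers[az].disable(inst_id, rule.rule_id)
            removed.append(inst_id)
        return added, removed


# Constructed inventory mirroring FIG. 8: A does not distinguish planes,
# B is not on the target plane, C has ports A and C on it and port B elsewhere.
RULE_803 = Rule("803", "10.52.80.0/24", "tcp", 443, "business")
INSTANCE_A = Instance("A", "az-1", (Port("eth0", "10.1.0.11", None),))
INSTANCE_B = Instance("B", "az-1", (Port("eth0", "10.1.0.12", "storage"),))
INSTANCE_C = Instance("C", "az-2", (Port("A", "10.2.0.13", "business"),
                                    Port("B", "10.2.0.14", "management"),
                                    Port("C", "10.2.0.15", "business")))


def demo():
    mgr = SecurityManager({"az-1": AZController("az-1"), "az-2": AZController("az-2")})
    first = mgr.reconcile("sg-801", RULE_803, [INSTANCE_A, INSTANCE_B, INSTANCE_C])
    # scale-down: instance A no longer runs the service
    second = mgr.reconcile("sg-801", RULE_803, [INSTANCE_B, INSTANCE_C])
    return mgr, first, second


if __name__ == "__main__":
    manager, up, down = demo()
    print("initial:", up, "after scale-down:", down)
    print("instance C enforces:", manager.controllers["az-2"].enforced["C"])
```

Two points of the design are worth noting. The instance directory records the addresses the rule was actually pushed to, so an instance whose plane-qualified ports change is re-pushed rather than skipped, and an instance with no port on the rule's plane (instance B) is never associated at all. On scale-down the manager disassociates first and then disables through the controller of the zone it recorded for that instance, so a rule is never left enforced on an instance the group no longer lists.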
Example Processes, Apparatus and Devices
FIG. 10 shows a flowchart of an access control method 1000 according to some embodiments of the present disclosure. Method 1000 may be performed, for example, by security manager 201 of FIG. 2, and for convenience is described below with reference to FIGS. 2-8.
At block 1010, an access control rule applied to a service in a cloud environment is determined. The access control rule specifies the source objects in the cloud environment that are allowed to access the service. The cloud environment may be, for example, a public cloud, a private cloud, a jointly operated cloud, an edge cloud, a hybrid cloud, or a combination of these. In some embodiments the service includes at least one of a cloud service, a microservice group, a microservice or a component; for example, where the services in the cloud environment are organized in the hierarchy 300 of FIG. 3, the service may be a cloud service, a microservice group, a microservice or a component.
In some embodiments the source object includes at least one of: one or more services in the cloud environment, one or more addresses in the cloud environment, or a set of addresses in the cloud environment. For example, the user may be offered one or more of a service mode, an address mode and an address-pool mode.
In some embodiments, the access control rule of the security group to which the service belongs is determined as the access control rule applied to the service. For example, access control rule 703 of security group 701 may be determined as the rule applied to cloud service B, microservice group A and microservice C.
In some embodiments, a security group is created based on user input, the security group including the service and the access control rule applied to it; for example, security group 701 may be created based on user inputs 704 and 705. In some embodiments, one or more services may also be added to or removed from the security group based on a further user input; for example, security group 701 may be updated based on subsequent inputs.
In some embodiments, the services in a security group belong to users with the same permissions. For example, the RBAC model shown in FIG. 6 may be set up to manage which users may configure the security policy of which services.
In some embodiments, different services belonging to the same security group are deployed in different cloud environments; in other words, distributed access control can be realized across multiple clouds.
At block 1020, the target instances in the cloud environment on which the service is deployed are determined, for example from the resource configuration information (the service-to-instance relationship). A target instance may be any suitable virtual or physical resource: virtual resources include, for example, VMs and containers; physical resources include, for example, physical machines (PMs), bare-metal servers, network devices, security devices and interface cards. At block 1030, the access control rule is enabled on the target instances; for example, security manager 201 dispatches the rule to the one or more target instances it has determined.
In some embodiments, the access control rule of the service on one or more planes is enabled on the target instance, where a plane is any of a management plane, a storage plane, an operation and maintenance plane or a service plane. For example, for instance C of FIG. 8, access control rule 803 is enabled only on port A and port C, the ports that apply to the same plane as rule 803.
In some embodiments, the access control rule is issued to the target instance through the controller of the availability zone in which the target instance is located. For example, if the target instances include instance 531 of FIG. 5, the rule may be issued to instance 531 through controller 521.
In some embodiments, method 1000 further includes: if an instance deployed with the service is added, enabling the access control rule on the added instance. The added instance may also be associated with the rule at security manager 201, for example by adding it to the security group to which the service belongs.
In some embodiments, method 1000 further includes: if the service is no longer deployed on a target instance, disabling or removing the access control rule on that target instance. The target instance may also be disassociated from the rule at security manager 201; in some embodiments it is removed from the security group to which the service belongs.
FIG. 11 shows a block diagram of an access control apparatus 1100 according to an embodiment of the present disclosure. Apparatus 1100 may include a plurality of units for performing the corresponding steps of method 1000 discussed with reference to FIG. 10. As shown in FIG. 11, apparatus 1100 includes a rule determining unit 1110 configured to determine an access control rule applied to a service in a cloud environment, the access control rule specifying the source objects in the cloud environment that are allowed to access the service. Apparatus 1100 further includes an instance determining unit 1120 configured to determine the target instances in the cloud environment on which the service is deployed, and a rule enabling unit 1130 configured to enable the access control rule on the target instances.
In some embodiments, rule determining unit 1110 is further configured to determine the access control rule of the security group to which the service belongs as the access control rule applied to the service.
In some embodiments, the service includes at least one of a cloud service, a microservice group, a microservice or a component.
In some embodiments, apparatus 1100 further includes a first updating unit configured to enable the access control rule on an added instance if an instance deployed with the service is added.
In some embodiments, apparatus 1100 further includes a second updating unit configured to disable or remove the access control rule on the target instance if the service is no longer deployed on the target instance.
In some embodiments, apparatus 1100 further includes a third updating unit configured to remove the target instance from the security group if the service is no longer deployed on the target instance.
In some embodiments, rule determining unit 1110 is further configured to create a security group based on user input, the security group including the service and the access control rule applied to the service.
In some embodiments, apparatus 1100 further includes a security group updating unit configured to add one or more services to the security group, or remove one or more services from it, based on a further user input.
In some embodiments, the source object includes at least one of: one or more services in the cloud environment, one or more addresses in the cloud environment, or a set of addresses in the cloud environment.
In some embodiments, the services in a security group belong to users with the same permissions.
In some embodiments, rule enabling unit 1130 is further configured to enable, on the target instance, the access control rule of the service on one or more planes, where a plane is any of a management plane, a storage plane, an operation and maintenance plane or a service plane.
In some embodiments, rule enabling unit 1130 is further configured to issue the access control rule to the target instance through the controller of the availability zone in which the target instance is located.
In some embodiments, different services belonging to the same security group are deployed in different cloud environments.
FIG. 12 shows a schematic block diagram of an example device 1200 that may be used to implement embodiments of the present disclosure; device 1200 may be used to implement, for example, security manager 201. As shown, device 1200 includes a computing unit 1201 that performs various appropriate actions and processes according to computer program instructions stored in a random access memory (RAM) and/or read-only memory (ROM) 1202, or loaded into RAM and/or ROM 1202 from a storage unit 1207. RAM and/or ROM 1202 may also store the other programs and data required for the operation of device 1200. Computing unit 1201 and RAM and/or ROM 1202 are connected to each other by a bus 1203, to which an input/output (I/O) interface 1204 is also connected.
A number of components of device 1200 are connected to I/O interface 1204, including: an input unit 1205 such as a keyboard or mouse; an output unit 1206 such as displays of various types or loudspeakers; storage unit 1207 such as a magnetic disk or optical disc; and a communication unit 1208 such as a network card, a modem or a wireless transceiver. Communication unit 1208 allows device 1200 to exchange information and data with other devices over a computer network such as the Internet and/or various telecommunication networks.
Computing unit 1201 may be any general-purpose and/or special-purpose processing component with processing and computing capability. Examples of computing unit 1201 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), dedicated artificial intelligence (AI) computing chips, computing units that run machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller or microcontroller. Computing unit 1201 performs the methods and processes described above, such as method 1000. For example, in some embodiments method 1000 may be implemented as a computer software program tangibly embodied on a machine-readable medium such as storage unit 1207. In some embodiments, part or all of the computer program may be loaded and/or installed onto device 1200 via RAM and/or ROM and/or communication unit 1208. When the computer program is loaded into RAM and/or ROM and executed by computing unit 1201, one or more steps of method 1000 described above may be performed. Alternatively, in other embodiments, computing unit 1201 may be configured to perform method 1000 in any other suitable manner, for example by means of firmware.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. The program code may be provided to a processor or controller of a general-purpose computer, a special-purpose computer or another programmable data processing apparatus, so that the functions and operations specified in the flowcharts and/or block diagrams are carried out when the program code is executed by the processor or controller. The program code may execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine, or entirely on a remote machine or server.
In the context of the present disclosure, a machine-readable medium may be a tangible medium that can contain or store a program for use by, or in connection with, an instruction execution system, apparatus or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium, and may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of these. More specific examples of a machine-readable storage medium include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of these.
Furthermore, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, although the discussion above contains several specific implementation details, these should not be construed as limiting the scope of the present disclosure. Certain features described in the context of separate embodiments may also be implemented in combination in a single implementation. Conversely, various features described in the context of a single implementation may also be implemented in multiple implementations separately or in any suitable sub-combination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are merely example forms of implementing the claims.

Claims (29)

  1. An access control method, characterized in that it comprises:
    determining an access control rule applied to a service in a cloud environment, the access control rule specifying the source objects in the cloud environment that are allowed to access the service;
    determining the target instances in the cloud environment on which the service is deployed; and
    enabling the access control rule on the target instances.
  2. The method according to claim 1, characterized in that determining the access control rule applied to the service comprises:
    determining the access control rule of the security group to which the service belongs as the access control rule applied to the service.
  3. The method according to claim 1 or 2, characterized in that the service comprises at least one of a cloud service, a microservice group, a microservice or a component.
  4. The method according to any one of claims 1-3, characterized in that the method further comprises:
    if an instance deployed with the service is added, enabling the access control rule on the added instance.
  5. The method according to any one of claims 1-4, characterized in that the method further comprises:
    if the service is no longer deployed on the target instance, disabling or removing the access control rule on the target instance.
  6. The method according to claims 1-5, characterized in that the method further comprises:
    if the service is no longer deployed on the target instance, disassociating the target instance from the access control rule.
  7. The method according to any one of claims 1-6, characterized in that determining the access control rule comprises:
    creating a security group based on user input, the security group comprising the service and the access control rule applied to the service.
  8. The method according to claim 7, characterized in that the method further comprises:
    based on another user input, adding one or more services to the security group or removing one or more services from the security group.
  9. The method according to any one of claims 1-8, characterized in that the source object comprises at least one of:
    one or more services in the cloud environment,
    one or more addresses in the cloud environment, or
    a set of addresses in the cloud environment.
  10. The method according to claim 2, characterized in that the services in the security group belong to users with the same permissions.
  11. The method according to any one of claims 1-10, characterized in that enabling the access control rule on the target instance comprises:
    enabling, on the target instance, the access control rule of the service on one or more planes, each plane being any of a management plane, a storage plane, an operation and maintenance plane or a service plane.
  12. The method according to any one of claims 1-10, characterized in that enabling the access control rule on the target instance comprises:
    issuing the access control rule to the target instance through the controller of the availability zone in which the target instance is located.
  13. The method according to claim 2, characterized in that different services belonging to the security group are deployed in different cloud environments.
  14. An access control apparatus, characterized in that it comprises:
    a rule determining unit configured to determine an access control rule applied to a service in a cloud environment, the access control rule specifying the source objects in the cloud environment that are allowed to access the service;
    an instance determining unit configured to determine the target instances in the cloud environment on which the service is deployed; and
    a rule enabling unit configured to enable the access control rule on the target instances.
  15. The apparatus according to claim 14, characterized in that the rule determining unit is further configured to:
    determine the access control rule of the security group to which the service belongs as the access control rule applied to the service.
  16. The apparatus according to claim 14 or 15, characterized in that the service comprises at least one of a cloud service, a microservice group, a microservice or a component.
  17. The apparatus according to any one of claims 14-16, characterized in that the apparatus further comprises:
    a first updating unit configured to enable the access control rule on an added instance if an instance deployed with the service is added.
  18. The apparatus according to any one of claims 14-17, characterized in that the apparatus further comprises:
    a second updating unit configured to disable or remove the access control rule on the target instance if the service is no longer deployed on the target instance.
  19. The apparatus according to claims 14-18, characterized in that the apparatus further comprises:
    a third updating unit configured to disassociate the target instance from the access control rule if the service is no longer deployed on the target instance.
  20. The apparatus according to any one of claims 14-19, characterized in that the rule determining unit is further configured to:
    create a security group based on user input, the security group comprising the service and the access control rule applied to the service.
  21. The apparatus according to claim 20, characterized in that the apparatus further comprises:
    a security group updating unit configured to add one or more services to the security group, or remove one or more services from the security group, based on another user input.
  22. The apparatus according to any one of claims 14-21, characterized in that the source object comprises at least one of:
    one or more services in the cloud environment,
    one or more addresses in the cloud environment, or
    a set of addresses in the cloud environment.
  23. The apparatus according to claim 15, characterized in that the services in the security group belong to users with the same permissions.
  24. The apparatus according to any one of claims 14-23, characterized in that the rule enabling unit is further configured to:
    enable, on the target instance, the access control rule of the service on one or more planes, each plane being any of a management plane, a storage plane, an operation and maintenance plane or a service plane.
  25. The apparatus according to any one of claims 14-23, characterized in that the rule enabling unit is further configured to:
    issue the access control rule to the target instance through the controller of the availability zone in which the target instance is located.
  26. The apparatus according to claim 15, characterized in that different services belonging to the security group are deployed in different cloud environments.
  27. An electronic device, comprising:
    at least one computing unit;
    at least one memory coupled to the at least one computing unit and storing instructions for execution by the at least one computing unit, the instructions, when executed by the at least one computing unit, causing the electronic device to perform the method according to any one of claims 1-13.
  28. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the method according to any one of claims 1-13.
  29. A computer program product comprising computer-executable instructions which, when executed by a processor, implement the method according to any one of claims 1-13.

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202110517596 2021-05-12
CN202110517596.2 2021-05-12
CN202110831636.0 2021-07-22
CN202110831636.0A CN115344873A (en) 2021-05-12 2021-07-22 Access control method, device and equipment

Publications (1)

Publication Number Publication Date
WO2022237006A1 true WO2022237006A1 (en) 2022-11-17

Family

ID=83947035

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/115143 WO2022237006A1 (en) 2021-05-12 2021-08-27 Access control method and apparatus, and device

Country Status (2)

Country Link
CN (1) CN115344873A (en)
WO (1) WO2022237006A1 (en)


Also Published As

Publication number Publication date
CN115344873A (en) 2022-11-15


Legal Events

Code | Title | Description
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 21941573; Country of ref document: EP; Kind code of ref document: A1