WO2022247359A1 - Cluster access method, device, electronic equipment and medium - Google Patents
Cluster access method, device, electronic equipment and medium
- Publication number: WO2022247359A1 (PCT application PCT/CN2022/076922)
- Authority: WO (WIPO, PCT)
- Prior art keywords: client, cluster, access, current, standard
Classifications
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources (under H04L63/00 network security; H04L transmission of digital information, e.g. telegraphic communication; H04 electric communication technique; H electricity)
- G06F21/44—Program or device authentication (under G06F21/30 authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F electric digital data processing; G06 computing, calculating or counting; G physics)
- G06F21/335—User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets (under G06F21/33 user authentication using certificates; G06F21/31 user authentication; G06F21/30; G06F21/00; G06F; G06; G)
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords (under H04L63/08 authentication of entities; H04L63/00; H04L; H04; H)
Definitions
- the present disclosure relates to the field of computer technology, in particular to container technology, cloud computing and cloud service technology, and for example to a cluster access method, device, electronic equipment and media.
- the mainstream communication method is to centrally manage Kubernetes clusters in different regions through cloud service providers.
- before a client accesses a Kubernetes cluster, it usually needs to be authenticated by the gateway server of the cluster.
- the present disclosure provides a method, device, electronic device and medium for establishing a connection between a client and a cluster.
- a cluster access method including:
- a cluster access simulation request is sent to the gateway server of the target cluster to establish a connection between the client and the target cluster; wherein the cluster access simulation request is obtained by simulating the client based on user simulation technology.
- a cluster access device including:
- the authentication module is configured to obtain the current client token from the cluster access request sent by the client, and to authenticate the client according to the current client token;
- the communication connection module is configured to send, when authentication is passed, a cluster access simulation request to the gateway server of the target cluster to establish a connection between the client and the target cluster; wherein the cluster access simulation request is obtained by simulating the client based on user simulation technology.
- an electronic device including:
- the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor, so that the at least one processor can execute the above cluster access method.
- a non-transitory computer-readable storage medium storing computer instructions, wherein the computer instructions are used to cause the computer to execute the above cluster access method.
- a computer program product including a computer program, the computer program implements the above-mentioned cluster access method when executed by a processor.
- FIG. 1 is a flow chart of a cluster access method disclosed according to an embodiment of the present disclosure
- Fig. 2 is a flowchart of another cluster access method disclosed according to an embodiment of the present disclosure
- Fig. 3 is a schematic structural diagram of a cluster access device disclosed according to an embodiment of the present disclosure.
- Fig. 4 is a block diagram of an electronic device used to implement the cluster access method disclosed in the embodiment of the present disclosure.
- the client directly sends a cluster access request to the gateway server of the target cluster, and the gateway server authenticates the client through the OpenID Connect scheme.
- if the gateway server does not have support for the OpenID Connect scheme enabled, the parameters of the OpenID Connect scheme must first be configured on the gateway server to enable it.
- Fig. 1 is a flow chart of a cluster access method disclosed according to an embodiment of the present disclosure, and this embodiment may be applicable to the case of establishing a connection between a client and a cluster.
- the method in this embodiment can be executed by the cluster access device disclosed in the embodiment of the present disclosure, the device can be implemented by software and/or hardware, and can be integrated on any electronic device with computing capability.
- the cluster access method disclosed in this embodiment may include:
- S101 Acquire a current client token from a cluster access request sent by a client, and authenticate the client according to the current client token.
- the client means the client device used by the user who wants to access the target cluster, which may be software installed in the smart device, or a web browser.
- This embodiment does not limit the form of the client.
- a cluster represents a collection of devices that implement the same service function.
- the cluster in this embodiment may optionally include a Kubernetes cluster, that is, a group of node computers running containerized applications.
- the client sends a cluster access request for the target cluster to the proxy server through address information previously exposed by the proxy server, such as a Uniform Resource Locator (URL).
- the proxy server parses the cluster access request to determine whether it contains a current client token. If the cluster access request does not contain a current client token, the proxy server immediately rejects the client's access to the target cluster; if it does, the proxy server determines the validity period of the current client token and then determines whether the token has expired.
- if the current client token has expired, the proxy server rejects the client's access to the target cluster; if it has not expired, the proxy server authenticates the client according to the current client token.
- Authentication methods include but are not limited to at least one of the following implementations:
- the client encrypts the current client token with a private key, generates a cluster access request based on the encrypted current client token and sends it to the proxy server; the proxy server decrypts the encrypted current client token with the public key, and if the decrypted current client token is the same as the standard client token issued to the client in advance, the client passes authentication.
- the client uses its own standard client identifier as an interference code to encrypt the current client token, generates a cluster access request according to the encrypted current client token and sends it to the proxy server; the proxy server uses the standard client identifier to decrypt the encrypted current client token, and if decryption succeeds, the client passes authentication.
- the client authorizes the proxy server to obtain the standard client information of the client, and the proxy server generates a standard client token according to the standard client information and returns it to the client.
- the client sends the cluster access request carrying the current client token to the proxy server; the proxy server parses the current client token to obtain the current client information and compares it with the standard client information, and if the comparison succeeds, the client passes authentication.
- This embodiment does not limit the manner of authenticating the client based on the current client token; any identity authentication method based on the client token falls within the scope of protection of this embodiment.
- the authentication of the client based on the proxy server is realized, and the security of the client accessing the cluster is guaranteed.
- the client is simulated using user simulation technology to generate a cluster access simulation request from the client to the target cluster, wherein the user simulation technology is User Impersonation technology, a technique by which one user simulates another user in order to perform related operations.
- the proxy server simulates the client to send a cluster access request to the gateway server of the target cluster.
- the proxy server sends the generated cluster access simulation request to the gateway server of the target cluster.
- since the cluster access simulation request is obtained by simulating the client based on user simulation technology, from the perspective of the gateway server it is equivalent to the real client sending a cluster access request to the gateway server, so the gateway server responds to the cluster access simulation request and exposes an externally accessible designated port to the client, so that the client can access the target cluster based on the designated port.
- This disclosure obtains the current client token from the cluster access request sent by the client and authenticates the client according to that token, so that client authentication is executed on the proxy server instead of on the gateway server. This avoids the problem in the related technology where authenticating the client on the gateway server intrudes into the gateway server and creates security risks for the cluster, and so improves the security of the cluster. By having the proxy server simulate the client, based on user simulation technology, to send a cluster access request to the gateway server, even a cluster access simulation request sent by the proxy server itself can establish a connection between the client and the cluster, so that the client can access the target cluster smoothly.
- the permission information to be updated of the target cluster is determined; according to the permission information to be updated, the target cluster is controlled to update the permission information.
- Permission information indicates the relevant attribute information of cluster permissions, including but not limited to permission rules and authorized person information.
- Permission rules define the content of permissions in the cluster, such as "access A namespace” permission or “modify A namespace” permission etc.
- the authorized person information indicates the object to which any permission rule applies, for example, if permission rule A is given to user A, then user A is the authorized person of permission rule A.
- the proxy server communicates with multiple managed clusters, the user configures the permission information of the target cluster in the corresponding front end of the proxy server, and the proxy server responds to the user's permission configuration on the front end Operation, determine the permission information to be updated of the target cluster, and control the managed target cluster to update the current permission information to the permission information to be updated.
- the user configures the permission information of the target Kubernetes cluster on the corresponding front end of the proxy server, including but not limited to "Role" configuration, "ClusterRole" configuration, "RoleBinding" configuration and "ClusterRoleBinding" configuration, where "Role" denotes the permission rules for any namespace in a Kubernetes cluster, "ClusterRole" denotes the permission rules of any Kubernetes cluster itself, "RoleBinding" denotes the authorized person information corresponding to any "Role" in any Kubernetes cluster, and "ClusterRoleBinding" denotes the authorized person information of any "ClusterRole" in any Kubernetes cluster.
- the proxy server determines at least one of the updated "Role", "ClusterRole", "RoleBinding" and "ClusterRoleBinding" according to the user's permission configuration operation, and controls the target Kubernetes cluster to update its permission information accordingly. For example, if the user configures the "Role" of the target Kubernetes cluster on the front end, the proxy server synchronously updates the configured "Role" to the target Kubernetes cluster.
- the permission information to be updated of the target cluster is determined, and the target cluster is controlled to update its permission information according to it, so that unified management of cluster permission information based on the proxy server is realized and the efficiency of cluster permission information management is improved.
- Fig. 2 is a flow chart of another cluster access method disclosed according to an embodiment of the present disclosure, which is extended based on the above technical solution and can be combined with the above optional implementation.
- the cluster access method disclosed in this embodiment may include:
- S201 Acquire standard client information of the client according to an access configuration file acquisition request sent by the client.
- An access configuration file is a certificate required for a client to access a cluster, and each client needs to access a cluster based on an access configuration file. To obtain an access configuration file, the client needs to apply to the issuing authority.
- Standard client information refers to some private information of the client, such as client name and client status.
- the client sends an access configuration file acquisition request to the proxy server according to the address information exposed by the proxy server.
- the proxy server, according to the access configuration file acquisition request, applies to the client for the standard client information, and obtains the standard client information of the client under the client's authorization.
- this embodiment provides an implementation manner of S201 in a real scene.
- the user logs in through the browser and enters the address information of the proxy server in the browser to send the proxy server an access configuration file acquisition request.
- the proxy server forwards the access configuration file acquisition request to the identity service component, and the identity service component controls the browser to jump to a personal information authorization interface according to a preset authorization protocol, such as the Open Authorization 2.0 (OAuth 2.0) protocol.
- the user performs personal information authorization operations in the personal information authorization interface of the browser, including but not limited to authorization based on account password, authorization based on QR code or authorization based on verification code, etc.
- the identity service component obtains the user's personal information from the third-party server associated with the browser.
- standard client information is encoded using a preset encoding technique, such as Base64 encoding, to generate payload information; the standard client token type information and signature algorithm information are likewise encoded to generate header information; the signature algorithm is applied to the payload information and header information to generate signature information; finally, the standard client token is generated from the header information, payload information and signature information.
- a standard access profile including the standard client token is generated based on the standard client token.
- the proxy server feeds back the generated standard access configuration file to the client, so that the client subsequently performs cluster access through a cluster access request including the standard access configuration file.
- the client sends the current access configuration file including the current client token to the proxy server, and the proxy server parses the current access configuration file and extracts the current client token from the preset field area.
- the current access configuration file in the cluster access request is not necessarily the standard access configuration file obtained by the client in S203. Therefore, the proxy server needs to check the current access configuration file in the cluster access request.
- the access configuration file is parsed and verified to ensure that the client is accessing the cluster through a cluster access request that includes a standard access configuration file.
- S205 Determine current client information of the client according to the current client token, and authenticate the client according to the current client information.
- after the proxy server obtains the current client token, it first decodes the payload information part of the token to obtain the token expiration time and determines, from the current time and the expiration time, whether the token has expired. If the current client token has not expired, it takes the payload information and header information from the token, calculates the signature information again, and compares the calculated signature information with the signature information in the token. If the two are consistent, the payload information is decoded to obtain the current client information, and the client is then authenticated according to the current client information.
- the authentication methods include but are not limited to: 1) comparing the current client information with the standard client information; if they are consistent, the client is determined to be legitimate, that is, the client passes authentication. 2) Obtaining the client status corresponding to the current client information from the third-party server through a data interface, and authenticating the client according to the client status; for example, if the client status is determined to be abnormal, the client does not pass authentication.
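The token format of S202 and the verification order of S205 above, as an added Python example that is not code from the patent: the header carries the token type and signature algorithm, the payload carries the standard client information plus an expiry, and the proxy recomputes the HMAC-SHA256 signature before trusting the payload, then applies both authentication methods 1) and 2). The signing key, field names and status values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key held only by the proxy server (placeholder, not from the patent).
PROXY_SIGNING_KEY = b"example-proxy-signing-key-replace-me"
TOKEN_TYPE = "ClientToken"   # the "token type information" carried in the header (assumed name)
SIGNING_ALG = "HS256"        # the "signature algorithm information" carried in the header


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(header_b64: str, payload_b64: str, key: bytes) -> str:
    # Signature information: HMAC-SHA256 over "header.payload", Base64url-encoded.
    msg = f"{header_b64}.{payload_b64}".encode("ascii")
    return _b64url(hmac.new(key, msg, hashlib.sha256).digest())


def issue_standard_token(standard_client_info: dict, key: bytes, ttl_seconds: int, now=None) -> str:
    """Proxy side (S202): encode header and payload, sign them, assemble the standard client token."""
    now = time.time() if now is None else now
    header = {"typ": TOKEN_TYPE, "alg": SIGNING_ALG}
    payload = dict(standard_client_info, exp=int(now) + ttl_seconds)  # exp = token expiry time
    header_b64 = _b64url(json.dumps(header, separators=(",", ":"), sort_keys=True).encode())
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{header_b64}.{payload_b64}.{_sign(header_b64, payload_b64, key)}"


def build_access_profile(token: str, cluster_id: str) -> dict:
    """Standard access configuration file containing the standard client token (constructed shape)."""
    return {"cluster": cluster_id, "token": token}


def extract_current_token(access_profile) -> str:
    """S204: pull the current client token out of the preset field of the current access profile."""
    return access_profile.get("token", "") if isinstance(access_profile, dict) else ""


def authenticate(current_token: str, key: bytes, standard_client_info: dict, client_status_lookup, now=None):
    """S205: returns (passed, reason) so the proxy can log why an access request was refused."""
    now = time.time() if now is None else now
    if not current_token:
        return False, "missing token"
    parts = current_token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, signature = parts
    # 1. Decode header and payload; refuse anything that is not the expected token type/algorithm.
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    if header.get("typ") != TOKEN_TYPE or header.get("alg") != SIGNING_ALG:
        return False, "unexpected token type or algorithm"
    # 2. Expiry check against the current time.
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired"
    # 3. Recompute the signature over header and payload and compare in constant time.
    if not hmac.compare_digest(_sign(header_b64, payload_b64, key), signature):
        return False, "signature mismatch"
    # 4. Method 1: the current client information must equal the standard client information.
    current_info = {k: v for k, v in payload.items() if k != "exp"}
    if current_info != standard_client_info:
        return False, "client info mismatch"
    # 5. Method 2: ask the (here injected) third-party server for the client's live status.
    status = client_status_lookup(current_info.get("client_name"))
    if status != "normal":
        return False, f"client status {status}"
    return True, "authenticated"
```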
- the proxy server determines the target cluster according to the target cluster identifier included in the cluster access request.
- multiple clients send their respective cluster access requests to the proxy server, so each client adds a target cluster identifier to its cluster access request, so that the proxy server can determine the target cluster corresponding to each cluster access request.
- S207 Determine whether the target cluster is in an abnormal state, wherein the abnormal state includes at least one of a disconnection abnormal state and a health value abnormal state, and when the target cluster is not in an abnormal state, send the cluster access simulation request to the gateway server of the target cluster.
- the abnormal state of disconnection indicates that the cluster is disconnected from the gateway server.
- the abnormal state of the health value indicates that some indicator data of the cluster are abnormal, such as the central processing unit (CPU) usage rate being too high or the remaining available memory being too low, etc.
- the proxy server regularly checks the connection status and health value of each cluster through List-watch, and if it determines that the target cluster is in an abnormal state, it stops sending cluster access simulation requests to the gateway server of the target cluster. If the target cluster is not in an abnormal state, a cluster access simulation request is sent to the gateway server of the target cluster, and the gateway server establishes a connection with the client according to the received cluster access simulation request.
- This disclosure obtains the standard client information of the client according to the access configuration file acquisition request sent by the client, generates a standard client token according to the standard client information, generates a standard access configuration file according to the standard client token and sends it to the client, laying the foundation for the client to subsequently access the target cluster according to the standard access configuration file and ensuring that cluster access proceeds smoothly; it obtains the current access configuration file of the client from the cluster access request and parses it to determine the current client token, laying the foundation for subsequent authentication of the client according to that token; by determining the current client information of the client according to the current client token and authenticating the client based on the current client information, the client is authenticated, which improves the security of cluster access; by determining the target cluster according to the cluster access request, the target cluster that each client wants to access is determined, laying the foundation for subsequently sending the cluster access simulation request to that target cluster; and by determining whether the target cluster is in an abnormal state, wherein the abnormal state includes at least one of a disconnection abnormal state and a health value abnormal state, and sending the cluster access simulation request to the gateway server of the target cluster only when the target cluster is not in an abnormal state, it ensures that the target cluster can be accessed normally and avoids the problem of the client being unable to access the target cluster.
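The proxy's simulated request and the gateway's handling of it (the user simulation step described earlier), together with the S207 abnormal-state gate, as an added Python example that is not part of the patent: the Kubernetes impersonation headers (Impersonate-User, Impersonate-Group) stand in for the user simulation technology, and a small in-process function plays the gateway, honouring those headers only for an authenticated caller that is allowed to impersonate. The thresholds, tokens and identity names are assumptions.

```python
import hmac

# Constructed thresholds and credentials (placeholders, not taken from the patent).
CPU_USAGE_LIMIT_PERCENT = 90.0
MIN_FREE_MEMORY_MB = 512
PROXY_SERVICE_TOKEN = "example-proxy-service-account-token"
# Gateway-side table of callers it recognises: bearer token -> identity (constructed).
KNOWN_CALLERS = {PROXY_SERVICE_TOKEN: "system:serviceaccount:proxy:cluster-proxy"}


def cluster_abnormal_state(state: dict):
    """S207: return "disconnection", "health_value" or None for a List-watch snapshot of the cluster."""
    if not state.get("connected", False):
        return "disconnection"
    cpu = state.get("cpu_usage_percent", 0.0)
    free_mb = state.get("free_memory_mb", 0)
    if cpu > CPU_USAGE_LIMIT_PERCENT or free_mb < MIN_FREE_MEMORY_MB:
        return "health_value"
    return None


def build_simulation_request(current_client_info: dict, method="GET", path="/api/v1/namespaces") -> dict:
    """Proxy side: the request sent to the gateway on behalf of an already authenticated client.
    The proxy authenticates with its own bearer token; the Kubernetes impersonation headers
    name the user (and groups) the API server should treat the request as coming from."""
    headers = [
        ("Authorization", f"Bearer {PROXY_SERVICE_TOKEN}"),
        ("Impersonate-User", current_client_info["client_name"]),
    ]
    headers += [("Impersonate-Group", g) for g in current_client_info.get("groups", [])]
    return {"method": method, "path": path, "headers": headers}


def _header(headers, name):
    return [v for k, v in headers if k == name]


def gateway_handle(request: dict, impersonators: set) -> dict:
    """Gateway side, a simplified stand-in for the API server's authentication and authorization:
    the impersonation headers are honoured only after the caller itself is authenticated and is
    in the set of identities allowed to impersonate (in Kubernetes, RBAC with the 'impersonate'
    verb); an unauthenticated or unauthorised caller cannot pick an identity via headers."""
    auth = _header(request["headers"], "Authorization")
    token = auth[0][len("Bearer "):] if auth and auth[0].startswith("Bearer ") else ""
    caller = next((ident for t, ident in KNOWN_CALLERS.items()
                   if hmac.compare_digest(t.encode(), token.encode())), None)
    if caller is None:
        return {"status": 401, "reason": "caller not authenticated"}
    users = _header(request["headers"], "Impersonate-User")
    if not users:
        return {"status": 200, "effective_user": caller, "effective_groups": []}
    if caller not in impersonators:
        return {"status": 403, "reason": f"{caller} is not allowed to impersonate"}
    return {"status": 200, "effective_user": users[0],
            "effective_groups": _header(request["headers"], "Impersonate-Group")}


def proxy_access(current_client_info: dict, cluster_state: dict, impersonators: set) -> dict:
    """S206/S207 combined: do not send the simulation request while the cluster is abnormal;
    otherwise send it and return the gateway's answer."""
    abnormal = cluster_abnormal_state(cluster_state)
    if abnormal is not None:
        return {"sent": False, "reason": f"target cluster in {abnormal} abnormal state"}
    request = build_simulation_request(current_client_info)
    return {"sent": True, "response": gateway_handle(request, impersonators)}
```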
- the acquisition, storage and application of the user's personal information involved are in compliance with relevant laws and regulations, and do not violate public order and good customs.
- Fig. 3 is a schematic structural diagram of a cluster access device disclosed according to an embodiment of the present disclosure, which may be applicable to the case of establishing a connection between a client and a cluster.
- the apparatus in this embodiment can be implemented by software and/or hardware, and can be integrated on any electronic device with computing capability.
- the cluster access device 30 disclosed in this embodiment may include an authentication module 31 and a communication connection module 32, wherein:
- the authentication module 31 is configured to obtain the current client token from the cluster access request sent by the client, and authenticates the client according to the current client token;
- the communication connection module 32 is configured to, when authentication is passed, send a cluster access simulation request to the gateway server of the target cluster to establish a connection between the client and the target cluster; wherein the cluster access simulation request is obtained by simulating the client based on user simulation technology.
- the device also includes a target cluster determination module, which is configured to:
- the authentication module 31 is configured to obtain the current client token from the cluster access request sent by the client in the following manner:
- the device also includes an access configuration file sending module, which is configured to:
- the authentication module 31 is configured to authenticate the client according to the client token in the following manner:
- the device also includes an abnormal state judging module, which is configured to:
- the communication connection module 32 is configured to send the cluster access simulation request to the gateway server of the target cluster in the following manner: when the target cluster is not in an abnormal state, sending the cluster access simulation request to the gateway server of the target cluster.
- the device also includes a permission information update module, which is configured to:
- the permission information to be updated of the target cluster is determined; according to the permission information to be updated, the target cluster is controlled to update the permission information.
- the cluster access device 30 disclosed in the embodiment of the present disclosure can execute the cluster access method disclosed in the embodiment of the present disclosure, and has corresponding functional modules and effects for executing the method.
- the present disclosure also provides an electronic device, a readable storage medium, and a computer program product.
- FIG. 4 shows a schematic block diagram of an example electronic device 400 that may be used to implement embodiments of the present disclosure.
- Electronic device 400 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other suitable computers.
- Electronic device 400 may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices.
- the components shown herein, their connections and relationships, and their functions, are by way of example only, and are not intended to limit implementations of the disclosure described and/or claimed herein.
- the device 400 includes a computing unit 401 that can perform various appropriate actions and processes according to a computer program stored in a read-only memory (ROM) 402 or loaded from a storage unit 408 into a random access memory (RAM) 403. The RAM 403 can also store various programs and data necessary for the operation of the device 400.
- the computing unit 401, ROM 402, and RAM 403 are connected to each other through a bus 404.
- An input/output (I/O) interface 405 is also connected to the bus 404.
- the I/O interface 405 includes: an input unit 406, such as a keyboard, a mouse, etc.; an output unit 407, such as various types of displays, speakers, etc.; a storage unit 408, such as a magnetic disk, an optical disk, etc.; and a communication unit 409, such as a network card, a modem, a wireless communication transceiver, and the like.
- the communication unit 409 allows the device 400 to exchange information/data with other devices over a computer network such as the Internet and/or various telecommunication networks.
- Computing unit 401 may be various general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of the computing unit 401 include, but are not limited to, a CPU, a graphics processing unit (GPU), various dedicated artificial intelligence (AI) computing chips, various computing units that run machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller, etc.
- the calculation unit 401 executes the methods and processes described above, such as the cluster access method.
- the cluster access method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 408.
- part or all of the computer program may be loaded and/or installed on the device 400 via the ROM 402 and/or the communication unit 409.
- when the computer program is loaded into RAM 403 and executed by computing unit 401, one or more steps of the cluster access method described above may be performed.
- the computing unit 401 may be configured in any other suitable way (for example, by means of firmware) to execute the cluster access method.
- Various embodiments may be implemented in one or more computer programs executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor that can receive data and instructions from a storage system, at least one input device and at least one output device, and transmit data and instructions to the storage system, the at least one input device and the at least one output device.
- Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general-purpose computer, a special-purpose computer, or another programmable data processing device, so that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
- the program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
- a machine-readable medium may be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device.
- a machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium.
- a machine-readable medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing.
- examples of machine-readable storage media include an electrical connection based on one or more wires, a portable computer disk, a hard disk, RAM, ROM, erasable programmable read-only memory (EPROM) or flash memory, optical fibre, compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
- the systems and techniques described herein can be implemented on a computer having a display device (e.g., a cathode ray tube (CRT) or liquid crystal display (LCD) monitor) for displaying information to the user, and a keyboard and pointing device (e.g., a mouse or trackball) through which the user can provide input to the computer.
- Other types of devices may also be used to provide interaction with the user; for example, the feedback provided to the user may be any form of sensory feedback (e.g., visual, auditory, or tactile feedback), and input from the user may be received in any form (including acoustic input, speech input, or tactile input).
- the systems and techniques described herein can be implemented in a computing system that includes back-end components (e.g., a data server), or a computing system that includes middleware components (e.g., an application server), or a computing system that includes front-end components (e.g., a user computer having a graphical user interface or web browser through which a user can interact with embodiments of the systems and techniques described herein), or a computing system that includes any combination of such back-end, middleware, or front-end components.
- the components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (LAN), a wide area network (WAN), blockchain networks, and the Internet.
- a computer system may include clients and servers.
- Clients and servers are generally remote from each other and typically interact through a communication network.
- the relationship of client and server arises by computer programs running on the respective computers and having a client-server relationship to each other.
- the server can be a cloud server, also known as a cloud computing server or cloud host, which is a host product in the cloud computing service system that addresses the defects of difficult management and weak business scalability found in traditional physical host and virtual private server (VPS) services; it can also be a server of a distributed system, or a server combined with a blockchain.
- Steps can be reordered, added, or removed using the various forms of flow shown above.
- steps described in the present disclosure may be executed in parallel, sequentially, or in a different order, as long as the desired result of the technical solution disclosed in the present disclosure can be achieved; no limitation is imposed herein.
Claims (17)
- 1. A cluster access method, comprising: obtaining a current client token from a cluster access request sent by a client, and authenticating the client according to the current client token; and, when authentication passes, sending a cluster access impersonation request to a gateway server of a target cluster so as to establish a connection between the client and the target cluster; wherein the cluster access impersonation request is obtained by impersonating the client on the basis of user impersonation technology.
- 2. The method according to claim 1, further comprising, before sending the cluster access impersonation request to the gateway server of the target cluster: determining the target cluster according to the cluster access request.
- 3. The method according to claim 1, wherein obtaining the current client token from the cluster access request sent by the client comprises: obtaining a current access configuration file of the client from the cluster access request, and parsing the current access configuration file to determine the current client token.
- 4. The method according to claim 1, further comprising, before obtaining the current client token from the cluster access request sent by the client: obtaining standard client information of the client according to an access configuration file acquisition request sent by the client; generating a standard client token according to the standard client information, and generating a standard access configuration file according to the standard client token; and sending the standard access configuration file to the client, so that the client performs cluster access by means of a cluster access request containing the standard access configuration file.
- 5. The method according to claim 1, wherein authenticating the client according to the current client token comprises: determining current client information of the client according to the current client token, and authenticating the client according to the current client information.
- 6. The method according to claim 1, further comprising, after authentication passes and before sending the cluster access impersonation request to the gateway server of the target cluster: determining whether the target cluster is in an abnormal state, the abnormal state comprising at least one of a lost-connection abnormal state and a health-value abnormal state; and wherein sending the cluster access impersonation request to the gateway server of the target cluster comprises: sending the cluster access impersonation request to the gateway server of the target cluster only when the target cluster is not in an abnormal state.
- 7. The method according to claim 1, further comprising: determining permission information to be updated for the target cluster according to a permission configuration operation performed by a user on the target cluster; and controlling the target cluster to update its permission information according to the permission information to be updated.
- 8. A cluster access apparatus, comprising: an authentication module configured to obtain a current client token from a cluster access request sent by a client and to authenticate the client according to the current client token; and a communication connection module configured to, when authentication passes, send a cluster access impersonation request to a gateway server of a target cluster so as to establish a connection between the client and the target cluster; wherein the cluster access impersonation request is obtained by impersonating the client on the basis of user impersonation technology.
- 9. The apparatus according to claim 8, further comprising a target cluster determination module configured to determine the target cluster according to the cluster access request.
- 10. The apparatus according to claim 8, wherein the authentication module is configured to obtain the current client token from the cluster access request sent by the client by: obtaining a current access configuration file of the client from the cluster access request, and parsing the current access configuration file to determine the current client token.
- 11. The apparatus according to claim 8, further comprising an access configuration file sending module configured to: obtain standard client information of the client according to an access configuration file acquisition request sent by the client; generate a standard client token according to the standard client information, and generate a standard access configuration file according to the standard client token; and send the standard access configuration file to the client, so that the client performs cluster access by means of a cluster access request containing the standard access configuration file.
- 12. The apparatus according to claim 8, wherein the authentication module is configured to authenticate the client according to the client token by: determining current client information of the client according to the current client token, and authenticating the client according to the current client information.
- 13. The apparatus according to claim 8, further comprising an abnormal state determination module configured to determine whether the target cluster is in an abnormal state, the abnormal state comprising at least one of a lost-connection abnormal state and a health-value abnormal state; wherein the communication connection module is configured to send the cluster access impersonation request to the gateway server of the target cluster by: sending the cluster access impersonation request to the gateway server of the target cluster only when the target cluster is not in an abnormal state.
- 14. The apparatus according to claim 8, further comprising a permission information update module configured to: determine permission information to be updated for the target cluster according to a permission configuration operation performed by a user on the target cluster; and control the target cluster to update its permission information according to the permission information to be updated.
- 15. An electronic device, comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so as to enable the at least one processor to perform the cluster access method according to any one of claims 1 to 7.
- 16. A non-transitory computer-readable storage medium storing computer instructions, wherein the computer instructions are used to cause a computer to perform the cluster access method according to any one of claims 1 to 7.
- 17. A computer program product, comprising a computer program which, when executed by a processor, implements the cluster access method according to any one of claims 1 to 7.
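The claims above (and their apparatus counterparts in claims 8 to 14) describe one flow: the gateway issues a token inside an access configuration file (claim 4), later parses that file out of the access request and authenticates the token (claims 3 and 5), picks the target cluster (claim 2), refuses it if it is lost or unhealthy (claim 6), and only then forwards an impersonation request to the cluster's gateway (claim 1), with administrators able to change per-cluster permissions (claim 7). The following is an added worked example of that flow and is not code from the patent or from its applicant. It assumes that the "user impersonation technology" is Kubernetes-style `Impersonate-User` / `Impersonate-Group` request headers sent by the gateway under its own credential; the class and function names, the health threshold, the token lifetime, the in-memory client directory and the sample client and clusters are all constructed for the example.

```python
# Added example (not the patent's code): a minimal access gateway that follows
# the claimed flow.  Kubernetes-style Impersonate-* headers stand in for the
# "user impersonation technology"; names, thresholds and sample data are assumptions.
import hashlib
import json
import secrets
import time
from dataclasses import dataclass

HEALTH_MIN = 0.5              # assumed threshold for the "health-value" abnormal state
TOKEN_TTL = 8 * 3600          # assumed lifetime of an issued client token, in seconds
GATEWAY_CREDENTIAL = "gateway-own-credential-constructed"  # the gateway's credential, never the client's


@dataclass
class Cluster:
    name: str
    gateway_url: str
    reachable: bool = True    # False models the lost-connection abnormal state
    health: float = 1.0       # below HEALTH_MIN models the health-value abnormal state


def _digest(token: str) -> str:
    """Only a SHA-256 digest of each issued token is kept server-side."""
    return hashlib.sha256(token.encode()).hexdigest()


class AccessGateway:
    def __init__(self, clusters, directory):
        self.clusters = {c.name: c for c in clusters}
        self.directory = directory  # client_id -> standard client information
        self._tokens = {}           # digest(token) -> client information
        self.permissions = {}       # cluster -> {user: extra groups}

    def issue_access_config(self, client_id: str) -> str:
        """Claim 4: look up standard client information, mint a token, return a config file."""
        info = dict(self.directory[client_id])
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = {**info, "client_id": client_id, "issued": time.time()}
        return json.dumps({"clusters": sorted(info["clusters"]), "user": info["user"], "token": token})

    def authenticate(self, access_request: dict):
        """Claims 3 and 5: parse the config carried in the request, extract the token and
        resolve it to client information; None means authentication failed."""
        try:
            cfg = json.loads(access_request["access_config"])
        except (KeyError, TypeError, ValueError):
            return None
        token = cfg.get("token") if isinstance(cfg, dict) else None
        if not isinstance(token, str):
            return None
        info = self._tokens.get(_digest(token))
        if info is None or time.time() - info["issued"] > TOKEN_TTL:
            return None
        return info

    def cluster_state(self, name: str) -> str:
        """Claim 6: 'ok', 'lost-connection' or 'health-value'."""
        cluster = self.clusters[name]
        if not cluster.reachable:
            return "lost-connection"
        if cluster.health < HEALTH_MIN:
            return "health-value"
        return "ok"

    def update_permissions(self, cluster: str, user: str, groups) -> None:
        """Claim 7: record a permission configuration operation for a cluster."""
        self.permissions.setdefault(cluster, {})[user] = list(groups)

    def build_impersonation_request(self, access_request: dict) -> dict:
        """Claims 1 and 2: authenticate, determine the target cluster, refuse abnormal
        clusters, then build the request forwarded to the cluster gateway as the client."""
        info = self.authenticate(access_request)
        if info is None:
            raise PermissionError("authentication failed")
        target = access_request.get("target_cluster")
        if target not in self.clusters or target not in info["clusters"]:
            raise PermissionError("client is not entitled to the requested cluster")
        state = self.cluster_state(target)
        if state != "ok":
            raise RuntimeError(f"target cluster {target} is abnormal: {state}")
        # The impersonated identity comes only from the authenticated token: any
        # Impersonate-* header the client sent is dropped before ours are set.
        headers = {k: v for k, v in access_request.get("headers", {}).items()
                   if not k.lower().startswith("impersonate-")}
        groups = list(info["groups"]) + self.permissions.get(target, {}).get(info["user"], [])
        headers["Authorization"] = "Bearer " + GATEWAY_CREDENTIAL
        headers["Impersonate-User"] = info["user"]
        headers["Impersonate-Group"] = groups  # one header line per group on the wire
        return {"method": access_request.get("method", "GET"),
                "url": self.clusters[target].gateway_url + access_request.get("path", "/"),
                "headers": headers}


# Constructed sample data for the example.
DIRECTORY = {"cli-42": {"user": "alice", "groups": ["dev"], "clusters": {"prod-east"}}}
CLUSTERS = [Cluster("prod-east", "https://prod-east.example.internal"),
            Cluster("prod-west", "https://prod-west.example.internal", reachable=False)]


def demo():
    gw = AccessGateway(CLUSTERS, DIRECTORY)
    cfg = gw.issue_access_config("cli-42")
    request = {"access_config": cfg, "target_cluster": "prod-east", "path": "/api/v1/pods",
               "headers": {"Impersonate-User": "system:admin"}}  # client-supplied, must be ignored
    return gw, cfg, gw.build_impersonation_request(request)


if __name__ == "__main__":
    print(json.dumps(demo()[2], indent=2))
```

Two details carry the security of this design whatever the surrounding implementation: the identity written into the impersonation request is derived from the authenticated token and never copied from the client's own headers (a gateway that forwards client-supplied `Impersonate-*` headers lets every authenticated client become any identity the gateway can assume), and the gateway forwards under its own credential, which in Kubernetes must be granted the `impersonate` verb only on the users and groups it is meant to act for. The health check of claim 6 sits before forwarding so that a cluster that has dropped off the network or is failing its health checks never receives impersonated traffic.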
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP22757466.2A EP4120109A1 (en) | 2021-05-27 | 2022-02-18 | Cluster access method and apparatus, electronic device, and medium |
KR1020227029834A KR20220160549A (ko) | 2021-05-27 | 2022-02-18 | Cluster access method, apparatus, electronic device and medium |
JP2022552283A JP2023530802A (ja) | 2021-05-27 | 2022-02-18 | Cluster access method, cluster access apparatus, electronic device, computer-readable storage medium and computer program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110606924.6A CN113360882A (zh) | 2021-05-27 | 2021-05-27 | Cluster access method, apparatus, electronic device and medium |
CN202110606924.6 | 2021-05-27 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022247359A1 true WO2022247359A1 (zh) | 2022-12-01 |
Family
ID=77530840
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/076922 WO2022247359A1 (zh) | 2021-05-27 | 2022-02-18 | Cluster access method, apparatus, electronic device and medium |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP4120109A1 (zh) |
JP (1) | JP2023530802A (zh) |
KR (1) | KR20220160549A (zh) |
CN (1) | CN113360882A (zh) |
WO (1) | WO2022247359A1 (zh) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113360882A (zh) * | 2021-05-27 | 2021-09-07 | 北京百度网讯科技有限公司 | Cluster access method, apparatus, electronic device and medium |
CN114143313B (zh) * | 2021-11-30 | 2024-03-19 | 招商局金融科技有限公司 | Cloud-native cluster communication apparatus and method, and related device |
CN114745185A (zh) * | 2022-04-18 | 2022-07-12 | 阿里巴巴(中国)有限公司 | Cluster access method and apparatus |
CN115988078A (zh) * | 2022-11-28 | 2023-04-18 | 中国联合网络通信集团有限公司 | Communication method and system, electronic device and storage medium |
CN116094763A (zh) * | 2022-12-07 | 2023-05-09 | 天翼云科技有限公司 | Cloud-phone-based internet access behaviour control method and system |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110175077A (zh) * | 2019-05-27 | 2019-08-27 | 浪潮云信息技术有限公司 | Method and system for managing container resources based on commands |
CN110971646A (zh) * | 2018-09-30 | 2020-04-07 | 浙江大学 | Cluster control apparatus, system and method |
CN111212077A (zh) * | 2020-01-08 | 2020-05-29 | 中国建设银行股份有限公司 | Host access system and method |
CN111510444A (zh) * | 2020-04-09 | 2020-08-07 | 上海云励科技有限公司 | Remote access method and system for containers, server, and access auxiliary component |
CN111796858A (zh) * | 2020-07-07 | 2020-10-20 | 金蝶软件(中国)有限公司 | Method, system and related device for detecting application access inside a Kubernetes cluster |
US20200351332A1 (en) * | 2017-07-28 | 2020-11-05 | Kong Inc. | Auto-documentation for application program interfaces based on network requests and responses |
CN111935110A (zh) * | 2020-07-24 | 2020-11-13 | 北京金山云网络技术有限公司 | Method and apparatus for controlling a tenant's permission to access container instances |
CN112468442A (zh) * | 2020-10-28 | 2021-03-09 | 苏州浪潮智能科技有限公司 | Two-factor authentication method, apparatus, computer device and storage medium |
CN113360882A (zh) * | 2021-05-27 | 2021-09-07 | 北京百度网讯科技有限公司 | Cluster access method, apparatus, electronic device and medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109344620B (zh) * | 2018-09-07 | 2021-08-31 | 国网福建省电力有限公司 | Detection method based on Hadoop security configuration |
2021
- 2021-05-27 CN CN202110606924.6A patent/CN113360882A/zh active Pending
2022
- 2022-02-18 EP EP22757466.2A patent/EP4120109A1/en active Pending
- 2022-02-18 WO PCT/CN2022/076922 patent/WO2022247359A1/zh active Application Filing
- 2022-02-18 JP JP2022552283A patent/JP2023530802A/ja active Pending
- 2022-02-18 KR KR1020227029834A patent/KR20220160549A/ko not_active Application Discontinuation
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116909757A (zh) * | 2023-09-13 | 2023-10-20 | 中移(苏州)软件技术有限公司 | Control system and method for cluster management, electronic device and storage medium |
CN116909757B (zh) * | 2023-09-13 | 2024-01-26 | 中移(苏州)软件技术有限公司 | Control system and method for cluster management, electronic device and storage medium |
Also Published As
Publication number | Publication date |
---|---|
JP2023530802A (ja) | 2023-07-20 |
KR20220160549A (ko) | 2022-12-06 |
EP4120109A1 (en) | 2023-01-18 |
CN113360882A (zh) | 2021-09-07 |
Similar Documents
Publication | Title |
---|---|
WO2022247359A1 (zh) | Cluster access method, apparatus, electronic device and medium |
US11736469B2 (en) | Single sign-on enabled OAuth token |
CN111556006B (zh) | Third-party application system login method, apparatus, terminal and SSO service platform |
US9094208B2 (en) | User identity management and authentication in network environments |
US9386007B2 (en) | Multi-domain applications with authorization and authentication in cloud environment |
US10237254B2 (en) | Conditional login promotion |
CN112422532B (zh) | Service communication method, system, apparatus and electronic device |
CN108880822B (zh) | Identity authentication method, apparatus and system, and smart wireless device |
US20170006020A1 (en) | Authentication context transfer for accessing computing resources via single sign-on with single use access tokens |
JP2017517823A (ja) | Techniques for operating a service with machine-generated authentication tokens |
CN107743702B (zh) | Single sign-on for managed mobile devices |
CN107534557A (zh) | Identity proxy providing access control and single sign-on |
US9571495B2 (en) | Methods and systems for authorizing web service requests |
US20230370265A1 (en) | Method, Apparatus and Device for Constructing Token for Cloud Platform Resource Access Control |
JP2017524214A (ja) | Enterprise authentication via third-party authentication support |
CN113923020A (zh) | Microservice authentication method, apparatus and device for a SaaS multi-tenant architecture |
KR20220019834A (ko) | Method and system for authenticating secure credential transfer to a device |
CN111865882A (zh) | Microservice authentication method and system |
KR101836211B1 (ko) | Electronic device authentication manager apparatus |
EP4149053B1 (en) | Authorization processing method and apparatus, and storage medium |
Huang et al. | A method for trusted usage control over digital contents based on cloud computing |
US11405379B1 (en) | Multi-factor message-based authentication for network resources |
CN113794571A (zh) | Dynamic-password-based authentication method, apparatus and medium |
CN115834252B (zh) | Service access method and system |
TWI768307B (zh) | Open-source software integration method |
Legal Events
Code | Title | Description |
---|---|---|
ENP | Entry into the national phase | Ref document number: 2022552283; Country of ref document: JP; Kind code of ref document: A |
WWE | WIPO information: entry into national phase | Ref document number: 17909295; Country of ref document: US |
ENP | Entry into the national phase | Ref document number: 2022757466; Country of ref document: EP; Effective date: 20220830 |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22757466; Country of ref document: EP; Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |